ML17331B169
| ML17331B169 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 12/07/1993 |
| From: | INDIANA MICHIGAN POWER CO. (FORMERLY INDIANA & MICHIG |
| To: | |
| Shared Package | |
| ML17331B167 | List: |
| References | |
| 2985-VDV-01, 2985-VDV-01-R00, 2985-VDV-1, 2985-VDV-1-R, NUDOCS 9401060210 | |
| Download: ML17331B169 (14) | |
Text
REACTOR PROTECTION AND CONTROL PROCESS INSTRUMENTATION REPLACEMENT PROJECT AT DONALD C.
COOK NUCLEAR PLANT UNITS 1 AND 2 REACTOR PROTECTION SYSTEM FUNCTIONAL DIVERSITY ASSESSMENT REPORT NO. 2985-VDV-01I REV 0 Prepared by:
Concurred by:
Lfk~P Date Date
~~ A~ P-Approved by:
s./
Date P
1 9401060210"931222 PDR ADOCK 05000315 P
UALITATIVEFUNCTIONAL DIVERSITY ASSESSMENT EXECUTIVE
SUMMARY
On April 21,
- 1992, AEPSC representatives had a meeting with the NRC on the
'eplacement of existing analog reactor protection process instrumentation with digital Foxboro Spec 200/Spec 200 Micro Electronics instrumentation.
During this
- meeting, AEPSC was asked to assume a common mode failure (CMF) of the software of the new digital equipment during a postulated accident and then provide details as to whether operators could mitigate the consequences of the accident.
In response to this request, a functional diversity assessment of each updated FSAR (UFSAR) event assuming a
common mode failure of the software has been performed.
In this assessment, all the events for both Units 1 and 2 of the Cook Nuclear Plant given in the UFSAR were considered.
A review was performed to divide events into potentially affected and not affected.
Table-1 lists these events and indicates whether they would be potentially affected or not affected if a CMF were to occur.
The potentially affected transients were then individually evaluated qualitatively in light of the FSAR analysis.
Each event evaluation was recorded on a form of the type shown in Appendix A.
This form outlines the thought process employed.
The first column in Appendix A contains the UFSAR transient number listed in Table-1.
The second column includes the name of the transient.
The third column depicts the trip/safeguard function for reactor trip.
This information was obtained from the UFSAR.
The fourth column includes the information on the impact of common mode failure on the reactor trip function. If the trip function is processed outside of the new digital reactor protection
- system, then the trip is available, e.g., trip on nuclear instrumentation system high flux. If the trip is processed by a function that is a part of the new digital equipment, then the trip/ESF function is assumed to be lost.
However, for some functions, alternate indications and/or diverse alarms are available.
The alarm/alternate indications that are available to the operator to mitigate the transient are given in the next column.
The sixth column lists pertinent diagram numbers.
The seventh column summarizes the consequences of the unavailability of diverse alarm.
The last column provides the evaluation of the event.
In this column, we have discussed the consequences of the operator's response on reactor safety.
Based on this evaluation, we have concluded that the CMF of the new digital equipment has no significant adverse impact on the public safety, Some reactor trips are not affected by the installation of the new digital equipment.
Among these trips are neutron high flux and high rate
- trips, undervoltage and underfrequency trips and reactor trip on turbine trip.
However, for events protected by trip actuations affected by the CMF, the operator will be alerted to the event by an alarme will then provide the appropriate actuations manually and enter the emergency operating procedures.
For some accidents, such as locked rotor, the consequences could be more severe than currently analyzed due to the longer response time for the required actuation.
- However, our evaluation indicates that the affected unit can be brought to a safe condition and the current LOCA offsite dose evaluation will remain bounding.
From these results, it is believed that a
CMF of the new digital system would have no adverse effect on the health and safety of the public.
Table-1 UFSAR TRP"tSIENT ~
14.1.1 14.1.2 14.1.3 14.1.4 14.1.5 14.1.6 14.1.7 14'.8 14.1.9 14.1.10 14.1.11
- 14. l. 12 14.1.13 TRANSIENT ncontrolled RCCA Withdrawal from a Subcritical Condition ncontrolled RCCA Withdrawal at Power od Cluster Control Assembly Misalignment CCA Drop Chemical Volume and Control System Malfunction Loss of Reactor Coolant Flow Startup of an Inactive Reactor Coolant Loop Loss of External Electrical Load Loss of Normal Feedwater Flow Excessive Heat Removal due to Feedwater System Malfunction Excessive Load Increase Incident Loss of All A.C. Power to the Plant Auxiliaries urbine-Generator Safety Analysi.s POTENTIALLY AFFECTED (A)/
NOT AFFECTED(NA)
A A
A A
A A
A A
A A
A A
A 14.2.1 14.2.2 14.2.3 14.2.4 14.2.5 14.2.6 14.2.7 14.2.8 Fuel Handling Accident ccidental Release of Radioactive Liquids f
ccidental Waste Gases Release Steam Generator Tube Rupture upture of a Steam Pipe upture of a Control Rod Drive Mechanism Housing (RCCA Ejection)
Secondary System Accidents Dose Consequences ajor Rupture of a Main Feedwater Pipe A
A A
A A
A A
A 14.3.1 14.3.2 14.3.3 14.3.4 14.3.5 14.3,6 14.3.7 14.3.8 Large Break LOCA Analysis Loss of Reactor Coolant from Small Ruptured Pipes or from Cracks in Large Pipes which Actuates the Emergency Core Cooling System Core and Internals Integrity Analysis Containment Integrity Analysis Environmental Consequences of a Loss of Coolant Accident ydrogen in the Containment After a Loss of Coolant ccident Long Term Cooling Nitrogen Blanketing A
A NA A
~ A A
NA NA 14.4. 2 14.4. 3 14.4.4 14.4.5 14.4.6 14 '.7 14.4.8 14.4. 9 14.4.10 14.4.11 Postulated Pipe Failure Analysis Outside Containment nalysis of Emergency Conditions Stress Calculations Description of Pipe Whip Analysis Compartment Pressures and Temperatures Description of Jet Impingement Load Analysis Containment Integrity Plant Modifications Environment Electrical Equipment Environmental Qualification NA NA NA NA NA NA NA NA NA A
~PPENDZX A
UNII I end UNIT N fSAR IRANSIENI t TRANSIENT TRIP/SAfECUARO FUNCTION fOR RX TRIP fSAR INPACT Of COONNI HCOE fAILURE (CNF) ON TRIP FUNCTION ALARN/ALTERNATE INDICATION STSTEH AYAILASLE OIACRAH N CONSEOUENCES Of UNAYAILANILITYOf DIVERSE ALARN EVALUATION OF EVENT
\\ ~
V l,g'v,
~ ~ < r k'
~
~
~
~r
~ra' UMIT 1 srd UNIT 2 ISAR TRANSIENT N 1(.1.6.1 TRANSIEMT Loss of Forced Reactor Coolant flaw TRIP/SAFEGUARD FUNCTION FOR RX TRIP @SAR ttf.t.g.t) 1.
Rx trip on reactor coolant parp power svfpty undervoltsge or urdar frequency 2.
Rx trip on low reactor coolant loop ftow.
IMPACT Of CONNCH NCOE FAILURE (CNF) OM TRIP FUNCTIOH Not Affected Low flow Rx trip lost (for sll four loops>
ALARHIALTE RNATE INDICATIOl SISIEN AVAILABLE Reactor Coolant Purp undcrfrcqucncy snd undervoltage stern (Procedure I, 2.OMP, C02C, 107, 207)
Indica Ion Ave t table Panel Indtcat lan cacpvtcl.IAdlcetfoA Dlvcrsc Aterm AvellabLc
~ah I&I Pressurizer pressure panel indicitIon Pressvrlzer pressure rccordcr Pressurizer prcssure cceputer indication Pressurizer level panel Indication Pressurtzer leveL recorder Pressurizer level cccputer Irdl cat I on Hide range tccperature records Other Alarms Pressurizer high prcssure deviation vl~ control sys'teal four htgh pressure alarms via central systcaa Pressurizer htgh level devlatlcn via ccntrol sys Icc4 Nigh LcvcL via coAtroL sys'tccl Acoust tc sent tor flow detected DIACRAH g FD.2101 Sheet 3
and C
coNBEDUENcEs 0F UMAVAILABILIII OF DIVERSE ALARM lf the Rx ls at paver st the time of the
- accident, the Imacdlate effect of a loss of coolant flow is a rapid Increase In the coolant tecperature which ls magnified by a positive HTC.
This Increase could result ln DNB with slfasequcnt adverse effects to the fuel, if the Rx ls not tripped prccptly.
EVALUATION OF EVENT Ihe Rx trip cn reactor coolant pop power apply urdervot tsge Nd under frequency remains tmaffcctcd by a cccoen cede failure (CNF) of the ncw digital fnstrtzaentat loA Ihc reactar trip on toss of flow In a coolant loop ls lost on CNF for each loop.
These are no Diverse Alarms available; however, panel Indlcat ton and cocputer Irdlcatlon sre available for the low coolant loop flow.
Two cases of loss of flow sre discussed tn fSAR (IC.1.6).
The slrultaneous Loss of paver to all C RCPC can occur due to ~Ither undcrfrequcncy or vndcrvattage, ahtch la not lapacted by CNF. This sltvatlon ls highly taltlkety, since each pap ls connected to a separate bus, vhtch ts stppt ted by one of twa transformers.
The cansepenccs of the loss of flow fnclude an Increase ln lavg, pressurizer
- prcssure, and pressurizer water level.
Mlde range RCS tccperature recorders (mace dated 9/2/92 frua U.
G. Sotos to V. D. Vandcrgurg) ere avaltable to the operator to Indicate an Increase tn lavg.
There Is no Rx trip on high Tavg.
The pressurtzer pressure will cant tram to rise talttt the operator gets a high pressure deviation alarm at 2325 psta (2.ONP C02C.200 Drcp 7) far Unit 2 ard 2175 psla for Unit l.
The Rx trip on hfgh prcssure (setpofnt < 2COO pals) Is lost dve to cNF.
However, diverse alarms (cece dated 9/2/92 frau U. G. Sotos to V. D. VandcrBurg) are available.
It ls evident that the high pressvre deviation
~Lane util draw the operator's attcnt ten, and he wlLL trip the Rx carnally.
The operator will atso be Likely to see the hfgh tevel deviation alarm at SX above pragren.
Ihe consequences of this awxaat Rx trip are discussed belew.
Crude extrapolations of DNBR for these events suggest that IONBR could be reached within rI6 to lb seconds for loss af flow In one loop.
Stutter extrapolations suggest that the high prcssure dcvlatfon atana would first be received 4 seconds Into the transient although the
~
operstlan of pressvrl ter sprays will IACreaae this estimate.
Altowlng W seconds for operation response It ls clear that DNB could 7
4 I
~
L
~'l UNIT I and UNIT 2 FSAR TRANSIENT H IL 1.6.1 (cont'd)
TRANSIENT TRIP/SAFECUARD fUNCTIOH FOR RX TRIP(FSAR 1(f,l.(.I')
IKPACT OF COKKON KOOE FAILURE (CKF) OH TRIP NNCTION ALARM/ALTFRNATEINDICATIOI STSTEH AVAILABLE DIAGRAM H CONSEQUENCES OF UNAVAILABILITTOF DIVERSE ALARH EVALUATIONOF EVENT occur resulting ln clad chxasge.
Since a nasslve cultlple failure Is accused for this event, this ls bcLleved to be acceptable Vlth a loss of f(ou ln one loop total core flou should rccteln MX recoovlng the bulk of thc heat frees the core, llnltlng the detcrloratlcn of the core prior to svuxcal reactor trip.
1hc portion of the core that experiences DNB ls expected to heat up cntIL thc Doppler coefficient shuts It doccn.
fuel is not expected to ne(t but c(ad burst and oxldatfcn ere antfclpsted.
It should also be noted that this event uas analyzed ulth a positive noderatfcn coefficient (KIC) of +5 pcn/'F.
Thfs value Is nore llnltlng than the Technical Specification lfnlt at IDOX RTP. It Is conservative and provides scbstantfai nargfn throughout coast of the life.
This causes pc+sr to Increase as the coolant tecperature Increases.
A sore realistic ssscnptfon for beginning of cycle ls
-(pccc/oF.
A negative KTC ulll tend to shutdown the core as tecperaturc Increases nltlgatlng the event.
The HTC becones scgntantfaily sore negative as burncp progresses.
The Cook Units are base loaded and operate ulth control roch ln the alL out posltlcn at full pouer.
Therefore, the possibility that automatic rod control night ulthdrau rods Hill have no Icpact because rods are essentially fullyufthdravn.
After reactor trip, the ecoergency operating procedures provide for nltlgatlon activities to bring the nachlne to a safe condltlcn.
In the evaluatlcn of the previous paragraph, an operator response tine of ~ seconds uas assessed.
Vfthouc a reactor trip, pressurlter pressure and level sre expected to ccnticae to Increase after the first atones are received.
uhen pressure reaches 2250 pale, the poRY's Hill open resultfng fn an acoustic aonltor flou cietected clara.
Extrapolating the analysis curves, uhlch do not codel pressurlter spray, this could occur before KDMBR ls reached.
'therefore, It ls likely that sn acccnutatlon of slams ulll occur before 60 secceds have elapsed.
Ihercfore, the operators response tice ccay be less than 60 seconds for this event.
,T sl 44 i
't s
~ 5
~\\
~'
UNIT I and UNIT 2 TSAR TRANSIENT g IS+I+6.1 (cont'd)
TRANSIENT TRIP/SAF EGUARO FUNCTION fOR RX TRIP (CESAR (LI.I,g,I)
IHPACT OF CCHHON HCOE FAILURE (CHF) ON TRIP FUNCTION ALARH/ALTERNATE INOICATION STSTEH AVAILABLE OIAGRAH g CCNSEOUENCES OF UNAVAILABILITTOF DIVERSE ALARH EVALUATIONOf EVENT The cxet likely cause of an event of this type, ls a failure of the reactor coolant purp (RCP) or Its notor.
The operator ls prov(dad ulth a slgnlfleant rasher of a(arne to give hln lnfonaat Ion regardfng the RCP's end enters.
Ihese a(aran Include RCP notor dlfferent I~I trip, RCP actor overload trip, axl RCP eater overheated.
Therefore, It Is likely that the operator Hill have Inforeatlon available eh(eh Hill ~(lou hta to antlclpate and, therefore, ad+tant(a((y alt(gate the event.
,c UNIT I and UNIT 2 FSAR TRANSIENT ¹ TS.T.6.2 TRANSIENT Locked Rotor/Shaft greek Accident TRIP/SAFEGUARD FUNC'TION fOR Rx TRIP (FsAR LLI~ I, gi 2)
Reactor trip on low flow signal IMPACT Of COONCI NCOE FAILURE (CNF) CN 1RIP FUNCTIOI Low flow reactor trip lost (swee 9/2/92 cece frees V.
W. Sotos to V. D.
Vendergurg)
ALARN/ALTERNATE INOICATICH SYSTOL AVAILASLE Indications Avallab e Panel Irdication Cocputer Indication Iverse ALare Avai ab OJhl&l tl Pressurizer pressure panel Irdication Pressurizer pressure recorder Pressurizer pressure cocpJter Ifdfcatfon Pressurizer leveL panel Irdicatlon Pressurizer level recorder Pressurizer Level cccputer lrd lest Ion Vide range tecperature records Sourd of pressurizer safety valves Other Alcree Pressurizer high pressure devlatlcn via control systue four high pressure alares vl~ control systua Pressurizer high level deviation via control systua Nigh level via ccntrol cyst us Acoustic cenltor flow detected OIAGRAN ¹ fg 2101 Sheet 3 and 4 CONSECUENCES OF UNAVAILABILITTOF DIVERSE ALARN If the Rx fs at power at thc tice of
- accident, the Iceediate effect of ~
loss. of flow (seizure of a RCP rotor) ls an Increase In the coolant tecperature.
'This Increase could result In DKB with subsequent adverse effects to fuel, lf the Rx ls not tripped procptly (fSAR, Page LS.1.6 1)
EVALUATION OF EVEN'I The FEAR analysis for this event assuces an instantaneous seizure of a reactor coolant Fcrp rotor.
for this event, the reactor trips on low flow signal.
The cccren cede failure (CNF) of the ncw digital Instrucentatfon would result In
~ loss of low flow Rx trfp signal.
'the loss of flow will Increase the coolant tecperature end an Increase ln pressurizer pressure due to a reduction In hest rceoval.
Thc wide range RCS tccperature recorders (cece dated 9/2/92 froa V. G. Sotos to V. D.
Vsndergurg) are available to the operator.
The pressurizer pressure will ccntlfMJe to riscg and the operator will get a high pressurizer deviation ~Larcs at 2325 pele (Procedure 2-ONP (02(.200 Drop 7) for Unit 2 ard 2175 pals for Unit 1.
1he reactor trip on high pressure
(<2(00 ps(a) Ic tost due to CNF.
Kowever, hfgh prcssure diverse elarce sre available (cece dated 9/2/92 (rect V. G. Sotos to V. D.
Vandergurg).
Therefore, the high pressure deviation aiarcc will draw the operator's attention to trip the reactor coreatiy.
This event Is very euch like the loss of forced reactor coolant flow ln cne loop.
Kowever, lt Is cere severe In that total core flow Is reduced nore rapidly to a lower value.
The total core flow ls reduced to ~70X within ~2 seconds.
As the coolant heats up, ~ significant Increase In prcssure occurs.
The peak analyzed pressure for both tcdts ls ~2590 psla.
This peak occurred at.2 seconds after the reactor trip at I second.
This pressure Is less then 110X of the design pressure, I.e. 2750 psla.
Kowever, lf reactor trip is delayed M seconds, lt corset be stated with certainty that this prcssure would not be exceeded.
Kowever, the analysis takes no credit for pressurizer spray or the pressurizer PORV's. 't Is also the case as with the loss of forced reactor coolant flow that the analysis was perforeed with a positive cederator tecperature coefficient (NTC) of +5 pccc/'F.
This value ls cere (la(ting than the Tcchnical Specification LINIt at 100X RIP. It Is conservative and provides substantial eargin throughout the core life.
UNIT 1 snd UNIT 2 FSAR TRANSIENT y TS 1.6.2 (con't)
TRANSIENT TRIP/SAFEGUARD fUHCTIOH FOR RX TRIP (FSAR L q c Lr ( ~ 2)
IHpAcT of cororou HcoE FAILURE LCHF) ON TRIP fUNCTLON ALARH/ALTERNATE IN)ICATION STSIEH AVAILABLE DIACRAH y CONSEQUENCES OF UNAVAILABILITYOF DIVERSE ALARH EVALUATION OF EVENT Therefore, as Tavg ls Increased, pouer lncressts In the analysis.
As Indicated ln the loss of forced reactor coolant flou, a raore realistic begirniny of cycle HTC, voutd be
~-Spear/'f.
Throughout core life the HIC vould decrease to the r.20pcra/'f.
The feerhack froa the HTC uould therefore tend to shut the reactor doun rather than Increase pouer ln an actual event.
The Cook ralits art base Loaded and operate vlth ccntrol roch fn the all out positlcn st fuLL povtr.
The possibility that autocatlc rod ccntrol raight vlthdrau roch vill have no fapsct because roh sre essentially fullyvlthdraun.
These consideraticns lead us to conclude that It fs rxlllkciythat prcssuriaer prcssure vould exceed 2730 pale snd virtually laposslble to exceed 3200 pslg, the ASNE goiter ard Pressure Vessel Code Ltvel C crltericn, vhlch vas used for AHSAC design.
In the analysis, DNS ls expected to occur.
In thc event of a delay of reactor trip by ~
- seconds, thfs sltuatlcn can only be cxaccrbated.
The operatlcn of pressurizer sprays erd PORV's vhich vere not axdeicd ln the analysis vill also rcsu'Lt in an Increase In fuel re ln DNS.
Kouever, It Is believed that the available flou vill prevent the core frere degrading to conditicn uhere it carnot be cooled after trfp.
The portion of the core that experiences DNB ls expected to heat up rxltft the Doppler coefficient shuts It dovn.
Fuel ls not expected to trait but clad burst and oxidation are anticipated.
Srbstantlal core darvrge Is acceptable for this event vhlch is an ANS cordition I)l event vlth arassive axrltipte failures In the evaluation of the previous tvo parsgraffrs, an operator response tlrac of M seconds vas assraaed.
Koucvcrr 'this cvctlt ls cxpcc'ttd to bc wry draraatic Several pressurizer sierras can be expected vithin seconds of the start of the event includiny the acoustfc cxxlltol flou dc'tcc'tcd elena 1he pressurlaer safety valves csn be expected to Liftvhlch creates sn lapresslve sand in the control rocra.
Therefore, tht operators response rvry be less than 60 stconds for this event.
UNIT I and UNIT 2 fSAR
'IRANSIENT ¹ Irh I.ff.2 (ccn't)
TRANSIENT TRIP/SAFEGUARD FUNCTION fOR RX TRIP (fSAR fq.I.L.S.]
IHPACT OF CCHHON HCOE FAILURE (CHF) OI TRIP FUNCTION ALARH/ALTERNATE INOICATIOH STS'IEH AVAILASLE DIAGRAH ¹ CONSEOUENCES OF UNAVAI LAB I LITT OF DIVERSE ALARH EVALUATION OF EVENT As In the ease of toss of forced reactor coolant flow, the cost likely cause of event of this type, is the failure of the reactor coolant Fxrp (RCP) or cater.
The operator Is provided with a significant rxcber of a(arse to give hln Infonaat ion regarding the RCP's and notors.
These a(arcs Include bearing tccp high, lower bearing seel water tccperature high, lower bearing coolfng water flow low, upper oil pot level high or Iow, and lower oil pot level high or low.
Therefore, It ls likely that the operator will have lnforcfatlcn available which wilt allo<< hln to anticipate snd therefore, stfxstantfel(y nit f gate the event, For Unit 2 an offslte dose calculation was per(arched ss s part of the transition to westinghouse vantage 5 fuel.
Jhe site bouxfary doses were 3 rcfs, thyroid and 0.3 rafa whole body.
These are very saaII fractions of the IOCfR100 criteria.
However, with a delay In reactor trip of M seconds, It Is anticipated that <<ore dafaage will be increased significantly.
Nevertheless, the 10CfR100 criteria are expected to be satisfied for this condition IV event.
In section IL.3.5, an offslte dose analysis tor LOCA which ls Ident lfled ss the naxicua h)pothet 1 eel accident ls described.
For this analysis, It Is accused ih t ttft f th ~l f h tht hatt f th ~ll f ~t h released
'to contal nfhCtlt ataOSphere Table I(.3.5-10 of the Unit 2 UFSAR snd Table I(.3.5.7 of the Unit I UFSAR display the doses for this analysis.
They satisfy the criteria of IOCfR100.
Since the RCS ls anticipated to be fntact after a locked rotor event, It ls expected that the doses for the ctaxlsua hypothetical sccMent <<ill substantially bound the locked rotor event doses.
- Attachment to AEP:NRC:1159E
RESPONSE
TO RAI ITEM 2 This item requested information pertaining to a) 'the need to perform a pre-operational end-to-end check of the new equipment, and b) information related to the effect of resistor tolerance on equipment calibration.
Regarding item a, as discussed with your staff during the December 20, 1993
- meeting, a pre-operational end-to-end loop check is not necessary, based on the pre-operational test methodology that willbe employed.
Pre-operational testing is comprised of the following elements:
Electrical wiring and basic functional checks of the racks, using standard plant installation procedures.
2.
Electrical wiring and basic functional
- checks, from the rack bistable output to driven devices external to the racks, using project-specific installation procedures.
3.
Calibrationi'from the transmitter to the first rack test point, using standard plant calibration procedures.
4.
Calibration from the rack test jack/first test point to the end panel or control
- device, using standard plant calibration procedures.
It is important to note that the first rack test point is the key overlap point, and that loop current is monitored at each calibration test segment (via test point resistors).
This test program results in a total end-to-end loop check through-overlapping.
This methodology is the current practice at the Donald C.
Cook Nuclear Plant and is common for the industry.
The test methodology adequately complies with IEEE Standard 338-1977.
Regarding Item b, as discussed during the December 20, 1993
- meeting, the calibration methodology adequately compensates for test resistor tolerance effects.
Test point resistor tolerances do not impact loop accuracy or performance.
There are no effects caused by test point resistor tolerances because these effects are calibrated out per the system design and the calibration methods.
This is accomplished by calibration of the field device and the rack components using a common reference test point as the key overlap.
point.
Use of this common test point allows the technician to adjust the calibration of the rack components so that test point resistance tolerance effects are eliminated.
0 0