ML17331B169
| ML17331B169 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 12/07/1993 |
| From: | INDIANA MICHIGAN POWER CO. (FORMERLY INDIANA & MICHIG |
| To: | |
| Shared Package | |
| ML17331B167 | List: |
| References | |
| 2985-VDV-01, 2985-VDV-01-R00, 2985-VDV-1, 2985-VDV-1-R, NUDOCS 9401060210 | |
| Download: ML17331B169 (14) | |
Text
REACTOR PROTECTION AND CONTROL PROCESS INSTRUMENTATION REPLACEMENT PROJECT AT DONALD C. COOK NUCLEAR PLANT UNITS 1 AND 2 REACTOR PROTECTION SYSTEM FUNCTIONAL DIVERSITY ASSESSMENT REPORT NO. 2985-VDV-01I REV 0 Prepared by: Date Concurred by: Lfk~P Date ~~ A~ P-Approved by: s ./ Date P 1 9401060210"931222 PDR ADOCK 05000315 P , PDR
UALITATIVE FUNCTIONAL DIVERSITY ASSESSMENT EXECUTIVE
SUMMARY
On April 21, 1992, AEPSC representatives had a meeting with the NRC on the
'eplacement of existing analog reactor protection process instrumentation with digital Foxboro Spec 200/Spec 200 Micro Electronics instrumentation. During this meeting, AEPSC was asked to assume a common mode failure (CMF) of the software of the new digital equipment during a postulated accident and then provide details as to whether operators could mitigate the consequences of the accident.
In response to this request, a functional diversity assessment of each updated FSAR (UFSAR) event assuming a common mode failure of the software has been performed. In this assessment, all the events for both Units 1 and 2 of the Cook Nuclear Plant given in the UFSAR were considered. A review was performed to divide events into potentially affected and not affected. Table-1 lists these events and indicates whether they would be potentially affected or not affected if a CMF were to occur. The potentially affected transients were then individually evaluated qualitatively in light of the FSAR analysis.
Each event evaluation was recorded on a form of the type shown in Appendix A.
This form outlines the thought process employed. The first column in Appendix A contains the UFSAR transient number listed in Table-1. The second column includes the name of the transient. The third column depicts the trip/safeguard function for reactor trip. This information was obtained from the UFSAR. The fourth column includes the information on the impact of common mode failure on the reactor trip function. If the trip function is processed outside of the new digital reactor protection system, then the trip is available, e.g., trip on nuclear instrumentation system high flux. If the trip is processed by a function that is a part of the new digital equipment, then the trip/ESF function is assumed to be lost. However, for some functions, alternate indications and/or diverse alarms are available. The alarm/alternate indications that are available to the operator to mitigate the transient are given in the next column. The sixth column lists pertinent diagram numbers. The seventh column summarizes the consequences of the unavailability of diverse alarm. The last column provides the evaluation of the event. In this column, we have discussed the consequences of the operator's response on reactor safety.
Based on this evaluation, we have concluded that the CMF of the new digital equipment has no significant adverse impact on the public safety, Some reactor trips are not affected by the installation of the new digital equipment. Among these trips are neutron high flux and high rate trips, undervoltage and underfrequency trips and reactor trip on turbine trip. However, for events protected by trip actuations affected by the CMF, the operator will be alerted to the event by an alarme will then provide the appropriate actuations manually and enter the emergency operating procedures. For some accidents, such as locked rotor, the consequences could be more severe than currently analyzed due to the longer response time for the required actuation. However, our evaluation indicates that the affected unit can be brought to a safe condition and the current LOCA offsite dose evaluation will remain bounding. From these results, it is believed that a CMF of the of new digital public.
system would have no adverse effect on the health and safety the
Table-1 UFSAR POTENTIALLY TRP"tSIENT ~ TRANSIENT AFFECTED (A)/
NOT AFFECTED(NA) 14.1.1 ncontrolled RCCA Withdrawal from a Subcritical Condition A 14.1.2 ncontrolled RCCA Withdrawal at Power A 14.1.3 od Cluster Control Assembly Misalignment A 14.1.4 CCA Drop A 14.1.5 Chemical Volume and Control System Malfunction A 14.1.6 Loss of Reactor Coolant Flow A 14.1.7 Startup of an Inactive Reactor Coolant Loop A 14 '.8 Loss of External Electrical Load A 14.1.9 Loss of Normal Feedwater Flow A 14.1.10 Excessive Heat Removal due to Feedwater System Malfunction A 14.1.11 Excessive Load Increase Incident A
- 14. l. 12 Loss of All A.C. Power to the Plant Auxiliaries A 14.1.13 urbine-Generator Safety Analysi.s A 14.2.1 Fuel Handling Accident A 14.2.2 ccidental Release fof Radioactive Liquids A 14.2.3 ccidental Waste Gases Release A 14.2.4 Steam Generator Tube Rupture A 14.2.5 upture of a Steam Pipe A 14.2.6 upture of a Control Rod Drive Mechanism Housing (RCCA A Ej ection) 14.2.7 Secondary System Accidents Dose Consequences A 14.2.8 ajor Rupture of a Main Feedwater Pipe A 14.3.1 Large Break LOCA Analysis A 14.3.2 Loss of Reactor Coolant from Small Ruptured Pipes or from A Cracks in Large Pipes which Actuates the Emergency Core Cooling System 14.3.3 Core and Internals Integrity Analysis NA 14.3.4 Containment Integrity Analysis A 14.3.5 Environmental Consequences of a Loss of Coolant Accident ~
A 14.3,6 ydrogen in the Containment After a Loss of Coolant A ccident 14.3.7 Long Term Cooling NA 14.3.8 Nitrogen Blanketing NA 14.4. 2 Postulated Pipe Failure Analysis Outside Containment NA 14.4. 3 nalysis of Emergency Conditions NA 14.4.4 Stress Calculations NA 14.4.5 Description of Pipe Whip Analysis NA 14.4.6 Compartment Pressures and Temperatures NA 14 '.7 Description of Jet Impingement Load Analysis NA ..
14.4.8 Containment Integrity NA 14.4. 9 Plant Modifications NA 14.4.10 Environment NA 14.4.11 Electrical Equipment Environmental Qualification A
~PPENDZX A UNI I I end UNIT N fSAR TRANSIENT TRIP/SAfECUARO FUNCTION fOR INPACT Of COONNI HCOE ALARN/ALTERNATE INDICATION OIACRAH N CONSEOUENCES Of IRANSIENI t RX TRIP fSAR fAILURE (CNF) ON TRIP STSTEH AYAILASLE UNAYAILANILITYOf EVALUATION OF EVENT FUNCTION DIVERSE ALARN
~ ~
< r V
'v, l,g
\~
~
k' ~
~
r
~
~ ra' UMIT 1 srd UNIT 2 Of ALARHIALTE RNAT E I ND I CAT I Ol DIACRAH g coNBEDUENcEs 0F EVALUATION OF EVENT ISAR TRANSIEMT TRIP/SAFEGUARD FUNCTION FOR IMPACT CONNCH NCOE III TRANSIENT N RX TRIP @SAR ttf.t. g.t) FAILURE (CNF)
FUNCTIOH OM TRIP SISIEN AVAILABLE UMAVAILABIL DIVERSE ALARM OF Loss of Forced Reactor 1. Rx trip on reactor Not Affected Reactor Coolant Purp Ihe Rx trip cn reactor coolant pop power apply 1(.1.6.1 urdervot tsge Nd under frequency remains Coolant flaw coolant parp power svfpty undcrfrcqucncy snd undervoltsge or undervoltage stern tmaffcctcd by a cccoen cede failure (CNF) of the (Procedure I, 2.OMP, C02C, ncw digital fnstrtzaentat loA urdar frequency Ihc reactar trip on toss of flow In a coolant 107, 207) loop ls lost on CNF for each loop. These are no Diverse Alarms available; however, panel
- 2. Rx trip on low reactor Low flow Rx trip lost (for Indica Ion Ave t table FD.2101 lf the Rx ls at paver Indlcat ton and cocputer Irdlcatlon sre available coolant loop ftow. sll four loops> Panel Indtcat lan Sheet 3 st the time of the for the low coolant loop flow.
cacpvtcl .IAdlcet f oA and C accident, the Dlvcrsc Aterm AvellabLc Imacdlate effect of a Two cases of loss of flow sre discussed tn fSAR loss of coolant flow (IC.1.6). The slrultaneous Loss of paver to all is a rapid Increase In C RCPC can occur due to ~ Ither undcrfrequcncy or the coolant vndcrvattage, ahtch la not lapacted by CNF. This
~ah I&I tecperature which ls sltvatlon ls highly taltlkety, since each pap ls Pressurizer pressure panel magnified by a connected to a separate bus, vhtch ts stppt ted indi cit I on positive HTC. This by one of twa transformers.
Pressvrlzer pressure Increase could result rccordcr ln DNB with slfasequcnt The cansepenccs of the loss of flow fnclude an Pressurizer prcssure adverse effects to the Increase ln lavg, pressurizer prcssure, and cceputer indication fuel, if the Rx ls not pressurizer water level. Mlde range RCS Pressurizer level panel tripped prccptly. tccperature recorders (mace dated 9/2/92 frua U.
Indication (FSAR, page IC.1.6 1) G. Sotos to V. D. Vandcrgurg) ere avaltable to Pressurtzer leveL recorder the operator to Indicate an Increase tn lavg.
Pressurizer level cccputer There Is no Rx trip on high Tavg. The Irdl cat I on pressurtzer pressure will cant tram to rise talttt Hide range tccperature the operator gets a high pressure deviation records alarm at 2325 psta (2.ONP C02C.200 Drcp 7) far Unit 2 ard 2175 psla for Unit l. The Rx trip on Other Alarms hfgh prcssure (setpofnt < 2COO pals) Is lost dve Pressurizer high prcssure to cNF. However, diverse alarms (cece dated deviation vl ~ control 9/2/92 frau U. G. Sotos to V. D. VandcrBurg) are sys'teal available. It ls evident that the high pressvre four htgh pressure alarms deviation ~ Lane util draw the operator's via central systcaa attcnt ten, and he wlLL trip the Rx carnally.
Pressurizer htgh level The operator will atso be Likely to see the hfgh devlatlcn via ccntrol tevel deviation alarm at SX above pragren. Ihe sys Icc4 consequences of this awxaat Rx trip are Nigh LcvcL via coAtroL discussed belew.
sys'tccl Acoust tc sent tor flow Crude extrapolations of DNBR for these events detected suggest that IONBR could be reached within rI6 to lb seconds for loss af flow In one loop.
Stutter extrapolations suggest that the high prcssure dcvlatfon atana would first be received 4 seconds Into the transient although the ~
operstlan of pressvrl ter sprays will IACreaae this estimate. Altowlng W seconds for operation response It ls clear that DNB could 7
4 I ~
L
~ 'l UNIT I and UNIT 2 FSAR TRANSIENT TRIP/SAFECUARD fUNCTIOH FOR IKPACT OF COKKON KOOE ALARM/ALTFRNATE INDICATIOI DIAGRAM H CONSEQUENCES OF EVALUATION OF EVENT TRANSIENT H RX TRIP(FSAR 1(f,l.(.I') FAILURE (CKF) OH TRIP STSTEH AVAILABLE UNAVAILABILITTOF NNCT I ON DIVERSE ALARH IL 1.6.1 occur resulting ln clad chxasge. Since a nasslve (cont'd) cultlple failure Is accused for this event, this ls bcLleved to be acceptable Vlth a loss of f(ou ln one loop total core f lou should rccteln MX recoovlng the bulk of thc heat frees the core, llnltlng the detcrloratlcn of the core prior to svuxcal reactor trip. 1hc portion of the core that experiences DNB ls expected to heat up cntIL thc Doppler coefficient shuts It doccn. fuel is not expected to ne(t but c(ad burst and oxldatfcn ere antfclpsted. It should also be noted that this event uas analyzed ulth a positive noderatfcn coefficient (KIC) of +5 pcn/'F. Thfs value Is nore llnltlng than the Technical Specification lfnlt at IDOX RTP. It Is conservative and provides scbstantfai nargfn throughout coast of the life. This causes pc+sr to Increase as the coolant tecperature Increases. A sore realistic ssscnptfon for beginning of cycle ls -(pccc/oF. A negative KTC ulll tend to shutdown the core as tecperaturc Increases nltlgatlng the event. The HTC becones scgntantfaily sore negative as burncp progresses. The Cook Units are base loaded and operate ulth control roch ln the alL out posltlcn at full pouer. Therefore, the possibility that automatic rod control night ulthdrau rods Hill have no Icpact because rods are essentially fully ufthdravn. After reactor trip, the ecoergency operating procedures provide for nltlgatlon activities to bring the nachlne to a safe condltlcn.
In the evaluatlcn of the previous paragraph, an operator response tine of assessed.
~ seconds uas Vf thouc a reactor trip, pressurlter pressure and level sre expected to ccnticae to Increase after the first atones are received.
uhen pressure reaches 2250 pale, the poRY's Hill open resultfng fn an acoustic aonltor f lou cietected clara. Extrapolating the analysis curves, uhlch do not codel pressurlter spray, this could occur before KDMBR ls reached.
'therefore, It ls likely that sn acccnutatlon of slams ulll occur before 60 secceds have elapsed. Ihercfore, the operators response tice ccay be less than 60 seconds for this event.
,T sl
't 44 s
i
~ 5 ~ \
~'
UNIT I and UNIT 2 TRIP/SAF EGUARO FUNCTION fOR IHPACT OF CCHHON HCOE ALARH/ALTERNATE INOICATION OIAGRAH g CCNSEOUENCES OF EVALUATION Of EVENT TSAR TRANSIENT TRANSIENT g RX TRIP (CESAR (LI. I,g,I) FAILURE (CHF) ON TRIP FUNCTION STSTEH AVAILABLE UNAVAILABILITTOF DIVERSE ALARH IS+I+6.1 The cxet likely cause of an event of this type, (cont'd) ls a failure of the reactor coolant purp (RCP) or Its notor. The operator ls prov(dad ulth a slgnlf leant rasher of a(arne to give hln lnfonaat Ion regardfng the RCP's end enters.
Ihese a(aran Include RCP notor dlfferent I ~ I trip, RCP actor overload trip, axl RCP eater overheated. Therefore, It Is likely that the operator Hill have Inforeatlon available eh(eh Hill ~ (lou hta to antlclpate and, therefore, ad+tant(a((y alt(gate the event.
,c UNIT I and UNIT 2 FSAR TRANSIENT TRIP/SAFEGUARD FUNC'TION fOR IMPACT Of COONCI NCOE ALARN/ALTERNATE INOICATICH OIAGRAN ¹ CONSECUENCES OF EVALUATION OF EVEN'I TRANSIENT ¹ Rx TRIP (FsAR LLI~ I, gi 2) FAILURE (CNF) CN 1RIP SYSTOL AVAILASLE UNAVAILABILITTOF FUNCTIOI DIVERSE ALARN TS.T.6.2 Locked Rotor/Shaft Reactor trip on low flow Low flow reactor trip lost Indications Avallab e fg 2101 If the Rx fs at power The FEAR analysis for this event assuces an greek Accident signal (swee 9/2/92 cece frees V. Panel Irdication Sheet at thc tice of instantaneous seizure of a reactor coolant Fcrp W. Sotos to V. D. Cocputer Indication 3 and 4 accident, the rotor. for this event, the reactor trips on low Vendergurg) Iverse ALare Avai ab Iceediate effect of ~ flow signal. The cccren cede failure (CNF) of loss. of flow (seizure the ncw digital Instrucentatfon would result In of a RCP rotor) ls an ~ loss of low flow Rx trfp signal.
OJhl&l tl Increase In the Pressurizer pressure panel coolant tecperature. 'the loss of flow will Increase the coolant Irdication 'This Increase could tecperature end an Increase ln pressurizer Pressurizer pressure result In DKB with pressure due to a reduction In hest rceoval.
recorder subsequent adverse Thc wide range RCS tccperature recorders (cece Pressurizer pressure effects to fuel, lf dated 9/2/92 froa V. G. Sotos to V. D.
cocpJter Ifdfcatfon the Rx ls not tripped Vsndergurg) are available to the operator. The Pressurizer leveL panel procptly (fSAR, Page pressurizer pressure will ccntlfMJe to riscg and Irdicatlon LS.1.6 1) the operator will get a high pressurizer Pressurizer level recorder deviation ~ Larcs at 2325 pele (Procedure 2-ONP Pressurizer Level cccputer (02(.200 Drop 7) for Unit 2 ard 2175 pals for lrd lest Ion Unit 1. 1he reactor trip on high pressure Vide range tecperature (<2(00 ps(a) Ic tost due to CNF. Kowever, hfgh records prcssure diverse elarce sre available (cece Sourd of pressurizer dated 9/2/92 (rect V. G. Sotos to V. D.
safety valves Vandergurg). Therefore, the high pressure deviation aiarcc will draw the operator's Other Al cree attention to trip the reactor coreatiy.
Pressurizer high pressure devlatlcn via control This event Is very euch like the loss of forced systue reactor coolant flow ln cne loop. Kowever, lt four high pressure alares Is cere severe In that total core flow Is vl ~ control systua reduced nore rapidly to a lower value. The Pressurizer high level total core flow ls reduced to ~70X within ~2 deviation via control seconds. As the coolant heats up, ~ significant systua Increase In prcssure occurs. The peak analyzed Nigh level via ccntrol pressure for both tcdts ls ~2590 psla. This cyst us peak occurred at .2 seconds after the reactor Acoustic cenltor flow trip at I second. This pressure Is less then detected 110X of the design pressure, I.e. 2750 psla.
Kowever, lf reactor trip is delayed M seconds, lt corset be stated with certainty that this prcssure would not be exceeded. Kowever, the or the pressurizer PORV's. 't analysis takes no credit for pressurizer spray Is also the case as with the loss of forced reactor coolant flow that the analysis was perforeed with a positive cederator tecperature coefficient (NTC) of +5 pccc/'F. This value ls cere (la(ting than the Tcchnical Specification LINIt at 100X RIP. It Is conservative and provides substantial eargin throughout the core life.
UNIT 1 snd UNIT 2 FSAR TRANSIENT TRIP/SAFEGUARD fUHCTIOH FOR IHpAcT of cororou HcoE ALARH/ALTERNATE IN)ICATION DIACRAH y CONSEQUENCES OF EVALUATION OF EVENT y RX TRIP (FSAR r ( ~ 2) FAILURE LCHF) ON TRIP STSIEH AVAILABLE UNAVAILABILITYOF TRANSIENT L q c L fUNCTLON DIVERSE ALARH TS 1.6.2 Therefore, as Tavg ls Increased, pouer lncressts (con't) In the analysis. As Indicated ln the loss of forced reactor coolant f lou, a raore realistic begirniny of cycle HTC, voutd be
~ -Spear/'f. Throughout core life the HIC vould decrease to the r.20pcra/'f. The feerhack froa the HTC uould therefore tend to shut the reactor doun rather than Increase pouer ln an actual event. The Cook ralits art base Loaded and operate vlth ccntrol roch fn the all out positlcn st fuLL povtr. The possibility that autocatlc rod ccntrol raight vlthdrau roch vill have no fapsct because roh sre essentially fully vlthdraun. These consideraticns lead us to conclude that It fs rxlllkciy that prcssuriaer prcssure vould exceed 2730 pale snd virtually laposslble to exceed 3200 pslg, the ASNE goiter ard Pressure Vessel Code Ltvel C crltericn, vhlch vas used for AHSAC design.
In the analysis, DNS ls expected to occur. In thc event of a delay of reactor trip by ~
seconds, thfs sltuatlcn can only be cxaccrbated.
The operatlcn of pressurizer sprays erd PORV's vhich vere not axdeicd ln the analysis vill also rcsu'Lt in an Increase In fuel re ln DNS.
Kouever, It Is believed that the available flou vill prevent the core frere degrading to conditicn uhere it carnot be cooled after trfp.
The portion of the core that experiences DNB ls expected to heat up rxltft the Doppler coefficient shuts It dovn. Fuel ls not expected to trait but clad burst and oxidation are anticipated. Srbstantlal core darvrge Is acceptable for this event vhlch is an ANS cordition I)l event vlth arassive axrltipte failures In the evaluation of the previous tvo parsgraffrs, an operator response tlrac of M seconds vas assraaed. Koucvcrr 'this cvctlt ls cxpcc'ttd to bc wry draraatic Several pressurizer sierras can be expected vithin seconds of the start of the event includiny the acoustfc cxxlltol f lou dc'tcc'tcd elena 1he pressurlaer safety valves csn be expected to Lift vhlch creates sn lapresslve sand in the control rocra. Therefore, tht operators response rvry be less than 60 stconds for this event.
UNIT I and UNIT 2 fSAR TRANSIENT TRIP/SAFEGUARD FUNCTION fOR IHPACT OF CCHHON HCOE ALARH/ALTERNATE INOICATIOH DIAGRAH ¹ CONSEOUENCES OF EVALUATION OF EVENT
'IRANSIENT ¹ RX TRIP (fSAR fq.I.L.S.] FAILURE (CHF) OI TRIP STS'IEH AVAILASLE UNAVAI LAB I LITT OF FUNCTION DIVERSE ALARH Irh I.ff.2 As In the ease of toss of forced reactor coolant (ccn't) flow, the cost likely cause of event of this type, is the failure of the reactor coolant Fxrp (RCP) or cater. The operator Is provided with a significant rxcber of a(arse to give hln Infonaat ion regarding the RCP's and notors.
These a(arcs Include bearing tccp high, lower bearing seel water tccperature high, lower bearing coolfng water flow low, upper oil pot level high or Iow, and lower oil pot level high or low. Therefore, It ls likely that the operator will have lnforcfatlcn available which wilt allo<< hln to anticipate snd therefore, stfxstantfel(y nit f gate the event, For Unit 2 an offslte dose calculation was per(arched ss s part of the transition to westinghouse vantage 5 fuel. Jhe site bouxfary doses were 3 rcfs, thyroid and 0.3 rafa whole body. These are very saaII fractions of the IOCfR100 criteria. However, with a delay In reactor trip of M seconds, It Is anticipated that <<ore dafaage will be increased significantly. Nevertheless, the 10CfR100 criteria are expected to be satisfied for this condition IV event. In section IL.3.5, an offslte dose analysis tor LOCA which ls Ident l fled ss the naxicua h)pothet 1 eel accident ih t ttft f th hatt f th ~ll ~l ls described. For this analysis, It Is accused f ~tf h tht released 'to contal nfhCtlt ataOSphere h
Table I(.3.5-10 of the Unit 2 UFSAR snd Table I(.3.5.7 of the Unit I UFSAR display the doses for this analysis. They satisfy the criteria of IOCfR100. Since the RCS ls anticipated to be fntact after a locked rotor event, It ls expected that the doses for the ctaxlsua hypothetical sccMent <<ill substantially bound the locked rotor event doses.
- Attachment to AEP:NRC:1159E RESPONSE TO RAI ITEM 2 This item requested information pertaining to a) 'the need to perform a pre-operational end-to-end check of the new equipment, and b) information related to the effect of resistor tolerance on equipment calibration.
Regarding item a, as discussed with your staff during the December 20, 1993 meeting, a pre-operational end-to-end loop check is not necessary, based on the pre-operational test methodology that willbe employed. Pre-operational testing is comprised of the following elements:
Electrical wiring and basic functional checks of the racks, using standard plant installation procedures.
- 2. Electrical wiring and basic functional checks, from the rack bistable output to driven devices external to the racks, using project-specific installation procedures.
- 3. Calibrationi'from the transmitter to the first rack test point, using standard plant calibration procedures.
- 4. Calibration from the rack test jack/first test point to the end panel or control device, using standard plant calibration procedures.
It is important to note that the first rack test point is the key overlap point, and that loop current is monitored at each calibration test segment (via test point resistors). This test program results in a total end-to-end loop check through- overlapping. This methodology is the current practice at the Donald C. Cook Nuclear Plant and is common for the industry. The test methodology adequately complies with IEEE Standard 338-1977.
Regarding Item b, as discussed during the December 20, 1993 meeting, the calibration methodology adequately compensates for test resistor tolerance effects. Test point resistor tolerances do not impact loop accuracy or performance. There are no effects caused by test point resistor tolerances because these effects are calibrated out per the system design and the calibration methods. This is accomplished by calibration of the field device and the rack components using a common reference test point as the key overlap.
point. Use of this common test point allows the technician to adjust the calibration of the rack components so that test point resistance tolerance effects are eliminated.
0 0