ML18018B510

Safety Analysis of Shearon Harris Safety Parameter Display Sys.
Person / Time
Site: Harris
Issue date: 09/30/1983
From: Buckley D, Finn S
CAROLINA POWER & LIGHT CO., SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
Shared Package
ML18018B509 List:
References
RTR-NUREG-0737, RTR-NUREG-737 8207NLU, NUDOCS 8312120253


Text

SAFETY ANALYSIS OF THE SHEARON HARRIS SAFETY PARAMETER DISPLAY SYSTEM

Prepared by CAROLINA POWER & LIGHT COMPANY

Technical Document Prepared by Stephen P. Finn, Dennis W. Buckley

Science Applications, Inc.
P.O. Box 2351, 1200 Prospect Street
La Jolla, California 92038

September 1983

8312120253 831202 PDR ADOCK 05000400 PDR

TABLE OF CONTENTS

1. INTRODUCTION
2. CRITICAL SAFETY FUNCTIONS
   2.1 Barriers to the Release of Radioactivity
   2.2 Relationship of Critical Safety Functions to Barrier
3. CRITICAL SAFETY FUNCTION STATUS TREES
   3.1 Prioritization of Tree Branches
   3.2 Function Restoration Guidelines
4. BASIS FOR CRITICAL SAFETY FUNCTION TREES PARAMETER SELECTION
   4.1 Subcriticality Tree
   4.2 Core Cooling Tree
   4.3 RCS Integrity Tree
   4.4 Heat Sink Tree
   4.5 Containment Tree
   4.6 RCS Inventory Tree
5. SPDS CRITICAL SAFETY FUNCTION STATUS BLOCKS
   5.1 Parameter Validation
   5.2 Arrangement of Status Blocks and Prioritization of Response
   5.3 Status Blocks and Plant Safety
6. EXAMPLES OF SPDS RESPONSE TO TRANSIENTS
   6.1 Steam System Piping Failure
   6.2 Loss of Normal Feedwater
   6.3 Complete Loss of Forced Reactor Coolant Flow
   6.4 Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power
   6.5 Inadvertent Operation of the Emergency Core Cooling System During Power Operation
   6.6 Large Loss of Coolant Accident

2. CRITICAL SAFETY FUNCTIONS

In order to maintain a nuclear power plant in a safe condition, there is a set of functions that must be performed. The full set of functions that must be performed in order to fully safeguard the general public from possible consequences of nuclear power plant operation is commonly referred to as the set of critical safety functions (CSFs). For a PWR, the set of critical safety functions consists of the following:

1. Subcriticality
2. Core Cooling
3. RCS Integrity
4. Heat Sink
5. Containment Integrity
6. RCS Inventory

2.1 BARRIERS TO THE RELEASE OF RADIOACTIVITY

The functions listed above were chosen because they relate directly to one or more plant barriers to the release of radioactivity. Satisfying these functions will keep the barriers intact. The barriers that are provided in every nuclear power plant installation consist, at the minimum, of

- the fuel matrix and fuel clad
- the reactor coolant system pressure boundary
- containment
- distance

For the purposes of the SPDS, only the first three barriers are considered. The "distance" barrier and portions of the general containment barrier other than the main containment vessel are considered to be included within the scope of the Site Emergency Plan. These first three are direct physical barriers to the transport of radioactive materials and together provide the required "defense in depth".

The reactor coolant system pressure boundary blocks the transport of radionuclides that escape through the fuel rod barriers and those that are produced outside of the fuel rods themselves. Containment blocks the release of radionuclides that pass through the reactor coolant system pressure boundary and those few radionuclides that form outside the reactor coolant system. In its most general form, "containment" includes the main containment vessel, the boundaries of those systems that penetrate the main containment vessel (the steam and feedwater systems and various auxiliary systems) and the boundaries of the separate waste storage facilities (waste gas storage tanks, spent fuel storage, etc.).

As long as the fuel rod, reactor coolant system pressure boundary and containment barriers are intact in a nuclear power plant, that plant poses no threat to the health and safety of the general public. Should one or more of the barriers be faulted, the threat to the general public increases. If all barriers are lost, the threat becomes significant and external emergency actions may be called for. Therefore, the goal of nuclear power plant operation, in terms of nuclear safety, is to assure that as many as possible of the three primary barriers remain intact at all times and under all conditions and/or circumstances that may exist.

2.2 RELATIONSHIP OF CRITICAL SAFETY FUNCTIONS TO BARRIER

The six critical safety functions can be associated with the barriers in the following manner:

Barrier / Critical Safety Function

Fuel Matrix and Fuel Clad:
- Maintenance of Subcriticality (minimize energy release in the fuel)
- Maintenance of Core Cooling (provide adequate heat removal from the fuel)
- Control of RCS Inventory (maintain coolant inventory for effective heat removal from the core)

Reactor Coolant System Pressure Boundary:
- Maintenance of a Heat Sink (provide adequate heat removal from the reactor core)
- Maintenance of RCS Integrity (prevent overpressurization of the RCS)
- Control of RCS Inventory (maintain coolant inventory for effective heat removal from the reactor core)

Containment Vessel:
- Maintenance of Containment Integrity

If the critical safety functions are maintained, the barriers will remain intact. The SPDS provides a means of monitoring the critical safety functions and provides guidance for restoring any function which may be challenged. In this way, the SPDS provides an additional line of defense for the plant, independent of the Plant Protection System and Engineered Safeguards System. The manner by which the SPDS monitors the critical safety functions is described in the following section.

3. CRITICAL SAFETY FUNCTION STATUS TREES

In order to determine whether a critical safety function is satisfied, it is necessary to check only a few parameters. However, these parameters cannot be considered individually, since their significance is often affected by some other parameter. For example, for Shearon Harris, the Heat Sink critical safety function is challenged if the total feedwater flow to all steam generators falls below 430 gallons per minute. However, this low feedwater flow is not of concern if the water volume in at least one steam generator is at least 20 percent of narrow range indication. Therefore, the important parameters for each function have been combined in a logical array called a "status tree." The combination of parameters existing at any time defines a unique path through the tree, and also a unique "status" of the critical safety function.

The branch points of each tree are based on a comparison of the parameters with a reference value indicating a safe condition. In the previous example, the Heat Sink tree contains a branch for total feedwater flow relative to 430 gpm. If the total feedwater flow to all steam generators is less than 430 gpm, the path through the tree will indicate that the Heat Sink function is challenged. If feedwater flow is greater than 430 gpm, the path through the tree will progress towards other branches where other parameters will be checked. When each of these branches is resolved, the final path will indicate success in maintaining the Heat Sink function or the mode of impairment of this function. A more detailed description of the trees is presented later.

3.1 PRIORITIZATION OF TREE BRANCHES

Since there are a number of parameters of importance to each function, the trees contain several branches and paths. The end point of each path defines a unique set of plant conditions, expressed as a combination of current values of the parameters. Each set of conditions reflects how nearly adequately the critical safety function is satisfied, and thus the priority of the required response. In order to quickly inform the operator of the nature of the current conditions, each path is color coded. The color tells the operator immediately if the critical safety function is challenged and tells him the relative severity of the challenge. The SPDS presents this color-coded status in two ways. First, all SPDS displays contain status blocks for each of the six critical safety functions. Each block will appear on the screen in the appropriate color indicating the current status of that function. Thus, the operator can see at a glance the status of all six functions. Second, on the display of each critical safety function status tree, the path defining the current conditions will be drawn through the tree in the appropriate color. Because each path defines a unique set of conditions, only one path is colored at any time.

The scheme of color coding used to identify the priority of the current conditions is as follows:

- GREEN: the critical safety function is satisfied; no operator action is called for.

- YELLOW: the critical safety function is not fully satisfied; operator action may eventually be needed.

- MAGENTA: the critical safety function is under severe challenge; prompt operator action is necessary.

- RED: the critical safety function is challenged; immediate operator action is required.

3.2 FUNCTION RESTORATION GUIDELINES

In addition to providing information on the current set of conditions and their importance, the critical safety function trees provide information which can be used as a basis for execution of corrective action. The end point of each path in the status trees directs the operator to a particular "function restoration guideline." These guidelines differ depending upon the seriousness of the threat to the critical safety function. The guidelines direct the operator to perform various actions designed to restore the threatened function to a satisfactory status.

4. BASIS FOR CRITICAL SAFETY FUNCTION TREES PARAMETER SELECTION

The six critical safety function trees are shown and described in this section. The basis for the selection of each of the parameters in the trees will be discussed. In addition, the state (of the critical status function) which results from following each tree path will be established. In this analysis, the following letters are used in place of color coding: "R" for RED, "M" for MAGENTA, "Y" for YELLOW, and "G" for GREEN.

4.1 SUBCRITICALITY TREE

The Subcriticality Tree is shown in Figure 4.1-1. Since this tree is gauging the reactivity state of the core, the parameters selected are those characterizing neutron flux behavior as measured by the nuclear instrumentation system. The basis of this tree is that the Subcriticality Function is satisfied whenever the indicated core neutron level is in the source range and core neutron level is steady or decreasing (as indicated by a zero or negative startup rate).

Immediately after a reactor trip, a few minutes will elapse before the source range instruments become energized. During this time, it is still possible to satisfy the Subcriticality Function by having a sufficiently negative startup rate in the intermediate range. For the purposes of this tree, the Subcriticality Function is considered satisfied if the neutron flux has dropped into the intermediate range with a startup rate more negative than -0.2 decades per minute (dpm).

The tree is arranged in a logical downward progression through the ranges of neutron flux instrumentation, starting with power range and proceeding through intermediate range to source range. For power range, the tree branches at a power level of five percent. This level is well above the power level following reactor trip, and is considered easily readable on power range instruments. Confirmation of a power level in excess of five percent is a RED path status, since it represents a serious challenge to the integrity of the fuel matrix/cladding barrier.

[Figure 4.1-1. Subcriticality Status Tree.]

If power is below five percent, the flux may be at a level where the intermediate range instruments provide the best means of tracking it. Here we are not concerned with the level of flux, but whether it is decreasing. If the neutron flux in the intermediate range is increasing (positive startup rate), then it is only a matter of time before the flux level becomes sufficiently high to re-enter the power range. This condition is not as serious as the RED path described above, so it is coded MAGENTA, indicating that operator action is required promptly. Notice that both the RED and MAGENTA paths direct the operator to function restoration guideline FR-S.1. The required actions are the same, but the degree of urgency is different.

If neutron level is in the intermediate range and the source range instruments are not yet energized, the Subcriticality Function is considered satisfied if the startup rate (SUR) is sufficiently negative (< -0.2 dpm). The existence of this set of conditions implies that the core is, in fact, subcritical. This branch is designed to allow the Subcriticality Function block to remain GREEN following a trip, but before long-lived delayed neutron precursors have decayed. If neutron level is in the intermediate range and SUR is not sufficiently negative, the path is colored YELLOW. If the source range is energized, the reactor still may not be subcritical. If the flux is in the source range, but increasing (positive SUR), the reactor is not subcritical and the function is not satisfied. However, this does not represent an immediate threat since the flux level is far below power production levels, so this path is also coded YELLOW. If the flux is in the source range and stable or decreasing (zero or negative SUR), the Subcriticality Function is satisfied and the path is coded GREEN.

It should be noted that since this tree is designed to measure the extent to which the core is shutdown, the Subcriticality Function cannot be satisfied during power operation. Therefore, the SPDS software will consider the Subcriticality Function to be GREEN when the plant is in the power operation mode, until a reactor trip signal is generated by the Reactor Protection System. At this time, it becomes necessary to satisfy the Subcriticality Function, and the SPDS will begin to monitor the tree.

In summary, the parameters chosen for the Subcriticality tree are those which give an indication of the reactivity state of the core. The function is considered satisfied if neutron flux is in the source range with a zero or negative startup rate, or if power is below five percent with a startup rate less than -0.2 dpm.
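The Subcriticality tree of Section 4.1 written out as code, as an added example (not taken from the original report or from the SPDS software). The input record, its field names, and the treatment of "source range energized" as "flux in the source range" are assumptions; the five percent and -0.2 dpm branch values and the FR-S.1 references come from the text above.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Status(IntEnum):
    """Color codes of Section 3.1, ordered so a higher value is more urgent."""
    GREEN = 0
    YELLOW = 1
    MAGENTA = 2
    RED = 3


@dataclass(frozen=True)
class NISnapshot:
    """One reading of the nuclear instrumentation (hypothetical record layout)."""
    reactor_trip_signal: bool       # trip signal from the Reactor Protection System
    power_range_pct: float          # power range indication, percent
    intermediate_sur_dpm: float     # intermediate range startup rate, decades/minute
    source_range_energized: bool
    source_sur_dpm: Optional[float] = None  # valid only once the source range is energized


@dataclass(frozen=True)
class TreeResult:
    status: Status
    path: str
    guideline: Optional[str]  # None where the text above names no guideline


POWER_LIMIT_PCT = 5.0     # power range branch point (Section 4.1)
IR_SUR_LIMIT_DPM = -0.2   # "sufficiently negative" intermediate range startup rate


def evaluate_subcriticality(ni: NISnapshot) -> TreeResult:
    """Walk the tree from power range down to source range; exactly one path results."""
    # The tree is only monitored after a reactor trip signal; before that the
    # function is shown GREEN because it cannot be satisfied at power.
    if not ni.reactor_trip_signal:
        return TreeResult(Status.GREEN, "power operation, tree not monitored", None)
    if ni.power_range_pct > POWER_LIMIT_PCT:
        return TreeResult(Status.RED, "power range above 5 percent", "FR-S.1")
    if ni.intermediate_sur_dpm > 0.0:
        return TreeResult(Status.MAGENTA, "intermediate range SUR positive", "FR-S.1")
    if not ni.source_range_energized:
        if ni.intermediate_sur_dpm < IR_SUR_LIMIT_DPM:
            return TreeResult(Status.GREEN, "intermediate range SUR below -0.2 dpm", None)
        return TreeResult(Status.YELLOW, "intermediate range SUR not below -0.2 dpm", None)
    if ni.source_sur_dpm is None:
        # Refuse to report a status from a missing reading rather than default to GREEN.
        raise ValueError("source range energized but no source range SUR supplied")
    if ni.source_sur_dpm > 0.0:
        return TreeResult(Status.YELLOW, "source range SUR positive", None)
    return TreeResult(Status.GREEN, "source range SUR zero or negative", None)


def status_history(snapshots: List[NISnapshot]) -> List[Status]:
    """Status block color for each snapshot in a sequence."""
    return [evaluate_subcriticality(s).status for s in snapshots]


# Constructed sample: full power, then a normal trip with the source range
# instruments energizing a few minutes later. Values are illustrative only.
SAMPLE_TRIP = [
    NISnapshot(False, 100.0, 0.0, False),
    NISnapshot(True, 3.0, -0.33, False),
    NISnapshot(True, 0.0, -0.1, False),
    NISnapshot(True, 0.0, 0.0, True, -0.05),
]

if __name__ == "__main__":
    for snap, status in zip(SAMPLE_TRIP, status_history(SAMPLE_TRIP)):
        print(status.name, evaluate_subcriticality(snap).path)
```
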

4.2 CORE COOLING TREE

The Core Cooling tree is shown in Figure 4.2-1. The tree gauges the plant's capability for removing decay heat from the core. Failure to remove decay heat could result in failure of the fuel matrix/cladding barrier due to fuel melting or zirconium-water reactions. Therefore, the parameters used in this tree were selected on the basis of their ability to indicate either the temperature or level of the water in the core. The definition of an adequately cooled core is one in which the average core exit thermocouple temperature is less than 1200°F and the RCS water is subcooled. (See footnote (1) on Figure 4.2-1 for the definition of subcooling used by the SPDS.)

A temperature of 1200°F indicates that most liquid inventory has been removed from the RCS and the remaining steam is being superheated by core decay heat. This represents a severe challenge to the fuel matrix/cladding barrier, and this branch of the Core Cooling tree is color-coded RED. If the temperature is less than 1200°F and RCS water is subcooled, the path is coded GREEN since the Core Cooling Function is satisfied. If the RCS is not subcooled, but the core exit thermocouples are below 1200°F, there is some inventory left in the RCS so questions about reactor vessel level and reactor coolant pump status must be answered to determine how effective this coolant inventory will be in maintaining core cooling.

If at least one RCP is running and sufficient coolant inventory is present, the core can be effectively cooled, even by a two-phase mixture, because of the forced flow. Coolant inventory is indicated by the Reactor Vessel Level Indicating System (RVLIS). The satisfactory level of inventory depends upon how many of the three RCPs are running. The level chosen for the tree is the plant-specific value which corresponds to a system void fraction of 50 percent with the current number of pumps running. If average core exit thermocouple temperature is less than 1200°F and RCS water is not subcooled and at least one RCP is running and sufficient coolant inventory is available, then the core cooling function status is considered YELLOW since adequate core cooling can be maintained. However, heat removal is being accomplished using a two-phase mixture which is an abnormal mode of operation for a pressurized water reactor. If the RVLIS criterion is not met, the function status is considered MAGENTA because the RCS inventory is seriously depleted.

(1) sum of temperature and pressure measurement system errors translated into temperature using saturation tables (40°F).

(2) plant-specific value which is 3-1/2 feet above the bottom of active fuel in core with zero void fraction, plus uncertainties.

(3) plant-specific value corresponding to an average system void fraction of 50 percent with 3 RCPs running.

(4) plant-specific value corresponding to an average system void fraction of 50 percent with 2 RCPs running.

(5) plant-specific value corresponding to an average system void fraction of 50 percent with 1 RCP running.

Figure 4.2-1. Core Cooling Status Tree.

If no RCPs are running, then the amount of available inventory becomes much more important because of the absence of forced flow. Also, the current core exit thermocouple temperatures are important as a measure of core dryout by their indication of superheated steam temperatures. A core exit temperature of 700°F indicates that the fuel has heated up enough to superheat the cooling steam flow. The presence of the minimum coolant inventory which is sufficient to ensure core cooling for an extended period of time is indicated by a water level (with no void fraction) of at least 3-1/2 feet above the bottom of the active fuel. Figure 4.2-1 shows how the various combinations of temperature and level are color-coded for status, ranging from RED for temperature greater than 700°F and level less than 3-1/2 feet to YELLOW for the reverse situation.

In summary, the parameters chosen for the Core Cooling tree are those which give an indication of the temperature of the water in the core or the amount of inventory in the reactor vessel. The function is considered satisfied if the core exit thermocouples read less than 1200°F and the RCS is subcooled.

4.3 RCS INTEGRITY TREE

The RCS Integrity tree is shown in Figure 4.3-1. This tree gauges the thermal stresses on the reactor coolant system with the reactor vessel as the limiting component. The RCS Integrity tree is unique among all the critical safety function status trees in that the reference values against which current plant parameters are compared do not appear explicitly at the branch points. Rather, the reference values are lines separating entire operating regions in pressure-temperature space, and are shown in Figure 4.3-2. The main concern of the Integrity tree is the reactor vessel wall and its degraded material properties due to radiation embrittlement. As the thick-walled vessel ages, it tends to lose its ductility, and its nil-ductility temperature (that temperature at which it begins to exhibit brittle behavior) increases. Operators are normally aware of the brittle fracture concern, and are required by Technical Specifications to limit heatup and cooldown rates precisely to avoid a stackup of stresses, especially the thermal stresses, which might exceed a critical yield stress, and cause a postulated internal flaw to grow. This flaw growth could eventually lead to vessel failure. The concern of this status tree is for those serious transients which produce extremely large cooldown rates, and thus extremely large thermal stresses. Cooldown at the vessel wall could be caused by a secondary break cooling down the entire RCS, and/or the addition of cold injection water into the cold legs and downcomer region of the vessel. The final temperature reached and the cooldown rate determine the severity of the challenge to the vessel wall. Technical specifications require that cooldown be limited to 100°F/hour. As can be seen in Figure 4.3-1, as long as this requirement is met, the status of the RCS Integrity function will be no worse than YELLOW.

(1) plant-specific temperature corresponding to temperature T1 (291°F).

(2) plant-specific temperature corresponding to temperature T2 (321°F).

(3) plant-specific temperature below which cold overpressure protection system is in service.

Figure 4.3-1. RCS Integrity Status Tree.

If the cooldown is greater than 100°F/hour, the RCS Integrity function may be challenged. Figure 4.3-2 is a plot of the operational limits for the reactor. It is representative of the plant-specific plot, which will be developed based on the reactor vessel material properties and weld composition, and on the power history of the plant. The three lines on the plot divide the pressure-temperature space into four regions, in which there are varying threats to the vessel due to crack initiation and growth. These lines exhibit very little pressure dependence, except for Limit A at high pressures. The lack of significant pressure dependence implies that the primary cause of crack initiation or growth is thermally induced stress resulting from rapid cooldown. In the region to the left of Limit A, a crack can initiate at constant pressure. Such a condition is a severe challenge to the reactor vessel wall, so this region on the plot and the corresponding branch of the tree are given a RED status. Between Limit A and temperature T1 a crack could initiate with some increase in pressure. This condition represents a serious threat to the Integrity function, or a MAGENTA status. Between temperatures T1 and T2 it is unlikely that a crack would initiate, but the condition is sufficiently off-normal to warrant operator vigilance. Therefore, this region and the corresponding branch of the tree are given a YELLOW status. If the temperature is above T2 there is no threat to the Integrity function, despite the rapid cooldown, hence the GREEN status.

Figure 4.3-2. Operational Limits Curve for RCS Integrity Status Tree. (Horizontal axis: cold leg temperature, with T1 and T2 marked; regions labeled RED, MAGENTA, YELLOW and GREEN.)

In summary, the parameters selected for the RCS Integrity tree are those which reflect the degree of thermal stress on the reactor vessel. Cooldown rate and the combination of RCS pressure and temperature provide this indication. The function can be satisfied in several ways, but it is desirable to have a cooldown rate lower than 100°F/hour.

4.4 HEAT SINK TREE

The Heat Sink tree is shown in Figure 4.4-1. This tree gauges the plant's ability to remove heat from the RCS, thus protecting the barrier to release provided by the reactor coolant system pressure boundary. The parameters used in this tree are those which indicate the ability of the steam generators to remove heat from the RCS. The residual heat removal system (RHR) is not considered in this tree because it must be manually aligned and the operator would readily know if it is functioning. Prior to RHR actuation, if all three steam generators have sufficient inventory, are receiving adequate feedwater flow, and are not overpressurized, then an adequate heat sink exists.

One steam generator is sufficient to remove decay heat from the RCS. The tree begins by determining whether at least one steam generator has sufficient water level. The reference water level corresponds to a level just inside the narrow range (including allowances), and implies that the operator has a reliable level indication. In this case, the Heat Sink function status can be no worse than MAGENTA. If none of the steam generator levels is high enough to be in the narrow range, the Heat Sink can still be maintained if there is adequate feedwater flow. The flow from one motor driven auxiliary feedwater pump is adequate for decay heat removal. If this flow is not available and none of the steam generator levels is in the narrow range, the steam generator heat sink is severely challenged. This path through the tree is color-coded RED.

(1) plant-specific value showing level just in narrow range, including allowances for normal channel accuracy, post-accident transmitter errors and reference leg process errors not to exceed 50 percent (20%).

(2) the minimum safeguards (condition IV) AFW flow requirement corresponding to one MD AFW pump at SG design pressure (430 gpm).

(3) plant-specific pressure for highest steamline valve setpoint.

(4) plant-specific pressure for lowest steamline valve setpoint.

(5) plant-specific value corresponding to steam generator Hi-Hi level feedwater isolation setpoint (82.4%).

Figure 4.4-1. Heat Sink Status Tree.

If either the level requirement or the feedwater flow requirement is met, the Heat Sink function is not severely threatened. However, in order for the function to be satisfied, all three steam generators must be able to serve as useful heat sinks. The remaining branches of the tree determine the pressure and level status of all steam generators.

If any steam generator pressure is greater than the highest setpoint of any steamline safety valve, that steam generator is unable to relieve pressure. Basically this indicates that steam is being produced too quickly to be adequately relieved. This is a serious threat to the Heat Sink function and the branch of the tree is coded MAGENTA. If any steam generator pressure is greater than the lowest safety valve setpoint, the threat is not as serious and this path is coded YELLOW.

Given adequate steam generator pressures, the adequacy of water levels must be investigated next. Adequate water level in the steam generators is determined as follows. A level above the steam generator hi-hi setpoint (level at which turbine trips and feedwater isolation occurs) is considered undesirable because of excessive moisture carry-over. Also, the possibility exists for filling the steam lines with water and relieving water through the safety valves. If the level is too low to be in the narrow range, there may be insufficient water to provide adequate heat removal, and the operator will not have a reliable level indication. In either case, the status is coded YELLOW. If all steam generator levels are between the low value and the hi-hi setpoint, the Heat Sink function is satisfied and the status is coded GREEN.

In summary, the parameters selected for the Heat Sink tree are those which indicate the ability of the steam generators to serve as effective heat sinks. The function is satisfied if all steam generator pressures are below the safety valve setpoints and all steam generator levels are in the narrow range but lower than the hi-hi level setpoint.

4.5 CONTAINMENT TREE

The Containment tree is shown in Figure 4.5-1. The parameters used in this tree serve to evaluate several possible threats to containment integrity. The function is satisfied if none of these threats are present.

The most serious threat to the containment results if pressure inside the containment exceeds the design pressure, which is 45 psig at Shearon Harris. In this case, the threat comes not from the existing pressure but from the possible burning of hydrogen. Typically, containment buildings can withstand up to twice the design pressure. However, if at design pressure there were sufficient hydrogen present to cause a burn, the sudden increase in pressure could exceed the design pressure of the containment. Since the Containment function is severely threatened, this branch of the tree is color-coded RED. The function restoration guideline associated with this path directs the operator to check the containment hydrogen concentration.

If containment pressure is below design pressure, then it is unlikely that even with a hydrogen burn, the containment would fail from overpressure, although significant equipment damage could result. There is still danger if the containment pressure is above the Hi-2 setpoint, which at Shearon Harris is 12 psig. A pressure this high indicates a significant energy release into containment and requires some operator action to evaluate the containment atmosphere composition and pressure suppression equipment. This branch of the tree is coded MAGENTA.

If containment pressure is below the Hi-2 setpoint, the tree then considers the water level in the sump. Equipment necessary for extended containment cooling (or for other long-term functions) located in the containment should not be threatened by water in the containment. A plant-specific reference value of water level, corresponding to the total volume of the RCS, the RWST, all the accumulators, and one-half of the condensate storage tank, is used. This volume of water is close to the maximum which could ever be pumped into the containment, and therefore, represents a close approach to the design flooding level. A water level above this reference value represents a serious threat to the Containment function because of possible equipment damage, and this branch is coded MAGENTA.

[Status tree diagram not recoverable from the source text; the notes to the figure follow.]

(1) Plant-specific containment design pressure (45 psig).

(2) Plant-specific containment Hi-2 setpoint (12 psig).

(3) Plant-specific level corresponding to the combined volumes of: RWST + Accumulators + RCS + 1/2 CST.

(4) Plant-specific value corresponding to radiation level alarm setpoint for post-accident containment radiation monitor.

Figure 4.5-1. Containment Status Tree.

If containment sump level is below the reference value, the tree then considers radiation in containment. While the presence of radiation does not directly threaten containment integrity, it makes proper isolation all the more important. A reference value of radiation level corresponding to the plant-specific setpoint for containment ventilation isolation is used in the tree. If radiation is above this reference value, the condition is considered off-normal and the path is coded YELLOW. Isolation of ventilation penetrations is required. If radiation is below the reference value, and there are no threats to the containment due to excessive pressure or sump level, the status of the Containment function is GREEN.

In summary, the parameters selected for the Containment tree are those which indicate possible threats to containment integrity. The threats considered are excessive pressure and sump level, with consideration also given to high radiation. The function is satisfied if none of these threats exist.

4.6 RCS INVENTORY TREE

The RCS Inventory tree is shown in Figure 4.6-1. RCS Inventory represents a critical safety function which supports Core Cooling and RCS Integrity. Inadequate inventory is a consideration in Core Cooling and excessive inventory is a consideration in RCS Integrity. Therefore, the RCS Inventory tree contains no branch coded more urgent than YELLOW. The parameters used in the tree are pressurizer level and RVLIS reading. The function is defined as satisfied if pressurizer level is between the high level reactor trip setpoint and the low level letdown isolation setpoint, and if the RVLIS indicates the upper head is full (i.e., no steam bubble is present in the vessel).

As indicated in the tree, there are four paths which result in a YELLOW condition. If the pressurizer level is high and RVLIS indicates the upper head is full, then there is a problem of excessive inventory in the RCS. If the pressurizer level is high and the RVLIS indicates the presence of a bubble in the upper vessel head region, then the problem is one of having two separate bubbles controlling pressure in the system. If, on the other hand, pressurizer level is low, there is a problem with inadequate inventory in the RCS. If pressurizer level is between the high and low setpoints, but there is RVLIS indication of a bubble, the problem again is one of having two steam bubbles controlling pressure. Each of these four conditions is considered off-normal and coded YELLOW.

[Status tree diagram not recoverable from the source text; the notes to the figure follow.]

(1) Plant-specific pressurizer high level reactor trip setpoint (92%).

(2) Plant-specific pressurizer low level letdown isolation setpoint (17%).

(3) Plant-specific instrument channel and setpoint which indicates upper head is full.

Figure 4.6-1. RCS Inventory Status Tree.

In summary, the parameters selected for the RCS Inventory tree are pressurizer level and RVLIS. They give an indication of either excessive inventory, inadequate inventory, or a problem with pressure control. The function is satisfied when pressurizer level is between the high and low setpoints and the RVLIS indicates that the upper vessel head is full.
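The Containment and RCS Inventory trees described above can be written as ordered branch checks. The following is an added example, not code from this document or from the SPDS software: the strict comparisons at the setpoints, the order in which the RCS Inventory branches are asked, and the use of `None` for an undetermined input (the WHITE status of Section 5.1) are assumptions, and the sump and radiation reference values are passed in because the document gives no numbers for them.

```python
from typing import List, Optional, Tuple

# Setpoints stated in the notes to Figures 4.5-1 and 4.6-1.
CONTAINMENT_DESIGN_PSIG = 45.0
CONTAINMENT_HI2_PSIG = 12.0
PZR_HIGH_LEVEL_PCT = 92.0   # high level reactor trip setpoint
PZR_LOW_LEVEL_PCT = 17.0    # low level letdown isolation setpoint

Result = Tuple[str, List[str]]  # (status colour, branches answered so far)


def containment_status(pressure_psig: Optional[float],
                       sump_level: Optional[float],
                       radiation: Optional[float],
                       sump_ref: float,
                       rad_ref: float) -> Result:
    """Walk the Containment tree in the order the text gives:
    design pressure, Hi-2 setpoint, sump level, radiation."""
    branches = [
        ("pressure above design pressure", pressure_psig, CONTAINMENT_DESIGN_PSIG, "RED"),
        ("pressure above Hi-2 setpoint", pressure_psig, CONTAINMENT_HI2_PSIG, "MAGENTA"),
        ("sump level above reference", sump_level, sump_ref, "MAGENTA"),
        ("radiation above reference", radiation, rad_ref, "YELLOW"),
    ]
    path: List[str] = []
    for question, value, limit, colour in branches:
        if value is None:
            # Undetermined input: stop here, the path shows how far the tree got.
            return "WHITE", path
        exceeded = value > limit
        path.append(f"{question}: {'yes' if exceeded else 'no'}")
        if exceeded:
            return colour, path
    return "GREEN", path


def rcs_inventory_status(pzr_level_pct: Optional[float],
                         upper_head_full: Optional[bool]) -> Result:
    """Four YELLOW paths and one GREEN path, as described in the text."""
    path: List[str] = []
    if pzr_level_pct is None:
        return "WHITE", path
    if pzr_level_pct < PZR_LOW_LEVEL_PCT:
        # The text decides this path on pressurizer level alone.
        path += ["pressurizer level: low", "diagnosis: inadequate inventory"]
        return "YELLOW", path
    high = pzr_level_pct > PZR_HIGH_LEVEL_PCT
    path.append(f"pressurizer level: {'high' if high else 'in band'}")
    if upper_head_full is None:
        return "WHITE", path
    path.append(f"RVLIS upper head full: {'yes' if upper_head_full else 'no'}")
    if not upper_head_full:
        path.append("diagnosis: two steam bubbles controlling pressure")
        return "YELLOW", path
    if high:
        path.append("diagnosis: excessive inventory")
        return "YELLOW", path
    return "GREEN", path


if __name__ == "__main__":
    # Constructed readings; sump_ref and rad_ref are hypothetical values.
    print(containment_status(13.0, None, None, sump_ref=100.0, rad_ref=10.0))
    print(containment_status(5.0, None, 0.0, sump_ref=100.0, rad_ref=10.0))
    print(rcs_inventory_status(50.0, False))
```

A missing sump reading does not matter when pressure is already above Hi-2, because the tree never reaches that branch; it produces WHITE only when the walk actually needs the value.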

5. SPDS CRITICAL SAFETY FUNCTION STATUS BLOCKS

Each SPDS display contains along the bottom a row of six boxes, each bearing the name of a critical safety function. These boxes are known as the critical safety function status blocks. The blocks change color to reflect the color-coded status of each critical safety function, either RED, MAGENTA, YELLOW, or GREEN.

The logic for changing the color of the status blocks is based on the critical safety function trees and validation of parameters. The SPDS checks the current values for each parameter in the trees, compares these values with the tree setpoints based upon the parameter validation scheme described below, and determines the appropriate path through the tree. As described in the previous section, each path through the trees represents a unique set of plant conditions with a specified priority of response. Based upon this priority, each path is color-coded for status. The SPDS status block for each critical safety function will appear in the same color as the color-coding for the current path through its tree. That is, the status color of the tree is used in the function status block.

5.1 PARAMETER VALIDATION

In order to determine the status of each of the six critical safety functions, the current values of the relevant parameters are checked against the various setpoints in the critical safety function trees. In many cases, there is more than one analog signal for a given parameter. When this is the case, the analog values are averaged, or if the parameter is one which is used by the reactor protection system (RPS) or engineered safety features actuation system (ESFAS), the values are combined in a different manner, using the RPS or ESFAS logic. This method is described below.

In the RPS or ESFAS logic, signals are combined in an M out of N coincidence. For example, there are four signals for power range flux, and if two of these signals are above the RPS power range high flux setpoint, the reactor will trip. This is an example of two out of four coincidence. In the SPDS Subcriticality tree, there is a branch at power range greater than five percent. The SPDS software compares each of the four analog signals for power range flux with the five percent power value. If two or more values are greater than five percent power, the SPDS will consider power range to be greater than five percent, which is a RED condition. If fewer than two of four are greater than five percent, the criteria for the "power range > 5 percent" path are not met, so the status block will have the color of the path whose selection criteria are completely met.

The SPDS also checks for signals of bad quality. Any signals of bad quality are discarded, and a reduced logic is used. For example, if a parameter normally has two of four logic, but one signal is of bad quality, the logic will be reduced to two of three. Listed below is the order in which the SPDS logic will reduce when there are bad quality signals.

2 of 4
2 of 3
1 of 2
1 of 1

If there are no signals of good quality, a value for the parameter cannot be determined. In this case, the critical safety function will be given a status color of WHITE, and the tree will be filled in up to the point where the bad quality data occurs.

If a particular SPDS parameter is not included in the RPS or ESFAS, a straight arithmetic average of all available signals will be used to calculate the current value. Instead of comparing each individual signal with the tree setpoint, the average value will be used to determine the status of the critical safety function.
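The validation scheme of this section, written out as an added example (it is not code from this document or from the SPDS software). The `Signal` type, the function names and the sample readings are constructed for illustration, and two points are assumptions: "greater than" is taken as a strict comparison, and "all available signals" in the averaging case is taken to mean the signals of good quality.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Signal:
    value: float
    good: bool = True  # False = bad quality; the signal is discarded


# Reduction order listed in the text: 2 of 4 -> 2 of 3 -> 1 of 2 -> 1 of 1.
# Key: number of good signals left. Value: how many must exceed the setpoint.
VOTES_REQUIRED = {4: 2, 3: 2, 2: 1, 1: 1}


def good_values(signals: Sequence[Signal]) -> List[float]:
    return [s.value for s in signals if s.good]


def coincidence_exceeds(signals: Sequence[Signal], setpoint: float) -> Optional[bool]:
    """M-of-N vote used for RPS/ESFAS parameters.
    Returns None when no good signal is left (status WHITE)."""
    values = good_values(signals)
    if not values:
        return None
    if len(values) not in VOTES_REQUIRED:
        raise ValueError("the text defines reduced logic for at most four signals")
    votes = sum(1 for v in values if v > setpoint)
    return votes >= VOTES_REQUIRED[len(values)]


def average_exceeds(signals: Sequence[Signal], setpoint: float) -> Optional[bool]:
    """Arithmetic average used for parameters outside the RPS/ESFAS."""
    values = good_values(signals)
    if not values:
        return None
    return sum(values) / len(values) > setpoint


def power_range_branch(signals: Sequence[Signal]) -> str:
    """The Subcriticality branch used as the example in the text:
    power range greater than five percent is a RED condition."""
    result = coincidence_exceeds(signals, 5.0)
    if result is None:
        return "WHITE"
    return "RED" if result else "next branch"


def demo() -> Dict[str, object]:
    # Constructed power range readings, in percent power.
    one_high = [Signal(2.0), Signal(2.0), Signal(2.0), Signal(20.0)]
    two_high = [Signal(0.0), Signal(0.0), Signal(6.0), Signal(6.0)]
    degraded = [Signal(6.0), Signal(2.0),
                Signal(0.0, good=False), Signal(0.0, good=False)]
    all_bad = [Signal(0.0, good=False)] * 4
    return {
        # One outlier cannot carry a 2-of-4 vote, but it can drag an average up.
        "one_high_vote": coincidence_exceeds(one_high, 5.0),
        "one_high_average": average_exceeds(one_high, 5.0),
        # Two channels just over the setpoint carry the vote but not the average.
        "two_high_vote": coincidence_exceeds(two_high, 5.0),
        "two_high_average": average_exceeds(two_high, 5.0),
        # Two good signals left: logic is 1 of 2, so a single high channel decides.
        "degraded_branch": power_range_branch(degraded),
        "all_bad_branch": power_range_branch(all_bad),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The degraded case shows the cost of the reduction order: once the logic has fallen to 1 of 2, a single channel reading high is enough to select the RED path.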

5.2 ARRANGEMENT OF STATUS BLOCKS AND PRIORITIZATION OF RESPONSE

The six critical safety function status blocks are arranged on the SPDS displays in a hierarchical order, based directly on the barrier concept. The importance of the function blocks decreases from left to right on the display.

The first barrier to the release of radioactive materials is the fuel matrix/clad. The critical safety functions directly related to the integrity of this barrier have the highest priority. Subcriticality is the most important function because of the necessity of maintaining an adequately shut down core following a transient. Failure to shut down could result in additional challenges to other barriers and functions due to excessive heat production. Core Cooling is ranked second because once the core is shut down it is still necessary to remove decay heat in order to maintain the integrity of the fuel/clad.

The second barrier is the reactor coolant pressure boundary. The primary threat is due to the thermal stresses acting on a radiation-embrittled reactor vessel. Therefore, RCS Integrity is ranked third in importance.

Another threat to this barrier comes from inadequate heat removal from the primary system resulting in an unacceptable energy accumulation within the RCS. Heat Sink is considered the fourth most important function.

The containment is the third barrier to release, so the Containment function is ranked fifth. The importance of RCS Inventory is reduced since inadequate inventory is a consideration in Core Cooling and excessive inventory is a consideration in RCS Integrity. Therefore, RCS Inventory is assigned the sixth and lowest priority among the set of critical safety functions.

The priority of operator action during an event is determined by the hierarchy of the critical safety functions and by the color-coded status of each function. Functions whose status blocks have been coded RED have the highest priority, followed by MAGENTA and YELLOW. The rules for operator response are as follows:

1. Respond to all RED functions, starting with the most important function (i.e., the order of importance is Subcriticality, Core Cooling, RCS Integrity, Heat Sink, Containment, RCS Inventory).
2. Respond to all MAGENTA functions, starting with the most important function.

3. Respond to all YELLOW functions, starting with the most important function.
4. If, while responding to one function, a change occurs resulting in a different function having higher priority (due to either it being more important or having a more serious color code), suspend current actions and respond to the new threat.

For example, a RED in Core Cooling is more important than a RED in Heat Sink, due to the hierarchy of the critical safety functions. However, a RED in Heat Sink is more important than any MAGENTA, due to the hierarchy of the color codes. As an example of item 4, if the operator is performing the function restoration guideline for a RED Heat Sink when the Subcriticality block turns RED, he must leave the Heat Sink guideline and respond immediately to the threat to Subcriticality. If Core Cooling is MAGENTA when RCS Integrity turns RED, the operator must leave Core Cooling and respond to RCS Integrity because any RED condition is more serious than any MAGENTA condition.
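The four response rules amount to a sort on color first and function second, re-evaluated whenever a block changes. The following is an added example, not code from this document or from the SPDS software; the function names are constructed, and leaving WHITE out of the response order is an assumption, since the document gives WHITE no rank.

```python
from typing import Dict, List, Optional, Tuple

# Left-to-right order of the status blocks, most important first.
FUNCTIONS = ["Subcriticality", "Core Cooling", "RCS Integrity",
             "Heat Sink", "Containment", "RCS Inventory"]
# Colors that call for a response, most serious first.
ACTION_COLOURS = ["RED", "MAGENTA", "YELLOW"]
# Assumption: WHITE (undetermined) is not ranked, so it is not queued.
NO_ACTION_COLOURS = {"GREEN", "WHITE"}


def plant_status(changes: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """All six functions GREEN, with the given blocks overridden."""
    status = {function: "GREEN" for function in FUNCTIONS}
    status.update(changes or {})
    return status


def validate(status: Dict[str, str]) -> None:
    if set(status) != set(FUNCTIONS):
        raise ValueError("status must name exactly the six critical safety functions")
    for function, colour in status.items():
        if colour not in ACTION_COLOURS and colour not in NO_ACTION_COLOURS:
            raise ValueError(f"unknown status color for {function}: {colour}")


def response_queue(status: Dict[str, str]) -> List[Tuple[str, str]]:
    """Rules 1 to 3: all RED, then all MAGENTA, then all YELLOW,
    each group in order of function importance."""
    validate(status)
    return [(function, colour)
            for colour in ACTION_COLOURS
            for function in FUNCTIONS
            if status[function] == colour]


def next_function(status: Dict[str, str]) -> Optional[str]:
    """The function the operator should be working on now, or None."""
    queue = response_queue(status)
    return queue[0][0] if queue else None


def must_switch(current: Optional[str], status: Dict[str, str]) -> bool:
    """Rule 4: leave the current guideline when another function now ranks first."""
    target = next_function(status)
    return target is not None and target != current


if __name__ == "__main__":
    # The document's own example: working a RED Heat Sink when Subcriticality turns RED.
    before = plant_status({"Heat Sink": "RED"})
    after = plant_status({"Heat Sink": "RED", "Subcriticality": "RED"})
    print(must_switch("Heat Sink", before), must_switch("Heat Sink", after))
    # Expected status codes listed in Section 6.1 (Containment taken as MAGENTA).
    steam_line = plant_status({"Subcriticality": "MAGENTA", "Heat Sink": "YELLOW",
                               "Containment": "MAGENTA", "RCS Inventory": "YELLOW"})
    print(response_queue(steam_line))
```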

STATUS BLOCKS AND PLANT SAFETY

To maintain the Shearon Harris plant in a safe state, it is necessary to keep the barriers to the release of radioactive material intact. It has been shown how the set of critical safety functions relate to the barriers, and that satisfying the functions will maintain the integrity of the barriers. The SPDS critical safety function status blocks provide a quick and easy way to determine if any of the critical safety functions are threatened. The operator can then examine the trees for the threatened functions, determine the nature of the threat, and be directed to the appropriate function restoration guideline. Since the trees provide accurate information on the status of each function, and satisfying the functions results in a safe plant, the SPDS provides an accurate and timely determination of the safety status of the plant.

6. EXAMPLES OF SPDS RESPONSE TO TRANSIENTS

It has been shown that the SPDS is designed to provide the operator with accurate information concerning the safety status of the plant. The function of the SPDS during six major classes of events is discussed in this section. Emphasis is on the color of the CSF status blocks at points during the postulated events. Operator response to threatened functions should be accomplished based on the rules discussed in Section 5.2. Information for this section is taken from the Shearon Harris FSAR, Chapter 15 (Accident Analysis).

In Chapter 15 of the FSAR, six major classes of events are discussed:

1. Increases in heat removal by the secondary system
2. Decreases in heat removal by the secondary system
3. Decreases in RCS flow rate
4. Reactivity and power distribution anomalies
5. Increase in reactor coolant inventory
6. Decrease in reactor coolant inventory

One event of each type is examined in this section.

6.1 STEAM SYSTEM PIPING FAILURE

The steam release arising from a rupture of a main steam line would result in an initial increase in steam flow which decreases during the accident as the steam pressure falls. The energy from the Reactor Coolant System (RCS) causes a reduction of reactor coolant temperature and pressure. In the presence of a negative moderator temperature coefficient, the cooldown results in an insertion of positive reactivity. If the most reactive rod cluster control assembly (RCCA) is assumed stuck in its fully withdrawn position after reactor trip, there is an increased possibility that the core will become critical and return to power. A return to power following a steam line rupture is a potential problem mainly because of the high power peaking factors which exist assuming the most reactive RCCA to be stuck in its fully withdrawn position. The core is ultimately shut down by the boric acid injection delivered by the Safety Injection System.

Figures 6.1-1 through 6.1-3 provide data for this event. During the first 200 seconds, the critical safety function status codes are expected to be:

Subcriticality - MAGENTA
Core Cooling - GREEN
RCS Integrity - GREEN
Heat Sink - YELLOW
Containment - YELLOW or MAGENTA
RCS Inventory - YELLOW

Subcriticality will initially be MAGENTA. Following the steam line rupture, the reactor will be tripped and power will drop below five percent. However, the cooldown will result in a positive reactivity insertion and thus a positive intermediate range startup rate. The operator will be directed to function restoration guideline FR-S.1 which calls for initiation of boration and isolation of the faulted steam line. Boration will begin automatically due to actuation of the Safety Injection System. As boron enters the core, the status of Subcriticality will shift back to GREEN.

The Core Cooling function is satisfied because of the low RCS temperature and adequate subcooling. Although the initial cooldown rate will be greater than 100°F per hour, RCS Integrity will also be satisfied because RCS temperature will remain above T2 on the Operational Limits Plot (Figure 4.3-2).

Figure 6.1-1. 1.4 Ft² Steamline Rupture, Offsite Power Available. [Plots against time, 0 to 200 seconds; curves not recoverable from the source text.]

Figure 6.1-2. 1.4 Ft² Steamline Rupture, Offsite Power Available. [Plots against time, 0 to 200 seconds, with separate curves for the intact loops and the faulted loop; curves not recoverable from the source text.]

Figure 6.1-3. 1.4 Ft² Steamline Rupture, Offsite Power Available. [Plots against time, 0 to 200 seconds, with separate curves for the intact loops and the faulted loop; curves not recoverable from the source text.]

Heat Sink will be YELLOW because of low level in the faulted steam generator. FR-H.5 directs the operator to determine the cause of the low level, which is an uncontrolled steam release. He is then directed to the Loss of Secondary Coolant guideline. Containment pressure may exceed the Hi-2 setpoint, resulting in a MAGENTA status. FR-Z.1 directs the operator to check containment isolation, containment spray system, emergency fan coolers, and hydrogen concentration. If pressure does not exceed Hi-2, Containment status may still be YELLOW due to high radiation. RCS Inventory will be YELLOW because of low pressurizer level. Automatic injection by the Safety Injection System will restore this function.

6.2 LOSS OF NORMAL FEEDWATER

A loss of normal feedwater (from pump failures, valve malfunctions, or loss of offsite AC power) results in a reduction in capability of the secondary system to remove the heat generated in the reactor core. If an alternative supply of feedwater were not supplied to the plant, core residual heat following reactor trip would heat the Reactor Coolant System water to the point where water relief from the pressurizer would occur, resulting in a substantial loss of water from the RCS. Since the plant is tripped well before the steam generator heat transfer capability is reduced, the reactor coolant system variables never approach a departure from nucleate boiling (DNB) condition.

The following events occur upon loss of normal feedwater (assuming main feedwater pump failures or valve malfunctions).

a. As the steam pressure rises following reactor and turbine trips, the steam generator power-operated relief valves are automatically opened to the atmosphere. Steam dump to the condenser is assumed not to be available. If the steam flow rate through the power-operated relief valves is not available, the steam generator self-actuated safety valves will lift to dissipate the sensible heat of the fuel and reactor coolant plus the residual decay heat produced in the reactor.

b. As the no-load temperature is approached, the steam generator power-operated relief valves (or the self-actuated safety valves, if the power-operated relief valves are not available) are used to dissipate the residual decay heat and to maintain the plant at the hot standby condition.

The reactor is protected by a trip on low-low water level in any steam generator. The Auxiliary Feedwater System is started automatically to provide makeup to the steam generator.

Figures 6.2-1 through 6.2-3 provide data for this event. Reactor trip occurs at time equal to 54.6 seconds, causing an initial decrease in most parameters. RCS temperature and pressure then increase until approximately 2100 seconds when total heat generation (core decay heat plus pump heat) decreases to the auxiliary feedwater heat removal capacity. During this time, all critical safety functions are expected to remain GREEN, except for Heat Sink which may initially be RED, if the loss of normal feedwater causes all steam generator levels to decrease out of the narrow range. FR-H.1 directs the operator to initiate auxiliary feedwater flow, which should occur automatically. If at least one steam generator level stays in the narrow range, the status of the Heat Sink function will be no worse than MAGENTA, due to high steam generator pressure. FR-H.2 directs the operator to release steam from the affected steam generators.

Subcriticality remains GREEN because once a reactor trip is initiated neutron flux will drop at a normal rate into the source range. Core Cooling is satisfied because RCS subcooling stays within range. (Subcooling may briefly go out of range, resulting in a YELLOW status.) RCS Integrity is satisfied because there is no rapid cooldown and temperature stays above the T2 setpoint. Release of steam from the steam generators is not expected to affect the Containment function, and RCS Inventory is satisfied because pressurizer level stays between the setpoints and no bubble is expected to form in the vessel head. (Towards the end of the time line, pressurizer level may increase above the high level setpoint, resulting in a YELLOW status.)

Figure 6.2-1. Loss of Normal Feedwater. [Plots against time in seconds on a logarithmic axis; curves not recoverable from the source text.]

Figure 6.2-2. Loss of Normal Feedwater. [Plots against time in seconds on a logarithmic axis; curves not recoverable from the source text.]

Figure 6.2-3. Loss of Normal Feedwater. [Plots against time in seconds on a logarithmic axis; curves not recoverable from the source text.]

6.3 COMPLETE LOSS OF FORCED REACTOR COOLANT FLOW

A complete loss of forced reactor coolant flow may result from a simultaneous loss of electrical supplies to all reactor coolant pumps. If the reactor is at power at the time of the accident, the immediate effect of loss of forced reactor coolant flow is a rapid increase in the reactor coolant temperature. This increase could result in DNB with subsequent fuel damage if the reactor were not tripped promptly.

Normal power for the reactor coolant pumps is supplied through buses from a transformer connected to the turbine generator. When a generator trip occurs, the buses are automatically transferred to a transformer supplied from external power lines, and the pumps will continue to supply reactor coolant flow to the core. Following any turbine trip where there are no electrical faults which require tripping the generator from the network, the generator remains connected to the network for approximately 30 seconds. The reactor coolant pumps remain connected to the generator, thus ensuring full flow for 30 seconds after the reactor trip before any transfer is made.

Reactor trip will occur on either reactor coolant pump power supply undervoltage or underfrequency, or on low reactor coolant loop flow.

It is assumed that the reactor is tripped sufficiently fast to ensure that the ability of the reactor coolant to remove heat from the fuel is not greatly reduced. Thus, the average fuel and clad temperatures do not increase significantly above their respective initial values. Because a fast trip is assumed, Subcriticality should remain GREEN.

Core Cooling may go to YELLOW or MAGENTA, depending on how high the RCS temperature goes and whether RCS subcooling decreases below the tree setpoint. The conditions for Core Cooling going RED (e.g., core exit TCs greater than 1200°F) are not expected to occur. Since this event does not involve a rapid cooldown, RCS Integrity will stay GREEN. The increase in RCS temperature will result in more steam production and thus high steam generator pressures, so Heat Sink may go to YELLOW or MAGENTA. Containment and RCS Inventory status should remain GREEN.

6.4 UNCONTROLLED ROD CLUSTER CONTROL ASSEMBLY BANK WITHDRAWAL AT POWER

Uncontrolled RCCA bank withdrawal at power results in an increase in the core heat flux. Since the heat extraction from the steam generator lags behind the core power generation until the steam generator pressure reaches the power-operated relief or safety valve setpoint, there is a net increase in the reactor coolant temperature. Unless terminated by manual or automatic action, the power mismatch and resultant reactor coolant temperature rise could eventually result in DNB. Therefore, in order to avert damage to the fuel clad, the Reactor Protection System is designed to terminate any such transient before the DNBR falls below 1.30.

The automatic features of the Reactor Protection System which prevent core damage following the postulated accident include the following:

a. Power range neutron flux instrumentation actuates a reactor trip if two out of four channels exceed an overpower setpoint.
b. Reactor trip is actuated if any two out of three ΔT channels exceed an overtemperature ΔT setpoint. This setpoint is automatically varied with axial power imbalance, reactor coolant temperature and pressure to protect against DNB.
c. Reactor trip is actuated if any two out of three ΔT channels exceed an overpower ΔT setpoint. This setpoint is automatically varied with axial power imbalance to ensure that the allowable heat generation rate (KW/ft) is not exceeded.
d. A high pressurizer pressure reactor trip activated from any two out of three pressure channels, which is set at a fixed point. This pressure is less than the set pressure for the pressurizer safety valves.
e. A high pressurizer level reactor trip actuated from any two out of three level channels when the reactor power is above approximately ten percent (Permissive-7).

For this event, all critical safety functions are expected to remain GREEN. The high neutron flux and overtemperature ΔT trips occur before core heat flux and RCS temperature can increase significantly, for a wide range of possible reactivity insertion rates. The reactor is tripped sufficiently fast to ensure that the ability of the reactor coolant to remove heat from the fuel rods is not reduced.

6.5 INADVERTENT OPERATION OF THE EMERGENCY CORE COOLING SYSTEM DURING POWER OPERATION

Spurious Emergency Core Cooling System (ECCS) operation at power could be caused by operator error or a false electrical actuation signal. A spurious signal may originate from any of the safety injection system actuation channels.

Following the actuation signal, the suction of the coolant charging pumps is diverted to the refueling water storage tank from the volume control tank. The valves isolating the boron injection tank from the charging pumps and the valves isolating the boron injection tank from the injection header then automatically open. The charging pumps then force highly concentrated (20,000 parts per million) boric acid solution from the boron injection tank, through the header and injection line and into the cold leg of each reactor coolant loop. The passive injection system and the low head system provide no flow at normal RCS pressure.

A Safety Injection System (SIS) signal normally results in a reactor trip followed by a turbine trip. However, it cannot be assumed that any single fault that actuates the SIS will also produce a reactor trip. If the Reactor Protection System does not produce an immediate trip as a result of the spurious SIS signal, the reactor experiences a negative reactivity excursion due to the injected boron causing a decrease in reactor power. The power mismatch causes a drop in Tavg and consequent coolant shrinkage, pressurizer pressure and water level drop. Load will decrease due to the effect of reduced steam pressure on load after the turbine governor valve is fully open. If automatic rod control is used, these effects will be lessened until the rods have moved out of the core. The transient is eventually terminated by the reactor protection system low pressure trip or by manual trip.

For this transient, the concern is for the RCS Integrity function, due to the injection of cold RWST water and the decrease in temperature caused by the negative reactivity insertion. However, as can be seen from Figures 6.5-1 and 6.5-2, the degree of cooldown is limited to approximately 40°F during the first 30 seconds, with average core temperature slowly increasing beyond that time following reactor trip. Core temperatures stay above the cold overpressure point, and subcooling remains greater than the Core Cooling tree setpoint. Therefore, all functions remain GREEN.

6.6 LARGE LOSS OF COOLANT ACCIDENT

A loss-of-coolant accident (LOCA) is the result of a pipe rupture of the Reactor Coolant System (RCS) pressure boundary. A major pipe break (large break) is defined as a rupture with a total cross sectional area equal to or greater than 1.0 ft². Should a major break occur, depressurization of the RCS results in a pressure decrease in the pressurizer. The reactor trip signal subsequently occurs when the pressurizer low pressure trip setpoint is reached. A safety injection actuation signal is generated when the appropriate setpoint is reached. These countermeasures limit the consequences of the accident in two ways:

a. Reactor trip and borated water injection complement void formation in causing rapid reduction of power to a residual level corresponding to fission product decay heat.

b. Injection of borated water provides for heat transfer from the core and prevents excessive clad temperatures.

Before the break occurs, the unit is in an equilibrium condition, i.e., the heat generated in the core is being removed via the secondary system. During blowdown, heat from fission product decay, hot internals and the vessel continues to be transferred to the reactor coolant. At the beginning of the blowdown phase, the entire RCS contains subcooled liquid which transfers heat from the core by forced convection with some fully developed nucleate boiling. Thereafter, the core heat transfer is based on local conditions with transition boiling and forced convection to steam as the major heat transfer mechanisms.

Figure 6.5-1. Inadvertent Actuation of ECCS During Power Operation. [Plots against time, 0 to 200 seconds; curves not recoverable from the source text.]

Figure 6.5-2. Inadvertent Operation of ECCS During Power Operation. [Plots against time, 0 to 200 seconds; curves not recoverable from the source text.]

The heat transfer between the Reactor Coolant System and the secondary system may be in either direction depending on the relative temperatures. In the case of continued heat addition to the secondary, secondary system pressure increases, and the main steam safety valves may actuate to limit the pressure. Make-up water to the secondary side is automatically provided by the Auxiliary Feedwater System. The safety injection actuation signal isolates the steam generators from normal feedwater flow and initiates emergency flow from the Auxiliary Feedwater System. The secondary flow aids in the reduction of reactor coolant system pressure.

When the Reactor Coolant System depressurizes to 600 psia, the accumulators begin to inject borated water into the reactor coolant loops.

Since the loss of off-site power is assumed, the reactor coolant pumps are assumed to trip at the inception of the accident. The effects of pump coastdown are included in the blowdown analysis.

The blowdown phase of the transient ends when the RCS pressure (initially assumed at 2250 psia) falls to a value approaching that of the containment atmosphere. Prior to or at the end of the blowdown, some amount of injection water begins to enter the reactor vessel lower plenum. At this time (called end of bypass) refill of the reactor vessel lower plenum begins. Refill is complete when emergency core cooling water has filled the lower plenum of the reactor vessel which is bounded by the bottom of the fuel rods (called bottom of core recovery time).

The reflood phase of the transient is defined as the time period lasting from the end of refill until the reactor vessel has been filled with water to the extent that the core temperature rise has been terminated. From the later stage of blowdown and the beginning of reflood, the safety injection accumulator tanks rapidly discharge borated cooling water into the RCS, contributing to the filling of the reactor vessel downcomer. The downcomer water elevation head provides the driving force required for the reflooding of the reactor core. The RHR (low head) and charging (high head) pumps aid the filling of the downcomer and subsequently supply water to maintain a full downcomer and complete the reflooding process.

Continued operation of the ECCS pumps supplies water during long-term cooling. Core temperatures have been reduced to long-term steady state levels associated with dissipation of residual heat generation. After the water level of the refueling water storage tank (RWST) reaches a minimum allowable value, coolant for long-term cooling of the core is obtained by switching from the injection mode to the cold leg recirculation mode of operation in which spilled borated water is drawn from the containment sumps by the pumps and returned to the RCS cold legs. The Containment Spray System continues to operate to further reduce containment pressure. Approximately 24 hours after initiation of the LOCA, the ECCS is realigned to supply water to the RCS hot legs in order to control the boric acid concentration in the reactor vessel.

Figures 6.6-1 through 6.6-4 provide data for a large LOCA. The expected critical safety function status codes are:

Subcriticality - GREEN or YELLOW
Core Cooling - RED
RCS Integrity - GREEN
Heat Sink - YELLOW or MAGENTA
Containment - MAGENTA
RCS Inventory - YELLOW

Following the blowdown phase of the LOCA, the reactor will be shut down, with or without the control rods, due to the absence of moderating water.

During the reflood phase, as borated water is injected, the reactor will remain shut down by the combination of control rods and boron. However, with the addition of a moderator (water) to the core, there may be periods of increase in subcritical neutron multiplication, resulting in a YELLOW status.

Core Cooling will be RED because core exit temperatures will exceed 1200 F during the early stages of the LOCA. On Figure 4.2-1 this corresponds to the top path of the status tree. Later, when temperatures decrease below 1200 F, the status will remain RED, if offsite power is assumed lost, with conditions corresponding to the second path of the tree. These conditions are low subcooling, no reactor coolant pumps operating, core exit temperature greater than 700 F, and low reactor vessel level. Continued injection will lower temperature and increase level, resulting in MAGENTA and eventually YELLOW status.

Figure 6.6-1. Large LOCA. (Horizontal axis: TIME (SECONDS).)

Figure 6.6-2. Large LOCA. (Horizontal axis: TIME (SECONDS).)

Figure 6.6-3. Large LOCA. (Horizontal axis: TIME (SECONDS).)

Figure 6.6-4. Large LOCA. (Horizontal axis: TIME (SECONDS).)

The RCS Integrity status tree is concerned only with overpressurization or rapid cooldown of the RCS, conditions which do not apply to a LOCA. The Core Cooling tree is designed to deal with LOCA conditions, particularly lack of inventory. Also, with the reactor coolant pressure boundary already forfeit, the operator will need to be concerned with maintaining the fuel/clad and containment barriers.

Secondary system pressure may increase to the safety valve setpoints during blowdown. This would cause the Heat Sink status to become YELLOW or MAGENTA, depending upon the extent of the pressure rise. Containment status will be MAGENTA due to pressure exceeding the Hi-2 setpoint. From Figure 6.6-4, it can be seen that pressure will not exceed the Shearon Harris design pressure of 45 psig, so the status will not become RED. RCS Inventory status will be YELLOW due to low pressurizer level.

The function restoration guidelines to which the operator will be directed deal mainly with initiation of systems which should be automatically actuated by the Engineered Safety Features Actuation System, e.g., the Safety Injection System and Containment Spray. Other tasks include making sure the accumulator isolation valves are open, re-aligning the SIS to cold leg recirculation when the RWST water level becomes low, switching over to RHR heat removal, and checking containment hydrogen concentration.


1. INTRODUCTION

The SPDS is part of CP&L's response to NUREG-0737 Supplement 1; CP&L's commitments with regard to this NRC document were submitted to the NRC in April 1983. The SPDS is a subunit of the Shearon Harris Emergency Response Facility Information System (ERFIS). Processing of plant parameters by ERFIS is presented on two SPDS terminals within the main control room. The logic and typical displays by the SPDS are presented within this report.

The purpose of the safety parameter display system (SPDS) is to assist operating personnel in evaluating the safety status of the plant. The SPDS provides a continuous indication of plant parameters or derived variables which are representative of the safety status of the plant during both normal and emergency use. The primary function of the SPDS is to aid in the rapid detection of abnormal operating conditions. Secondary functions include analyzing and diagnosing the abnormality and providing an informational basis for corrective action execution.

This report analyzes the SPDS for the Shearon Harris Nuclear Power Plant (SHNPP) with regard to its capabilities for assessing the safety status of the plant. The basis for selection of the parameters used by the SPDS will be discussed and will be shown to be sufficient for assessing the status of each critical safety function for a wide range of events.

Reference should be made to the Shearon Harris Nuclear Power Plant Final Safety Analysis Report for complete design and transient parameter conditions/setpoints/assumptions. As a controlled document, the information contained therein is the most accurate and up to date.

SHNPP Emergency Operating Procedures will be based on Revision 1 of the Westinghouse Owners' Group Emergency Response Guidelines. These emergency operating procedures provide a manual, independent means of monitoring the critical safety function status trees which are incorporated into the SPDS.

The final issue of the above guidelines (dated September 1, 1983) contains refinements in three status trees (Core Cooling, Heat Sink, RCS Integrity).

Also, the appearance of the status trees at SHNPP may be changed to resemble other flow chart type emergency procedures. These changes will not alter any conclusions or analyses contained in this document.
