ML18046A959

From kanterella
Jump to navigation Jump to search
Forwards Evaluation of SEP Topic VII-3 Re Sys Required for Safe Shutdown.Util Requested to Upgrade Dc Batteries to Provide 2-h Capacity,Provide Capability to Establish Delayed Access Path within 2-h & Provide Redundant Instruments
ML18046A959
Person / Time
Site: Palisades Entergy icon.png
Issue date: 09/30/1981
From: Crutchfield D
Office of Nuclear Reactor Regulation
To: Hoffman D
CONSUMERS ENERGY CO. (FORMERLY CONSUMERS POWER CO.)
References
TASK-07-03, TASK-7-3, TASK-RR LSO5-81-10-080, LSO5-81-10-80, NUDOCS 8110150522
Download: ML18046A959 (37)
v  d  e


Text

{{#Wiki_filter:f September 30, 1981 Docket No. 50-255 LSOS-81-10-080 Mr. Dav1d P. Hoffman Nuclear Licens1ng Adm1n1strator Consumers Power Company 1945 W Parnall Road J.ackson, Michigan 49201 1-.,

Dear Mr. Hoffman:

SUBJECT:

PALISADES - EVALUATION OF SEP TOPIC VII-3, SYSTEMS REQUIRED FOR SAFE SHUTDOWN (EICS MATTERS) Enclosed is a copy of our evaluat1on of the electrical, 1nstrumentat1on and control aspects of Systematic Evaluation Program Top1c Vll-3. This report is a companion to our systems report forwarded It~, my letter dated November 5, 1980, and provides the reactor protection *and electrical systems reviews that were excluded from the systems rev1ew. Th1s evalua.t1on and the system evaluat1on you received previously const1tute. the staff's evaluat1on of th1s topic. The enclosed report has been revised to reflect the corffillants provided in your August 17, 1981 letter. The enclosed report proposes that the licensee: (1) Upgrad~ de batteries to provide a two hour.capac1ty, (2) Prov1de the capability to establish the delayed access path within two hours~ and (3) Provide redundant instruments to monitor certain critical parameters. The need to actually implement these changes will be determined during the integrated safety assessment. This topic assessment may be revised in the future if your faci 11 ty design is changed or 1 f NRC cr1 ter1 a re-f 0 I lating to this topic are :modified before the integrated assessment is S, completed. -1 1/I Sincerely. a.J "'\\. ~Cc '-f \\,,O.Y I e110,!B8s22 e10930 ~ PDR *AD CK 05000255 P. Ai>i>~ -r. "~,.&IS ,_I PDR: 0 . CIAL RECORD COPY USGPO: 1981-335-960

50-255 Mr. Dav P. Hoffman Nuclear l ensing Administrator Consumers er Company 1945 W. Parn 1 Road Jackson, Michi n 49201 Dear Mr.

SUBJECT:

PALISADES - REQUIRED FOR ALUATION OF SEP TOPI VII-3, SYSTEMS FE SHUTDOWN (EICS TTERS) Enclosed is a copy of our e luation of he electrical, instrumentation and control aspects of Syste tic Evalu tion Program Topic VII-3. This report is a companion to our s terns r port fon1arded by my letter dated November 5, 1980, *and provides t r ctor protection and electrical systems reviews that were exclude f m the systems review.

  • This*

evaluation and the system evaluat1 you received previously constitute the staff's evaluation of this to c. The enclosed report has been revised to reflect the comments vi din your August 17, 1981 letter. Further changes to the system ort en losed in our November 5, 1980 letter are under study. The enclosed report proposes hat the: (l)_.Staff continue or review of complia e with GDC 17, (2) *staff continue with our fire protection eviews, and (3) licensee pro ide redundant instruments critical p ame~ers.

Enclosure:

As stated cc w/enclosure:

See next page ** Sincerely; Dennis M. Crutchfield, Chief Operating Reactors Branch #5 Division of Licensing SURNAME i.; *~*~*h*. *~~!*~!:*~*~.. *~~~*~* :*:~*f ~*~*. *~t~*~::*:*~/. P.~..b ~;.Q.R~.~.?~.~.~...0.~.;.~OJ.S.A....... ~.......................................................,....................................C.r.1.1.t.<:... f1e.l.o.G.laJ.nas.......... DATE. *** *** 7.9..l.?.~......... ~(o/.l?~........... ~(../.?~........... ~(../.?~........... ~(../.?~........... ~(../.?~...... NRC FORM 318 (10-80) NRCM 0240 OFFICIAL RECORD COPY USGPO: 1981.,.,.335-960

,, t' e cc .vid P. Hoff:i..:n M. I. Miller, Esquire Isham, Lincoln & Beale Suite 4200 One First National Plaza Chicago, Illinois.60670 Mr. Paul A. Perry, Secretary Consumers Power Co~any 212 West Hichigan Avenue Jackson, Michigan 49201 Judd L. Bacon, Esquire Consumers Power Cofi+'any 212 ~est Michigan Avenue Jackson, Michigan 49201 ~yron M. Cherry, Esquire Suite* 4501 0 ne I BM P 1 a z a Chi ca go, I 11 i no i s 6 0611 Ms. Ma :-y P. Si nc 1 a i r Great Lakes Energy Alliance 5711 Summerset Ori ve Midland, Michigan 48640 Ka1ai71azoo P~blic Library 31~ Scu~h Rcse Stree~ Kc.1:.iii~ZCC, ~~:higcn 49C:06 Township Supervisor Cove rt ion n ship Rcv~e l, Sox 10 Van Buren County, Michi~an 49043 Office of the Governor (2) Room l - Capitol Building Lansing, Michigan 48913 Director; Technical A~sessment Division Office of Radiation Programs (AW'-459)

u. s. Environmental Protection Agency Crystal Mall #2 Arlington, Virginia 20460 PALIS:..DES DOCKET NO. 50-255 U. S. Environmental Protection Agency Federal Activities Branch Region V Office ATTN:

EIS COORDINATOR 230 South Dearborn Street Chicago, Illinois 60604 Charles Bechhoefer, Esq., Chai rm.:.n Atomic Safety and Licensing Board Panel U. S. Nuclear Regulatory Corrrnission Washington, O. C. 20555 Dr. George C. Anderson Department of Oceanography University of Washington Seattle, Washington 98195 Dr. M. Stanley Livingston 1005 Calle Largo Santa Fe, New Mexico. 8750} Resideht Inspector c/o U. S. NRC P. O. Box 87 South Haven, Mic~igan 49090 ?alisades ?iar:t

., TIN

Mr. J. G. Lewis P.iant Manaoer Covert, Michigan -49043 William J. Scanlan, Esquire 2034 Pauline Boulevard Ann Arbor, Michigarr 48103

TOPIC VII-3 ELECTRICAL, INSTRUMENTATION AND CONTROL ASPECT OF THE SYSTEMS REQUIRED FOR SAFE SHUTDOWN I. INTRODUCTION A report on 11 SEP Review of Safe Shutdown Systems for the Palisades Nuclear Plant 11 was issued on November 5, 1980. The 11Safe Shutdown 11 report generated by the NRC/SEP staff identifies the systems required for safe shutdown. This report reviews the electrical, instrumentation and control aspects of the identified systems as they are utilized from inside and outside of the control room. II. REVIEW CRITERIA GDC 17 titled 11 Electric Power Systems 11 states in oart that an onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. GDC 18 titled 11Control Room 11 states in part that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe conditi-0n under accident conditions, including LOCAs. Equipment at appropriate locations outside the control room shall be provided with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain. the unit in a safe condition during hot shutdown and with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures. GDC 21 titled 11Protection System Reliability and Testabil i ty 11 states in part that redundancy and independence designed into the protection system shall be sufficient to assure that:

1.

no single failure results in loss of the protection function.

2.

removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. Standard Review Plan (NUREG-75/087) Section 7.5 titled 11Safety-Related Display Instrumentation 11 states in paragraph II.2 and 3 that:

f

  • All monitoring channels should be redundant. to assure that wrong indication due to device malfunction will not cause false action or inaction on the part of the operator.

Indication malfun'ctions can be identified by cross checking between redundant channels. Redundant channels of safety-related display instrumentation should be isolated physically and electrically to assure that a single failure will not result in complete loss of information about a monitored variable. III. REVIEW GUIDELINES Identify the systems and equipment necessary to achieve safe shutdown of the plant. The "Safe Shutdown" report generated by the NRC/SEP staff should provide this information. Verify that the systems and equipment identified above are capable of receiving power from both normal and emergency sources. (GDC-17) Verify that the instrumentation and control systems necessary for safe shutdown possess sufficient redundancy. (GDC-21) Verify that the instrumentation and controls necessary for safe.. shutdown are available in the control room. (GDC-19) Identify the instrumentation and control equipment that is located outside the control room that is available to achieve and maintain hot and cold shutdown. The "Safe Shutdown" report generated by the NRC/ SEP staff should be a useful source of information in this determination. (GDC-19) Verify that the safe shutdown display instrumentation in the control room meets the sfngle failure criterion. (SRP 7.5 11.2 and 3) Compile a list of electrical structures, system~ and components that are necessary for safe shutdown of the plant. IV. SYSTEM DESCRIPTION A system description has been provided in the report of "SEP Review of Safe Shutdown Systems for the Palisades Nuclear Plant. 11 This report only addresses the electrical, instrumentation and control aspects of the systems required for safe shutdown. The review identifies those aspects of the electrical design of the safe shutdown systems that do not meet current criteria.

  • 1. Offsite Power System A simplified diagram of the Palisades offsite power system is presented in Figure 1. The offsite power system consists of one switchyard, six transmission 1 ines connecting the grid network to the switchyard, and two circuits connecting the switchyard to the ons-ite Class lE power system.

A. Switchyard The switchyard is common t~ each of the preferred offsite power circuits. The switchyard uses a breaker and one-half design with two 345 Kv buses. Each breaker has two trip devices and one close device. Each breaker is supplied with an air accumulator device so that the breaker may be manually tripped open on loss of control power. Each breaker trip and close device is supplied power from a single distribution system. The single distribution system consists of two power distribution panels, one 125 volt battery and two battery chargers. GDC 17 requires that each circuit be available in sufficient time to prevent fuel design limits and design conditions of the* reactor cool ant pressure boundary from being exceeded. To meet GDC 17, the switchyard control system design and implemen-tation should be such that any incoming line, switchyard bus, or any path to the onsite Class lE power system can be isolated. This is generally achieved on current licensing applications by separate and redundant breaker tripping and closing devices with each circuit independent of its redundant counterpart including control circuit power supplies. The Palisades design, however, with a single distribution system and single breaker closing devices, does not meet current licensing practice. The Palisades design, with air accumulator devices on each breaker, does provide a redundant means to isolate faults. However, the design does not provide redundant means to close breakers to reestablish an offsite power circuit to the onsit~ Class lE power system. Therefore, given the single failure of the single switchyard battery or distribution system and ne-glecting the presence of the diesel generators, offsite power may not be reestablished in time to prevent fuel design 1 imits and design conditions of the reactor coolant pressure boundary from being exceeded. This is an exception to GDC 17.

~,.

  • 1
  • To transmission system Bus R i-----r------.J 1 [ __ =t-1-j,.-----:__ __

-i Bus F 'Removable L inks-f! I ~/ I I, ,J; I u_ -2400 V Bus 1 C 2400 Bus 10 FI GUR:: 1

  • SIMPLIFIED OFFSITE POWER SYSTEM B.

Six transmission lines connecting the grid network to the switchyard The six transmission lines connecting the grid network to the switchyard are routed on three double line tower poles. Each of the three double line poles is routed on separate rights-of-way so that no single event such as pole falling or line breaking can simultaneously affect all lines in such a way that none of the lines can be returned to service in time to prevent fuel design limits or design conditions of the reactor coolant pressure boundary from being exceeded. This meets current licensing requirements. C. Two Circuits connecting the switchyard to the onsite Class lE power system The two circuits connecting the switchyard to the onsite Class lE power system consists of one immediate and one delayed access circuit. The immediate access circuit consists of a 345 Kv transmission line, 345 Kv to 2400 volt step down transformer, and 2400 volt bus duct. The delayed access circuit consists of one 345 Kv transmission line, 345 Kv to 24 Kv main transformer, 24 Kv bus duct, 24 Kv to 2400 volt station power transformer, and 2400 volt bus duct. The 2400 volt b~s ducts associated.with each access circuit (immediate and delayed) are routed in physically seoarated ducts through the turbine building to the Class lE onsite power system. The physical separation between these two ducts is such that no single event can simultaneously affect both ducts in such a way that neither can be returned to service in time to prevent fuel design li~its or design conditions of the reactor coolant pressure boundary from being exceeded. This meets current licensing requirements. The delayed access circuit is established by removing disconnect links at the main generator. In accordance with General Design Criteria 17, this delayed circuit must be designed to be available in sufficient time, following a loss of all onsite ac power supplies and the other offsite inmediate access circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. In the Palisades design, the time required to remove the disconnect links is 4 to 6 hours. The Palisades de battery system is designed to supply the required shutdown loads, with total loss of ac power, for 30 minutes. After this 30 minutes, it is necessary to operate valves manually to maintain a secondary heat sink. However, sufficient water is available to maintain the plant at hot shutdown for more than six hours. Also, the licensee is in the process of upgrading the batteries to 2 hour capacity.

I Accordingly, the judgement as to Palisades meeting,GOC 17 or not is centered on the acceptability of manual control of the auxiliary feedwater system and the improvement in offsite power that might be realized from providing a second immediate access path from the switchyard. TMI Task Action Plan Item II.E.1.1 will evaluate the auxiliary feedwater system and the staff review of plant modifications being made as a part of Appendix R to 10 CFR 50. \\An example of these changes is the provision of sufficient compressed nitrogen to operate the auxiliary feedwater system valves for 2 hours without station service air.) These mod1fications notwithstanding, the fact remains that the operators will not have sufficierit instrumentation after 2 hours to cooldown the plant if all ac power is lost. Accord-ingly, GDC 17 is not met. Station loads including the safety loads are normally supplied from the main generator through the station power transformer. On loss of the main generator there is an automatic transfer from this normal source to the immediate access offsite power circuit. The Palisades design includes provisions to test this during plant operation, This meets current licensing require-ments.

2.

Ons ite Cl ass 1 E Power Sys terns A simplified diagram of the Palisades onsite Class lE power system is presented in Figure 2. The onsite Class lE power system is divided into two distribution divisions (or channels) and into two load groups. Each distribution division consists of one diesel generator, one 2400 volt bus, one 480 volt load center, one 480 volt motor control center, two battery chargers, one battery, one de distribution center, two de to ac inverters, two preferred ac buses, and associated interconnecting cable and breakers. The physical and electrical separation of the two distribution . divisions and their vital support systems is the subject bf this section. The physical separation of the two load groups and their associated cables is the subject of subsequent secti ans.

- p - A. Electrical Isolation Electrical interconnections between division 1 and 2, between divisions 1 or 2 and non-safety buses, and between division ' 1 or 2 and non-safety loads was evaluated as part of topic VI-7.C.l. The objective of the evaluation is to identify single failures that will cause simultaneous failure of both division 1 and 2. B. Physical Separation The physical separation of redundant equipment and cabling associated with the two distribution divisions was evaluated most recently as part of the fire protection review. That review was based upon the acceptance criteria of Appendix A to BTP 9.5-1. These criteria were established to prevent a single fire in any area from disabling both redundant divisions. As a result of that review the following areas of the plant were identified as containing redundant divisions of safe shutdown equipment, cabling, or components without sufficient separation or barriers to prevent disabl.ing both divisions as a result of single fire: *

1.

Control Room 2, Cable Spreading Room

3.

Engineered Safeguards Panel Room and Adjacent Stairwell 4, Corridor between the Charging Pump Room and Switchgear Room 1-C, In addition, the revised 10 CFR 50.48, effective date February 17, 1981, requires the licensee to re-evaluate all areas*of the plant to the new separation criteria specified in paragraph G. of Section III of Appendix R to 10 CFR 50. These criteria require one of the following:

a. Separation of cables and equipment and associated non-safety circuits of redundant trains by a fire barrier having a 3-hour rating; or
b.

Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with na.intervening combustibles or fire hazards; or c, Enclosure of cable and equipment and associated non-safety circuits of one redundant train in a fire barrier having a 1-hour rating and fire detectors and an automatic fire suppression system installed in the area; or

d.

Alternative or dedicated shutdown capability and its associ.ated circuits independent of cables, systems, or components in the area, room or zone under consideration shall be provided. The licensee submitted plans, schedules, and design descrip-tions for any necessary modifications to meet the above criteria on March 19, 1981 and May 19, 1981. Because the licensee proposed alternative or dedicated shutdown capability (alternated, above), the NRC must review and approve that modification and that evaluation report will be issued at a later date. C. Vital Support System~ Ventilation for each division's diesel generator room is supplied by two fans, One of the two fans is Class lE and receives power from its associated Class lE distribution system. This meets current licensing requirements. The staff's review of SEP topic II-2.A indicates that severe weather phenornina do not present a significant hazard to plant equipment (designed for 10° to 40°C) ~hi le the plant is operating because simple air exchange will maintain adequate temperature control. The adequacy of the plant ventilation system was reviewed under SEP topic IX-5. However, the licensee has noted that it may be necessary to operate the diesel generators during the winter if the normal plant heating systems fail. Other vital support systems associated with each divisions diesel generator include a fuel oil system, air starting system, lube oil system, jacket water system. two independent starting circuits, and two load sequences. Each system is designed Class lE and is located in a separate room from its redundant counterpart. This meets current licensing require-ments. Each diesel generator's fuel oil system is supplied fuel

  • oi 1 by a common trans fer sys tern.

The trans fer ~ys tern. consists of a 30,000 gallon fuel oil storage tank, a s~ngle supply line, and two transfer pumps. This does not meet current licensing requirements in that the transfer system is non-Class lE, one of the two pumps is supplied power from a non-Class lE*source, there is a single fuel oil supply line for both diesels, and the two transfer pumps are not physi'cally separated.

However, each diesel has a day tank capacity of 27.6 hours and the

I . -*~) .. :fffj) - 9.. *-, FIGURE 2 S IMP LI Fi ED OMS ITE CLASS lE POWER SYSTC*I r i~ OFFS ITE POWER (SEE FIGURE r I ) I) . ) I ) __.I_..--...... _, 2400 V Bus lC. I 1 I

  • I

\\ \\

)

i I I

  • I Division 1 Division 2 2400 \\f Bus l D f I' llu /+\\

t,'--./'.* I '1: ___.__1.0 Diesel. Generator Il [ 1 __ __,: Load.group I \\ I \\ I I

ao v a 1

us l l \\' 1 480 !v Bus ;: \\. \\ \\ ) I } I I I ! i I ~.. I _ _ I I.._ _ __, _,j, I I f ) l l ) Battery Chargers I, J I 480* V MCG- *2-k

a.

) 'I

Zc4 C3 ~

I I C2 3Z I..___ _______, I) ~ii!

1) I 125 V de Buses

~ } ) ) ) r--1} I) 12~.. tI4 I ) (2:) ~ Inverters Bypass

  • J

.*1. . Regulator ) Preferred .* ) ) Preferre_) ) I I 1 ) Bus es 8 ~~es

  • I

\\ ) ).\\ I I

  • A2

\\ -r I I('--_______ *

  • _ __.I]

I.

- l 0 - day tanks can be refilled by tank truck via a refueling trunk outside the diesel generator rooms.

3.

Primary Coolant System Following a loss of turbine generator load, the reactor is tripped on high primary system pressure or on a turbine trip signal. Steam pressure relief is provided through two solenoid. operated power relief valves or three spring loaded safety valves. Pressure is maintained by pressurizer heaters. Level is maintained by the chemical and volume control system. Instrumentation needed includes pressure, temperature, level and flow. The first three of these parameters are required as a part of the plant operating procedures. The charging ~low is required to know the status of the charging pumps. As noted in SEP topic V-11.A, the charging pumps are a boundary between the high pressure and low pressure systems. A. Reactor Trip The reactor is tripped on high primary system pressure or on a turbine trip signal. (1) High Primary System Pressure Trip Signal High primary system pressure is measured in the pressurizer by four electronic pressure transmitters (PT 0102A, B, C and D). The transmitters produce a de current output that is proportional to the pressure sensed. This de current is used to generate an output signal when a preset value is exceeded (< 2250 psi a)... When two of the four transmitters generate an output signal, the reactor protection system trips the reactor. The reactor protection system also trips the reactor when two out of three transmitters (one of four bypassed) generate an output signal and when one out of three transmitters (one of four tripped) generate an output signal. Each pressure transmitter is provided power from separate preferred ac buses. The cabling between the four transmitters and the reactor protection system, and between the transmitter and the preferred ac buses, are routed in two physically separated raceways.. Cabling for two of the transmitters is routed in a single raceway with cables separated by a metal barrier within the raceway.

I An output signal from the transmitters is needed to trip the reactor. Thus, failure of the transmitters, the transmitter associated cabling, or the transmitter power source will not trip the reactor. The transmitters, cables, raceways, power source, and reactor protection system, that are associated with high pressure reactor trip, are design Class lE. The four transmitters and associated cabling are located inside containment and have been qualified to operate in an accident environment for a short time. The cables are run in two cable trays. Because the Technical Specifications permit operation with only 2 operable channels (if one of the inoperable channels. is tripped), there are several scenarios in which the high pressure trips fail. The most simple of these is to fail the de source which is assumed to be common to the remaining channels. Alternatively, assuming one of the four reactor protection system channels is bypassed but not tripped (operating in a two out of three 1 ogi c arrangement for reactor trip) and assuming the single fa.ilure of one raceway or one de power source causes failure of two high pressure trip signals, the reactor would not trip when required. This is an exception to current licensing requirements. (2) Turbine trip signal A turbine trip signal will initiate a reactor trip. The turbine trip signal is initiated when one of two relays is energized by a turbine low auto stop oil condition. Each relay provides a signal to two of the four protection systems channels. The turbine trip signal is not designed Class lE nor has credit been taken for its operation's to protect the reactor. The trip signal is isolated from the reactor protection systems by the relays. The acceptability of these relays is addressed in SEP topic VII-1.A.

  • B.

Steam Pressure Relief Steam pressure relief for the primary coolant system (PCS) is provided by two power-operated relief valves at low temperatures and by three spring-loaded safety valves at operating temperatures. (1) Pressure Relief Valves Each power-operated relief valve (PORV) has sufficient capacity to protect the primary coolant system from overpressurization at lower temperatures. Limiting transients that each PORV is capable of handling are~ (1) the start of an idle primary coolant pump when secondary water in the steam generator is up to 70°f hotter than the PCS cold leg temperatures; and-(2) the start of an HPSI pump when the PCS is in the water solid condition. The applicable technical specifications are discussed in topic XV-1 and low temperature overpressure protection system is discusserl in topic V-3, Each pressure relief valve is blocked by an individual block valve. The PORVs are solenoid operated and designed to fail closed, while the block valves are motor operated. Direct indication of PORV position is provided in the control room. The block valves, controlled by handswitches in the control room, have been modified to provide ~ direct valve position indication. The PORVs block valves are closed in. normal operation. Power for the PORVs and their respective block valves is supplied by safety-related Class lE MCCl for one train and safety-related Class lE MCC2 for the other. All valves may be operated with either offsite or ons i te power. (2) Safety Valves Three spring-loaded safety valves (RV1039, RV1040, RV1041) open on high PCS pressure. No electric or air power is required to operate these valves. Positive valve position indication is installed in the control room. .'1*:.

.. FIGURE 3 SIMPLIFIED CHEMICAL ANO VOLUME CONTROL SYSTEM ' ( FO CV 2111 <§ Heat Exchangers ~ FO CV 2113 01.de To Loop lA FO CV 2115 9-2 _de I To Loop 2A ~______J MO 3072 2 ac c Volume~ Controt Tank

  • To Boric

..------------Acid Pumps ' I l i A I I I ~ Concentrated Boric Acid Tanks u ~ ~O 2087 f MO ~

2170 MO

~

2169 '----- MO 3068 D 2 ac MO 3066 Z ac To Loop lA 1---11,....-* To ~oop 1 B .MO 3064 1 ac 1--~1---... To Loop 2A MO 3062 1 ac MO 2160 CJ2 ac I T-58 Safety Injecti and Refue 1 i ng

  • Water Tank

./ C. Pressurizer Heaters (pressure tontrol) The heaters are single unit sheath type immersion heaters. Approximately 10 percent of the heaters are connected to proportional controllers with the remaining backup heaters connected to on-off controllers. All heaters can be turned on and off from the control room by hand switches. The source of electric power for 50 percent of the heaters (750 KW) is from 480 volt non-safety bus number 15. The source of power for the rematning heaters is from 480 volt bus number 16. Bus number 16 can be connected to division 2 safety bus 10, There is direct indication in the control roo~ of the heaters on-off status. Because of the ~ow rate of heat loss under normal shutdown situations, pressurizer pressure measurement also provides timely method of inferring heater status. D. Chemical and Volume Control System A simplified flow diagram of the Palisades chemical and volume control system (CVCS) is presented in Figure 3. The system design is summarized fn the SEP Review of Safe Shutdown Systems for the Palisades Nuclear Plant, reference (E). Electrical components in the CVCS include three motor-driven charging pumps and several valves. In addition the boric acid tanks and lines to the eves must be heated to keep the boric acid in solution. The three pumps provide flow to the: PCS through: (1) the normal charging line; (2) the pressurizer auxiliary spray valve; or (3) the alternate high pressure safety injection (HPSI) line. A failure of non-safety-grade control and instrument air disables flow paths to the pressurizer aux-iliary spray valve. However, the other charging paths remain available and the boric acid pumps may be bypassed. Motor-driven pumps P55A and P55B are powered from division 2, 480 volt bus 12, while pump P55C is supplied with power from division l, 480 volt bus 11. The capacity of one charging pump is sufficient to compensate for coolant contraction during normal cool down. All electrically controlled valves are powered from emergency buses. In addition, the motor-operated valves have manual overrides which permit local control if necessary.*

  • The boric acid heat tracing and boric acid concentrated tank heaters are supplied from non-Class lE power sources (480v motor control centers 7 and 8).

The temperature of the boric acid in the lines is monitored. by three redundant sensors, two indicators at local panels with alarms in the control room and the other indicator in the control room itself. The non-Class lE power source and non-Class lE heat tracing does not meet current licensing requirements. Because non-Class lE instrumentation and power sources are used, the staff is concerned about the capability to detect heater failures and the ability to maintain sufficient boron in solution from the time that a failure was detected to the time that cold shutdown was achieved using only onsite power.

4.

Instrumentation Instrumentation needed for monitoring the reactor system status includes pressure, temperature, level, and flow indications. A. Pressure Primary coolant system pressure is measured in the pressurizer. There are eight pressure transmitters, PT-0102A, B, C, D, PT-0103, PT-0104 and PT-0105A, and B. The PT-0102 transmitters are the same transmitters used for high-pressure reactor trips that are described in Section 3.A(l) above. The transmitters have a range of 1500-2500 psi. Each transmitter is indicated in the control room and is provided power from a separate preferred a-c bus but share de buses on a**paired basis. PT-0103 is used to monitor and record the pressurizer pressure in the control room and the remote safe shutdown Panel C-33. This transmitter has a range of 0-3000 psi. The power is pro-vided from the instrument a-c Panel Y-01. This instrument is the preferred instrument for cold shutdown. Panel Y-01 is not Cl ass 1 E. PT-0104 is used for overpressure protection interlocks for the suction line valves M0-3015, 3016 for shutdown cooling. This transmitter has a range of 0-600 psi. The transmitter is in-dicated and recorded in the control room and is provided power from a referred a-c bus. The PT-0105 transmitters are used for overpressure protection in connection with the presurrizer relief valves PRV-1042B and .PRV-1043B, and supply the subcooled margin monitor. These transmitters have a range of U-2500 psi. Each transmitter is indicated in the control room and each redundant transmitter is provided pbwer from a separate preferred a-c bus~

  • B.

Temperature Primary coolant system temperature is measured in both the hot and cold legs by resistance temperature detectors. Hot leg temperature is measured by four temperature elements: TE 0122HA, B, C, and D for loop 2 and TS 0112HA, B, C, and D for loop 1. Each temperature element output is indicated in the control room. One of four instruments in each loop is required for shutdown. Each temperature element in each loop is provided power from a separate preferred ac bus. Cold leg temperature is measured by four temperature elements in each loop. TE 0112CA and TE Oll2CC in loop lA, TE 0112CD and TE Oll2CB in loop lB, TE 0122CA and TE 0122CC in loop 2A, and TE 0122CB and TE Ol22CD in loop 26. Each temperature element output is indicated in the control room. Each temperature element in each loop is provided power from a separate preferred ac bus. One of the four temperature elements in each loop is required for safe shutdown. The temperature elements listed provide narrow range monitoring (515 to 615°F) to be used with PT-0102A, B, C, and D for thermal margin tripping. The hot legs are also monitored by TE OlllH and TE 0121H. The cold legs are also monitored by TE OlllA, B and TE 0121A, B. Th~ temperature element outputs for the cold legs are indicated and recorded in the control room. These are wide range instruments (0-600°F); one of the two wide range iristruments in each cold leg is required for cold shutdown. C. Pressurizer Level Pressurizer level is measured by four level transmitters, (LT 0102A, B, C and D), Each transmitter measures the pressure difference between a reference column of water and the pressurizer water 1 evel. The pressure difference is converted to a de current signal proportional to th~ level of water in the pressurizer, Each level transmitter is provided power from a separate preferred ac bus. Each transmitter output current is indicated in the control room. One of the four indications is needed for safe shutdown.

  • The range for LT-0102A, B, C, and Dis 100.7" to 236".

Pressurizer level is also measured by LT-0103 (range is 0 to 260 in. of water= 0 to 100% level) which is indicated in the control room by LI-0103A and in the remote Panel C-33 by LI-0103B. D. Steam Generator Level Instrumentation Each steam generator has four level transmitters for protec-tion channels and two transmitters for control function. The protection channels A, B, C, and Dare each provided with physically separated sensing taps. Each channel has level indication in the control room. Two wide range level channels per steam generator are being installed. E. Chemical and Volume Control System (1) Boric Acid Tanks level indication The tank level instrumentation is actually designated LT-0206 and LT-0208, LIA-0206A, B and LIA-0208A, B. Drawing E-90 shows that LIA-0206A and LIA-0208A* are located on the wall in the boric acid room, so that they are accessible for operations remote from the control room, Whenever the reactor is critical, Technical Specifications require that sufficient boric acid be maintained in the tanks to bring the reactor to cold shutdown. In the event of an accident, boric acid is drawn from the tanks automatically; During a controlled shutdown several means are available to monitor boric acid injection including the roYtine samples of the PCS to verify boron concentration. In addition, the SIRW tank serves as a backup source of boron for shutdown, Thus, failure of the level instrumentation on the tanks will not prevent safe shutdown of the plant, and they are not essential.

  • (2)

Safety Injection and Refueling Water Storage Tank Level Redundant level switches (LS-0323, 0327, 0329, and 0330} are provided to automatically initiate safety injection system switch-over to recirculation on low SIRW tank

level, Loss of SIRW tank level indication will not prevent. safe 'shutdown of the pl ant.
  • (3)

Chemical and Volume Control System Pumps Flow ( FT & FI A 0212) : Only one flow transmitter provided at charging pumps discharge line. Flow indication and alarm are provided in control room. There is no mention in the FSAR of indications ou~side the control room. F. Service Water System There are two pressure transmitters (PT-1318, 1319) at Service water pump discharge header. Both pressure channels have indicators in the control room. Separate local pressure indicators (PI-1320, 1321, 1322) are provided at each pump. There is no mention in the FSAR of other indications outside the control room,

5.

Auxiliary Feedwater Systems A simplified fiow diagram of Palisades auxiliary feedwater system;. is presented in figure 4, The auxiliary feedwater system consists of a motor driven pump and a turbine-driven pu~p with associated valves, instrumentation and*controls. The auxiliary feedwater system does not meet the current require-ments for power diversity. Although the valves (SV0522A&B) in the steam supply lines to the turbine driver are controlled from the de emergericy buses, the air required to operate the valves is . derived from a header supplied by redundant non-Class lE compressors which receive power from the ac Class lE buses. Thus, loss of both onsite and offsite ac power may result in a delayed loss of air which will cause the closure of the steam admission valves. Thus, the supply of motive~power steam to the turbine driver fnay __ b_e_}_~~~! _ However, in the event of loss of both onsite and offsite a-c, the operator is instructed to open the turbine driven auxiliary feed pump steam admission valves using the hand cranks that already exist on the valves. In addition, a modification relating to fire protection is planned in which nitrogen bottles will be installed on the air header supply CV 0522B to assure at least two hours of valve operability from the control room. This modification is discussed in CPCo letter of March 19, 1981.

    • FIGURE 4 SIMPLIFIED AUXILIARY FEEDWATER SYSTEM io atmosphere 1

I . From Fire System FQ CV0521 FC

Q
0. CV 0522A

,--{/--11---__.____.M!W'r-, -d_..;.e -~><"-I i I I FC I I. 9.CV 05228 I L ~ l.:..t VL-I v r--n Y'-1 2 de / I - I

p !

s I I l A 1! I ,__ __ __.;. l-; ~*,_ / s \\ I G 1 j 8 I ) FO ~~ - - ~

de

....._! -"ll ~' -~~IL~ ~~* --~~- c v 0737A

1.

~....._~ u;;\\ ~ l Aux. Fw. Pumps $ s I I Condensate Storage Tank FT FO i Q- --o 2 de ~ N,___* --------~ I CV 0736A

  • There are two flow paths for supplying steam to the driver and water from the auxiliary feedwater pumps.

Flow path A consists of flow control valve CV0737A, steam generator A, and steam supply valve SV0522B. Flow path B consists of flow control valve CV0736A, steam generator B, and steam supply valves SV0522A and SV0521. For flow path A valve CV0737A is powered fro~ division 1 while SV0522B is powered from division 2. For flow path B valve CV0736A is powered from division 2 while SV0522A and SV0521 are supplied power from division 1~ The steam valves fail

clqsed, The water valves fail-safe or in the open positions, on loss of air or power, to permit water flow to the steam generators; but, because valves of both divisions are used in each path, it cannot be concluded that all failures will result in proper operation of the auxiliary feedwater system; Therefore, single failure or degradation of either division may result in the failure of the auxil 1ary feedwater sys tern until an operator jacks the appropriate valve.

Condensate storage tank level indication has been identified as* being required for safe shutdown. This level indication is provided by a single level sensor and transmitter (LT-2021) located at the condensate storage tank and a single level indicator located in the control room. Local or remote level indications is not provided and as such is an excepti~n to current requirements. The single indicatot in the control room does not meet current requirements in that two redundant and independent Class lE indicators are currently required. Redundant safety grade condensate tank level instrumentation will be installed during the 1981 refueling outage (see page 80 of CPCo letter dated December 19; 1980), Al~hough such indication is not provided on the alternate shutdown panel, redundaMt pressure switches (three switches; 2 of 3 required for trip) are provided to trip the auxiliary feedwater pumps on low suction pressure, thus avoidi-ng pump failure due to low or non-existent tank level.

  • A backup water source (ultimate heat sink) is provided from Lake Michigan independent of tank level indication. It should be noted that failure of the tank level indication per se will not prevent safe shutdown of the plant.
  • There is only one auxiliary feedwater flow channel for each steam generator loop.
6.

Shutdown Cooling System The shutdown cooling system is a subsystem of the low pressure safety iiljecti,on system, A simplified flow diagram of the Palisades shutdown cooling system is presented in Figure 5. The system consists of a single drop line from the primary coolant system through the low pressure safety injection pumps and safe shutdown heat exchangers. The equipment in this system requiring electric power consists of low pressure safety injection pumps P-67A and P-67B, motor operated valves, solenoid operated valves, and associated instrumentation and controls. Alternate modes of shutdown cooling are available. See page 20 of the staff's evaluation of Safe Shutdown Systems (October 1980 revision) transmitted by NRC letter of November 5, 1980. There are five flow tr~nsmitters in the shutdown cooling (LPSI)

lines, FT-0306, 0307, 0311, and 0314.

FT-0306 has a flow indicating controller in the control room and a hand indicating cont~oller at C-33. The remainder of the transmitters have indi~~tors tn the control room and C-33. This meets the single failure criteria.

7.

Component Cooling Water System A simplified flow diagram of the Palisades component cooling water system is presented in figure 6. The component cooling water systems is a closed loop system. The equipment in this loop requiring electric power consists of three motor-driven circulating pumps (P52A, P52B, P52C), solenoid operated valves, and associated instrumentation and controls. Motor~driven pumps P52A and P52C are supplied power from division 1 while pump P52B is supplied power from division 2. During normal full power operation, one pump and one CCW heat exchanger can accomodate heat removal loads. Two pumps and heat exchangers are normally used for plant cooldown.

However, one CCW he at ex changer is capab 1 e of PCS* coo 1 down at a reduced rate.

Further details are available in the SEP review of safe shutdown systems, Ref. (E).

I CV 3223 10 E-~h

  • FIGURE 5 SIMPLIFIED SHUTDOWN COOLING SYSTEM LPSI Pumps

~-..

P-678' I

~ To containment spray valves \\1 ac.** II ~ M03016 M03015 S? From hot -,-i l eg l oo p 2 / -* -~*-*~~'--- L.V3025 I 2 ac l ac (P67A\\ I "f \\~

  • I HX 0

C V3224,.....__; r-..

  • .a--":111),....

.,_.___.~,.._-0:1 ., 'J ,. CV30o5 T

~

I i CV3213.i=-1) I

  • --+s I l 't=-b'os 1 l

..,. i I i *.,k;. I --CV:j2,2 ~ I CV 3006 I* I I I* l I I I i I [ ' i z I I Safety Injection and Refuel- ~ ing Water Tank r T58 \\ r~~Ja~nment \\ -.1 CV3030 !.

  • --1 Q:

8 I '-t><~':-. -Q-~ I {~ CV303.l I

  • ---"-4 r

v~ I. . CV3057 I CV3029 I I >1*-__..!i_._ ___ ~; To HPSI Pumps Suction j ---~.*~ \\__) vi l .._ ___________ a.-.::x1-- ~~ i M03008 1 ac.. To Loop lA M03010 1 ac To Loop lB D M03012

  • a

~ 2

  • ac
  • To Loop 2A I. -, M03014

~To Loop 28 I I I j i i l I . J.: /I

  • Solenoid operated valves CV0945 and CV0946 are used as supply valves to the two heat* exchangers (E-54A and E-54B).

CV0946 is the supply valve for heat exchanger E-54B and CV0945 is the supply valve for heat exchanger E-54A. Each heat exchanger provfdes 50 p~rcent of the ~hutdown cooling requirements. The single failure of either of the two valves (CV0945 or CV0946) would cause faflure of one heat exchanger. This single failure reduces the shutdown cooling systems capacity to 50 percent. The output pressure of the component cooling circulating pumps ts measured by a single pressure sensor and transmitter (PT 0918) wi-th indication provided in the control room. This does not satisfy Section 4,20 of IEEE Std. 279-1971, The surge tank level is measured by a single transmitter (LT 0917) with indication provided in the control room. This, like the pressure indication described above, does not meet current criteria. A direct indication to the control room operator of cooling water flow to the following essential loads has not*been provided, (1) Shutdown cooling heat exchangers, (2) Charging pump cooling, and (3) Engineered safeguards pump cooling. This also is an exception to Section 4.20 of IEEE Std. 279-1971. The licensee maintains the following indications and alarms are sufficient: (1) Shutdown cooling heat exchanger - flow to the heat exchanger can be determined by local flow indication, FI-0938. (2) Charging pumps - flow to the charging pumps can be determined by local flow indication, FI-0971, 0972, 0973. (3}_ Engineered safeguards pumps - flow to pumps P-67A, P-54A, and P-66A can be determined in the control room by an alarm from FS-0958, Flow can also be determined by local flow indication, FI-0958, 0955, and -0952, respectively. Flow to Pumps P-66B, p,..67B. P-54C and P-54B can be determined in the control room by an alarm from FS-0954. Flow can also be determined.by local flow indication FI-0954, 0953, 0957 and 0956, respectively.

  • FIGURE 6 SIMPLIFIED COMPONENT COOLING WATER SYSTEM r

1 FAI Q. AI CV490 ~CV911 *ESB

  • i r-4"1-~---:' =.

I.

r---~-------~----~'-*~,

~l~-----11;-: Charging Pump*\\ FO,- I Coolers 1

..-------.-----~~----lv<!.-1'<-~~i I

CV0910 , FO r1 ~£. I cvo9~a I

  • -~...

c1o937 I E60A ! E60B .~ /~\\ ~ \\.::::;- I (See I , Figure l 5) I l I CV0950 FO f1 'WG M-202 l>WG M-207 N ..:0 OWG M-202 OWG M-204 IJWG M-209 DWG M-209 OWG M-213 I

T/\\13LE 3. 3. JCont.l_ Co111po11ent/System lnstrumeut Primary Coolant System Pressur1zer level Pressurizer pressure PCS Temperature TE 0121 Instrument Location Reference LT Inside containment DWG M-201 LI Control n oom LI Ren~te Shutdown Panel PT Inside containment DWG M-201 Pl/\\ Control Room PI Remote Shutdown Panel lT, TH, llS Control Room DWG.M-201 TE *inside Containment TI Remote Shutdown Panel w 0 \\.....

-~... *

  • t p
  • Venti.lation for the remaining distribution system rooms - the cable spreading room, the two 2400 Volt bus (switchgear) rooms, and the two battery rooms - is supplied from a single duct system.

The duct sys.tern has one supply fan, one exahust fan, and one recirculation fan. The one recirculation fan is redundant to the supply and exhbust fans. The ventilation systems are evaluated under SEP Topic IX-5. Each diesel generator~s fuel oil system is supplied fuel oil by a* common transfer system. The transfer system consists of a 30,000 gallon fuel oil storage tank, a single supply line, and two transfer pumps. However, the staff has concluded that the present design is acceptable.because of the following design features:

1.

One transfer pump is powered from a Class lE source, and

2.

The 27. 6 hour day tank capacity provides adequate time to rig the alternate pump to a Class lE source or to refuel the day tank from a fuel truck.

4.

Instrumentation and Controls Concerns for the Safe Shutdown Systems A. Stearn Generator Level Instrumentation Each steam generator has four level transmitters for protection channels and two transmitters for control function. The protection channels A, B, C, and Dare each provided with physically separated sensing taps. Each channel has level indication in the control room. In response to the Three Mile Island - Lessons Learned and NUREG-0635, Item X.6.3.3.4(c), the licensee has committed to install wide range steam generator level instrumentation during the 1981 Palisades refueling outage. (Ref: CPCo letter dated September 18, 1980 to Mr. D.M. Crutchfield.) There is one level indicator for* each steam generator on local control panel C-33 (remote shutdown panel outside control room). Note: Current licensing criteria (GDC-19) require capability for a remote shutdown from outside the.control room.. In addition, Appendix R to 10 CFR 50, which became~-: effective February 17, 1980, requires remote shutdown capability independent of the damage (hot shorts and grounds) caused by a fire in the control room. The licensee has submitted schedules and design descriptions of all modifications required to meet the requirements of Appendix R for remote shutdown capability independent of the control room. Our evaluation report for thos~ modifications will be issued later. The following evaluations concern only what presently exists at the plant.

32 - B. Auxiliary Feedwater Systems (1) Condensate storage tank level indication Level indication is provided by a single level transmitter (LT-2021) located at the condensate storage tank and a single level indicator located in the control room. GDC-21 requires sufficient redundancy for the safety system. The safety related display instruments used by the operator for safety action should. be redundant Class lE instruments. The single indicator in the control room does not meet current requirements. However, the pumps are protected against low suction pressure by redundant pressure switches thus inferring the need to switch to the ultimate heat sink. Accordingly, the present design is acceptable. (2) Auxiliary feedwater flows There is only one auxiliary feedwater flow channel for each steam generator loop. Our current requirements are presented in NUREG-0737, Clarification of TM! Action PTan Requirements. Our evaluation of the licensee's response to these requirements will be issued later. C. Component Cooli~g Water System (1) CCW Pump Discharge Pressure Only one pressure transmitter is provided a the CCW pump discharge. One indicator and alarm is providedin the control room. This does not meet the requirements of GDC-

21.

There is no indication outside the control room. This does not meet the requirements of GDC-19. (2) CCW Surge Tank Level Only one level transmitter is provided at CCW Surge tank. One indicator and alarm is provided in the control room. There is no indication outside of the control room. D. Primary Coolant System (1) Pressurizer level There are five pressurizer level transmitters inside containment, and four level indicators in the control room. There is a single pressurizer level indicator on.local control panel C-33 (remote shutdown panel outside control room).

-".J..

  • (2)

Pressurizer pressure There are eight pressurizer pressure transmitters inside containment, and four pressure indicators in the control room. There is a single pressurizer pressure indicator on local control panel C-33 (remote shutdown panel inside control room). (3) Primary Coolant System Temperature Eight temperature channels are provided, and two recorders in the control room. There is also a temperature indicator from each cold leg on local control panel C-33 (remote shutdown panel outside control room). (4) A second charging flow channel should be provided.

5.

Boric acid heater circuits should be transferred to Class lE sources and the heat tracing sho~ld be replaced by a Class lE syst~m or a Clas~ lE temperature monitoring system should be installed. VI.

SUMMARY

. The electrical, instrumentation and control aspect of the systems required for safe shutdown on Palisades have the following deficiencies which should be evaluated during the integrated assessment review. Proper action should be taken to address these deficiencies. A. The delayed access circuit to the safety load does not meet Design Criteria 17 requirements. B. The primary pressure scram channels do not meet single failure criteria when one channel is bypassed. C. The safety related display instruments do not have sufficient redundancy to satisfy GDC-21. Those instruments, which the operator has to rely upon to take safety action, should be redundant Class lE instruments satisfying the requirements of IEEE Std. 279-1971.

~. *4 ~, VII. REFERENCE A. Palisades Final Safety Analysis Reports B. Consumers Power Company letter dated March 4, 1980 on Action taken in response to TMI-2 lessons learned requirements. C. Technical Specifications for Palisades Plant, Section 3.1.8, page 3-25a. D. Palisades Safety Evaluation Report Amendment 51 dated September 10, 1979. E. SEP Review of Safe Shutdown Systems for the Palisades Nuclear Plant, Revision l dated September 9, 1980. F. Consumers Power Company letter dated August 17, 1981 on draft report for SEP Topic VII-3.}}

Retrieved from "https://kanterella.com/w/index.php?title=ML18046A959&oldid=5024351"