ML18092A981
| ML18092A981 | |
| Person / Time | |
|---|---|
| Site: | Salem  |
| Issue date: | 01/03/1986 |
| From: | Corbin McNeil Public Service Enterprise Group |
| To: | Varga S Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML18092A982 | List: |
| References | |
| NLR-N86001, NUDOCS 8601140346 | |
| Download: ML18092A981 (43) | |
Text
__ -....... *'.,:
Public Service Electric and Gas Company Corbin A. McNeil!, Jr.
Vice President -
Public Service Electric and Gas Company P.O. Box236, Han cocks Bridge, NJ 08038 609 339-4800 Nuclear January 3, 1986 NLR-N86001
- u. S. Nuclear Regulatory Commission Off ice of Nuclear Reactor Regulation Division of Licensing Washington, D. c. 20555 Attention:
Mr. Steven A. Varga, Chief Operating Reactois, Branch 1 Divisioh of Licensing*
Gentlemen:
I SEMIAUTOMATIC.ECCS.SWITCHOVER FROM INJECTTON *TO* RECIRCULATI*ON SALEM GENERATING STATION UNIT NO. 2 Pursuant to our meeting with NRC staff members in Bethesda, Maryland on December 3, 1985, we are enclosing a package of current information to support your completion of a safety evaluation for our long standing amendment request (LCR 82-16).
The package contains a description of the present semiautomatic ECCS switchover design, our proposed system configuration and the procedural changes necessary to resolve the concerns shared by the NRC and ourselves.
PSE&G hereby requests your timely approval of our submittal to incorporate the semiautomatic switchover features on Salem Unit 2.
Consistent with our desire to maintain design commonality on the Salem units and our belief that some portions of the design (which was installed to satisfy a License Condition on Unit 2) are not cost beneficial, it is our intention to submit a request in the near term identifying those aspects of the switchover design that we would like to maintain on Unit 2, add to Unit 1, and those features that we want to eliminate.
Mr. Steven A._Varga 1/3/86 Should you have any further questions, we will be pleased to discuss them with you.
Enclosure C
Mr. Donald c. Fischer Licensing Project Manager Mr. Thomas J. Kenny Senior Resident Inspector Sincerely,
SEMMUTOMArIC ECCS SlflTCHOVER FROM INJCETION TO RECIRCULATION Dbcket #
5()-- '?;./ J Omtrol # IJ{p o I 14-0 "Yfb, Date o I
- D~
- c b of Doicument BEGULAtOORY OOCKET'FU
.- NOTICE THE ATTACHED FILES ARE OFFICIAL RECORDS OF THE DIVISION OF ~OCUMENT CONTROL. THEY HAVE 8EEN CHARGED TO YOU FOR A LIMITED TIME PERIOD AND MUST BE RETURNED TO JHE RECORDS FACILITY BRANCH 016.
PLEASE DO NOT SEND DOCUMENTS CHARGED OUT THROUGH THE MAIL. REMOVAL OF ANY PAGE(S) FROM DOCUMENT FOR REPRODUCTION MUST BE REFERRED TO*FILE PERSONNEL.
DEADLINE RETURN DATE RECORDS FACILITY BRANCH
r** :-*
\\.*
1*'
i*'
.i.
... '. -~* '
{
,1
\\. *.
t' "t *:_;:.
I: *.
1,,.*
1)...*...
I'.;~
1::*
1t *. **
( *.,..
- .*1
. / ~
-. *~:* ~' _: i
' :*:*~ -~ ~* j
- ~
'1 C: ' ' : 1:
~... :: ~
.... j *.
. ~: '
~* * -
't
.,' i',*-
- I SALEM UNIT 2 SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION SYSTEM DESIGN The present design of the Salem Unit 2 Semiautomatic Switchover from Injection to Recirculation System is described herein.
This system is considered part of the Protection System and has been designed as such
- A.
Background Information B.
A method to automatically transfer the Emergency Core Cooling System (ECCS) pumps from RWST suction to containment sump suction upon achieving RSWT low level has been required by the NRC per Attachment A.
In summary, the system is provided to protect the reactor core from possible detrimental effects which may be caused by a LOCA.
General Design Features The basic design criteria for the semiautomatic switchover system has been stated by the NRC in Attachment A.
The main features are summarized below:
- 1.
The switchover of the ECCS from the injection to the recirculation mode of operation is automated to the maximum feasible extent, such that required operator actions are minimized, and uninterrupted ECCS flow is provided to the core.
The extent to which switchover is automated is as follows:
- a.
Open Residual Heat Removal (RHR) pumps suction valves to containment sump 21SJ44 and 2 2SJ44 *
.. ***. ***. 'NP8512/06 l mtATORY DOCKET RlE COPY
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION NP8512/06 2 Component cooling to Residual Heat Exchangers (RHX's) valves 21CC16 and 2 2CC16.
Crosstie valves 21SJ113 and 22SJ113 between Safety Injection (SI) and Charging (Chg) pumps suctions *
- b.
Close Refueling Water Storage Tank (RWST) to RHR pumps suction valves 21RH4 and 22RH4 (closing interlocked by 21SJ44 and 22SJ44 fully open).
The functions which have remained manual are:
- a.
Close SI pump minif low line isolation valves to RWST (2SJ67 and 2SJ68).
RHR crosstie valves 21RH19 and 22RH19.
- b.
Open RHR pump discharge to SI and Chg pump suctions 21SJ45 and 22SJ45.
- 2.
The system is able to perform its function despite any single postulated instrumentation and control failure, or any postulated single failure of a fluid system.
- 3.
The possibility of spurious transfer to the recirculation mode of operation has been minimized by designing the system as a two train system which meets the single failure criterion.
In addition, initiating signals from 4 RWST level transmitters are combined into a 2/4 logic for each train of the system thereby eliminating the possibility of a transfer failure due to a failed instrument.
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION In addition, the initiating devices are designed as energize to operate.
This combined with the 2/4 logic prevents the system from initiating prematurely due to a failed or misoperating transmitter.
An interlock from the Solid State Protection System (SSPS) prevents initiation of semiautomatic switchover under any plant operating condition which does not normally result in safety injection (SI).
C.
Functional Features NP8512/06 3
- 1.
General
- 2.
The semiautomatic switchover design is based on the requirement that the RHR pumps must be protected from a loss of suction source if a LOCA is postulated.
Attachment B provides an ECCS Switchover Evaluation Summary which stipulates that automation beyond the four steps included in Section II.B of this document would expose the switchover design to unacceptable single failures which could reduce ECCS flow to the reactor coolant system below minimum requirements
- The portions of the switchover procedure which are not automated are few in number and are manually implemented based on operator verification that switchover is required.
The switchover procedure is structured to minimize and emphasize the operator actions that must be performed to protect all ECCS pumps from'a loss of suction.
Furthermore, the procedure can be performed independently of any prior ECCS single failure.
IEEE-279 The semiautomatic switchover system design conforms to IEEE 279-1971 with the following exceptions:
- a.
Completion of Protective Action Once Initiated
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION NP8512/06 4 The semiautomatic switchover design does not prevent the operator from resetting the switchover sequence from the control room at any time on a single train basis.
The operator also has available the ability to manually control any equipment affected by the semiautomatic switchover design on a component level.
This deviation from IEEE 279-1971 is allowable with the intent that the operator will take any action necessary to protect ECCS equipment and thusly the reactor.
- b.
Manual Initiation Manual initiation at the system level is not provided.
This deviation of IEEE 279-1971 is permitted to preclude premature or inadvertent operation of the equipment controlled by the semiautomatic switchover system.
This is due to the fact that if certain plant conditions do not exist when semiautomatic switchover is initiated, damage to ECCS equipment may occur.
- 3.
System Inputs The system is designed so that action is taken when RWST level falls to its low-level setpoint (2/4 logic) concurrent with a safety injection signal.
- 4.
Identification of Protective Actions and Information Readout The semiautomatic switchover system provides accurate, complete and timely status information to the control room operator.
The design of the system minimizes the development of conditions which cause erroneous alarms and/or indication in the control room.
In order to aid the control room operator in determining the status of the semiautomatic switchover system, a mimic display of the logic involved in actuating the system is provided on Recorder Panel 4 (Status Panel).
This mimic displays the actuation of all RWST level transmitter bistables and their combination into a 2/4 logic, the initiation of SI, and the
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION combination of SI and RWST level inputs which actuate switchover.
This display conforms to the methodology used in providing the SSPS logic mimics which already exist on RP4.
As part of the display, valve position indication is provided so the control room operator may adequately determine that semiautomatic switchover has occurred.
The valve position indications provided are:
21SJ44 OPEN 22SJ44 OPEN 21RH4 CLOSED 22RH4 CLOSED 21CC16 OPEN 22CC16 OPEN 21SJ113 OPEN 22SJ113 OPEN A sketch of this display is presented in the attached Figure 1.
Information concerning control console indications is contained in Section I.D.4
- D.
System Operation NP8512/06 5
- 1.
The semiautomatic switchover system uses 4 independent and separated RWST level transmitter bistable low-level signals which combine into two redundant 2/4 low-level signals.
Those signals are then combined with SI signals to actuate the semiautomatic switchover system.
The functions of the various components are depicted in Figure 2.
The system automatically performs the functions listed in Section I.B.
The purpose is to automatically open the RHR pumps' sump suction valves and upon achieving that goal, close the RHR to.RWST isolation valves.
This action provides an uninterrupted flow from the RHR pumps to the core under postulated LOCA conditions.
Additional functions of the system are to automatically provide component cooling water to the RHX's in
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION NP8512/06 6 order to facilitate reactor cooldown.
Also the crossconnect valves between the SI and CHG pumps' suctions are automatically opened by the system to further aid in shortening the time required to switch from injection to recirculation, thus adding to the margin of safety required for the ECCS pumps' suctions.
The final steps of the switchover procedure are manual.
One in particular is the opening of the RHR pump discharge to SI and CHG pumps' suctions (21SJ45) and 22SJ45).
The operator is left with this action so that before the valves are opened, verification of adequate supply to the SI and CHG pumps may be ascertained.
The system is designed to protect the RHR pumps from a loss of suction.
- 2.
As described in Attachment B, automation of the switchover functions beyond the extent already provided would subject the ECCS to untolerable single failures and cause problems with the testing required to be performed on this system.
In addition, vital power train separation criteria would be jeopardized *
- 3.
An SI signal is required to ensure that the system actuates only under concurrent SI and RWST low-level conditions.
The input of the SI signal into the logic scheme of the system is via a latching relay.
A latching relay is used because the SI signal will be reset by the operator prior to switchover, and if no mechanism is provided to retain the signal, the semiautomatic switchover system will never actuate.
The latching relay is designed to reset upon reset of the semiautomatic switchover system only.
Figure 2 depicts the functions of the latching relays.
- 4.
In addition to semiautomatic switchover inputs and displays on RP4, the four RWST level transmitters provide analog level indication on the control console.
Two of the four RWST level transmitters provide alarms on the control console.
The indicators and alarms are grouped together to provide a concise display to the operator.
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION The redundant alarms provided are:
- a.
RWST Hi-Level.
- b.
RWST Lo-Level.
- c.
RWST Lo-Lo Level.
Since semiautomatic switchover provides ample indication and annunciation of RWST low-level, and the volume of water required for switchover is greatly reduced, the tank level setpoints have beeri modified.
The Lo-Level Backup Alarm is no longer required.
In addition, the Lo-Lo Level alarm setpoint been raised to ensure an adequate margin of volume when instrument error is considered.
new Lo-Lo Level alarm setpoint is at 31,700 gallons (measured from tank bottom) or 1.24 (measured from instrument taps).
The new setpoints are shown on Figure 3.
has tank
~e ft.
E.
An additional Licensing requirement has been imposed upon the ECCS by the NRC Staff.
This is in the form of check valves in the RHR pumps' suction lines.
(Figure 4).
A check valve is installed in each RHR pump suction line between the pump suction and associated RH4 valve.
These are required in the event one SJ44 valve fails to open.
If this occurs and no check valves are provided, both RHR pumps will attempt to draw suction from the same sump suction line while the RH4 valves are still open.
This could result in starvation of both RHR pumps.
F.
Originally, it was desirable to install check valves in each sump suction line.
In the event one or both SJ44 valves are inadvertently opened, the check valves would have prevented the RWST from draining into the containment sump.
However, it was determined that the installation of the valves would adversely impact RHR pump Net Positive Suction Head (NPSH) from the containment sump.
Therefore they have not been installed.
NP8512/06 7
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION II.
PRESENT SYSTEM CONFIGURATION The present configuration of the system has power for the containment sump suction valves (SJ44's) turned off at their respective motor control centers (MCC's).
This action has been required due to the delay in receiving approval for LCR 82-16.
LCR 82-16 proposes to remove the power lockout Technical Specification (TS) requirement for the above noted valves.
In order to be in TS compliance for power operation, power for the valves must be removed.
The MCC's are the only location where the requirement can be met.
The aforementioned results in disabling a portion of the semiautomatic recirculation system (SJ44 opening and subsequent RH4 closure).
This situation leaves Salem Unit 2 in the condition whereby upon receipt of a Safety Injection signal an operator must be dispatched to the MCC's to restore power to the SJ44 valves.
Section 3.11 of Procedure EOP-TRlP-1, "Reactor Trip or Safety Injection", (Attachment C) calls out the requirement for an operator to be dispatched to the appropriate MCC's in order to restore power to the valves.
The power restoration will then allow semiautomatic recirculation to function as designed.
If a LOCA is postulated, EOP-TRIP-1 directs the control room operator to Procedure EOP-LOCA-1, "Loss of Reactor Coolant", (Attachment D).
Within EOP-LOCA-1, Section 3.16 requires the operator to confirm RWST.Low-Level and subsequently transit to EOP-LOCA-3, "Transfer to Cold Leg Recirculation", (Attachment E).
Section 3.4 of EOP-LOCA-3 requires the control room operator to confirm adequate containment sump level.
If sump level is adequate, the operator continues through the procedure.
Subsection 3.9.3 of EOP-LOCA-3 instructs the operator to monitor RHR pump suction switchover.
In the unlikely event that either train of semiautomatic switchover fails, the COMMENTS/CONTINGENCY ACTION portion of Subsection 3.9.3 directs the operator to manually perform switchover for the affected equipment.
Subsections 3.9.4 and 3.9.5 of EOP-LOCA-3 direct the operator to check-open or open as appropriate 21CC16, 22CC16, 21SJ113 and 22SJ113.
Subsections 3.9.6 through 3.9.9 of EOP-LOCA-3 are the manual steps of the switchover procedure.
NP8512/06 8
III.
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION PROPOSED SYSTEM CONFIGURATION In order to facilitate the semiautomatic recirculation functions and to rely on direct indication of containment sump level as the controlling factor in shifting from injection to recirculation, it is proposed to restore power to the SJ44 valves during power operation and to require the valves to be maintained in the CLOSED rather than AUTO position.
This system operating configuration would eliminate the necessity to dispatch an operator to the SJ44 MCC's to restore power upon receipt of a Safety Injection Signal.
Consequently, Section 3.11 of EOP-TRIP-1 would be revised as indicated in Attachment F.
The revision requires the control room operator to verify that the SJ44 valves are disarmed (in CLOSED rather than AUTO).
With the proposed system configuration, the control room operator will place the SJ44 valves in AUTO upon coincidence of Safety Injection and containment sump level of at least 68% (Subsection 3.4 of EOP-LOCA-3).
This action will be specified in an additional step to be placed in EOP-LOCA-3.
The proposed revision is the addition of Subsection 3.4.1 to EOP-LOCA-3 and is included as Attachment G.
The above will assure that the RHR pumps will not be shifted to recirculation unless adequate NPSH is available.
Placing the SJ44 controls in the manual-closed position on the control console prevents RHR transfer to recirculation but does not disable the entire system.
Valves 21CC16, 22CC16, 21SJ113 and 22SJ113 will still be automatically manipulated by the system.
The proposed configuration eliminates the requirement of dispatching an operator to the MCC's and the possibility of premature SJ44 valve opening via either a valid RWST Low Level signal without adequate containment sump level or an invalid initiating signal due to a postulated logic failure.
However, an SJ44 valve could potentially open via other spurious electrical signals.
The issue of spurious electrical signals was part of the Salem Unit 1 licensing process and resulted in the installation of a lockout switches in both Salem control rooms.
To meet the functional requirements of semiautomatic switchover for Unit 2 the lockouts were removed.
Although the proposed system configuration has the potential for a spurious signal to open a containment sump suction valve, the possibility of such an event occurring is considered extremely remote.
NP8512/06 9
SEMIAUTOMATIC SWITCHOVER FROM INJECTION TO RECIRCULATION Therefore, it is concluded that the benefits of operating the system in the proposed mode far outweigh any potential risks.
NP8512/06 10
FIGURE.L STATUS PAN£L DI.SPLAY RECIRCULATION PHA5£.
R'WST 'WATER LlVEL LOY/ 2/41 I
IY> 'Il ill
{Y)
S'W. OVER SEQ.TRI?
.S 16,AJAL{~
I'll IT (Y) 5£/'1.tA urortA r.Ic.
REt:.J~~ ut.A -n:aN 21.S:S4"'1 2..2..SJ'44 21c.e 11:,
(.R)
(R)
~R) 211?11-4 URJ14
(~)
(<$~
2..2.CC.//J (R) z1.s.:r 113 u.s.:r 11.:j lR)
(.R~
.8ACK.L/t;J.ITS Y-YELLOW R.- Reb G;- <;R.e~
s R 0 LB 2f1 OPE.N 2.JCCJ6 LB LB I
I L8-RWST LEVEL BJ.STA8L£ S
-.5AF£TY IN.:I"£t!TIO.AI.Sl<i.NAL LlJ OPEN 2,l.CCI' s
OR CLOS£ Zi!RH4
. 72~:r7 37~,,,,s-nl?"n cr"'"' r ~""'a-""?tf' CJ"?-o.,,
r<=7 ~h' f*i?'/h" *~;r:ts 'lt'~3~ "f!!!(;'.f
- T:;Jn-'~<1'~;.:7Cf' S-"1' r:r~>Y? ~~og
- l'IY6"~
~Yl'iC'IT:/~/(11 S"
~
'? '"'F9 o o -e rl ~ !> c;( 11"'
..z-:F~ ~I' s7P9 oot.. '1£' Hi!f'Y7/?" o7
- t; I= 711'!? ~8bB
'.t.:I 0
- .t:lf?'I
<t'O/
- .£..T ~5 //
.f7PY7/ t-'/f P'
.. '70j\\ '(>'/ft'
..,6"~009' ~6 M::r'.J.'?;..L-n?' '?fO.:{
- ?;; Y71t;)./1"
. 7011 'rY'lh' 7/1' ~ 000 'E-61
'S7f?/~OOl'c!
- >?p-!;/ 001 '71
- 'S7l"°Foo.:;- /rt;;:--:-(Yth' *;:;~d s
- 11"'""'3~I
- S7?'_900°Y'?t.T' H'tIY7Y"-l'lf
b&*~.__ ______________________________________ _
~07~~;1-0
'S"'..J.fY/Qc.L.as;- N;N
- ¥tY~.75-Y~O_L.s ;
- t.7J-fr'(1
~/7'7t?.:r'3Zf E'
~<1n!;0'
)
RWST I:
II' CONTAINMENT SUMP Ill' 12' Ill' II' 2Sl2
- u.
r 14' CONT. SPRAY PUMPS fl'
- o.
CHARGING 2
SAFETY IN.I.
PUMPS o.
21 li.
ECCS COMPOSITE II' N0.2 BORON fl'
- INJ, TANK c! -*
~
I I
~-------------------*
c-i l211<1!
II' I
REFERENCE DRAWINGS:
111.Z l.l<ll 11£111UL !£Al 11£1fJYll. ________ 211Jll+9JOl 111.Z lMT 5'fffi lllJECTl!ll----------ll5Dl->1*810l 111.Z lMT lllfl~IKNT 51!1AI *---------~8763 ZISJIS ZISJl1 ZSJ151 ZZlllO ZZSJl44
~llMl ZISJHl 241.J~
TO llLZl a>.JIUG TOllLI<
co.om
ATTACHMENT A SALEM GENERATING STATION UNIT NO. 2 SAFETY EVALUATION REPORT SUPPLEMENT NO. 4 PAGES 6-9,, 6-10
,I
.. i Containment Sump Design The su11111 screen design in the Salem Unit 2 containment sump incorporates vortex suppression techniques found to be effective in other pressurized water reactor designs.
Because of the above consideration, there is reasonable assurance that, in the event of a loss-of-coolant accident, the Salem Unit"2 emergency core cooling system (i.e., residual heat removal system) pumps will function in the recirculation mode without damage due to air entrainment or vortices.
However, we require that the applicants perform model tests to verify the adequacy of the Salem Unit 2 sump design.
These confirmatory results, along with a descrip-tion of any sump modifications resulting from the tests, must be submitted prior to startup following the first refueling outage. -In response to our request, the applicants have committed to such testing and have provided their proposed test program.
We have reviewed the applicants' proposed test program and find that additional infbrmation is also needed for us to accept it. Specifically, we require the applicants to address the following areas:
(1) a statement of the tests' objective to confirm the current design or to correct it, (2) identify the model scale, and (3) provide more definition of the range of test parameters and conditions (i.e.,
the test matrix).
We will require that the above information be provided within 90 days after issuance of a low power license.
2>
...... ~s*witchover From Injection Mode to Recirculation Mode In Section 7.3.6 of Supplement No. 1 to the *safety Evaluation Report, we concluded that the_ manual switchover procedure provided for the Salem plant, for changeover from the injection mode to the recirculation mode, was acceptable.
Subsequent to the issuance of Supplement No. 3 to the Safety Evaluation Report, we have reconsidered this matter and have established a requirement for Salem Unit 2 to provide an engineered safety feature design for automatic switchover from the injection mode to the recirculation mode.
We have also rereviewed the manual switchover procedure and conclude that the procedure continues to be acceptable for full power operation, until the automatic switchover feature is installed.
The bases for this.acceptance for the duration of* the interim period are (l) a review of the applicants' analysis shows that th~re is.time available for operator response in the manual mode and (2) the reduced likelihood of a loss-of-coolant accident during this time period
- 6-9
.. --------.....,,--- """**-**-------,-,--.. ~---..........
We have informed the applicants of the above reconsideration and will require that, within 90 days after issuance of a low power license, the applicants submit the proposed conceptual design for automatic switchover, identifying each change, and a schedule for implementation.
6-10
.. :C:Z:Xk. ::~
-<1¥ f
ATTACHMENT B PSE&G LETTER TO NRC JULY 17~ 1980
- __ J- ---
--~ ----,
~ P80 69 15/1 CONCEPTUAL DESIGN ECCS SWITCHOVER MODIFICATIONS NO. 2 UNI'r SALEM NUCLEAR GENERATING STATION
- A.
Salem Unit 2 ECCS Switchover Evaluation Summary A comprehensive review has been performed of the Salem Unit 2 ECCS switchoyer design and procedures with the objective of identifying modifications, if appropriate, to optimize the reliability of achieving a stable long-term recirculation mode of post-LOCA operation.
This review focused on those asp~cts of the ECCS design and procedures that must be accomplished in a timely fashion following receipt of the refueling water storage tank (RWST) low level alarm in order to ensure continued ECCS pump flow to the reactor coolant system while protecting the ECCS pumps from damage as their suction source is being transferred from the RWST to the containment sump.
This review was limited to that portion of switchover that is important in ensuring that all ECCS pumps are protected against loss of suction source.
This evaluation addressed the many interdependencies that affect the switchover aspect of the ECCS design.
- Included in this optimization evaluation were the fol-lowing requirements and guidelines.
a)
.NRC requirements that accompanied the request
- b)
Guidelines for RWST sizing as related to optimizing the effectiveness of the RWST transfer allowance.
c)
Guidelines for operator action.
d)
Guidelines for accident identification and mitigation.
Based on the above, the several switchover steps that are important to protecting the ECCS pumps from loss of.
suction source were evaluated to identify the advantages and disadvantages of automation.
This evaluation, indi-cated that four steps can be automated in order to init-iate switchover ~nd to reduce the number of operator ac-tions required to complete switchover.
Such automation can be initiated with energize to actuate logic consist-ing of two.out of four RWST low level signals concurrent with safety injection signal.
To support this level of automation and. to optimize the automation benefits, it is necessary to add check valves in each of the RHR pump suction lines frorn the RWST and M PBO 69 15/3
~.
- the containment sump.
This level of automation permits the systems to perform their function despite any single postulated instrument or control syst~m single failure.
No single failure will a) prevent automatic initiation of switchover or b) prematurely initiate switchover ac-tions that affect both trains in an unacceptable man-ner.
Automating beyond this extent makes the switchover design sus~eptible to unacceptable single failures that may reduce ECCS flow to the reactor coolant system below minimum requirements.
Reviewing the steps that cannot be automated, it was de-termined that they are few in number and can be struc-tured in a procedure that can be imple~ented based only on operator verifica.tior1 i:l1at switchover to recircula-tion is required (i.e. RWST level is low and sump level is adequate to* support residual heat removal pump NPSH re~uirements). This switchover procedure can be struc-tured to minimize and emphasize the operator actions that must be performed to protect all ECCS pumps from loss of suction source.
The procedure can further be performed independent of prior ECCS single failure or can tolerate an operator etror sinyle *Edilu~8 which re-sults in a) the failure to perform one step, or b) the performance of one step out of sequen~e.
This switchover automation evaluation indicated that a semiautomatic switchover consisting of automatic initia-tion and manual completion combined the advantages of automation with the advantages of an unambiguous proce-dure wherein operator actions are rnini1ni2et1.
'l'he design 1n.01iifications required to implement this semiautomatic switc~over design are described in Paragraph B.
To ver-ify that this combination of automatic and manual ac-tions constituted an optimized design, the proposed de-sign was evaluated relative tn-existing guidelines for RWST sizing, operator action, and accident indentifica-tion and mitigation procedures.
A summary of this eval-uation follows.
The Salem Unit 2 RW.ST design inG:)rporates level set-points (1) which provide approximately 214,000 gallons for injection phase operatic~.
Asuming all ECCS pumps operate at maximum runout(2) during the injection phase, total naximum.RWST outflow is approximately 15,000 gpm.
Assuming that all ECCS pumps operate at ~aximum runout from the initiation of th~ L'.1C.\\, the earliest time after
~ P80 69 15/4
- LOCA initiation that switchover will be automatically initiated is approximately 14.3 minutes.
This early switchover initiation requires rapid depressurization of the reactor coolant system to low pressures (i.e. ap-proximately 0 psig) in order to permit the ECCS pumps to operate at runout conditions from LOCA initiation.
Such a rapid depressurization would be characteristic of the hypothetical double ended large LOCA.
For smaller post-ulated LOCAs, the depressurization transient is not as rapid and ECCS pump flow during the depressurization transient is less than 15,000 gpm.
The effect of this reduced ECCS flow during the depressurization transient results in a longer injection phase.
This effect is demonstrated for small LOCAs < 6 inch in diameter which exhibit depressurization transients that stabilize above approximately ~00 psig, assuming all ECCS pumps operat-ing.
Throughout such depressurization transients, the RHR pumps will not deliver flow to the reactor cool~nt
'system.
Assuming that the remaining ECCS pumps (i.e.
charging and safety injection pumps) and the containment spray pumps operate at maximum runout during. the injec-tion phase, total RWST outflow is approximately 7000 gpm. *Based on this RWST outflow, switchover will be automatically initiated at approximately 30.5 minutes after LOCA initiation.
This time is conservatively short since the charging and safety injection pumps will not operate at runout for this category of LOCA *and the containment sptay pumps will not automatically start simultaneous with LOCA initiation.
The Salem Unit 2 RWST design incorporates level set-*
points which provide approximately 129,300 gallons for the transfer allowance.
The effectiveness of this al-lowance in providing time for the operator to perform any necessary switchover manual actions is also depend-ent on the size of the LOCA and the RWST outflow during switchov~r.
The minimum time available for switchover operations can be conservatively enveloped by comparing the maximum RWST injection phase outflow of 15,000 gpm with the RWST transfer allowance of 129,300 gallons.
This comparison indicates that a minimum time of approx-imately 8.5 minutes is available for the operator to perform the necessary switchover manual actions to en-sure a continued suction source to'the charging and saf~ty injection pumps.
This time includes conser~~tism since the switchover automatic actions of opening the containment sump isolation valve and closing the RWST M P80 69 15/5
- 1
- isolation valves function to automatically reduce RWST outflow to approximately 7000 gpm during the entire switchover period since the RHR pumps will not be deliv-ering flow to the reactor coolant system.
The plant emergency instructions are structured to identify the type of accident and t6 direct the o~erator to the appropriate procedure to mitigate the identified accident.
For any accident that is.characterized by in-creasing containment* radiation, containment pressure or containment sump level, the operator is directed to the LOCA procedure.
The LOCA procedure includes cautions to the operator to prepare for switchover from injection to recirculation.
For any LOCA that is characterized by a rapid depressurization to low reactor coolant system pressures, the cautions include go-to steps to skip di-agnostic and verification.steps and prepare the operator for a timely switchover to recirculation.
In this way the emergency instructions are structured to prepare the operator to anticip*ate the RWST low level alarm and to perform any switchover manual actions in a timely fash-ion.
For the smaller more credible LOCAs (i~e. < 6 inches in diameter"), that are characterized by more gradual depressurization transient~, the operator.will have more tiin*~ to perfo.r111 the necessary diagnostic and verification steps required to identify this category of LOCA.
The proposed scmia~tom~tic switchover was evaluated rel-ative to the NRC requirements and determined to comply with these requirements.
B.
Switchover Modifications The saiem 2 design for manual switchover of the ECCS from the injection phase to the recirculation phase will
.be modified to minimize required operator actions by automatically initiating selected steps of the proce-dure.
The design of this automatic system involves the specific changes identified below which meet the NRC de-sign criteria shown in Attachment 1, except as.noted.
- 1.
RHR Pump Suction P~..Eh~~ from Containment Sump Each line from the containment sump to the suction of its respective RHR pump will be modified by in-stalling a check valve between the pump suction M P80 69 15/6
~*
- connection and the containment sump isolation valve (SJ44).
These check valves will be designed to Seismic Category 1 criteria and will be provided with a mechanism to determine the valve position by inspection at the valve location.
The purpose of these valves is to preclude draining the RWST into the sump if the sump isolation valves were to be opened inadvertently.
- 2.
RHR Pump Suction Piping from RWST Each RHR pump suction line from the RWST will be provided with a check valve rlownstream of the pump suction valve (RH4) and before the connection point of the sump suction piping.
These valves will be designed to Seismic Category 1 criteria and will be
. provided with a mechanism to determine valve posi-tion by inspection at the valve location.
The purpose of these valves is to preclude both 'RHR Pumps attempting to take suction from one sump line in the event of a failure of one sump isolation valve to open.
- 3.
Automatic Switchover Logic Four RWST level transmitters will be used to pro-vide input signals to the Solid-State Protection System (SSPS).
These signals, and the 2 out of 4 Low-Level logic, will be designed to the same criteria as the existing protection system function of safety injection ini tia ti on with the following exceptions:
- a.
The level bistables will be normally de-energized.
A low-level condition will
- result in energization of the bistables to provide inputs to the SSPS.
This is essentially identical to the design provided for initiation of containmnt spray.
b.* The switchover sequence signal may be reset in the Control Room at any time on a single train basis.
M P80 69 15/7
- c.
Manual initiation at the system level is not provided.
The remaining features of the system will meet the re-quirements of IEEE 279-1971.
4~
Sump Isolation Valves
. Prior licensing considerations required that the sump isolation valves (SJ44) be provided with:
- a.
Lockout of power to prevent spurious opening.
- b.
An interlock to prevent opening unless the RWST to RHR. pump sq ct ion valve ( RH4) *is closed.
To fac1litate automatic opening of the sump valve, the power lockout is to be removed and t~e opening interlock from RH4 will be bypassed upon receipt of a switchover
- sequence signal.
For. normal operating conditions, the in~erlock will remain functional to provide f6r test-ability of the automatic switchover sequence signal.
In addition to the design changes described above, simp-lified emergency operating procedures will be developed to further enhance the operator's ability to effectively deal with design basis accidents. is an updated version of the information presented at the meeting with the NRC staff on June 5, 1980
- M P80 69 15/8
ATTACHMENT 1 DESIGN CRITERIA ECCS SWITCHOVER MObIFICATIONS
- 1.
The minimum flow entering the reactor coolant syste~
during ~nd ~f ter the switchover shall be sufficient to remove fission product decay heat assuming any single active failure.
- 2.
The design of the controls and instrumentation Bhall permit manual operation of the ECC and containment spray systems from the control room at the component level both prior to and after the transfer to the recircula-tion mode has beeh accomplished.
- 3.
The. switch:)ve.r of the ECCS from the injection to the re-cirulation mode of operation shall be automated to the maximum feasible extent, such that required operator ac-tions are minimized, and uninterrupted EC~S flow is pro-vided to the core.
- 4.
The systems must be able to perform their function de-spite any single postul~ted single failure of a fluid system.
No
~ingle failure shall:
- a.
Prevent aut6rnatic transfer to the recirculation mode of operation or
- b.
Cause inadvertent automatic transfer to the re-circulation mode of operation of both trains of the ECC or the containment ~ray systems.
5~
The design of the controls and *instrumentation shall*
meet IEEE Std. 279-1971.
- 6.
The ESF switchovec system shall use seismically quali-fied components and the switchover shall be to a seis-mically qualified water supply.
- 7.
To reduce the probability of the operator prematurely performing manual actions in the switchover procedure, the procedures shall include provisions for the verif ic-ation of the water storage tank level prior to beginning.
the manual switchover actions.
M P80 69 15/9 i ! !
I
- I
ATTACHMENT 2 Switchover Automation Evaluation Switchover Modifications Switchover Sequence Logic Switchover Procedure Switchover Features Switchover Failure Mode Effects Analysis M P80 69 15/10
SW I TCHOVEl~--*M~T I ON EVALUATION Action Auto Open 21 SJ44, 22SJ44 Auto Close 21RH4, 22RH4 Auto Open 21 CCI 6, 22CCI 6 Auto Open 21SJll3, 22SJll3 Auto Close 21RH19, 22RHl9 Auto Close 2SJ 67, 2SJ 68 Auto Open*
21SJ45, 22SJ45 NOTES:
< I l Advantages o
Provides sump suctlon/NPSH tor RHR pumps without operator action.
o Minimizes R~ST outflow follow Ing sump valve opening without operator action.
o Provides component corillng water ~o RHR Hx without operator action.
No operator decision/verification required.
o Opens SI/CHG pump suction crossover header without operator action.
No operator decision/verification required.
o Closes RHR discharge crossconnect valves without operator action.
o Isolates SI mlnlflow without operator action.
o Provides suctlon/NPSH for SI and CHG pumps from RHR pump discharge without operator action.
(fl All automatic steps have advantage of reducing oper~tor actions.
Disadvantages o
Failure of one*. sump valve to open on demand could damage both RHR pumps. (2) o Spurious (earlyl opening could damage one RHR pump.
0 Opening could permit ootentlal backflow from RW~T to sump.
3J o
Spurious (early> sequential automatic closure before adequate water exists In sump coufd damage one RHR pump~
o None:
o None o
Spurious (early> sequential automatic closure -reduf~Y ECCS below minimum safeguards.
o Spurious Cearlyl sequential automatlf 5l c I osure cou Id damage both SI pumps.
. o Closure of valves RH19 and SJ67, 68 are required to be completed prior to opening valves SJ45.
l2l Unacceptable Sing le Fal lure -
Failure to open on demand could per~lt two RHR pumps to draw suction from one sump llne.
Resolution requires addition of a 14 Inch check valve In each RWST llne.
(3)
Affects RWST Sizing <Transfer Allowance) -
Requires (al modification to RWST sizing basis, Cbl' addition of 14 Inch check valve In each sump line,. or (cl auto closure of RWST suction.MOV.
Modifications bl and cl wlll prevent and minimize, respectively, potential backflow to the sump when the sump MOV opens.
l4l Unacceptable Single Failure -
Spurious sequential closure results In damage to one RHR pu.mp and.reduces ECCS flow below minimum safeguards.
Resolution requites additional logic/permissive to prevent spurious sequential automatic closure.
(5)
Unacceptable Single Failure -
Spurious s*equentlal closure results In damage to two SI pumps, reducing ECCS flow below minimum safeguards.
Resolution requires modification to locate two MOVs In each SI pump mlnlflow line Cone on train A and one.on train B to ensure Isolation for reclrculatlonl.
Also requires additional logic/permissive to prevent spurious sequential closing of a valve,(e.g., tral,n A valves>
1.n each SI pump mlnlflow.
M P 80 69 I 5 I 1 I I 2
SWITCHOVER MODIFICATIONS Design Modification~
- o-Add sump check valves (verify adequate NPSH).
o Add RWST check valves (verify adequate NPSH).
- o Automate switchover actions (See Switchover Logic).
o Open SJ44 (on RWST "S" signal) 0 Close RH4 (on valves 0
Open CC16 (on RWST.
signal).
0 Open SJ113 (on RWST signal);
o Maintain manual actions o
Close SJ67, 68 o
Close RH19 o
Open SJ45 low level and concurrent SJ44 full open signal).
low level and concurrent
- low level and concurrent o *.Implement simplified switchover procedure o
See Switchover Procedure M P80 69 15/13 "S"
"S"
.\\ _____.. ------
[]
I
~
(~
SN O\\ J.. ::>y
'"°;'v' 0 NVW s('fo' l.Jv
.,, l. 'l;1 1,,--Jo J.('Y
~--
~/{.rs:
~;1c1t.."j "61/10' 3Sir7?
\\___ 7,.J JJ.S
,/:J}):S' L:;~s 3-;01)
~)
t:;]
. l __
y I" '"" ;:;:- 1=s
~
\\
~:-.==i t _ ____,
- SWITCHOVER PROCEDURE No operator action is required prior to.10 minutes after the accident.
Prior to the receipt of the RWST low level alarm, the operator is to:
CAUTIONS Verify that all safeguard pumps are operating and are delivering flow to the RCS cold legs.
(If the SI and RHR pumps are not delivering flow to the RCS, due to the fact that the RCS pressure is
- higher than pump discharge pressure, shut off the applicable pumps. )
Monitor RWST and containment sump level in anticipation of switchover initiation.
The manual switchover steps listed below are to be performed in an orderly and timely ~anner and in the proper sequence.
These operator actions are not to be interrupted until all of the steps in the ta.ble are c.ompleted.
If the RWST low-low level alarm is received at any time prior to completion of Step 3, immediately stop any pumps still taking suction from the RWST, theh complete ~he switchover and restart any. pump which was stopped.
SWITCHOVER STEPS Upon receipt of the RWST low level signal, the ope~ator is to immediately verify RWST low level and containment sump minimum level and to perform the following actions.
Step l Step 2 Step 3 Restore power to and close the safety injection pump miniflow valves (SJ67, 68).
Close the two valves in the crossover line*
downstream of the RHR heat e~changers (RH19).
Open each valve from each RHR pump discharge line to the safety injec*tion pump suction and to the charging pump suction (SJ45).
M P80 69 15/14
Step 4 Step 5 Step 6 Step 7 SWITCHOVER PROCEDURE (Cont'd)
All ECCS pumps are _now aligned with suction flow from the containment sump.
Verify proper position of automatically operated valves.
a)
SJ44 SJ113 CC16 b)
. RH4 Open Open Open
-Close Complete the following manual actions to.provide redundant isolation of the RWST from the recirculation fluid.
Restore power to and close the valve in the common line from the RWST to both RHR pumps (SJ69).
Close the two parallel valves in the line fiom the RWST to the charging pump suction (SJl, SJ2").
Restore power to and close the valve in the common line from the RWST to both safety injection pumps
( SJ3 0 )".
M P80 69 15/15
. ~.
SWITCHOVER FEATURES o
Flow is uninterrupted from all ECCS pumps.during switchover.
o The automatic actions can tolerate any postulated instrumentation and control or mechanical single failure without (a) preventing automatic tran~fer to recirculation, or (b) causirig inadvertent (spurious) automatic transfer to recirculation.
o The complexity of the automatic actuation logic and interlocks is mini~ized.
o The manual actions can tolerate any postulated single failure without preventing transfer to recirculation.
This includes an operator error single failure which results in (a) the failure to perform one step, or (b) the performance of one step out of sequence.
o The operator manual actions are minimized.
o The manual switchover steps can be performed independent of single failure.
Upon verification that switchover is required (i.e., RWST low-low level and minimum sump level), the switchover can be completed without any additional operator decision/verification.
M P80 69 15/16
I. Motor-operated gate valve 21SJ44 (22SJ44 analogous)
M POO 71 07/1 fa( lure Mode al Fal Is to open on demand.
bl Opens on spuri-ous demand.
ECCS SWITCHOVER FAILURE M.ECTS ANALYSIS ECCS Function Reclrculatlon -
sump Isolation.
Ef feet on System Operdtlon al Fa 11 ure reduces redundancy of pro-v Id i ng fluid from the containment sump to the RCS during recircula-tion.
RHR pump 21
<pump 22l wlll not provide reclrcula-tlon flow.
Minimum LHSI flow require-ments w 111 be met through open Ing of Isolation valve 22SJ44 and reclrcu-latlon of fluld by Rlfl pump 22 <pump 21 )
- bl Fal lure prematurely a 11 gns RI-fl pump 21 (pump 22> to the containment sump.
Minimum LHSI reclr-cu I at Ion f I ow re-qu I rements wll I be met through proper opening of Isola-tion valve 22SJ44 and reclrculatlon of t I u Id by Rl-R pump 22 (pump 21).
Fa I lure Detection Method*
Valve position Indi-cation at MCB.
Valve open position non I tor 11 ght and alarm for group mon I tor I ng of can-po nent s at MCB.
Remarks Vol ve Is automatl-cal ly actuated to open by an S signal In coincidence with hlo out of four "low-low*
level" RWST signal.
- 2. Motor-operated gate va Ive 21HH4 M POO 71 07/2
- fal lure Mode al Fal Is to close demand.
bl Closes sequen-tially on spuri-ous demand.
ECCS SWITCHOVER FAILU ECCS Function Reclrculatlon - RWST Isolation*
E EFFECTS ANALYSIS E f feet on System Operation al Failure reduces redundancy' of pro-vldl ng flow lsola-latlon of contain-ment sump fran RWST.
No et feet on safety for system
- operation.
~WST check Isolation valve provides back-up lsolatlon.
b) Failure prematurely Isolates RHR pump 21 (pump 22) from the RWST.
Minimum L~SI reclrculatlon flow requirements w 11 I be met through proper c I os Ing of lsolatlon valve 22RH4 and reclrcu-latlon of fluld' by RHR pump 22 (pump 21 ), _
Fal lure Detect I on Method*
Valve position Indi-cation at MCB.
Valve close position roon I tor I I ght and
- alarm for group roonltorlng of can-ponents at MCB.
Remarks Valve Is automatl-cal ly actuated to close by a ful I open signal from su~ Iso-lation valve 21SJ44.
Component
- 3. Motor-operated gate valve 21SJl13 M PBO 71 07/3 Fal lure Modo al Fal Is to open on demand.
bl Opens on spuri-ous. demand.
ECCS SWITCHOVER F~
EFFECTS ANALYSIS, ECCS Function Reclrculatlon - CHG and SI pumps suction cross connect Isola-tion.
E f feet on Sy stem Op_e_: at I on al Failure reduces redundancy of pro-vi d Ing ~luld f'ow through cross-tie between suet I.on of
- cHG pumps and 5 pumps.
No effect on safety for:
system operation.
Alternate Isolation valve 22SJl13 opens to provide back~up flow path throiJgh cross-tie 11 ne.
bl Failure prematurely opens the crosscon-nect between the CHG puinp and SI pump suction.
No*
ef feet on safety for system operation.
NPSh fran RWST to CHG and SI. pumps ls not affected.
Fal lure Detect I on Method*
Sane method of detection as those stated for. ltan 1.
Remarks Valve ls automatl-cal ly actuated to open by an S slgnal In coincidence with two out of four "I ow-I ow level" RWST signal.
Component
- 4.
Motor-operated gate va Ive 2'1 CCI 6 M POO 71 07/4 Fal lure Mode al Fal Is to open on demand.
bl Falls open on spurious demand.
ECCS SWITCHOVER FAILUR
Effect on System Operation al Fallure reduces redundancy of *pro-v Id l ng fluid flow for coo I I ng of RHR Hx 21 (Hx 22) dur-1 ng recirculation.
No effect on safety for system opera-t Ion. Alternate Isolation valve 22CC16 opens to provide cool Ing to redundant RHR Hx 21 (Hx 22).
bl Fal lure premature! y provides cooling flow to RHR Hx 21
<Hx 22).
No ef feet on safety for system.
Fal lure Detection Method*
Same meth6d of detection as those stated for Item I.
Remarks Valve ls automatl-ca I I y actuated to open by an S signal In coincidence with two out of four "I ow-I ow level" RWST sl gnal.
- 5.
Motor-operated gate valve.21RHl9
- 6.
Motor-operated glove valve SJ67.
M POO 71 07/5 Fal lure Mode Fal°ls to close on on demand.
Fal Is to close on demand.
.CCS
~HOVl
.ILUl~_AN,
.S ECCS Function Reclrculatlon -
RHR pumps discharge crossconnect lsola-t Ion.
Recirculatlon -
SI pump mlnlf low Isola-tion.
E f feet on System Operation Fal lure reduces re-dundancy of provld-1 ng RHR pump tra In separ at I on for rec Ir-cu I at I on of fluld.to cold legs of RCS.
No e f fc~c t on safety. for system operation.
Alternate lsllatlon valve 22RHl9 provld9s back-up Isolation for Rm pump tra In separation.
Fa I I ure reduces re-dundancy of providing Isolation of SI pump mlnltlow to the RWST.
No effect on safety for system operation.
Alternate Isolation valve SJ68 In mini flow llne provides back-up Isolation.
Fa I lure Detection Method*
Same method of oo-tect Ion as those stated for Item 2.
Same method of de-tect Ion as those stated for Item 2.
Remarks Valve.Is not automatl-cal ly actuated to clos*i*
I l Valve Is not auto-matlca I ly actuated to close.
- 2) Valve Is electri-cally Interlocked with I so lat Ion valve 21SS45 and may not be remote-1 y opened unless these valves are closed.
Component
- 7.
Motor-operated glove valve 21SJ45
- 8.
Motor-operated gate valve 22SJ45 Fal lure Mode
- Fa 11 s to open on demand.
Fal Is to open on demand.
EGGS Function Reclrculatlon -
Crossover from RhR 21 d I scharge to S 1 punµ s11ctlon.
Reclrcu lat Ion -
Crossover from RHR pump 22 discharge to CHG pump suction.
E f feet on System Operation
.'SIS Failure reduces r&-
dundancy of providing t-PSH to suet I 011 *.>f S 1 pumps from RI-fl pumps.
No effect of safety for system operat Ion.
Minimum NPSH to SI pump suction wlll be met by flow from RHR pump 22 via cross tie I I ne and open I ng of Isolation valve 21SJ113 or 22SJI 13 and*
Isolation v;1lve 22SJ4 5.
Fa I I ure reduces re-dundancy of prov I ding NPSH to suction of Cl-G pumps.
No effect of safety for system operation. Minimum NPSH to a-t puflll Sl!C-t I on wl 11 be met by f I ow from RI-fl puflll v I a cross-tie llne and opening of Isolation valve 211SJl13 or 22SJ113 and Isolation valve 21SJ45.
Fa I lure Detection Method*
Sane methods of de-tect Ion as. those stated for I tan 1.
Same methods of de-tect I on as those stated for I tern 1 *
- As part of plant operation, periodic tests, survell lance Inspections, and Instrument callbratlons are made to monitor equipment and performance.
Fal lures may be d1~tected during such roonltorlng of equipment In addition to detection.methods noted.
M POO 71 07/6 Remarks 1l Valve Is not a.ito-matlcal ly actuated to open.
- 2) Valve Is electri-cally Interlocked and cannot be remotely opened unless valve SJ68 Is closed and valve RHI or RH2 Is closed.
- 1) Valve Is not auto-matlcal ly actuated to open.
- 2) Valve Is electrl-ca I y I nter I ocked and cannot be remote I y openEid unless valve SJ68 Is closed and valve RHl or RH2 Is closed.
ATTACHMENT C EDP-TR I P-1 "REACTOR TRIP OR SAFETY INJECTION" SALEM UNIT 2