ML18100A323
| Person / Time | |
|---|---|
| Site: | Salem |
| Issue date: | 04/16/1993 |
| From: | Hagan J Public Service Enterprise Group |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| LCR-93-08, LCR-93-8, NLR-N93042, NUDOCS 9304230160 | |
PSE&G
Public Service Electric and Gas Company
P.O. Box 236, Hancocks Bridge, New Jersey 08038
Nuclear Department
APR 16 1993
NLR-N93042
LCR 93-08
United States Nuclear Regulatory Commission
Document Control Desk
Washington, DC 20555
Gentlemen:
REQUEST FOR LICENSE AMENDMENT
CONTROL AIR SYSTEM CONTAINMENT ISOLATION VALVES
SALEM GENERATING STATION, UNIT NOS. 1 AND 2
DOCKET NOS. 50-272 AND 50-311
In accordance with 10CFR50.90, PSE&G hereby requests approval of a containment isolation valve failure position which differs from that described in the Salem Generating Station Updated Final Safety Analysis Report (UFSAR).
The proposed change would add an exception to a general statement in the UFSAR, which states that automatic containment isolation valves that receive signals to close, fail closed on loss of air or power.
The proposed exception would apply to the outside containment isolation valves for the control air system, which fail as-is upon loss of vital DC power.
Attachment 1 includes PSE&G's evaluation to demonstrate the change provides a level of safety consistent with General Design Criterion 56 of 10 CFR 50, Appendix A, and our basis for determining there is No Significant Hazards Consideration.
Attachment 2 contains proposed revisions to the affected UFSAR pages.
Affidavit
Attachments (2)
9304230160 930416 PDR ADOCK 05000272 P PDR
Document Control Desk
NLR-N93042
APR 16 1993
C
Mr. J. C. Stone, Licensing Project Manager
Mr. T. Johnson, Senior Resident Inspector
Mr. T. Martin, Administrator, Region I
Mr. K. Tosch, Chief, Bureau of Nuclear Engineering, Department of Environmental Protection, CN 415, Trenton, New Jersey 08625
STATE OF NEW JERSEY )
) SS.
COUNTY OF SALEM )
REF: NLR-N93042
Joseph J. Hagan, being duly sworn according to law deposes and says:
I am Vice President - Nuclear Operations of Public Service Electric and Gas Company, and as such, I find the matters set forth in our letter, NLR-N93042, concerning the Salem Generating Station, Unit Nos. 1 and 2, are true to the best of my knowledge, information and belief.
My Commission expires on
1993
SHERRY L. CAGLE
NOTARY PUBLIC OF NEW JERSEY
My Commission Expires March 5, 1997
NLR-N93042
ATTACHMENT 1
I. DESCRIPTION OF PROPOSED CHANGES
There are two control air system containment penetrations at each SGS Unit.
Each penetration uses an air operated, DC powered valve outside containment (CA330) and a check valve inside containment (CA360).
The CA330 valves fail closed on loss of air and fail-as-is on loss of DC power.
The following changes are proposed to reflect the failure mode of the CA330's.
Underlined text is being added, and overstruck text is being deleted.
1) Revise UFSAR Section 6.2.4.3 relative to containment isolation design:
"Instrumentation and adjunct control circuits associated with air operated automatic isolation valve closures are fail safe ~~(initiate closure)~~ upon loss of voltage and/or control air.
Such valves fail closed on loss of voltage, except for the outside containment isolation valves for the control air system (11, 12, 21 and 22CA330).
The CA330's fail closed on loss of air, but fail as-is on loss of vital DC power.
The control air system isolation valves inside containment (11, 12, 21 and 22CA360 check valves) prevent any single active failure from resulting in loss of the containment isolation function.
The air operated isolation valves are air to open, spring return, diaphragm operated; thus providing a fail-safe design."
2) Revise UFSAR Section 7.3.2.5 relative to the post-accident containment flooding analysis:
"~~Air-operated containment isolation valves were designed to close upon loss of power and are signalled to close prior to significant flooding.~~ Air-operated containment isolation valves required to close on an isolation signal are signalled to close prior to significant flooding and, except for 11, 12, 21 and 22CA330, close upon loss of power.
In general, the flooding could cause short circuits, thereby tripping the control circuit breaker open and assuring that the safety function is performed.
The CA330 valves are on the control air system supply headers, and fail-as-is on loss of vital DC power.
They are located outside containment, and are above the maximum calculated containment flooding elevation.
Motor-operated isolation valves also perform their function prior to flooding."
"The ~~fail-closed~~ circuitry design assures that loss of power ~~results in valve closure~~ would not result in loss of the containment isolation function."
II. REASON FOR THE PROPOSED CHANGES
PSE&G prepared a Design Change Package (DCP) to replace the CA330's solenoid valves with a similar component with a longer qualified life.
During review of the DCP, a discrepancy was identified between the as-built design and UFSAR Section 6.2.4.3.
The CA330's are air-to-open, spring-to-close gate valves.
Actuating air for each CA330 is controlled by a solenoid valve.
The CA330's solenoid valves are dual coil, which energize to open by pressurizing the diaphragm of the air operator, and energize to close by venting air from the operator.
These solenoids are generally used in applications where it is intended for the actuated component to fail-as-is upon loss of electrical power.
This design is in apparent conflict with current UFSAR Sections 6.2.4.3 and 7.3.2.5, as shown in Section I above.
In order to resolve this discrepancy, PSE&G is proposing to revise the UFSAR to reflect the fail-as-is on loss of voltage feature of the CA330 valves.
Other changes to Section 6.2.4.3 are included to clarify that the discussion of failure positions applies to air operated valves only.
PSE&G has concluded that the changes relative to the CA330 failure position cannot be performed under 10CFR50.59.
III. JUSTIFICATION FOR THE PROPOSED CHANGES
The affected paragraph in UFSAR Section 6.2.4.3 applies only to air operated valves, based on the description of the valves being "air to open, spring closed, diaphragm operated ..."
Therefore, the changes to clarify that the paragraph applies only to air operated valves are editorial.
Specific considerations for penetrations using Motor Operated Valves are described elsewhere in the UFSAR (e.g., Section 6.2.4.2).
Upon discovery of the CA330 failure position, Discrepancy Evaluation Forms (DEF's) were generated in accordance with PSE&G's engineering discrepancy control process.
Based on initial screening and prioritization of the DEF's, it was concluded the CA330's are operable per Technical Specifications, and that the discrepancies are not safety significant.
The CA330's are considered operable because they will perform their isolation function upon receipt of a Phase A isolation signal, unless there is a failure of safety related equipment required by Technical Specifications (i.e., loss of vital DC power, or failure of a CA330 valve).
If a 125 V DC bus train is inoperable, the affected CA330 is rendered inoperable.
Vital 125 V DC power has more restrictive Technical Specification action requirements than containment isolation valves (two hours vs. four hours).
Therefore, the fail-as-is design is enveloped by the present Technical Specifications.
Loss of power to a CA330 control circuit is alarmed in the control room on the Auxiliary Annunciator Typewriter.
CA360 check valves serve as inside containment isolation barriers.
Both the CA330's and the CA360's are "Type C" leak rate tested in accordance with 10CFR50, Appendix J.
Consequently, in any licensing basis scenario requiring containment isolation, an initiating event plus single active failure will not result in loss of the containment isolation function.
GDC 56 of 10CFR50, Appendix A states in part, "... upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety."
Evaluation of the discrepancy included a comparison of the actual fail-as-is design to the fail closed design described in the UFSAR, to determine the position of greater safety for the CA330's.
Based on our evaluation, which is summarized in the following discussion, the fail-as-is design provides a level of safety consistent with GDC 56.
Control Air System Design
The SGS control air system consists of two separate headers which are common to both Salem Units.
The headers are normally supplied by three station air compressors, which are backed up by two Emergency Control Air Compressors (ECAC's).
Upon Loss of Offsite Power (LOOP), loss of the station air compressors, or a low header pressure of 85 psig, the ECAC's will automatically start.
Although they are not in the Technical Specifications, administrative controls are in place to enhance the availability of the ECAC's.
These controls prevent planned maintenance on an ECAC if the other ECAC is unavailable, and require maintenance on ECAC's to be performed under a Priority A work order, which is the same priority used for Technical Specification equipment.
ECAC's are automatically sequenced onto the Emergency Diesel Generator (EDG) in the event of a LOOP or LOCA + LOOP.
Air distribution panels are provided for certain air operated equipment, including the CA330's.
These panels use diaphragm operated valves to align the supplied air operators with the higher pressure control air header, in the event one header's pressure decreases below the spring force of the diaphragm valve.
The control air system capacity and distribution panel arrangement are such that either control air header can provide sufficient air to all loads required for safe operation and shutdown of the Salem Units.
Fail-Closed Design
The fail-closed design would ensure performance of the CA330's containment isolation function in the event of loss of vital DC power.
Per the Technical Specifications, the only safety function for these valves is closure on a Phase A containment isolation signal.
Fail-As-Is Design
In the event of a Phase A signal coincident with loss of a DC bus or CA330 control circuit failure, one CA330 valve would remain open.
Assuming the ECAC supplying the header with the open CA330 starts as designed, control air system pressure would remain higher than the calculated peak accident pressure inside containment, preventing a challenge to the containment isolation valves.
A control air system load study shows the minimum header pressure would be 65 psig, vs. containment design pressure of 47 psig.
The contribution of control air to post-accident containment pressurization has been evaluated and determined to be negligible.
If the affected header loses pressure (e.g., if the ECAC fails to start), the CA360 valve would be relied upon to perform the containment isolation function.
The CA360 check valve is assumed to perform its function upon loss of 125 V DC power to a CA330 solenoid, consistent with application of the single failure criteria for licensing basis safety analyses.
The fail-as-is design has the advantage of increasing the availability of control air inside containment.
The pressurizer Power Operated Relief Valves (PORV's) are the only safety related components inside containment provided with air accumulators.
As provided in our letter dated April 28, 1992 (NLR-N92053), total loss of control air would result in certain valves failing in an undesirable position for orderly shutdown of the plant.
Table 1 lists such valves located inside containment.
Considering that none of the valves listed are provided with air accumulators, and the redundant CA330's are located in the same penetration area, the fail-as-is position is advantageous for assuring air supply to achieve an orderly shutdown of the units following a fire.
Fail Closed on Loss of Air Feature
Consistent with the present UFSAR statements, the CA330's are designed to fail closed upon loss of control air.
The air operators for the CA330 valves use redundantly supplied air distribution panels.
Based on the original configuration of the air panels, it was possible for the CA330 in a depressurized header to remain open, because its operator would be supplied with air from the redundant header.
Because it is advantageous to have the valve fail closed when the header is depressurized, PSE&G changed the distribution panels' valve lineup, to defeat the ability of the CA330's to receive control air from the opposite header.
Although it is not needed for containment isolation system operability, this change increases the reliability of the containment isolation function, without adversely affecting control air availability.
Containment Flooding Evaluation
UFSAR Section 7.3.2.5 describes the fail safe feature of containment isolation valves relative to the post-accident containment flooding analysis.
The fail as-is feature of the CA330's was reviewed relative to containment flooding.
The CA330's are located in the penetration area outside containment, above the maximum calculated flooding level.
The CA330 DC power circuit does not serve any components other than the CA330 solenoid.
No part of the circuit is inside containment.
Therefore, the fail-as-is design does not impact the containment flooding analysis.
PRA Considerations
SGS has a Level 1 (core damage frequency) and Level 2 (containment performance) Probabilistic Risk Assessment (PRA).
The fault trees for the PRA were reviewed relative to CA330 performance in plant accident sequences.
There are no PRA core damage or containment failure sequences, involving failure of a CA330, with a calculated frequency of greater than 1E-10/year.
The change in assumed failure mode from fail closed to fail-as-is does not result in any core damage or containment failure sequence, with a CA330 failure, exceeding 1E-10/year.
This suggests that regardless of the failure position of the CA330's on loss of power, there is an extremely low probability that CA330 performance will contribute to an accident sequence with significant adverse consequences.
Conclusion
The fail-as-is design of the CA330 valves on loss of voltage is as safe as the fail-closed design and is therefore consistent with the "position of greater safety" requirement of GDC 56, and the proposed change to the UFSAR is justified by the following:
Redundancy in containment isolation system design precludes the fail-as-is on loss of voltage design of the CA330's from resulting in loss of the containment isolation function following a Phase A isolation signal coincident with loss of DC power to a CA330.
The design meets single failure criteria.
Control Air system operation following a Phase A containment isolation signal is expected to prevent challenges to the inboard isolation valves in the event the CA330 fails open.
Valve lineup changes to the air distribution panel, though not needed for operability, increase containment isolation system reliability by ensuring a CA330 on a depressurized header will close.
The fail-as-is design increases the availability of a control air supply inside containment for an Appendix R fire.
PRA supports the conclusion that the failure position does not significantly impact any accident sequences.
IV. DETERMINATION OF NO SIGNIFICANT HAZARDS CONSIDERATION
The proposed change to UFSAR Sections 6.2.4.3 and 7.3.2.5 for Salem Unit Nos. 1 and 2:
(1) does not involve a significant increase in the probability or consequences of an accident previously evaluated.
The proposed change does not involve an increase in probability of any accident previously evaluated in the SAR.
UFSAR Section 6.2.4.1, "Design Basis for Containment Isolation System," discusses design features employed to ensure that subsequent to a postulated accident, there will be two barriers between the containment atmosphere and the outside atmosphere.
Performance of these barriers affects the ability of the containment isolation system to mitigate the consequences of a design basis accident.
The proposed change in failure position of the control air system containment isolation valves (CA330's) does not affect the initiation of any accident, but is a consideration for accident consequences, as discussed below.
The proposed change does not involve a significant increase in consequences of an accident previously evaluated.
The CA330's receive a Phase A containment isolation signal to close.
This function is not affected by the proposed change, unless there is a coincident failure of a vital DC power circuit to a CA330.
Because each control air system containment penetration also uses an inside containment check valve (CA360), a Phase A isolation condition plus single failure of the DC power circuit to a CA330 will not result in loss of the containment isolation function.
Each CA330 and CA360 valve is Type C leak tested in accordance with 10CFR50, Appendix J.
That is, leakage rates through the individual valves are measured to ensure their performance as isolation barriers is enveloped by the containment performance assumptions in the safety analyses.
Therefore, accidents previously evaluated in the SAR are not affected by the proposed change.
(2) does not create the possibility of a new or different kind of accident from any accident previously evaluated.
The proposed change involves the failure of a CA330 to close on a Phase A signal coincident with loss of a DC power train. Failure to close is considered in containment isolation system design via application of the single failure criteria, and is not a malfunction of a different type, nor does it introduce the potential for any new type of accident.
(3) does not involve a significant reduction in a margin of safety.
The proposed fail-as-is position of the CA330's does not involve any reduction in margin of safety.
Maintaining an open control air system flow path into containment following a Phase A isolation signal has been judged to have negligible impact on containment pressure.
The containment isolation function is ensured in any licensing basis accident plus single failure scenario.
Therefore, there is no impact on offsite radiological dose or any other safety limit.
Based on the above, PSE&G concludes that the changes proposed herein do not involve a Significant Hazards Consideration.
Table 1 Air Operated Safe Shutdown Valves Inside Containment

| Component | System | Description |
|---|---|---|
| 1CV77 | CVCS | Charging Line to 13 Cold Leg |
| 1CV4 | CVCS | Regenerative Heat Exchanger Discharge |
| 1CV2 and 1CV277 | CVCS | Regenerative Heat Exchanger Inlet |
| 1CV7 | CVCS | Letdown Heat Exchanger Inlet |
| 1CV75 | CVCS | Charging Line to Pressurizer Spray |
| 1CV132 | CVCS | Excess Letdown Outlet |
| 1CV79 | CVCS | Charging Line to 14 Cold Leg |
| 1CV278 and 1CV131 | CVCS | Excess Letdown Inlet |

Component designators are for Unit 1 equipment.
Identical components are used at Unit 2.
CVCS: Chemical and Volume Control System
NLR-N93042
ATTACHMENT 2
6.2.4.3 Design Evaluation
The following provisions apply to all lines penetrating the containment to prevent inadvertent opening of these lines to the atmosphere outside the containment:
1. Automatic isolation valves can be opened only upon cessation and manual reset of the actuating signal.
2. Automatic isolation valves are capable of manual actuation from the control room with the limitations for reopening of the valve noted in Item 1 (above).
3. Remote manual valves are operated only under administrative control.
4. Manual valves are operated under administrative control.
5. Check valves open only when the fluid pressure is higher on the side outside the containment.
6. The design pressure of all piping and connecting components within the isolation boundary is not less than the design pressure of the containment, 47 psig.
7. Automatic valves, once opened by a safety injection signal, can only be closed upon cessation and manual reset of the actuating signal.
For Items 1, 2, 3, and 4 (above), and for flanged closures, specific administrative procedures define the positioning of these closures in the Containment Isolation System during normal operation, shutdown, and accident conditions.
Instrumentation and adjunct control circuits associated with [air operated] automatic isolation valve closures are fail safe ~~(initiate closure)~~ upon loss of voltage and/or control air. [Insert 1]
The [air operated] isolation valves are air to open, spring return, diaphragm operated; thus providing a fail safe design.
6.2-62 SGS-UFSAR Revision 6 February 15, 1987
The automatic isolation valves inside the containment will function properly under all accident conditions.
The isolation valve closing force is provided by a spring; control air is applied to the diaphragm of the isolation valve to open it.
To close the isolation valve, an electrically operated solenoid valve located in the air supply line to the isolation valve operator vents the control air applied to the isolation valve diaphragm through the solenoid to the containment atmosphere, causing the spring to close the automatic isolation valve.
Since the spring side of the isolation valve diaphragm is also vented to the containment atmosphere, the spring will force the valve to close when the solenoid vents the air line.
Circuits which control redundant automatic valves are redundant in the sense that no single failure will preclude isolation.
Means are provided to periodically test the functioning of the automatic isolation equipment such as the set point of sensors, speed of response, and operability of fail safe features.
The containment isolation instrumentation is discussed in Section 7.
Valves used for containment isolation are capable of tight shutoff against gas leakage from containment design pressure down to zero psig.
Isolation valves and equipment are protected from missiles and water jets originating from the RCS.
Missile protection for isolation valves, actuators, and controls is provided by locating isolation valves between the polar crane wall and the containment wall or locating isolation valves outside the containment structure.
The pressure sensing devices which detect high containment pressure are located outside the containment.
Location of the pressure sensing devices outside the containment protects them from missiles developed by a LOCA.
Isolation valves and piping or vessels which provide one of the isolation barriers outside the containment are similarly protected.
6.2-63 SGS-UFSAR Revision 6 February 15, 1987
7.3.2.5 Containment Flooding Analysis
The postulated flood level within the containment following a major LOCA has been determined to be Elevation 83 feet-1 inch (PS Datum).
Table 7.3-3 lists all electrical components which are in the containment at or below Elevation 83 feet-1 inch and may be subjected to the effects of flooding.
This list includes both safety-related and non-safety-related components and distinguishes between vital circuit (Class 1E) and non-vital circuit association.
In addition there are some temperature elements which were not listed which may become flooded.
These devices, however, do not perform a safety function, but are used for computer or annunciator alarms and will not have any effect on vital circuits or the safe operation of the plant following a LOCA.
Safety Significance
An analysis has been performed on the safety significance of the failure consequences of vital circuits due to postulated flooding.
Submerged circuit components were examined for function and whether the function was required for the accident and performed prior to flooding. Tables 7.3-4, 7.3-5, 7.3-6 and 7.3-7 present the results in tabular form of the detailed analysis for 125 V dc circuits, 115 V ac circuits, 230 ac control center circuits and junction/terminal boxes, respectively.
A detailed analysis of non-vital circuits is not required since their failure or improper operation will not affect the safety functions necessary for a LOCA incident.
The analysis demonstrates that the safety functions required for an accident will be performed.
Containment isolation and accumulator pressure monitoring were found to be the major safety functions required and were not adversely affected by the flooding before the functions were performed.
7.3-27 SGS-UFSAR Revision 6 February 15, 1987
~~Air-operated containment isolation valves were designed to close upon loss of power and are signalled to close prior to significant flooding.~~ [Insert 2] The flooding could cause short circuits, thereby tripping the control circuit breaker open and assuring that the safety function is performed. [Insert 3]
Motor-operated isolation valves also perform their function prior to flooding.
Indication of isolation valve position has been determined not to be of safety significance because the valves will have performed their function prior to flooding, and the closed status of the valves will be indicated before flooding can cause a trip of the circuit breaker and subsequent loss of the indication.
If this occurs, alarms are provided to indicate loss of the control circuit.
The ~~fail closed~~ circuitry design assures that loss of power ~~results in valve closure.~~ [Insert 4]
The failure of isolation valve indication resulting from flooding is therefore considered to be of no safety significance.
The accumulator pressure monitoring function will be available for the five minutes that it is required.
The instruments are located at approximately Elevation 82 feet and will not become flooded until after they have performed their function.
The loss or improper operation of other instrumentation will not affect the operator's response to post accident conditions since they are neither required for the accident nor for post accident monitoring.
Effect on Class 1E Sources
Class 1E electrical power sources will not be adversely affected by the flooding of individual electrical circuits because of the circuit protection provided.
Circuit protection for those items affected by the flooding is indicated in the tables for each circuit analysis.
7.3-28 SGS-UFSAR Revision 6 February 15, 1987
Insert 1
Such valves fail closed on loss of voltage, except for the outside containment isolation valves for the control air system (11, 12, 21 and 22CA330).
The CA330's fail closed on loss of air, but fail as-is on loss of vital DC power.
The control air system isolation valves inside containment (11, 12, 21 and 22CA360 check valves) prevent any single active failure from resulting in loss of the containment isolation function.
Insert 2
Air-operated containment isolation valves required to close on an isolation signal are signalled to close prior to significant flooding and, except for 11, 12, 21 and 22CA330, close upon loss of power.
In general,
Insert 3
The CA330's are on the control air system supply headers, and fail-as-is on loss of vital DC power.
They are located outside containment, and are above the maximum calculated containment flooding elevation.
Insert 4
would not result in loss of the containment isolation function.