ML18100A420

Justification for Sgs Units 1 & 2 Restart & Operation Rod Control Sys Failures
ML18100A420
Person / Time
Site: Salem
Issue date: 06/15/1993
From: Mctigue W
Public Service Enterprise Group
To:
References
S-C-RCS-EEE-082, S-C-RCS-EEE-82, NUDOCS 9306220111


Text

SENT BY: 6-15-93 : 10:15PM : PSE&G LIC & REG

Engineering Evaluation S-C-RCS-EEE-0822

JUSTIFICATION FOR SGS UNITS 1 AND 2 RESTART AND OPERATION ROD CONTROL SYSTEM FAILURES

Prepared By

Reviewer

APPROVALS:

Manager - Nuclear Fuels Engineering Manager

[Signatures and dates not legible in the source scan]

9306220111 930615 PDR ADOCK 05000272 P PDR

TABLE OF CONTENTS

1.0 INTRODUCTION

2.0 DESCRIPTION OF ROD CONTROL SYSTEM FAILURE MODES

3.0 DISCUSSION OF SALEM LICENSING BASIS

4.0 ROD CONTROL SYSTEM SINGLE FAILURE ASSUMPTIONS/DETECTABILITY

5.0 SAFETY ANALYSES

5.1 Key Assumptions

5.2 Evaluation Results

5.3 Conclusions

6.0 ADDITIONAL JUSTIFICATION

6.1 Rod Control System Alarms and Indications

6.2 Operator Training

6.3 Procedures

6.4 Testing

7.0 ROD CONTROL SYSTEM OPERABILITY

8.0 CONCLUSION

1.0 INTRODUCTION

A failure in the Salem Generating Station (SGS) Unit 2 Rod Control System has been recently identified, which, coincident with a rod motion command, could result in abnormal operation of the Rod Cluster Control Assemblies (RCCA's).

On May 27, 1993, a failure in the rod control system caused a single rod to withdraw from the core 15 steps while the operator was applying a rod insertion signal.

The failure, an integrated circuit on a slave cycler decoder card, disrupted the normal sequence of pulses that the rod control system sends to the rods in the selected bank.

Normally on insert demand, the pulses are staggered in a sequence that leads to rod insertion.

With the failure, the rod control system periodically sent simultaneous pulses to the movable gripper coil, lift coil, and stationary coil for each of the rods in the selected bank.

Under these conditions, based on the preliminary investigation, each rod in the bank may either remain where it is or withdraw from the core when a rod movement demand occurs.

When the rod control system is in the automatic mode of operation, a rod movement demand is generated automatically in response to changes in the turbine load and changes in the average reactor coolant temperature.

Rod movement then occurs without any operator action until the demand is satisfied.

When the rod control system is in the manual mode of operation, a rod movement demand is generated only in response to operator manipulation of the raise-lower pushbuttons, given no failures in the demand circuit.

The identified failure could potentially result in operation of the plant outside the design basis.

Evaluation of the identified failure in accordance with 10 CFR 50.59 (Ref. 8) has concluded that this potential single failure would be an Unreviewed Safety Question.

The purpose of this evaluation is to ensure safe restart and continued operation of Salem Units 1 and 2 with the Rod Control System placed in the manual mode given the potential for this failure to occur.

The Salem Generating Station (SGS) Updated Final Safety Analysis Report (UFSAR) Sections 4.3 and 15.3.5.1 presently state that multiple failures would be required for a single rod withdrawal to occur.

The single rod withdrawal event is generally treated as an ANSI N18.2 Condition III event (Infrequent Faults), for which the acceptance criteria allow a small percentage of fuel failure based on a low probability of occurrence.

The basis for this justification includes an evaluation of the licensing basis safety analyses to account for the effects of the identified failure.

This evaluation conservatively demonstrates that no fuel design limits are exceeded for the affected transients, which is consistent with Condition II events (Events of Moderate Frequency), and 10CFR50 Appendix A, General Design Criterion (GDC) 25.

This safety analysis evaluation is predicated on the following:

The failure does not affect the ability of the Reactor Protection System to perform its intended safety function.

Reactor trip is not affected by the Rod Control System logic.

The failure is detectable based on periodic surveillance testing and control operator verification of rod position.

Although this failure is detectable with the rod control system in automatic, manual operation and modified surveillance testing during subcriticality provide further assurance of detecting the failure.

Detectability and its significance relative to the safety analyses is discussed further in Section 4.0.

Although not credited in the analysis, alarms, administrative controls and compensatory measures implemented specifically in response to this event (Section 6.0) provide further assurance that the discovered failure will not result in any consequences adverse to public health and safety.

This evaluation bounds all of the possible rod movements described in Section 2.0.

This justification for restart and operation conservatively assumes that the Rod Control System is placed in the manual mode of operation.

In light of continuing activities, this justification for restart and operation is an interim document.

Further investigations are underway to pursue long term resolution of the issue.

Likewise, analyses are continuing to demonstrate the acceptability for Rod Control operation in the automatic mode as well as the manual mode.

In addition, industry initiated investigations may provide additional insights.

As these activities yield conclusive results, this justification for restart and operation will be revised to reflect the most current information and analyses.

2.0 DESCRIPTION OF ROD CONTROL SYSTEM FAILURE MODES

On May 27, 1993, a failure in the rod control system caused a single rod to withdraw while the operator applied a rod insertion motion command to the Shutdown Bank A (SDBA).

The remainder of the SDBA RCCA's remained stationary.

The rod withdrawal was observed by the operator on the Individual Rod Position Indicator.

The Rod Control System logic is designed to provide an insertion or withdrawal direction command to the selected rod bank(s).

The direction command establishes the sequence of Control Rod Drive Mechanism (CRDM) coil operation.

When combined with a motion command, the direction command is designed to result in the proper number and sequence of RCCA steps.

It is now known that a card failure in the rod control system logic can result in an undesired "insert" or an undesired "withdraw" direction command.

It has been determined that the logic failure could result in rod motion only if a rod motion command exists.

The following rod movements are possible, given the presence of the discovered failure coincident with a motion command (Ref. 6):

1. Case 1 - Single failure that gives an insert direction command.

When a rod insertion motion command is given, all rods in the selected bank(s) will insert normally.

When a rod withdraw motion command is given, each rod in the selected bank(s) may either not move, or may withdraw.

No rod will be capable of stepping in.

2. Case 2 - Single failure that gives a withdraw direction command.

When a rod insertion motion command is given, each rod in the selected bank(s) may either not move, or may withdraw.

No rod will be capable of stepping in.

When a rod withdraw motion command is given, all rods in the selected bank(s) will withdraw normally.

3. Case 3 - A single gate failure that results in insertion and withdraw direction commands being present. (This is the case that existed in Salem Unit 2.)

Irrespective of whether an insertion or withdraw command is given, each rod in the selected bank, or banks if in overlap, may either not move, or may withdraw.

No rod will be capable of stepping in.


For each of these cases the logic failure does not affect the reactor trip function.

3.0 DISCUSSION OF SALEM LICENSING BASIS

A potential single failure that could cause a single or multiple rod withdrawal event without an urgent failure alarm involves a change to the current licensing basis for Salem Units 1 and 2.

The scope of the proposed change is limited to operation with the Rod Control System placed in the manual mode.

UFSAR Section 15.3.5.1 states that a single RCCA withdrawal at power would result in an "urgent failure" and a rod "deviation alarm" on the control room console.

An "urgent failure" annunciates in the control room and inhibits further rod withdrawal through the affected cabinet.

During the actual failure, a "deviation alarm" was generated but an "urgent failure" was not received.

Evaluation has concluded that for the experienced failure, the conditions for an "urgent failure" alarm were not satisfied.

That is, the "urgent failure" should not have (and did not) actuate.

No credit is taken in the safety analyses for the "urgent failure" alarm or its termination of rod movement.

As discussed in Section 6.2, operators have been briefed that abnormal rod movement may occur without resulting in an "urgent failure" alarm.

UFSAR Sections 4.3 and 15.3.5.1 describe single rod withdrawal events, based on the assumption that multiple failures would be required for a single rod withdrawal to occur.

Multiple rod withdrawals are not considered in the present SNGS licensing basis (except for the bank withdrawal events).

UFSAR Section 15.3.5.1 classifies the single RCCA withdrawal at power accident as an ANSI N18.2 Condition III Event (Infrequent Fault).

This classification is based on the assumption that multiple, independent equipment failures are required for a single RCCA withdrawal to occur.

The current UFSAR RCCA withdrawal at power analysis indicates, based on F-delta-H calculations, that localized Departure From Nucleate Boiling would result.

This is consistent with acceptance criteria for Condition III events (i.e., a small fraction of fuel may exceed its design limits).

Based on the assumption that a single failure of the rod control system may cause a single or multiple RCCA withdrawal event to occur, the RCCA withdrawal at power events have been conservatively evaluated, based on explicit DNBR calculations, against the criteria for a Condition II event.

This is accomplished by demonstrating that the Departure From Nucleate Boiling Ratio (DNBR) limit is not exceeded and, therefore, fuel design limits are maintained.

Per UFSAR Section 3.1, SNGS is committed to the intent of the General Design Criteria (GDC) of 10 CFR 50 Appendix A.

General Design Criterion 25 states: "The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods."

Based on the previous assumption that multiple independent failures would be required to have a single rod withdrawal event, GDC 25 compliance is addressed in the UFSAR (Section 4.3.1.4 and 15.2) by demonstrating that a rod bank withdrawal would not result in exceeding any fuel design limits.

The new assumption that a potential single failure can cause misoperation of a single or multiple RCCAs necessitates a reevaluation of compliance with GDC 25.

The analyses summarized in Section 5.0 ensured continued compliance with GDC 25.

4.0 ROD CONTROL SYSTEM SINGLE FAILURE ASSUMPTIONS/DETECTABILITY

Consistent with Westinghouse safety analysis methodology, control systems are not assumed to mitigate any UFSAR Chapter 15 transient.

Random single failures of control systems are not considered provided they are detectable during normal operation or surveillance testing.

This is based on the low probability of an initiating event coincident with a random single failure.

For the purposes of evaluating the UFSAR Chapter 15 safety analyses, the identified rod control system logic failure is defined as a detectable failure, based on the following.

The logic failure does not affect individual rod position indication, which is a direct measurement of the rod's physical location.

Therefore, comparison of the group step demand counter with the individual rod position indication is a means of verifying that the rods have responded per the motion command.

Technical Specification Surveillance 4.1.3.1.2 is applicable in MODES 1 and 2. It requires each full length rod not fully inserted in the core to be moved at least 10 steps in either direction at least once per 31 days.

The surveillance procedure requires an insertion of between 10 and 20 steps of motion, followed by a comparison of group step counter indication and individual rod position indication.

The procedure then requires a withdrawal to the original position, followed by a final comparison of group step counter indication and individual rod position.

Technical Specification surveillance 4.1.3.2.2 is applicable in MODES 3, 4, and 5, with the reactor trip system breakers in the closed position.

It requires at least 10 steps of rod motion to verify that group step counter indication is consistent with the individual rod position.

This test is required every 31 days for each bank that is not fully inserted.

Prior to each startup, a modified surveillance test will be performed at SNGS 1 and 2, to ensure that the failure does not exist.

The test will be performed for all shutdown and control banks, and will begin from the fully inserted position (although Technical Specifications do not require testing for fully inserted banks).

Each bank will be tested after the trip breakers are closed and the rod drive motor-generator sets are energized, prior to withdrawing the banks for startup.

The test will be performed by sequentially withdrawing and inserting each of the shutdown and control banks a minimum of ten steps, with the operator verifying that individual rod position matches group demand.

While the test is being performed, current order traces will be taken from the logic cabinet.

These traces will indicate abnormalities if the failure is present.

If the failure is present, the condition will be corrected and evaluated prior to commencing startup.

During normal surveillance testing, the only way the test would not detect the failure in the logic would be if all rods (i.e., all shutdown and control banks) operated normally despite the presence of an undesired insert direction command.

If this is the case, the logic failure has no adverse effect on rod motion.

Therefore, normal 31 day surveillance testing is capable of detecting the ability of a logic failure to adversely affect rod motion.
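The detectability argument above can be checked exhaustively with a small model. This is an added illustration, not part of the PSE&G evaluation: the four-rod bank, the starting position of 100 steps, the exact-match comparison between counter and IRPI, and the simplification that each rod responds the same way to every disturbed demand are all assumptions.

```python
from enum import Enum
from itertools import product


class Fault(Enum):
    NONE = "no logic failure"
    CASE1 = "undesired insert direction command"
    CASE2 = "undesired withdraw direction command"
    CASE3 = "insert and withdraw direction commands both present"


# Motion commands that are disturbed in each case (Section 2.0 of the page).
DISTURBED = {
    Fault.NONE: frozenset(),
    Fault.CASE1: frozenset({"withdraw"}),
    Fault.CASE2: frozenset({"insert"}),
    Fault.CASE3: frozenset({"insert", "withdraw"}),
}

# On a disturbed command a rod may only hold or withdraw; it never steps in.
HOLD, WITHDRAW = "hold", "withdraw"


def move_bank(positions, demand, command, steps, fault, responses):
    """Apply one motion command to a bank.

    Returns (rod positions as IRPI would show them, group step demand counter).
    The demand counter follows the command; the rods follow the faulted logic.
    Position 0 is fully inserted.
    """
    sign = 1 if command == "withdraw" else -1
    new_demand = max(0, demand + sign * steps)
    new_positions = []
    for pos, response in zip(positions, responses):
        if command in DISTURBED[fault]:
            delta = steps if response == WITHDRAW else 0
        else:
            delta = sign * steps
        new_positions.append(max(0, pos + delta))
    return new_positions, new_demand


def surveillance(fault, responses, order, start, steps=10):
    """Run the two-move test; True means a counter/IRPI mismatch was seen."""
    positions = [start] * len(responses)
    demand = start
    for command in order:
        positions, demand = move_bank(
            positions, demand, command, steps, fault, responses)
        if any(pos != demand for pos in positions):
            return True
    return False


def undetected_outcomes(order, start, n_rods=4, steps=10):
    """For each fault case, list rod-response combinations the test misses."""
    missed = {}
    for fault in (Fault.CASE1, Fault.CASE2, Fault.CASE3):
        missed[fault] = [
            combo for combo in product((HOLD, WITHDRAW), repeat=n_rods)
            if not surveillance(fault, combo, order, start, steps)
        ]
    return missed


if __name__ == "__main__":
    # Constructed test conditions (assumptions, not plant data).
    tests = {
        "31-day test (insert, then withdraw), bank at 100 steps":
            (("insert", "withdraw"), 100),
        "pre-startup test (withdraw, then insert), bank fully inserted":
            (("withdraw", "insert"), 0),
    }
    for label, (order, start) in tests.items():
        print(label)
        for fault, combos in undetected_outcomes(order, start).items():
            print(f"  {fault.name}: {len(combos)} of 16 combinations undetected",
                  combos)
```

In both test sequences the only combination that escapes detection is Case 1 with every rod withdrawing on the withdraw demand, which is the situation the evaluation describes as having no adverse effect on rod motion.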

The failure is also detectable during normal rod control system operation.

The control operator compares the individual rod position indication to the demand counter whenever rods are moved.

In accordance with the control room logs, individual rod position indication is also compared to group step demand once every four hours when the rod deviation alarm is inoperable.

In the unlikely event the control operator does not detect a misalignment during rod motion with the failure present, it can be observed during this four hour check, subsequent to the rod motion that caused the misalignment.

Detectable control-system failures are typically assumed to initiate events of moderate frequency.

As a result, the rod control system single failure of concern in these events is considered to be an initiating event.

However, as a detectable failure, the rod control system single failure of concern need not be considered in addition to, or instead of, the protection system single failure assumed in any of the UFSAR Chapter 15 safety analyses.

5.0 SAFETY ANALYSES

UFSAR Chapter 15 accident events were examined for adverse impact resulting from the postulated rod control system single failure.

Based on this review the only events that are potentially impacted are Rod Ejection (UFSAR Section 15.4.7), RCCA Misalignment (Dropped Rod) (UFSAR Section 15.2.3), Single RCCA Withdrawal At Power (UFSAR 15.3.5), Uncontrolled Boron Dilution (UFSAR Section 15.2.4), RCCA Bank Withdrawal At Power (UFSAR Section 15.2.2) and RCCA Bank Withdrawal From Subcritical (UFSAR Section 15.2.1).

In addition, a multiple asymmetric RCCA withdrawal both at power and from subcritical has been evaluated based upon the postulated failure scenario.

5.1 Key Assumptions

Based on the PSE&G and Westinghouse investigations into the effects of the identified failure summarized above, the evaluations of the UFSAR accident events are based on the following key assumptions:

Alarm Response - Consistent with the present UFSAR analysis assumptions, no analyses performed for this evaluation take additional credit for any alarms that may occur. The RCCA static misalignment event continues to credit Technical Specification 3/4.1.3.1, which prescribes surveillances and corrective measures for misaligned rods.

Single Failure of Control Systems - The identified rod control system logic failure that may cause single or multiple rod withdrawal has not been considered in addition to (or instead of) the protection system single failure assumed in any of the UFSAR Chapter 15 accident analyses.

As a detectable failure (See Section 4.0), it is not assumed to pre-exist at the onset of any transient.

RCCA position will be maintained consistent with reactor coolant system Tavg measurements, within the rod speed controller deadband of +/-1.5 degree F of reference Tavg, consistent with the Precautions, Limitations, and Setpoints Document (Ref. 11).

Reactor Protection System Functions - No RPS functions are adversely affected by the identified rod control system logic failure.

Technical Specifications - The present Technical Specification Limiting Conditions of Operation (e.g., Power Distribution Limits, Rod Insertion Limits) establish the initial conditions for the evaluated transients.

5.2 Evaluation Results

As described in UFSAR Section 15.4.7, a rod ejection is caused by a mechanical failure of the control rod drive mechanism (CRDM) pressure housing which results in the instantaneous ejection of an RCCA and drive shaft.

Neither single nor multiple failures in the rod control system can initiate a rod ejection event.

Therefore, the UFSAR analysis and conclusions are unaffected and remain valid considering the postulated single failure which may cause erratic RCCA withdrawal.

5.2.2

UFSAR Section 15.2.3 describes the Condition II events of static misalignments and dropped RCCAs, groups, and banks.

The static misalignment is not a concern given this failure since the Salem Technical Specifications prescribe recovery actions for a static misalignment.

Since inadvertent RCCA insertion is not a consequence of this failure, there is no impact on the UFSAR dropped RCCA analyses.

Any dynamic misalignments would continue to be addressed and bounded by the current dropped RCCA analyses presented in this UFSAR section.

In summary, this single failure will not result in any RCCA misalignment (static or dynamic) which is worse than that already analyzed for the Salem licensing basis.

5.2.3 Uncontrolled Boron Dilution

UFSAR Section 15.2.4 describes the Condition II event of an uncontrolled boron dilution.

The dilution will result in a positive reactivity insertion and the power and temperature will rise until the reactor reaches the overtemperature delta T setpoint.

This single failure will not change the reactivity insertion rate or the time at which the overtemperature delta T trip occurs, which is obtained from the UFSAR RCCA bank withdrawal at power analysis. Therefore, the boron dilution results presented in the UFSAR remain valid.

5.2.4 RCCA Bank Withdrawal At Power (Symmetric)

UFSAR Section 15.2.2 describes the Condition II event of an uncontrolled RCCA bank withdrawal occurring at various power levels (e.g., representative cases at 10%, 60% and 100% rated thermal power).

A wide range of reactivity insertion rates are assumed which bound the maximum number of RCCAs that can withdraw.

The high neutron flux and overtemperature delta T trip functions continue to provide automatic protection over the entire power and reactivity insertion ranges described in the UFSAR.

The resulting minimum DNB ratios are always greater than the limit value.

In summary, a single failure causing a symmetric RCCA withdrawal at all power levels is within Salem's current licensing basis and the UFSAR conclusions remain valid.

5.2.5

This event is described in UFSAR Section 15.3.5 as withdrawal of a single RCCA from the inserted D bank at full power operation.

As part of the current accident description, it is noted that no single electrical or mechanical failure in the rod control system can result in an accidental withdrawal of a single RCCA.

The current UFSAR also states that in all cases it is not possible to provide assurance that the core safety limits are not violated.

It has been determined for Salem that a potential single failure could cause a single (or multiple asymmetric) RCCA to withdraw.

A single RCCA withdrawal at power has been conservatively evaluated to meet the Condition II acceptance criteria.

Thus, for this transient, fuel safety limits are shown to be met by demonstrating that the DNBR limit value is met.

Based on explicit analyses performed for Salem Units 1 and 2, the single RCCA withdrawal at power event was determined to be bounded by a multiple RCCA withdrawal of two adjacent D-bank RCCAs (one from each group) at full power.

This analysis, now termed Multiple RCCA withdrawal at Power (Asymmetric), is discussed below.

5.2.6 Multiple Asymmetric RCCA Withdrawal At Power Case

Given the potential single failure, any number of RCCAs (up to 17) can experience uncontrolled withdrawal.
1. Above 68% power, any number of the nine group 1 and 2 D-bank RCCAs could withdraw on an insert or withdraw demand.

The maximum number of RCCAs which are not bounded by the RCCA Bank Withdrawal at Power analysis is 8 (one less than a complete bank withdrawal).

For this scenario, the most limiting case is the withdrawal of two adjacent D-bank RCCAs (one from each group).

The basis for this statement is due to the core physics response.

If more than two RCCAs are withdrawn, the maximum peaking factor will be reduced as a result of the flattened power distribution.

2. Between 15% and 68% power, any combination of the nine D-bank and eight C-bank RCCAs could withdraw on an insert or withdraw signal.

The maximum number of RCCAs which are not bounded by the RCCA Bank Withdrawal at Power analysis is 16 (one less than the two complete banks).

Since the DNB benefit gained by the reduction in power more than offsets the increased peaking factors, there is no combination of asymmetric withdrawals at these power levels that is more limiting than item 1 above.

This has been confirmed by explicit analyses for Units 1 and 2.

3. Below 15% power, the worst scenario - all RCCAs at their insertion limits - is that any combination of the eight C-bank RCCAs and the B-bank RCCAs (4 for Unit 1 and 8 for Unit 2) could withdraw on an insert or withdraw signal.

The maximum number of RCCAs which are not bounded by the RCCA Bank Withdrawal at Power analysis is 11 for Unit 1 and 15 for Unit 2 (one less than the two complete banks).

Again, since the DNB benefit gained by the reduction in power more than offsets the increased peaking factors, there is no combination of asymmetric withdrawal at these power levels that is more limiting than item 1 above.

This has been confirmed by explicit analyses for Units 1 and 2.

Salem Unit 1 and 2 analyses were performed to address the RCCA withdrawal at power case.

The standard NRC-approved method described in WCAP-9272 was employed.

A 1.08 design allowance (consistent with WCAP-7308) was made for the hot rod F-delta-H calculations.

Consistent with the current licensing-basis analysis in UFSAR Section 15.3.5, no rod deviation or rod control urgent failure alarm or operator action was assumed.

The analyses concluded that the DNB design basis continued to be met for the limiting case, and thus, there were no fuel failures given the rod control system failure.

In conclusion, based on the explicit analyses performed for Units 1 and 2, an asymmetric RCCA withdrawal at any power level would not result in any fuel failures at Salem.

This is in compliance with GDC-25.

5.2.7 Symmetric RCCA Bank Withdrawal From Subcritical Case

UFSAR Section 15.2.1 discusses this Condition II event, the uncontrolled addition of reactivity to the reactor core caused by withdrawal of RCCAs resulting in a power excursion.

This transient could be caused by a single malfunction in the rod control system at subcritical, hot zero power, or at power.

The at power case is presented above in the RCCA Bank Withdrawal At Power section.

The maximum reactivity insertion rate analyzed in the UFSAR is greater than that occurring from a simultaneous withdrawal of the combination of two control banks having the maximum combined worth at maximum speed (rod speed is not affected by this failure).

The neutron flux response to a continuous reactivity insertion is characterized by a very fast rise terminated by the reactivity feedback effect of the negative Doppler coefficient.

This limits the power to a tolerable level during the delay time for protection action.

The transient will be terminated by an automatic feature of the reactor protection system.

In summary, a single failure causing a symmetric RCCA withdrawal from subcritical or hot zero power conditions is within Salem's current licensing basis and the UFSAR conclusions remain valid.

5.2.8 Asymmetric RCCA Withdrawal from Subcritical Case

This is defined as a single or multiple asymmetric withdrawal of RCCAs from subcritical or hot zero power conditions.

The rod control system is maintained in the manual mode while the reactor is subcritical.

The UFSAR Section 15.2 analysis for an uncontrolled bank withdrawal is based on a single malfunction of the rod control system or control rod drive system, and shows that DNBR would remain above the design limit.

It is judged extremely unlikely that any single failure could result in a spurious motion demand coincident with the direction command logic failure.

However, if one were to assume that such a failure did occur and an asymmetric rod withdrawal resulted, it is reasonable to conclude that operator action would be expeditiously taken to prevent challenging fuel integrity.

The worst case scenario would be for the rod withdrawal to occur after the point when the reactor is critical.

At the point when the operator takes the reactor critical, motion continues with no demand (i.e., the rod direction pushbutton is released).

Since rod speed is not affected by the failures, the rods step out at a rate of 48 steps per minute.

Identification would be almost immediate due to the continuous observation of the IRPI's and the bank demand counters changing both audibly and visually.

The action taken would be to trip the reactor as required by the Abnormal Operating Procedure S1(2).OP-AB.ROD-0003(Q), "Continuous Rod Motion," and reinforced by training exercises.

5.3 Summary of Safety Analyses

UFSAR Chapter 15 accident analyses have been evaluated to account for the possible effects of the failure.

The evaluation considered the failure to be a single failure, and applied the criteria of 10CFR50, Appendix A General Design Criterion 25.

The evaluation concluded that the DNB design limits for the fuel continued to be met.

6.0 ADDITIONAL CONSIDERATIONS FOR RESTART AND OPERATION

6.1 Rod Control System Alarms and Indications

The following alarms are designed to provide the operator with indications of abnormal rod control system operation.

No analyses performed specifically for this evaluation take credit for any alarms that may occur or resulting operator action.

However, credit can be taken for operators to ensure alignment within the +/- 12 step Technical Specification allowance.

Reactor Coolant Temperature Deviation Alarms - The alarms listed below are annunciated on the control console and provide indication that asymmetric bank movement might have occurred in a particular region of the core resulting in an uneven increase in Reactor Coolant temperature.

RC Loop D/T Deviation RC Loop Tavg Deviation Tavg RC Tavg - Tref Deviation

The Tavg and (Tavg - Tref) alarms also annunciate if rod position is not maintained consistent with Tavg.

Deviation Alarm - A rod deviation alarm is provided on the Overhead Annunciator (OHA) Windows.

OHA Window E-24, "ROD DEV OR SEQ" is generated if any two rods in a given bank are more than 12 steps apart or if any rod deviates from the bank position by 12 steps.

No automatic actuations are associated with this alarm.

If a rod deviation does occur, the operator is alerted and responds in accordance with alarm response procedures (S1 or S2.OP-AR.ZZ-0005(Q) for E OHAs).

These procedures ensure the operator investigates, takes corrective actions, and enters Technical Specification action statements as required.

Technical Specification LCO 3.1.3.1 requires each rod to be operable and positioned to within 12 steps of its group step counter demand position within one hour after rod motion.

Individual Rod Position Indication (IRPI) - Visual indication of rod position is provided to the operators via the Individual Rod Position Indication (IRPI) system.

The IRPI's are not affected by the rod control system failure mechanism under consideration.

Each indicator is derived from a signal based on the rods' actual physical location rather than the demanded position.

Rod Insertion Limit (RIL) Alarms -

RIL alarms give the operato:r advance warning of bank insertion demand in excess of rod inserti.oh l:imits. *The failure does not af feet the demand sent to the RIL circuits.

The Rod Insertion Limits for Control Banks B, c and Dare given iri Technical Specification Table 3.1-1. Control Bank A is withdrawn when the reactor is critical.

The computer uses the difference in reactor coolant system temperature across the core to calculate the RIL. This delta-T is a direct correlation to reactor power and thus can be used to compare against the Technical Specification limit.

The calculated limit is compared to actual bank demanded position as determined by the pulse to analog converter from the data logging cards.


Two OHA rod insertion limit alarms are provided.

OHA E-8, "ROD INSERT LMT LO" alarms if one or more control banks are within 10 steps of the insertion limit.

OHA E-16, "ROD INSERT LMT LO-LO" alarms if one or more control banks are at the insertion limit.

Operators respond to these alarms in accordance with alarm response procedures (S1 or S2.OP-AR.ZZ-0005(Q) for E Windows).

For a "ROD INSERT LMT LO" alarm, the operator is directed to identify the affected rod bank and determine if it is a dropped rod or rod misalignment event.

For a "ROD INSERT LMT LO-LO" alarm, the operator is directed to identify the affected rod bank and commence rapid boration in accordance with the procedure.

Both alarm procedures refer the operator to Technical Specifications.

Determination of rod position for the insertion limit alarms is based on position demanded, not by the physical position as determined by the individual rod position indicators.

Therefore, the RIL alarms will be received if an insertion demand exceeds the alarm setpoints, regardless of whether the RCCAs are moving as demanded.
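The two alarm conditions described above, written out as an added example that is not part of the original evaluation. It assumes positions are expressed in steps withdrawn, that the deviation check compares IRPI-style actual positions against bank demand, and that the insertion limit is supplied as a number; all sample values are constructed.

```python
from dataclasses import dataclass

DEV_STEPS = 12       # deviation threshold stated for OHA E-24
RIL_LO_MARGIN = 10   # margin stated for OHA E-8 "ROD INSERT LMT LO"

@dataclass
class Bank:
    demand: int   # demanded bank position, steps withdrawn
    rods: dict    # rod id -> actual position, steps withdrawn (assumed IRPI-style input)

def rod_deviation(bank):
    """E-24 condition: two rods more than 12 steps apart, or a rod 12 steps off bank position.
    Returns (alarm, sorted ids of rods that are off the demanded position)."""
    positions = list(bank.rods.values())
    spread = max(positions) - min(positions)
    off = sorted(r for r, p in bank.rods.items() if abs(p - bank.demand) >= DEV_STEPS)
    return spread > DEV_STEPS or bool(off), off

def ril_alarm(bank, limit):
    """E-8 / E-16 condition, evaluated on demanded position only, never on rod position."""
    if bank.demand <= limit:
        return "LO-LO"
    if bank.demand - limit <= RIL_LO_MARGIN:
        return "LO"
    return None

# Constructed scenarios; the insertion limit of 100 steps is a made-up value.
LIMIT = 100
# 1) Insertion demand of 15 steps from 150: three rods follow, one withdraws instead.
wrong_way = Bank(demand=135, rods={"R1": 135, "R2": 135, "R3": 135, "R4": 165})
# 2) Demand driven to 105 while no rod in the bank moves from 150.
no_motion = Bank(demand=105, rods={"R1": 150, "R2": 150, "R3": 150, "R4": 150})

if __name__ == "__main__":
    for label, bank in (("wrong_way", wrong_way), ("no_motion", no_motion)):
        print(label, rod_deviation(bank), ril_alarm(bank, LIMIT))
```

In the first scenario only the deviation check fires; in the second the insertion limit check returns LO although no rod moved, because it follows demand.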

Symptoms of misaligned rods also include abnormal variations in axial flux distribution (AFD) and quadrant power distribution.

AFD is indicated on the control console with alarm annunciation when flux distribution is outside the allowable band.

The quadrant power tilt ratio (QPTR) is continuously monitored by the upper section/lower section deviation alarm by comparing the difference in the detected power range flux.

If the overhead deviation alarm is received, a hand calculation is performed to verify QPTR.

Depending on the symmetry of the misaligned rod(s), it is possible to have significant misalignment that would not satisfy the alarm conditions.

However, these alarms provide an additional means of detecting any rod misalignment that would result in abnormal AFD or QPTR.

In addition, monthly core flux mapping surveillances provide an additional opportunity to detect severe RCCA misalignments.

6.2 Operator Training

Reactivity manipulations are a key element in the training of reactor operators.

Operators are trained to confirm any movement of rods either in auto or manual with the anticipated plant response.

The operator's primary focus during manual rod motion is on the actual rod position, (i.e., IRPI), versus the bank demand.

Both of these indications are directly in front of the operator when depressing the raise-lower pushbuttons that initiate rod movement.

Heightened awareness during startup is emphasized with the operating crew during startup training conducted at the Training Center, as well as just prior to the actual plant startup.

Continuous comparison of bank demand versus actual position is performed during the approach to criticality as well as administrative stops to compare these indications.

The operators are required to stop rod movement should any deviation from the anticipated response occur and enter the appropriate procedure, (e.g., Abnormal, alarm response, etc.).

The active control room operating crews, and operations staff personnel, have been briefed on the potential for misoperation of the rod control system.

An Operations Department temporary standing order directs the operator to maintain the rod control system in manual, and to carefully monitor rod position during any manual rod movements, noting that withdrawal may occur instead of insertion, or that less than the full group or bank may withdraw upon a withdrawal command.

The temporary standing order prohibits placing the rod control system in automatic in response to a loss of load transient.

The temporary standing order will also state that abnormal rod movement may occur without resulting in an urgent failure alarm.

Each supervisor and control operator will review the actions of the standing order prior to assuming the watch.

Startup training is performed on the simulator at the Nuclear Training Center prior to unit startup.

This training is provided for licensed personnel that participate in the actual plant startup and will include the potential effects of this failure.

Emphasis will be placed on the importance of readily identifying and taking the appropriate actions for any abnormal response of the RCCA's.

These actions will include reference to the appropriate Abnormal Operating Procedure as outlined below.

6.3 Procedures

Control Operators enter Abnormal Operating Procedure S2.OP-AB.ROD-0001(Q), "Immovable/Misaligned Rods," on any indication that one or more rods are not responding to demand signals, or are misaligned by 12 or more steps from the respective bank. This procedure provides the direction necessary to:

a. Stabilize plant conditions in the event that one or more control rods indicate misalignment or the inability to move,

b. Determine if a rod position indication failure has occurred or if rods are actually misaligned,

c. Determine if a control system malfunction has occurred which prevents rod motion in the absence of an Urgent Failure Alarm,

d. Maintain plant control with an Urgent Failure Alarm,

e. Realign a mispositioned control rod,

f. Comply with Technical Specification requirements, as appropriate.

This procedure has been reviewed and determined to provide adequate guidance to ensure adequate diagnostics and subsequent actions are taken should any rod movement occur that is indicative of a logic failure.

Other related procedures have been reviewed and are not impacted by a failure in the rod control logic.

In accordance with the current operating procedure, the rod bank selector switch is positioned to Shutdown Bank A (SDBA) prior to energizing the rod control system.

It is maintained in that position after the rod drive system is energized and before any rod withdrawal prior to startup or testing.

By keeping the selector switch on SDBA, the potential for rods to inadvertently withdraw in any bank other than SDBA is reduced.

With the plant in the condition with rod control energized capable of moving rods and all control banks inserted, the operator can initially focus on SDBA should he be alerted to a spurious rod withdrawal.

This selector switch is sequenced through the shutdown banks until all shutdown rods are out, then placed in manual for the remainder of the reactor startup.

6.4 Testing

Prior to startup for each unit, a modified version of surveillance test 4.1.3.2.2 will be performed prior to control rod withdrawal in order to detect and correct the failure prior to startup.

This test is described in more detail in Section 4.0.

For Salem Unit 2, Surveillance Test 4.1.3.1.2 will be performed weekly for two weeks, biweekly for two cycles, and monthly thereafter.

This will provide an added level of confidence that this failure is not present.

7.0 ROD CONTROL SYSTEM OPERABILITY

Technical Specification 3/4.1.3, Movable Control Assemblies, establishes operability and surveillance requirements for control rods and their position indicating systems.

The bases for these Technical Specifications include assurance that fuel integrity is maintained for Condition I (Normal Operation) and Condition II (Incidents of Moderate Frequency) events.

Fuel integrity is maintained by demonstrating that DNBR in the core remains greater than or equal to the design limit following such events.

This evaluation demonstrates that the Condition II criteria are met for rod withdrawal events based on the present plant operating conditions.

8.0 CONCLUSIONS

The potential single failure has been conservatively evaluated against the criteria for a Condition II event.

This failure is detectable via surveillance testing and normal operation, and is treated as such in the evaluation.

Based on this evaluation, the DNBR design limit is met.

Compensatory measures relative to testing and operator training, combined with existing alarms and procedures, provide assurance that should the failure occur, it would be readily detected and corrected.

Therefore, startup and continued operation of Salem Units 1 and 2 would not result in any condition adverse to safety.

1. 10CFR50, Appendix A, General Design Criterion 25

2. ANSI N18.2-1973, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants," 1973

3. SGS Updated Final Safety Analysis Report

4. Salem Unit 1 Technical Specifications up to and including Amendment 138-I.

5. Salem Unit 2 Technical Specifications up to and including Amendment 118-II.

6. Westinghouse Letter PSE-93-631 dated June 11, 1993, "Results of Control Rod System Failure Investigation for Use in Salem Startup Justification."

7. Westinghouse Letter F.T-NSL-OPL,-II-93-274 dated June 10, 1993, "Public Service Electric and Gas Company, Salem Units 1 and 2 Safety Evaluation for Safe Startup and Operation".

8. 10 CFR 50.59 Evaluation for DEF DES-93-0146

9. Engineering Discrepancy DES-93-0146

10. Precautions, Limitations, and Setpoints Document, Revision 19*~ :-i/3/9L
