ML18117A122

From kanterella
Jump to navigation Jump to search
Updated Final Safety Analysis Report, Appendix a, a Functional Evaluation of the Components of the Systems Which Are Shared by the Two Units
ML18117A122
Person / Time
Site: Turkey Point  NextEra Energy icon.png
Issue date: 04/26/2018
From:
Florida Power & Light Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML18117A085 List:
References
L-2018-103
Download: ML18117A122 (12)


Text

APPENDIX A

A FUNCTIONAL EVALUATION OF THE COMPONENTS OF THE SYSTEMS WHICH ARE

SHARED BY THE TWO UNITS

A discussion is presented of the operation of those items of shared equipment which are components of the Engineered Safety Features System.

Certain components of the Auxiliary, Emergency, and Waste Disposal Systems are shared by the two units. Where relevant, Table A-1 presents a functional evaluation of the components of the system which are shared by the two units.

In addition, any emergency and/or shutdown function of each system is indicated, together with the ability of the system to meet the emergency condition with either a failure of an active component or during maintenance outage of a single item of equipment.

Table A-1 shows that only certain components of shared equipment may be called upon to fulfill either an emergency and/or shutdown function. As previously stated, it is not considered a credible event that both units can simultane- ously develop accident conditions, where each accident is independent of, and not related in any way, to the other. Thus the criterion for design is to have the capability to deal with the affected unit, while maintaining safe control of the second unit. For a two unit plant, the worst situation which is credible is when an accident condition on one unit causes tripping of that unit which in turn leads to the tripping of the second unit.

Further, in the event that the loss of the output of the two units leads to the loss of all outside AC supply to the Station, the emergency diesel power supply is required to control the accident situation on the one unit, and maintain the second unit in a safe condition.

Loss-of-Coolant Situations

Situations in which both the high head safety injection pumps and emergency diesel power supply would be simultaneously required are restricted to loss of reactor coolant or a steambreak incident in one unit.

A-1 Rev. 10 7/92 Automatic Operations In the event of an accident requiring safety injection in one unit which is accompanied by a sequential trip of the second unit together with loss of all AC power to the nuclear units, the sequence of automatic operations is as follows:

Unit No. 3 - which has the accident condition

1. Safety injection actuation signal is initiated by the accident condition.
2. Reactor and Turbine both trip.
3. When the reactor coolant pressure has fallen below approximately 600 psig, at least two of the accumulators attached to the cold legs of loops A, B, and C will discharge their contents of borated water into the reactor coolant system.
4. Automatic starting of all four emergency diesel generators is initiated by the safety injection signals. Each emergency diesel generator then runs on a standby basis until there is a loss of voltage on its associated 4160 volt bus.
5. The auxiliary steam driven feedwater pump will begin operation.

Emergency Power Supply

The four emergency diesel generators have adequate capacity to supply all of the power required for both units under these emergency conditions for any credible single failure. Refer to Section 8.2.

Upon receipt of the command signal the emergency diesel generator will be started. Within 15 seconds the unit will be up to speed and voltage, ready to accept load. If there has been a loss of AC power, the output breakers will close, placing the emergency diesel generator on the bus which feeds the Engineered Safeguards equipment. The sequence is described in Section 8.2.

A-2 Rev. 10 7/92 Sharing of the High Head Safety Injection Pumps The high head safety injection pumps are the only pumps of the Engineered Safeguards shared by the two units which are not completely duplicated and redundant in sizing, since simultaneous accidents requiring their operation in both units are not deemed credible.

The high head safety injection lines to the reactor coolant system contain isolation valves which are normally in the closed position, opening automatically when a safety injection signal is generated. The sequence of opening is discussed in Section 6.2 under "Injection Phase".

Since all components of the Engineered Safeguards system except the high head injection pumps are separate for each unit, safety injection water from the high head injection pumps can only be delivered to the reactor coolant system of the unit which, as a result of its accident condition, has caused the isolation valves in its high head injection lines to be in the open position by generating a safety injection signal.

Operation of the Refueling Water Storage Tanks

In the current design of the system, separate refueling water storage tanks are provided for each unit. Since the high head injection pumps are common components to both units, they can draw from either one of the two tanks as shown in Figures 6.2-6 and 6.2-8. The connection from each tank to the suction of the pumps is open. The isolation valves (870A and 870B) on the suction side between pumps 3A/3B and 4A/4B are normally closed. Further, separate and independent residual heat (low head injection) and containment spray system both with an open connection to the associated refueling water tank, are provided for each unit.

The utilization of the water in one tank either to refuel or to control an accident in the unit with which it is associated, neither interferes with nor places any restriction on the operational mode of the second unit.

A-3 Rev.16 10/99

Unit No. 4 which does not have an accident condition 1. Turbine trips.

2. Reactor trips following turbine trip.
3. Automatic steam dump actuation may occur.
4. The auxiliary steam driven feedwater pump will begin operation.
5. The component cooling pump starts.

Manual Operations The following manual operations will be carried out by the operator from the control room:

Unit 3 - which has the accident condition

1. In the event that the accident which caused one unit to generate a safety injection actuation signal is a loss of coolant accident, the safety injection phase when complete is followed by the recirculation phase. The component cooling and intake cooling water systems serve as heat sinks for the recirculation loop. Depending upon the size of the rupture in the reactor coolant system, the initial stage of the recirculation phase may require the use of a high head injection pump, (to supplement the head capacity of the residual heat removal pumps).

Hence for the unit which has the accident condition, the refueling water tank will be isolated from the suction of the low head injection pumps, the containment spray pumps, and the shared high head injection pumps, in order to complete the changeover from the injection phase to the recirculation phase. Suction to the residual heat removal pump is from the containment sump during recirculation mode.

2. When the pressure in this unit has been reduced to a level where operation of a high head injection pumps during the recirculation phase is no longer required to cool the core, the pump can be shut off, and the isolation valves in the high head injection lines will be closed.

A-4 Rev. 16 10/99 Common Control Console

The two units are served by various common shared systems and emergency console in the control room. Thus the operation of these common shared systems during changeover from the injection to the recirculation phase is accomplished from a single location.

Unit 4 - which has tripped

1. When the no load average coolant temperature is reached, the control of the steam dump is transferred to the steam pressure control.
2. Reactor coolant water level in the pressurizer is maintained by operating one of the three charging pumps on the emergency diesel bus; secondary side water level is maintained by operating the auxiliary feedwater system.

In addition to the double-ended break of a reactor coolant pipe, all other less severe ruptures of the reactor coolant system will require the operation of the Engineered Safety Features to an extent which depends upon the size of the rupture.

As pointed out previously there is one further type of accident which, although not directly associated with a rupture of the reactor coolant system, can nevertheless require the operation of the Engineered Safeguards system for shutdown and control of the unit. This accident is the rupture of a steam line. A steamline break constitutes an uncontrolled heat removal from the reactor coolant system which is limited by the steam line non-return and trip isolation valves. However, these valves cannot always preclude the blowdown of one steam generator, e.g., if the break occurs upstream of the isolation

A-5 Rev. 16 10/99 valve. In this case, there is a rapid cooldown of the reactor coolant system which particularly at the end of core life results in a reduction in shutdown reactivity margin after trip. The associated coolant contraction has the characteristics of the beginning of a loss of coolant and results in the initiation of the Engineered Safety Features as the pressurizer is emptied.

The injection of borated water compensates for the temperature effect on reactivity.

For single unit plants, the design criterion for the main steam pipes is such that a rupture of one main steam pipe shall in no way affect the integrity of the other main steam pipe(s). In practice this means that the main steam piping is adequately anchored at the containment wall and is routed so that any whipping of the ruptured pipe will not result in the compounding of a break.

For a two unit plant, the layout of the two units and in particular the turbine building ensures that the main steam pipes of the respective units remain physically separated so that interaction between a ruptured steam pipe of one unit and any steam pipe of the second unit is not credible.

The double-ended rupture of a reactor coolant pipe remains the most severe of all of these accidents in terms of required operation of the Engineered Safety Features, and thus it is used together with a shutdown condition on the second unit as the basis for determining the requirements of the diesel generator emergency power supply system. See Section 8.

A-6 Rev. 16 10/99