ML18152A147

From kanterella
Jump to navigation Jump to search
Proposed Tech Specs,Increasing Requirements on Operability for Auxiliary Feedwater Pumps on Opposite Unit from One Pump Available to Two Pumps Operable
ML18152A147
Person / Time
Site: Surry  Dominion icon.png
Issue date: 10/11/1988
From:
VIRGINIA POWER (VIRGINIA ELECTRIC & POWER CO.)
To:
Shared Package
ML18152A148 List:
References
NUDOCS 8810180011
Download: ML18152A147 (43)
v  d  e


Text

,.>

ATTACHMENT 1 Proposed Technical Specification Change Surry Power Station Units 1 and 2

,,--- ::::::: 101:3001 l. 881011 -i PDR ADOCK 05000280 P PDC

e I"" TS 3.6-1 l_-

~-;~ TURBINE CYCLE Applicability Applies to the operating status of the Main Steam and Auxiliary Feed Systems.

Objectives To define the conditions required in the Main Steam System and Auxiliary Feed System for protection of the steam generator and to assure the capability to remove*residual heat from the core during a loss of station power/or accident situations.

Specification A. A unit's Reactor Coolant System temperature or pressure shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless the five main steam line code safety valves associated with each steam generator in unisolated reactor coolant loops are operable.

B. To assure residual heat removal capabilities, the following conditions shall be met prior to the commencement of any unit operation that would establish reactor coolant system conditions of 350°F and 450 psig which would preclude operation of the Residual Heat Removal System.

1. The following shall be operable:
a. Two motor driven auxiliary feedwater pumps.
b. Two of the three auxiliary feedwater pumps on the opposite unit (automatic initiation instrumentation need not be operable), capable of being used with the opening of the cross-connect.

e TS 3.6-2

2. A minimum of 96,000 gallons of water shall be available in the tornado missile protected condensate storage tank to supply emergency water to the auxi 1 i ary feedwater pump suet ions. A minimum of 60,000 gallons of water shall be available in the tornado protected condensate storage tank of the opposite unit to supply emergency water to the auxiliary feedwater pump suction of that unit.
3. All main steam line code safety valves, associated with steam generators in unisolated reactor coolant loops, shall be operable.

C. Prior to reactor power exceeding 10%, the steam driven auxi 1 i ary feedwater pump shall be operable.

D. System piping, valves, and control board indication required for operation of the components enumerated in Specifications 3. 6. B.1, 3.6.B.2, 3.6.B.3, and 3.6.C shall be operable (automatic initiation instrumentation associated with the opposite unit's auxiliary feedwater pumps need not be operable.

E. The iodine - 131 activity in the secondary side of any steam generator, in an unisolated reactor coolant loop, shall not exceed 9 curies. Also, the specific activity of the secondary coolant system shall be~ 0.10 µCi/cc DOSE EQUIVALENT I-131. If the specific activity of the secondary cool ant system exceeds O.10 µCi/cc DOSE EQUIVALENT I-131, the reactor shall be shut down and cooled to 500°F or less within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after detection and in the cold shutdown condition within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

TS 3.6-3 F. With one auxiliary feedwater pump inoperable, restore at least three auxiliary feedwater pumps ( two motor driven feedwater pumps and one steam dri~en feedwater pump) to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in hot shutdown within the following 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

G. The requirements of Specifications 3.6.B.l and 3.6.D above concerning the opposite unit's auxiliary feedwater pumps and associated piping, valves and control board indication may be modified to allow the following components to be inoperable, provided immediate attention is directed to making repairs.

1. Two of the opposite unit's auxiliary feedwater pumps and associated piping, valves and control board indications may be inoperable for a period not to exceed 14 days.
2. Three of the opposite unit's auxiliary feedwater pumps and associated piping, valves and control board indications may be inoperable for a period not to exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
3. The piping, valves and control board indications necessary to provide auxiliary feedwater from the opposite unit via the cross-connect may be inoperable for a period not to exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

If the above requirements are not met, be in at least hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in cold shutdown within the next

  • 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

H. The requirements of Specification 3.6.B.2 above may be modified to a11 ow utilization of protected condensate storage tank water with the auxiliary steam generator feed pumps provided the water level is maintained above 60,000 gallons, sufficient replenishment water is available in the 300,000 gallon condensate storage tank, and replenishment of the protected condensate storage tank is commenced within two hours after the cessation of protected condensate storage tank water consumption.

Basis A reactor which has been shutdown from power requires removal of core residual heat. While reactor coolant temperature or pressure is> 350°F or 450 psig, respectively, residual heat removal requirements are normal-

e e

- TS 3.6-4 The capability to supply feedwater to the generators is normally provided by the operation of the Condensate and Feedwater Systems. In the event of complete loss of electrical power to the station, residual heat removal would continue to be assured by the availability of either the steam driven auxiliary feedwater pump or one of the motor driven auxiliary feedwater pumps and the 110,000-gallon condensate storage tank.

In the event of a fire or high energy line break which would render the auxiliary feedwater pumps inoperable on the affected unit, residual heat removal would continue to be assured by the availability of either the steam driven auxiliary feedwater pump or one of the motor-driven auxiliary feedwater pumps from the opposite unit. A minimum of two auxiliary feedwater pumps are required to be operable* on the opposite unit to ensure compliance with the design basis accident analysis assumptions, in that auxiliary feedwater can be delivered via the cross-connect, even if a single active failure results in the loss of one of the two pumps.

A minimum of 92,000 gallons of water in the 110,000-gallon condensate tank is sufficient for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> of residual heat removal following a reactor trip and loss of all offsite electrical power. If the protected condensate storage tank level is reduced to 60,000 gallons, the immediately available replenishment water in the 300,000-gallon condensate tank can be gravity-fed to the protected tank if required for residual heat removal. An alternate supply of feedwater to the auxiliary feedwater pump suctions is also available from the Fire Protection System Main in the auxiliary feedwater pump cubicle.

The five main steam code safety valves associated with each steam generator have a total combined capability of 3,725,575 pounds per hour at their individual set pressure; the total combined capability of all fifteen main steam code safety valves is 11,176,725 pounds per hour. The ultimate power rating steam flow is 11,167,923 pounds per hour. The combined capacity of the safety valves required by Specification 3.6 always exceeds the total steam flow corresponding to the maximum steady state power than can be obtained during one, two, or three reactor coolant loop operation.

  • excluding automatic initiation instrumentation

e e TS 3.6-4a The availability of the auxiliary feedwater pumps, the protected condensate storage tank, and the main steam line safety valves adequately assures the sufficient residual heat removal capability will be available when required.

e e TS 3.9-1 3.9 STATION SERVICE SYSTEMS Applicability Applies to availability of electrical power for operation of station auxiliaries.

Ob.iective To define those conditions of electrical power availability necessary to provide for safe reactor operation.

Specification A. A unit's reactor shall not be made critical without:

1. All three of the unit's 4,160 v buses energized
2. All six of the unit's 480 v buses energized
3. Both of the 125 v d-c buses energized as explained in Section 3.16.
4. One battery charger per battery operating as explained in Section 3.16.
5. Both of the 4,160 v emergency buses energized as explained in Section 3.16.
6. All four of the 480 v emergency buses energized as explained in [

Section 3.16.

e TS 3.9-2

7. Two emergency diesel generators operable as explained in Section 3.16.

B. A unit's reactor shall not be made critical without the requirements of Specification 3.9-A above, items 3, 4, 5, 6, and 7 being met for the opposite unit.

C. The requirements of Specification 3.9-A above may be modified for two reactor coolant loop operation to allow one of the unit's 4,160 v normal buses and the two 480 v normal buses fed from this 4,160 v bus, to be unavailable or inoperable.

D. The requirements of Specifications 3.9-A and 3.9-B above may be modified as provided in Section 3.16 for items 3, 4, 5, 6, and 7.

During startup of a unit, the station's 4,160 v and 480 v normal and emergency buses are energized from the station's 34. 5 kv buses. At reactor power levels greater than 5 percent of rated power the 34.5 kv buses are required to energize only the emergency buses because at this power level the station generator can supply sufficient power to the normal 4,160 v and 480 v lines to operate the unit.

Three reactor cool ant loop operation with a11 4,160 v and 480 v buses energized is the normal mode of operation for a unit. Equipment redundancy and bus arrangements, however, a11 ow safe unit startup and operation with one 4,160 v normal bus and the two 480 v normal buses feed from this 4,160 v bus, unavailable or inoperable.

Emergency power supplies on the opposite unit are required to be operable to power the equipment necessary to supply auxiliary feedwater from one unit to another via the cross-connect.

References FSAR Section 8.4 Station Service Systems FSAR Section 8.5 Emergency Power Systems

e e TS 3.16-1 3.16 EMERGENCY POWER SYSTEM Applicability Applies to the availability of electrical power for safe operation of the station during an emergency.

Objective To define those conditions of electrical power availability necessary to shutdown the reactor safely, and provide for the continuing availability of Engineered Safeguards when normal power is not available.

Specification A. A reactor shall not be made critical nor shall a unit be operated such that the reactor coolant system pressure and temperature exceed 450 psig and 350°F, respectively, without:

1. Two diesel generators (the unit diesel generator and the shared backup diesel generator) operable with each generator's day tank having at least 290 gallons of fuel and with a minimum on-site supply of 35,000 gal of fuel available.
2. Two 4,160 v emergency buses energized.
3. Four 480 v emergency buses energzied.

e TS 3.16-2

4. Two physically independent circuits from the offsite transmission network to energize the 4,160 and 480 v emergency buses. One of these sources must be immediately available, i.e. primary source; and the other must be capable of being made available within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />; i.e. dependable alternate source.
5. Two operable flow paths for providing fuel to each diesel generator.
6. Two station batteries, two chargers, and the d.c. distribution systems operable.
7. Emergency diesel generator battery, charger and the d.c.

control circuitry operable for the unit diesel generator and for the shared back-up diesel generator.

8. The requirements of Specifications A.1, A.2, A.3, A.5, A.E, and A. 7 met for the opposite unit. In addition, one of the two physically independent circuits from the offsite transmission network to energize the opposite unit's 4160 and 480 v emergency buses must be available.

B. During power operation or the return to power from hot shutdown conditions, the requirements of specification 3.16-A may be modified by one of the following:

1. Either the unit's dedicated diesel generator or the* shared backup diesel generator may be unavailable or inoperable provided the operability of the other diesel generator is demonstrated daily. If this diesel generator is not returned to an operable status within 7 days, the reactor shall be brought to a cold shutdown condition. One diesel fuel oil flow path may be "inoperable" for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> provided the other flow is proven operable. If after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the inoperable fl ow path cannot be returned to service, the diesel shall be considered "inoperable". When the emergency diesel generator battery, charger or d.c. control circuitry is inoperable, the diesel shall be considered "inoperable".

TS 3.16-3

2. If a primary source is not available, the unit may be operated for seven {7) days provided the dependable alternate source can be operable within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. If specification A-4 is not satisfied within seven (7) days, the unit shall be brought to the cold shutdown condition.
3. One battery may be inoperable for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> provided the other*

battery and battery chargers remain operable with one battery charger carrying the d.c. load of the failed battery's supply system. If the battery is not returned to operable status within the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period the reactor sha 11 be p1 aced in the hot shutdown condition. If the battery is not restored to operab 1e status within an add it i ona 1 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, the reactor shall be placed in the cold shutdown condition.

4. One of the two trains of the opposite unit's emergency power system as required by Section 3.16.A.8 above may be inoperable for a period not to exceed 14 days. The offsite power source for the opposite unit may be unavailable for a period not to exceed 14 days provided the opposite unit's dedicated diesel generator and shared backup di ese 1 generator are operab 1 e. If the two trains of the opposite unit's emergency power system and the offsite power source are not returned to operable status within 14 days, the reactor shall be brought to a cold shutdown condition. When the opposite unit's dedicated emergency diesel generator battery, charger or d.c. control circuitry is inoperable, the diesel and associated emergency power system train shall be considered inoperable.

C. The continuous running electrical load supplied by an emergency diesel generator shall be limited to 2750 kw.

Basis The Emergency Power System is an on-site, independent, automat i ca 11 y starting power source. It supplies power to vital unit auxiliaries if a normal power source is not available. The Emergency Power System consists of three diesel generators for two units. One generator is used exclusively for Unit 1, the second for Unit 2, and the third generator functions as a backup for either Unit 1 or 2. The diesel generators have a continuous 2,000 hour0 days <br />0 hours <br />0 weeks <br />0 months <br /> rating of 2750 kw and a two hour rating of 2850 kw. The actual loads using conservative

TS 3 .16-6 J. One charging pump cooling water pump for charging pump seal coolers.

The day tanks are filled by transferring fuel from any one of two buried tornado missile protected fuel oil storage tanks, each of 20,000 gal capacity. Two of 100 percent capacity fuel oil transfer pumps per diesel generator are powered from the emergency buses to assure that an operating diesel generator has a continuous supply of fuel. The buried fuel oil storage tanks contain a seven (7) day supply of fuel, 35,000 gal minimum, for the fuel load operation of one diesel generator; in addition, there is an above ground fuel oil storage tank on-site with a capacity of 210,000 gal which is used for transferring fuel to the buried tanks.

If a loss of normal power is not accompanied by a loss-of-coolant accident, the safeguards equipment wi 11 not be required. Under this condition the following additional auxiliary equipment may be operated from each emergency bus:

A. One component cooling pump B. One residual heat removal pump C. One motor-driven auxiliary steam generator feedwater pump The emergency buses in each unit are capable of being interconnected under strict administrative procedures so that the equipment which would normally be operated by one of the diesels could be operated by the other diesel, if required.

The requirement for operability of the opposite unit's emergency power system is to ensure that auxiliary feedwater from the opposite unit can be supplied via the cross-connect in the event of a common-mode failure of all auxiliary feedwater pumps in the affected unit due to a high energy line break in the main steam valve house. Without this requirement, a single failure (such as loss of the shared backup diesel generator) could result in loss of power to the opposite unit's emergency buses in the event of a loss of offs i te power, thereby rendering the cross-connect inoperable. The longer allowed outage time for the opposite unit's emergency power system is based on the low probability of a high energy line break in the main steam valve house coincident with a loss of offsite power.

e ATTACHMENT 2 Discussion of Proposed Change Surry Power Station U_nits 1 and 2 1

I.

PROPOSED CHANGES TO TS 3.6, 3.9 and 3.16 AUXILIARY FEEDWATER CROSS-CONNECT CAPABILITY I. BACKGROUND In Reference 1, Virginia Electric and Power Company informed th~

NRC of an apparent in~onsistency between the design basis accident analysis assumptions and certain requirements of the Surry Technical Specifications. The specific accident in question is a High Energy*

Line Break (HELB), such as the rupture of a main steam or feed line, in the main steam valve house (MSVH) area.

Section 3.6 of the Surry Technica.l Specifications governs the operability requirements for the auxiliary *feedwater (AFW) pumps.

  • These requirements may be summarized as follows:
1. For any unit operating conditfon that would preclude the operation of the Residual Heat Removal system, (i.e., reactor*

. coolant system conditions in excess of 350 F and 450 psig),

both of the unit 1 s motor-driven AFW pumps. must be operable and one pump from the opposite unit must be available*.

2. Prior to exceeding 10% reactor power, the steam.driven AFW 2
  • Available is defined as (1) operable except for automatic initiation instrumentation, (2) offsite or emergency power source may be inoperable in cold shutdown, and (3) it is capable of being used with the opening of the cross-connect.

A requirement for in operable pump from the opposite unit was added in 1982 (Amendment Nos. 77 and 78)

  • to meet the requirements of the fire hazards analysis required by 10 CFR 50 Appendix* R. This requirement was 11 later modified from operable 11 to 11 available 11 as defined above (Amendment Nos. 97 and 98, October 1984).

The Surry inter-unit AFW system cross-connect feature is shown schemat-ically in -Figure 1. This feature allows the use of the opposite unit's AFW system in the event of a common -mode failure of a unit's AFW pumps resulting from a disabling fire or HELB in *the vicinity o( those pumps.

An evaluation of the HELB scenario is presented in Appendix 148 of the Surry UFSAR, "Effects of Piping System Breaks Outside Containment 11

  • The following excerpts of Appendix 148 are relevant to this discussion:

11 Since loss of offsite power must be assumed, and the turbine 3

e drives are not environmentally qualified by tests, additional assurance that feedwater will be maintained is obtained by the auxiliary feed cross-connect system" (Section 14.B.5.l.3).

11 The following modifications. to the initial plant design were_

made to further ensure safe-shutdown reliability and the operation cif plant protective features:

1. The pump discharge piping of the auxil fary feedwater systems in Units 1 and 2 were cross conne~ted so that the unaffected system.will have the capability of maintaining both units in a shutdown conditi6n. Furthermore~ an additional source of makeup water for the _auxiliaryfeedwater systems has. been_

installed. A~ ~dditional 110,000 gal* missile-protected condensate storage tank and two booster pumps supply the suction of the unaffected auxiliary feedwater pumps. These*

modifications were designed .and installed in accordan*ce with ASME Section III, Seismic Category I criteria, and are also tornado protected. These modifications are shown ih *Figure 14B-22.

As described in Section 14.2.11, only one 350 gpm auxiliary feedwater pump is required to remove stored and residual heat. Therefore, no redundancy requirements were lost for either unit, since there are two 350-gpm auxiliary feedwater 4

e pumps and one 700-gpm feedwater pump available from the unaffected unit 11 (Section 14B.5.1.7).

The UFSAR Section 14,8.5.1.7 .discussion on redundancy quoted above is al-ways true for the case of both units initially operating at power, by virtue of the requirements of Technical Specification 3~6, but would not be true if the unaffected unit were at cold or refueling shutdown with one of the two motor-driven pumps inoperable for repair or maintenance, as allowed by the current specifications. In this case, only one AFW pump

  • would be available on the unaffected unit, since the turbine-driven pump would have no steam supply. Thus under current T~chnical SpecificatiQns, the affected unit would be vulnerable to a common mode failure of the AFW system due to a HELB outside containment compounded with aQ additiona~

single active failure of an AFW pump on the opposite unit. This is corr trary to General Design Criteria 21 and 22.

As a result, Virginia Electric and Power Company is proposing a change to the Technical Specifications to ensure redundant protection against loss of all AFW under HELB conditions. A detailed discussion of the proposed changes follows.

5

FIGURE 1

~6'-WAP0-1-601

\ (FM-68A,C-6)

MOV rwi5IA

'-6~WAl>D-2-601 (FM-<;~A, C-6)

INSICE REACTOR CONTAINMErir 6'!.WAi>D-152- 601

~~U~T__l--1*---- - - - - - - - ---+---

UNIT 2 f  ;..;IN;..:S'--ID""'Ec.-R=E-AC"'"-T_O_R_C_O_N_T_A_IN_M_E-'N-'-T-*-i MOV '----6"-WAPD-l!IO "iiOI FW251~ -

CROSS-CONNECTS FOR UNIT NO 2 AUXILIARY FEED FROM UNIT NO. I j .ill. ST£AM G0L FEED PUMPS I I (11541M"M-i,BA) I 110,COO ,;AL El.lER CNDS r------'-l STCRAGE TANK

~T c-C ~-T~-1 FWZ!>IF l_i5<1&FM*e<>>\.~-7'

. NOV T I FW251C~

I

~.£..=-.J*.

-~*ro-roa-60! (11!*-Flil-EieA,C-6) 11'.SIDE REACTOR CCl'.TAINMEm

  • UlllT 2 I

---u;r ,-,----,-NSIOf REACTOR CONTAl'IIMENT 74 CROSS-CON'JECTS FOR UNIT NO. I AUXILIARY FEED FROM UNIT NO. 2

II. DISCUSSION OF PROPOSED CHANGES Specification 3.6 - 11 Turbine Cycle 11 Specification 3.6.B.l, which.governs AFW requirements to ensure residual*

heat removal capability for reactor conditions which preclude operation of the residual heat removal system, has been revised to read as follows:

11

8. To assure residual heat remo~al capabilities, the following condi-tions shall be met prior to th~ commence~ent of any unit operation that would establish reactor coolant system conditions exceeding 350 For 450 psig which would preclude operation of the Residua 1 Heat Remova 1 System.
1. The following shall be operable:
a. Two motor driven auxiliary feedwater pumps.
b. Two of the three auxiliary feedwater pumps on the opposite unit (automatic initiation instrumentation need not be operable), capable of being used with the opening of the cross-connect. 11 Thus the number of AFW pumps on the opposite unit has been increased from one to two, and the emergency power train associated with each pump must 7
  • e now be operable. As before, automatic initiation instrumentation has been excluded from the requirements si nee use of the cross-connect requires operator action. Under the proposed revision, there will still be at least one AFW pump available for use with the cross-connect, even with a single active failure of a ~ump and a concurrent loss of offsite power.

Specification 3.6.D, which governs operability requirements for AFW sys-tem supporting equipment, has been revised to read as follows:

11

0. System piping, valves and control board indication required for operation of the components enumerated in Specifications 3.6.8.1,3.6.B.2,3.6.B.3 and 3.6.C shall be operable (automatic initiation instrumentation associated with the opposite unit's auxiliary feedwater pumps need not be operab.le). 11 Urider the modified Paragraph 3.6.D, operability of the subject components has been extended to include operability of the associated emergency.power sources, independent of operating mode. Allowed outage times for the emergency power source are addressed in Technical Specification 3.16, 11 Emergency Power System 11
  • 8
  • e Specification 3.6.G defines allowed outage times for the opposite units auxiliary feedwater pumps and associated equipment. This specification has been modified to the following:

11 G. The requirements of Specifications 3.6.B.1 and 3.6.D above concerning the opposite unit 1 s auxiliary feed water pumps and associated piping, valves and control board indication may be modified to allow the following components to be inoperable, provided immediate attention is directed to m*aking repairs.

1. Two of the opposite unit 1 s auxiliary feedwater pumps and associated piping, valves and control board indicaticins may be tnoperable for a period not to exceed 14 days.
2. Three of the opposite unit 1 s auxiliary feedwater pumps and associated piping, valves and control board indications may be inoperable for a period not to exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
3. The piping, valves and control board indications necessary to provide auxiliary feedwater from the opposite unit via the cross-connect may be inoperable for a period not to exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

If the above requirements are not met, be in at least hot 9

shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in cold shutdown within within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. 11 The 14 day allowed outage time for two AFW pumps on the opposite unit is based on a realistic time allowance for performing repairs on the pumps and/or associated.emergency -diesel generators, and on the demonstrated low contribution of the HELB to.core damage risk. The three day allowed outage time for all AFW pumps on the opposite unit and for the supporting equipment for the cross-connect is also based on a probabilistic risk assessment which includes the contribution of thfs allowed outage time to the total risk of losing all AFW in the event of a high energy line break (see Section III, below).

In addition to the changes discussed above, the Basis for Section 3.6 has been modified slightly to discuss the reason for requiring two AFW trains operable on the shutdown unit.

10

e e Specification 3.9 - "Station Service Svstems 11 This Speci fi cation has been revised to .require emergency power supp 1i es on the opposite unit to be operable to power the equipment necessary to operate the AFW system cross-connect and AFW pumps. The wording of the revised Specification is as follows (only those requirements which have been augmented are reproduced here):

11

8. A unit 1 s reactor shall not be made critical without the requirements of Specification 3.9-A above, items 3,4,5,6, and 7 being met for the opposite unit.

C. The requirements of Specification 3.9-A above may be modified for two reactor coolant loop opefation to allow one of the unit's 4,160 v normal buses and the two 480 v normal buses fed from this 4,160 v bus, to be unavailable or inoperable.

D. The requirements of Specification 3.9-A and 3.9-B above may be modified as provided in Section 3.16 for items 3,4,5,6 and 7. 11 The equipment referred to in Specification 3.9-A includes* the following:

3. Both of the 125 v d-c buses energized as explained in 11

e Section 3.16.

4. One battery charger per battery operating as explained in Section 3.16.
5. Both of the 4;160 v emergency buses energized as explained in Section 3.16.
6. All fo~r of the 480 v emergency buses energized as explained in Section 3.16. **
7. Two emergency diesel generators operable as explained in Section 3.16.

By adding the above requirements, two redundant* trains of emergency power and supporting equipment are available to power the motor-driven AFW pumps on the opposite unit. Section 3.16, discussed below, has been modified to provide for a 14 day outage time for one train of the emergency power system. A note has been added to the Basis for Specification 3.9 to ex-plain the requirement for the emergency power supplies on the opposite unit.

    • This section has been revised from 11 Two 480 v emergency buses 11 to 11 all four of the 480 v emergency buses 11 for clarity. Both 480 v buses lH and lHl are sometimes referred to simply as 11 the lH 480 v bus 11 (and similarly for lJ and lJl). The wording change clarifies the intent of the spec-ification.

12

--~-1 Specification 3.16 - 11 Emergency Power System 11 This specification defines those conditions of electrical power avail-ability necessary to shutdown the reactor safely, and provides for the continuing availability-of Engineered Safeguards when normal power is not available. Specification 3.16.A defines the minimum equipment available, and has been revised to require emergency power on the opposite unit:

11

8. The requirements of Specifications A.l, A.2, A.3, A.5, A.6 and A.7 met for the opposite unit. In addition, one of the two physically independent circuits from the offsite transmission network to energize the opposite unit's 4160 and 480v emergency buses must be available. 11 The requirements referred to include:
1. Two diesel generators (the unit diesel generator and the

~hared backup diesel generator) operable with each generator's day tank having at least 290 gallons of fuel and with a minimum on-site supply of 35,000 gal of fuel available.

2. Two 4,160 v emergency buses energized.
3. All four 480 v buses energized (see the note on p.26).
5. Two operable flow paths for providing fuel to each diesel 13

generator.

6. Two station batteries, two chargers-and the d.c. distribution systems operable.
7. Emergency diesel generator battery, charger, and the d.c.

control circuitry operable for the unit diesel generator, and for the shared back-up diesel generator.

The requirement for one of the two circuits from the offsite transmission network to be available enhances the overall availability of power to the emergency buses of the opposite unit while allowing for maintenan~e to be performed on the other circuit as required.

Allowed outage times for the emergency power system are defined in Spec-ification 3.lS.B. The proposed.revision retains the existing 7 day outage time for the dedicated and shared backup generator, and adds a 14 day allowed outage time for a single .train of the emergency power system and the offsite power source on the opposite unit:

11

4. One of the two trains of the opposite unit's emergency power system as required by Section 3.16.A.8 above may be inoperable for a period not to exceed 14 days. The offsite power source*

14

for the opposite unit may be unavailable for a period not to exceed 14 days provided the opposite unit 1 s dedicated diesel generator and shared backup diesel generator are operable. If the two trains of the opposite unit 1 s emergency power system and the offsite power source are not returned to operable status within 14 days, the reactor sh~ll be brought to a cold shutdown condition. When the opposite unit 1 s dedicate~

emergency diesel generator battery, charger or d.c. control circuitry is inoperable, the diesel and associated emergency power system train shall be considered inoperable. 11 The 14 day allowed outage time for an emergency power train on the oppo-site unit is based on probabilistic risk assessment (PRA) which demon-strates that, with this outage-time, loss of AFW due to a HELB in one unit concurrent with a loss of offsite power repres~nts a negligible contribution to core damage risk. The methodology, assumptions and con-clusions of this study are summarized below.

15

III. PROBABILISTIC RISK ASSESSMENT (PRA) METHODOLOGY AN_D RESULTS A. Methodology A fault tre~ model of the AFW system was prepared. The. basic model used was that developed by Sandia National Laboratories* and documented in 11 NUREG/CR-4450/Vol. 3, Analysis of. Core Damage Fr~quency from Internal Events: Surry, Unit 1 11 (Ref. 2). The base model was benchmarked against Reference 2 to show that equivalent AFW system reliabilities were being predicted. The . base model was then modified to account for emergency power dependencies a.nd the AFW cross-tie.capabiiity.

  • Availability of AFW was modeled as a supercomponent representing the availability of an .entire train, including emergency pow*er, as defined in the proposed Speci fi ca-tions.

The scenario analyzed was a HELB in the vicinity of the operating units AFW pumps (thus fa.iling the pumps).* Cases with and without concurrent loss of offsite power were examined. The non-affected unit was assumed to be in *cold shutdown. A sensitivity study was performed which examined the effects of varying allowed outage times (AOT 1 s) on one AFW train for the shutdown unit. AOT' s of fourteen, twenty-one and thirty days were assumed in the calculations.

16

B. Key Analysis Assumptions In the discussion which follows, Unit 1 is assumed to be initially at power, and Unit 2 is at cold shutdown. The HELB occurs on Unit 1, disa-bling the Unit 1 AFW capability. The following key assumptions apply:

1. The Technical Specifications will require that both motor-driven pumps (and associated emergency power equipment) be operable on the shutdown unit. In the event that one AFW train were inoperable, the operating unit (Unit 1) would be placed into a fourteen day action statement. Should the second motor driven pump on the shutdown unit or the cross-connect flow piping, valves or instrumentation become inoperable, the operating unit would be placed into a more restrictive action statement (i.e. 3 days).
2. The turbine driven AFW pump on unit 2 is unavailable due to lack of a steam supply.
3. The loss of offsite power event was assumed to affect both units. Should the dedicated diesel generator for a unit fail to start or run, the shared backup diesel generator (#3) is assumed to align to that unit.

It is further assumed that for a simultaneous loss of-offsite 17

power and HELB, the diesel ~ould automatically align to Unit 1 (the unit with the HELB). This will necessitate operator action to manually align the diesel to Unit 2 if it is required to provide cross-tie flow capability. This operator action is viewed as an* independent action from manuall~ aligning the Unit 2 AFW flow path.

4. The use of the 300,000 gallon condensate storage tank (CST),

the emergency makeup tank or the fire main as a backup to the emergency CST were not considered as recovery actions for conservatism.

5. Failure rates and probabilities used in the analysis were obtained from Reference 2 with the exception of the maintenance outage rates for the auxiliary feedwater trains on the shutdown unit. This was calculated for various allowed outage times, as discussed above, based on the conservative assumption that a train ente~s extended maintenance at a frequency of once per eighteen months.
6. For the piping, valves ~nd control board indications associated with the cross-connect itself, the unavailability assumed was equivalent to one three-day outage every third refueling outage.

18

e C. Summary of PRA Results Table 1 provides a summary of the sensitivity study results for varying amounts of allowed outage time for one auxiliary feedwater train on the shutdown unit. The resultant frequencies for loss of AFW resulting from a HELB may be eva 1uated by comparing them to core damage frequencies for.

the Surry dominant accident sequences identified in Table IV.9-2 of Ref-.

erence 2. Summing those frequencies, one finds that the 'total core damage frequency is estimated at 2.5E-5 events/year. Thus, if one makes the assumption that a HELB followed by failure to supply AFW results in core damage with a probability of 1.0, the co~tribution from HELB is less than 1.0% of the total core damage risk. This is~ very conservative estimate since it discounts the impact of alternative actions to remove core heat such as primary side 11 feed and bleed"; also, for the cases with offsite power available, no credit has been taken for continued availability of main feedwater_ When this effect is considered, the failure rates are seen to be high by perhaps an order of magnitude.

Furthermore, the INCREMENTAL increase in contribution to risk associated with an allowed outage time of 14 to 30 days on an AFW train with respect to no allowed outage time (7.0E-8) is less than 0.1% of the total risk.

It should be reemphasized that the estimated failure frequencies are very conservative.

19

A review of Reference 2 shows that for sequences involving loss of AFW, (Event L), only those sequences which also involve a loss of offsite power are*significant contributors to the core damage frequency. Thus a case was examined which involved a loss of offsite power *concurrent with the HELB event. The resultant Jailure rate was shown to be 1.7E-8 events,

. per year, thus contributing less than 0.1% to core damage risk.

The conclusions drawn above are valid for any of the assumed *allowed outage times, ranging from 14 to 30 days. We are proposing an allowed outage time of 14 days for a train of auxiliary feedwater oil the opposite u~it. This AOT c~n realistically accommodate otcasional major repairs and.

yet remains well within the limits of* the PRA study to aC:count for un-certainties in the estimated frequency of those major repairs.

Further details of the probabilistic assess_ment methods, assumptions and results may. be found in Appendix 1 of this evaluation; 20

It_,/

TABLE 1 AFW SYSTEM PRA SENSITIVITY STUDY RESULTS For the following-table of results, these initiator frequencies were used:

Loss of Offsite Power (LOSP). 7.0E-2/YR (1)

High Energy Line Break (HELB) in AFW Room 3.0E-5/YR (2)

AFW Outage AFW Fai 1ure Initiator Resultant Change In Time, Days Probability Freguency(3) Failure Rate. Risk No AOT 4.45E-3 3.0E-5 1. 3E-7 N/A 14 6.58E-3 3.0E-5 2.0E-7 7.0E-8 14 ( LOSP) 8.07E-3 2. lE-6 1. 7E-8 N/A 21 6. 71E-3 3.0E-5 2.0E-7 7.0E-8 30 6.90E-3 3.0E-5 2.lE-7 8.0E-8 Thus, for an allowed outage time of 14 days for a motor-driven AFW pump on the shut.down unit, the resulting frequency of 1ass of AFW capability due to HELB coincident with LOSP is about l.7E-8 events per year.

1. Reference 2, Table IV.3.2.1, Page IV-21.
2. Reference 2,Section IV.3.1.1, Page IV--13.
3. HELB or HELB with Coincident LOSP 21

IV. SINGLE FAILURE EVALUATION A review of the AFW system, including.the cross-connect feature and the*

requirements of the proposed Technical Specifications, was performed to ensure that there are no single active failures which could result in* a loss of AFW under accident conditions. Only one potential failure mode was identified, but this is not considered a credible failure ..

The AFW cross-connects are provided with dual check valves (in series) to prevent 1oss of feedwater in the event of a b_reak in one of these 1i nes outside containment (see Figure 1). Failure of either of the valves to transfer open as required wo.uld render the cross-connect inoperable.

However, this is not considered credible in that:

1. There have been no reported failures of check valves of this design (Crane Co. 600 lb. cast steel swing check valves) resulting in failure to transfer open.
2. Periodic valve operability and flow testing is in place to confirm acceptable performance of these valves.
3. The valve material and AFW water chemistry are such that corrosion product buildup severe enough to cause hinge binding or any other mechanism of valve ~ticking is *not 22

tonsidered credible.

4. To further ensure reliable performance, a_formal preventive maintenance program has been established for these valves.

As a result of these considerations, the pr0per active function of these valves (i.e. transferring open) can be demonstiated d~spite any cr~dibl~

condition. Therefore, under the guidance of Reference 3, an exemption from the single active failure criterion is justified in that failure of the valves to transfer open need not be considered part of the design basis.

23

V. PLANT FEATURES/OPERATOR ACTIONS Loss of main and auxiliary feedwater at Surry is considered a very low probability event. Common mode failure of a unit's AFW pumps due to a high energy line break in the main steam valve house is considered in the design basis due to lack of formal environmental qualification of the.AFvJ-pumps for these conditions. The HELB event is in itself a very low probabi 1ity event. NUREG-1150 estimated an event frequency of 3E-5/YR;*

For the common mode failure of a- unit's AFW pumps to occur, a large eno*ugh break must be postulated so that all three AFW pumps fail due to flooding or environmental overheating.

Surry Technical Specifications impose an augmented inservice inspecti.on

  • program for high energ~ line breaks outside of tontainment. This progfam covers welds in piping systems where p.rotection from the consequences of postulated ruptures is not provided by a system of pipe whip restraints, jet impingement barriers, protective enclosures and/or other measures designed specifically to cope with such ruptures. Both main steam and main feedwater lines in the main steam valve house are covered *under this program. Under normal plant operating conditions, the piping materials.

operate under ductile conditions and within stress limits which are con-siderably below the ultimate strength properties of the materials._ Flaws which could grow under such conditions are generally associated with cy-clic loads that fatigue the metal and lead to leakage cracks. The in-service inspection program provides an adequate mechanis~ to assist in the early detection of flaws induced in these piping systems.

24

Loss of secondary heat sink events have received considerable industry study in recent years, and Surry 1 s Emergency Operating Procedures (EOP) reflect the benefits of this study. The procedures direct operator at-tention toward establishing and maintaining AFW flow to at least.one steam generator as soon as it is demonstrated that a secondary heat sink is required. For Surry this involves. remote, then local attempts to start the AFW pumps and establish appropriate flow paths. Failing th.is, the inter-unit AFW cross-connect is used.

If AFW cannot be established, the operator trips reactor coolant pumps to maximize the time available to reestablish a secondary heat sink prior to the generation of RCS voids. Once this is accomplished, he attempts.

to establish main feedwater flow to at least one generator. If this at-tempt fails, depressurization of the steam generators to a level compat-ible with feeding from the main condensate pumps proceeds.

If attempts to restore a secondary heat sink fail, the procedures and decision points are structured to initiate bleed-and-feed cooling using pressurizer power operated relief valves (PORVs) and high head safety injection pumps prior to loss of bulk subcooling margin in the reactor coolant system. Once this mod~ of cooling is established, the core can be cooled for an extended period of time while further efforts are made to reestablish a secondary heat sink.

25

As discussed in previous sections, we are proposing technical specifica-tions which enhance the effectiveness of the existing AFW cross-connect design in reducing the risk of loss of AFW capability. The design fea-tures and operator actions discussed above provide further assurance that core heat removal capability will be maintained in the event of a loss of the secondary he.at sink.

.i 26

VI. 10 CFR 50.59 EVALUATION Virginia Electric and Power Company proposes a series of modifications to* Sections 3.6, "Turbine Cycle", 3.9, "Station Service Systems", and 3.16, "Emergency Power System", of the Surry Technical Specifications.

These proposed modifications address the operability and redundancy re-quirements of the cross-connect feature of the Auxiliary Feedwater Sys-tem.

Based on our review of the proposed changes, we have determined that these changes wi 11 not create an unrevi ewed safety question as defined in 10 CFR 50.59. sp*ecifically:

1. The proposed changes do not increase _either the probability of occurrence or consequences of any accident or equipment malfunction scenario which is important to safety and which has been previously evaluated in the UFSAR. The effect of the changes will be to increase the reliability of the auxiliary feedwater cross-connect feature, which is.relied on for mitigation of certain high energy line breaks outside containment and fires. The current UFSAR accident analysis results and conclusions are not affected by the proposed changes.
2. The possibility of an accident or malfunction of a different type 27

than those previously evaluated in the safety analysis report is not created. The redundancy requirements for the auxiliary feed-water system have no impact on the range of initiating events previously assessed.

3. The margin of safety as defined in the bases of the technical specifications is not reduced. The results of the existing UFSAR accident analyses remain bounding, and therefore the safety margins are not impacted.

28

e VII. NO SIGNIFICANT HAZARDS DETERMINATION Vir~inia Electric and Power Company proposes a series of modifications to Sections 3.6, 11 Turbine Cycle 11 , 3.9, 11 Station Service Systems 11 , and 11 3.16, Emergency Power System 11 , of the Surry Techni.cal Specifications.

These proposed modifications address the operability and redundancy re-quirements of the cross-connect feature of the Auxiliary Feedwater Sys-tem. Therefore* the reliability of the system in performing its intended safety function under accident conditions will be enhanced.*

Virginia Electric and Power Comp.any ha's reviewed the proposed changes against the criteria of 10 CFR 50.92 and has concluded that the changes do not pose a significant safety hazards consideration as defined therein.

Spec.ifically, operation of Surry Power Station with the proposed amend-ment will not:

1; Involve a significant increase in either the probability of occur-rence or consequences of any accident or equipment malfunction scenario which is important to safety and which has been previously evaluated in the UFSAR. The effect of the chan~es will be to increase the reliability of the auxiliary feedwater cross-connect feature, which is relied on for mitigation of certain high energy line breaks outside containment and fires. The current UFSAR accident analysis results and conclusions are not affected by 29

~,;

the proposed changes.

2. Create the possibility of a new or different type of accident from those previously evaluated in the safety analysis report.

The redundancy requirements for the auxiliary feedwater system have no impact on the range of initiating events previously assessed.

3. Involve a significant reduction in a margin of safety. Since the results of the existing UFSAR accident analyses remain bounding, the safety margins are not impacted.

30

  • e References
1. Surry LER 87-14, Reporting Potential for Inadequate Auxiliary Feedwater Supply During a High Energy Line Break (HELB) Event, June 30, 1987.

11

2. NUREG/CR-4550/Vol .3, Analysis of Core Damage Frequency from Internal Events: Surry Unit 111 , Sandia National Laboratories, November 1986.
3. American National Standard ANSI/ANS-58.9-1981, 11 Single Failure Criteria for Light Water Reactor Safety Related Fluid Systems 11 ,

11 Section 3, Exemptions 11

  • 31
Retrieved from "https://kanterella.com/w/index.php?title=ML18152A147&oldid=2403746"