ML18153B962

From kanterella
Jump to navigation Jump to search
Revised Tech Specs Re Operability Requirements for Auxiliary Feedwater Sys & Power Sources of Shutdown Unit
ML18153B962
Person / Time
Site: Surry  Dominion icon.png
Issue date: 10/30/1989
From:
VIRGINIA POWER (VIRGINIA ELECTRIC & POWER CO.)
To:
Shared Package
ML18153B961 List:
References
NUDOCS 8911070397
Download: ML18153B962 (16)
v  d  e


Text

...

e e TS 3.6-1 3.6 TURBINE CYCLE Agplicability Applies to the operating status of the Main Steam and Auxiliary Feed Systems.

Objectives To define the conditions required in the Main Steam System and Auxiliary Feed System for protection of the steam generator and to assure the capability to remove residual heat from the core during a loss of station power/or accident situations.

Specification A. A unit's Reactor Coolant System temperature or pressure shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless the five main steam line code safety valves associated with each steam generator in unisolated reactor coolant loops are operable with lift settings as specified in Table 3.6-1A and 3.6-1 B.

8. To assure residual heat removal capabilities, the following conditions shall be met prior to the commencement of any unit operation that would establish reactor coolant system conditions of 350°F or 450 psig which would preclude operation of the Residual Heat Removal System.
1. The following shall be operable:
a. Two motor driven auxiliary feedwater pumps.
b. Two of the three auxiliary feedwater pumps on the opposite unit (automatic initiation* instrumentation need not be operable), capable of being used with the opening of the cross-connect.

8911070397 891030 PDR ADOCK 05000280 P PNU

TS 3.6-2

2. A minimum of 96,000 gallons of water shall be available in the tornado missile protected condensate storage tank to supply emergency water *to the auxiliary feedwater pump suctions. A minimum of 60,000 gallons of water shall be available in the tornado protected condensate storage tank of the opposite unit to supply emergency water to- the auxiliary feedwater pump suction of that unit.
3. All main steam line code safety valves, associated with .steam generators in unisolated reactor coolant loops, shall be operable with lift settings as specified in Table 3.6-1 A and 3.6-1 B.

C. Prior to reactor power exceeding 10%, the steam driven auxiliary feedwater pump _shall be operable.

D. System piping, valves, and control board indication required for operation of the components enumerated in Specifications 3.6.B.1, 3.6.B.2, 3.6.B.3, and 3.6.C shall be operable (automatic initiation instrumentation associated with the opposite unit's auxiliary feedwater I

pumps need not be operable). .

E. The iodine - 131 activity in the secondary side of any steam generator, in an unisolated reactor coolant loop, shall not exceed 9 curies. Also, the specific activity of the secondary coolant system shall be ~ 0.1 O µCi/cc DOSE EQUIVALENT 1-131. If the specific activity of the secondary coolant system exceeds 0.1 O µCi/cc DOSE EQUIVALENT 1-131, the reactor shall be shut down and cooled to 500°F or less within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after detection and in the cold shutdown condition within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

TS 3.6-3 F. With one auxiliary feedwater pump inoperable, restore at least three auxiliary feedwater pumps (two motor driven feedwater pumps and one steam driven feedwater pump) to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in hot shutdown within the following 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

G. The requirements of Specifications 3.6.8.1, 3.6.8.2 and 3.6.D above concerning the opposite unit's auxiliary feedwater pumps; associated piping, valves and control board indication; and, the protected condensate storage tank may be modified to allow the following components to be inoperable, provided immediate attention is directed to making repairs.

1. One train of the opposite unit's piping, valves, and control board indications or two of the opposite unit's auxiliary feedwater pumps may be inoperable for a period not to exceed 14 days.
2. Both trains of the opposite unit's piping, valves, and control board indications; the opposite unit's protected condensate storage tank; the cross-connect piping from the opposite unit; or three of the opposite unit's auxiliary feedwater pumps may be inoperable for a period not to exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

If the above requirements are not met, be in at least hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in cold shutdown within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

H. The requirements of Specification 3.6.B.2 above may be modified to allow utilization of protected condensate storage tank water with the auxiliary steam generator feed pumps provided the water level is maintained above 60,000 gallons, sufficient replenishment water is available in the 300,000 gallon condensate storage tank, and replenishment of the protected condensate storage tank is commenced within two hours after the cessation of protected condensate storage tank water consumption.

TS 3.6-3a A reactor which has been shutdown from power requires removal of core residual heat. While reactor coolant temperatures or pressure is > 350°F or 450 psig, respectively, residual heat removal requirements are normally satisfied by steam bypass to the condenser. If the condenser is unavailable, steam can be released to the atmosphere through the safety valves, power operated relief valves, or the 4 inch decay heat release line.

TS 3.6-4 The capability to supply feedwater to the generators is normally provided by the operation of the Condensate and Feedwater Systems. In the event of complete loss of electrical power to the station, residual heat removal would continue to be assured by the availability of .either the steam driven auxiliary feedwater pump or one of the motor driven auxiliary feedwater pumps and the 110,000-gallon condensate storage tank. In the event of a fire or high energy line break 1 which would render the auxiliary feedwater pumps inoperable on the affected unit, residual heat removal would continue to be assured by the availability of either the steam driven auxiliary feedwater pump or one of the motor-driven auxiliary feedwater pumps from the opposite unit. A minimum of two auxiliary feedwater pumps are required to be operable* on the opposite unit to en~ure compliance with the design basis accident analysis assumptions, in that auxiliary feedwater can be delivered via the cross-connect, even if a single active failure results in the loss of one of the two pumps.

A minimum of 92,000 gallons of water in the 110,000-gallon condensate tank is sufficient for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> of residual heat removal following a reactor trip and loss of all offsite electrical power. If the protected condensate storage tank level is reduced to 60,000 gallons, the immediately available replenishment water in the 300,000-gallon condensate tank can be gravity-fed to the protected tank if required for residual heat removal. An alternate supply of feedwater to the auxiliary feedwater pump suctions is also available from the Fire Protection System Main in the auxiliary feedwater pump cubicle.

The five main steam code safety valves associated with each steam generator have a total combined capability of 3,725,575 pounds per hour at their individual set pressure; the total combined capability of all fifteen main steam code safety valves is 11,176,725 pounds per hour. The ultimate power rating steam flow is 11, 167,923 pounds per hour. The combined capacity of the safety valves required by Specification 3.6 always exceeds the total steam flow corresponding to the maximum steady state power than can be obtained during one, two, or three reactor coolant loop operation*

The availability of the auxiliary feedwater pumps, the protected condensate storage tank, and the main steam line safety valves adequately assures the sufficient residual heat removal capability will be available when required.

  • excluding automatic initiation instrumentation

e TS 3.9-1 3.9 STATION SERVICE SYSTEMS Applicability Applies to availability of electrical power for operation of station auxiliaries.

Objective To define those conditions of electrical power availability necessary to provide for safe reactor operation.

Specification A. A unit's reactor shall not be made critical without:

1. All three of the unit's 4, 160V buses energized
2. All six of the unit's 480V buses energized
3. Both of the 125 V DC buses energized as explained in Section 3.16
4.
  • One battery charger per battery operating as explained in Section 3.16
5. Both of the 4, 160V emergency buses energized as explained in Section 3. 16
6. All four of the 480V emergency buses energized as explained in f Section 3. 16

e TS 3.9-2

7. Two emergency diesel generators operable as explained in Section 3.16 B. A unit's reactor shall not be made critical without the requirements of Specification 3.9-A items 3, 4, 5, 7, and 6 (for the 480V power supplies for the auxiliary feedwater cross-connect valves) being met for the opposite unit.

C. The requirements of Specification 3.9-A above may be modified for two reactor coolant loop operation to allow one of the unit's 4, 160V normal buses and the two 480V normal buses fed from this 4, 160V bus, to be unavailable or inoperable.

D. The requirements of Specifications 3.9-A items 3, 4, 5, 6, and 7 may be modified as provided in Section 3.16-B.

During startup of a unit, the station's 4, 160V and 480V normal and emergency buses are energized from the station's 34.5KV buses. At reactor power levels greater than 5 percent of rated power the 34.5KV buses are required to energize only the emergency buses because at this power level the station generator can supply sufficient power to the normal 4, 160V and 480V lines to operate the unit.

Three reactor coolant loop operation with all 4, 160V and 480V buses energized is the normal mode of operation for a unit. Equipment redundancy and bus arrangements, however, allow safe unit startup and operation with one 4, 160V normal bus and the two 480V normal buses feed from this 4, 160V bus, unavailable or inoperable.

Emergency power supplies on the opposite unit are required to be operable to power the equipment necessary to supply auxiliary feedwater from one unit to another via the cross-connect.

References FSAR Section 8.4 Station Service Systems FSAR Section 8.5 Emergency Power Systems

TS 3.16-1 3.16 EMERGENCY POWER SYSTEM Applicability Applies to the availability of electrical power for safe operation of the station during an emergency.

Objective To define those conditions of electrical power availability necessary to shutdown the reactor safely, and provide for the continuing availability of Engineered Safeguards when normal power is not available.

Specification A. A reactor shall not be made critical nor shall a unit be operated such that the reactor coolant system pressure and temperature exceed 450 psig and 350°F, respectively, without:

1. Two diesel generators (the unit diesel generator and the shared backup diesel generator) operable with each generator's day tank having at least 290 gallons of fuel and with a minimum on-site supply of 35,000 gal of fuel available.
2. Two 4, 160V emergency buses energized.
3. Four 480V emergency buses energized.

I*

TS 3.16-2

4. Two physically independent circuits from the offsite transmission network to energize the 4,160 and 480V emergency buses. One of these sources must be immediately available, i.e. primary source; and the other must be capable of being made available within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />; i.e. dependable alternate source.
5. Two operable flow paths for providing. fuel to each diesel generator.
6. Two station batteries, two chargers, and the DC distribution systems operable.
7. Emergency diesel generator battery, charger and the DC control circuitry operable for the unit diesel generator and for the shared back-up diesel generator.
8. The requirements of Specifications A.1, A.2, A.5, A.6, A.7, and A.3 (for the 480V power supply for the auxiliary feedwater cross-connect valves) met for the opposite unit. In addition, one of the two physically independent circuits from the offsite transmission network must energize the opposite unit's emergency buses.

B. During power operation or the return to power from hot shutdown cGnditions, *the requirements of specification 3.16-A may be modified by one of the following:

1. Either the unit's dedicated diesel generator or the shared backup diesel generator may be unavailable or inoperable provided the operability of the other diesel generator is demonstrated daily. If this diesel generator is not returned to an operable status within 7 days, the reactor shall be brought to a cold shutdown condition.

One diesel fuel oil flow path may be "inoperable" for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> provided the other flow is proven operable. If after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the inoperable flow path cannot be returned to service, the diesel shall

_be considered "inoperable." When the emergency diesel generator battery, charger or DC control circuitry is inoperable, the diesel shall be considered "inoperable."

e TS 3.16-3

2. If a primary source is not available, the unit may be operated for seven (7) days provided the dependable alternate source can be operable within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. If specification A-4 is not satisfied within seven (7) days, the unit shall be brought to the cold shutdown condition.
3. One battery may be inoperable for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> provided the other battery and battery chargers remain operable with one battery charger carrying the DC load of the failed battery's supply system. If the battery is not returned to operable status within the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period the reactor shall be placed in the hot shutdown condition. If the battery is not restored to operable status within an additional 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, the reactor shall be placed in the cold shutdown condition.
4. A train of the opposite unit's emergency power system as required by Section 3.16.A.8 above may be inoperable for a period not to exceed 14 days. During this 14 day period, the following limitations apply:

a) If the offsite power source becomes unable to energize the opposite unit's operable train, operation may continue provided its associated emergency diesel generator is energizing the operable train.

b) If the opposite unit's operable train's emergency diesel generator becomes unavailable, operation may continue for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> provided the offsite power source is energizing the opposite unit's operable train.

c) Return of the originally inoperable train to operable status allows the second inoperable train to revert to the 14 day limitation.

If the above conditions are not met, the reactor shall be brought to hot shutdown conditions within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and cold shutdown condition within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

C. The continuous running electrical load supplied by an .emergency diesel generator shall be limited to 2750 KW.

Basis The Emergency Power System is an on-site, independent, automatically starting power source. It supplies power to vital unit auxiliaries if a normal power source is not available. The Emergency Power System consists of three diesel generators for two units. One generator is used exclusively for Unit 1, the second unit for Unit 2, and the third generator functions as a backup for either Unit 1 or 2. The diesel generators have a continuous 2,000 hour0 days <br />0 hours <br />0 weeks <br />0 months <br /> rating of 2750 KW and a two hour rating of 2850 KW. The actual loads using conservative

TS 3.16-5 The diesel generators function as an on-site back-up system to supply the emergency buses. Each emergency bus provides power to the following operating Engineered Safeguards equipment:

A One containment spray pump

8. One charging pump C. One low head safety injection pump D. One recirculation spray pump inside containment E. One recirculation spray pump outside containment F. One containment vacuum pump G. One motor-driven auxiliary steam generator feedwater pump H. One motor control center for valves, instruments, control air compressor, fuel oil pumps, etc.

I. Control area air conditioning equipment - four air recirculating units, one water chilling unit, one service water pump and one chilled water circulating pump J. One charging pump service water pump for charging pump intermediate seal coolers and lube oil coolers K. One charging pump cooling water pump for charging pump seal coolers.

~-

TS 3.16-6 The day tanks are filled by transferring fuel from any one of two buried tornado missile protected fuel oil storage tanks, each of 20,000 gal capacity. Two of, 100 percent capacity fuel oirtransfer pumps per diesel generator are powered from the emergency buses to assure that an operating diesel generator has a continuous supply of fuel.

The buried fuel oil storage tanks contain a seven (7) day supply of fuel, 35,000 gal minimum, for the fuel load operation of one diesel generator; in addition, there is an above ground fuel oil storage tank on-site with a capacity of 210,000 gal which is used for transferring fuel to the buried tanks.

If a loss of normal power is not accompanied by a loss-of-coolant accident, the safeguards equipment will not be required. Under this condition, the following additional auxiliary equipment may be operated from each emergency bus:

A. One component cooling pump

  • B. One residual heat removal pump C. One motor-driven auxiliary steam generator feedwater pump The emergency buses in each unit are capable of being interconnected under strict administrative procedures so that the equipment which would normally be operated by one of the diesels could be operated by the other diesel, if required.

The requirement for operability of the opposite unit's emergency power system is to ensure that auxiliary feedwater from the opposite unit can be supplied via the cross-connect in the event of a common-mode failure of all auxiliary feedwater pumps in the affected unit due to a high energy line break in the main steam valve house. Without this requirement, a single failure (such as loss of the shared backup diesel generator) could result in loss of power to the opposite unit's emergency buses in the event of a loss of offsite power, thereby rendering the cross-connect inoperable. The longer allowed outage time for the opposite unit's emergency power system is based on the low probability of a high energy line break in the main steam valve house coincident with a loss of offsite power.

e ATTACHMENT 2 RISK IMPACT OF REVISED TECHNICAL SPECIFICATION

_J

DISCUSSION OF RISK IMPACT FOR REVISED TECHNICAL SPECIFICATION The 14 day allowed outage time for an emergency power train on the opposite unit is based on the probabilistic risk assessment (PRA) which demonstrates that, with the proposed outage times, loss of AFW due to a HELB on one unit concurrent with a loss of offsite power represents a neglible contribution to the core damage risk. The methodology, assumptions and conclusions of this study are summarized in to our Letter No.88-455. The results presented there are impacted slightly by the modified specification presented in this submittal, discussed below.

As proposed in Letter No.88-455, Specification 3.16.B.4 allows a 14 day outage of one train of emergency power on the opposite unit. The revised Specification differs from that presented in Letter No.88-455 in two main respects: 1) during this 14 day outage, in the event of a loss of the offsite power source to the operable emergency power train, operation may continue for 14 days with the EOG associated with that power train available to energize the operable train. Previously, in the event of no offsite power available, both EDGs associated with the shutdown unit were required to be operable. 2) During the 14 day outage, provision is made for a subsequent limited duration (72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />) outage with both EDGs associated with the shutdown unit inoperable, provided offsite power is available to energize one train. The impact of this change on the shutdown unit is to effectively allow for a 3 day period with no onsite emergency power available to the shutdown unit.

In addition, provision is now made for the opposite unit's emergency condensate storage tank to be inoperable for a limited period of time. Since this is functionally equivalent to inoperable piping or having of the AFW pumps on the opposite unit inoperable, the allowed outage time proposed is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, which is supported by the risk assessment.

The failure rates presented in Table 1 of Attachment 2 to Letter No.88-455 are altered somewhat by these changes. Rather than reperforming the entire risk assessment, we have conservatively estimated the impact of these changes by adjusting the assumed I

_J

additional loss of offsite power frequency to account for an assumed additional loss of offsite power.of up to 14 days every third refueling outage. During this loss of offsite power, one power train was assumed to be inoperable with a probability of unity, the EDG associated with the other train was assumed to experience a 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> outage with a probability of 0.25 (even though the LCO precludes a dual EDG outage on the unit unless an offsite source is available), and the calculation conservatively neglected the probability of recovery of offsite power within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> following the event.

The resulting incremental loss of offsite power rate was 8.5E-3 additional events per year. During this assumed LOSP, the system failure probability was calculated to by about 0.05. and the incremental rate for HELB with system failure was about 1.4E-8 events per year. Thus the total rate for HELB with AFW system failure conservatively increased from 1.7E-8 events per year to 3.1 E-8 events per year. Using the data presented in Section C, Attachment 2 of Letter No.88-455, this failure rate is still <

0.2% of the total core damage risk presented in NUREG/CR-4550, even if mitigating actions such as primary side feed and bleed are ignored. Thus the conclusion presented in Letter No.88-455, (i.e., the risk associated with a loss of the AFW cross-connect capability in one unit is acceptably low with the proposed equipment allowed outage times), remains valid.

Similarly, the conclusions reached in Letter No.88-455 that the proposed Technical Specification changes do not create an unreviewed safety question or pose a significant hazards consideration remain valid.

\'r SIGNIFICANT HAZARDS CONSIDERATION DETERMINATION Virginia Electric and Power Company has reviewed the proposed changes against the criteria of 10 CFR 50.92 and has concluded that the changes as proposed do not pose a significant hazards consideration. Specifically, operation of the Surry Power Station in accordance with the proposed changes will not:

1. Involve a significant increase in the probability of occurrence or consequences of any accident or malfunction of equipment which is important
  • to safety and which has been evaluated in the UFSAR. These changes consitute new and additional limitations on operation to adress the low probability of a HELB *in the Safeguards Building (AFW pumps location) concurrent with a LOOP while the opposite Unit is shutdown. The effect of the changes will be to increase the reliability of the auxiliary feedwater cross-connect feature, which is relied upon for mitigation of certain high energy line breaks outside of containment and fires. The current UFSAR accident analysis results and conclusions are not effected by the proposed changes.
2. Create the 'possibility of a new or different type of accident from those previously .evaluated in the safety analysis report. The additional requirements for the opposite units auxiliary feedwater system have no impact on the range of initiating events previously assessed.
3. Involve a significant reduction in the margin of safety. Since the results of the existing UFSAR accident analysis remain bounding, safety margins are not impacted.
Retrieved from "https://kanterella.com/w/index.php?title=ML18153B962&oldid=2402614"