ML19209B552
| ML19209B552 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 10/07/1979 |
| From: | ARKANSAS POWER & LIGHT CO., BABCOCK & WILCOX CO. |
| To: | |
| Shared Package | |
| ML19209B551 | List: |
| References | |
| NUDOCS 7910100105 | |
| Download: ML19209B552 (14) | |
Text
.
EVALUATION OF P9TENTIALLY ADVERSE ENVIRONMENTAL EFFECTS ON NON-SAFETY GRADE CONTROL SYSTEMS Prepared by:
Arkansas Power & Light Company and Babcock & Wilcox Company October 7, 1979 1134
~A7 79101 0010 5,
TABLE OF CONTENTS Page 1.
Introduction 1
II.
Plant Licensing Basis 2
1.
Safety Analysis Functions and Parameters 2.
Plant Unique Features III. Safety Assessment 3
~Potential Environmental Effects 1.
2.
Impact on Plant Safety Analysis 3.
Justification for Continued Operation IV. Recommended Follow-uo Action g
Tables I.
Typical Equipment Response During High Energy 1j Line Breaks II.
Potential Environmental Effects on Non-Sufety 12 Grade Control Systems 117j
~jQ lIJr
,u
I.
Introduction This report is in response to Harold R. Denton's letter of September 17, 1979, on the subject of " Potential Unreviewed Safety Question on Interaction Between Non-Safety Grade Systems and Safety Grade Systems."
It is intended to serve as a response to the concerns listed in Information Notice 79-22 and to fulfill the cocmitment made during our meeting with your staff on September 20, 1979.
During that meeting, we committed to:
Evaluate impact on licensing basis accident analyses due to consequential environmental effects on non-safety grade control systems.
Items that will be considered include:
Identify licensing basis accidents which cause an adverse environment for each plant.
Define Safety Analysis inputs and responses used during licensing basis accidents.
Verify Safety Analysis conclusions or recommended actions justifying continued operation.
The scope of this response includes a confirmation that the plant's actual equipment actuation and performance are consistent with that used in the licensing basis analysis. A matrix of potential environmental effects on non-safety grade control systems is presented. Where non-safety grade equipment performance could be affected by the adverse environment, a safety assessment has been prepared. The safety assessment was used to define potential problems due to the effects of an adverse environment on non-safety grade control systems.
A justification for continued operation of the plant is provided based upon the safety assessments and risk evaluations. Work beyond the scope of the 20-day response and work to provide a more detailed assessment are included in recommended follow-up actions.
} } 3 ?r 9
1
II.
Plant Licensing Basis 1.
Safety Analysis Functions and Parameters The plant licensing basis analyses, as presented in the FSAR, were reviewed to define the inputs, assumptions and responses used for non-safety grade control systems. This information is summarized in Table 1, which lists typical equipment actions and actuation times used in the safety analyses for B&W 177 fuel assembly plants.
The data has been catagorized to reflect the functional requirements as follows:
A.
Reactor Power Control and Shutdown B.
Reactor Pressure Control C.
Steam System Isolation and Pressure Control D.
Feedwater System Isolation and Control This catagorization has been developed to focus upon those primary functions which have a potential for control system interaction.
The table identifies the range of equipment actions and actuation times used in the plant safety analysis for a main steam line break, main feedwater line break and large and small LCCAs.
2.
Plant Unique Features Following submittal of the plant licensing basis analyses for Arkansas Nuclear One-Unit 1, Arkansas Power and Light Company installed a safety grade system designed to protect against the consequences of a simultaneous blowdown of both steam generators. The Steam Line Break Instrumentation and Control (SLBIC) system will automatically initiate action to isolate each steam generator upon detection of a steam lina breaki Since this system was installed following submittal of our FSAR, no credit was taken fnr SLBIC in ot Chapter 14 safety analyses.
However, it will now be in-cluded as a part of our justification for continued operation.
2 1134 50
III. Safety Assessment 1.
Potential Environmental Effects The non-safety grade control systems have been reviewed to determine if an accident environment could adversely affect the analyzed course of the event. Specifically, the approach taken was to use the safety analysis functions and parameters from Table I as a basis to identify where potential control system effects could have an impact.
The result of this evaluation is summarized in Table II, Potential Environmental Effects on Non-Safety Grade Control Systems. The matrix identified, for six accioent types, the non-safety grade control systems which could be adversely affected by the environment caused by the event.
Where no entry is made in the matrix, no potential for environmental effects exists due to the physical location of the equipment with respect to the high energy line break, i.e., breaks inside containment do not affect equip-ment outside containment and vice versa.
If an entry is made (X or Y),
a potential effect exists as follows:
X - The adverse environment caused by the break could affect the equipment and, equipment malfunction c",uld affect safety analysis functions identified.'.able I.
Y - The adverse environment caused by the break could interact with the equipment, but, the equipment malfunction would not affect safety analysis functions identified in Table I.
This structuring of the potential effects matrix provides a focus on those non-safety grade control systems which are important and identifies areas for further evaluation of the impact on the safety analysis (i.e., X's).
2.
Impact on Plant Safety Analysis Potential environmental effects which could adversely impact the plant safety analysis are identified in Table II with an "X".
For each potential adverse effect, a safety assessment has been prepared to confirm plant safety or identify a potential problem area.
1 ] } 5, 5l 3
3.
Justification for Continued Operation Based on the evaluations and safety assessments to follow, we conclude that continued operation is justified, particularly in light of the very low probabilities of the high-energy line breaks considered and the con-servatisms included in the analyses. There are some specific potential problem areas discussed which may lead to variations from the FSAR licens-ing basis analyses. Justification that these variations do not constitute an undue risk to the health and safety of the public is included.
A.
tion-Safety Grade Eauioment in a large LOCA Eavironment The large break loss-of-coolant accident relies upon safety grade equipment for mitigation.
The potential effects presented in Tables I and II indicate that the control system functions, though considered in the analysis, are modeled conservatively such that postulated malfunctions of these systems will not invalidate the analytical results. The reactor shutdown and pressure control during the blowdown and reflood phases do not rely upon non-safety grade control systems.
The steam and feedwater system control features are conservatively modeled in the analyses as follows:
1.
The secondary steam is conservatively assumed to remain intact (bottled up) to provide a large heat source during the later stages of blowdown. The steam safety valves are used to maintain a conservatively high steam pressure.
Potential control system effects which provide more steam relief would tend to improve the analytical results.
2.
The feedwater system flow is conservatively assumed to quickly decrease to zero following the break.
This loss of feedwater minimizes the effect of the OTSG secondary as a heat sink for a conservative analysis.
1134
~52
B.
CRDS Under All Accident environments A significant increase in initial power level as a result of spurious rod withdrawal prior to reactor trip has not been includcd in the Main 5 team Line Break, Main Feed Water Line Break or Loss-of Coolant Accident analyses. While it is likely that such an increase in power would be offset by the reduction in the time-to-trip for each of these accidents, confirmatory analysis has not been performed. The following summarizes the liklihood of sig-nificant rod withdrawal for each case.
1.
For steam and feedwater line breaks, the time-to-trip is very short (up to 8 seconds for MSLB and 13.
seconds for MFWLB).
Adverse environmental effects on any equipment, e.g., out-of-core detectors, which could result in spurious rod withdrawal is considered extremely unlikely.
2.
The same rationale applies to all but the very smallest LOCA'st i.e., time to low RC pressure trip is short for the majority of small breaks. Conversely, " leaks" (breaks too small to result in a low pressure trip) are not expected to generate a severe avironment.
From the above, it is concluded that adverse interaction result-ing in significant reactor power increases is extremely unlikely.
C.
Pressurizer PORV Under MSLB (Inside Containment), MFWLB (Inside Containment) and LOCA Environments The probability and conseq0ences of inadvertent opening or failure to close of the pressurizer PORV as a result of MSLB, MFWLB, or small LOCA environments have been evaluated.
The principal components of the PORV system are the RC pressure transmitters (inside containment), pressure switches (outside containment in the control room), cabling, the PORV solenoid, and the PORV itself l l
'i 5
(both inside containment).
The system employs no pneumatics and uses the " energized-to-open" philosophy.
The consequences of spurious opening due to adverse environments has not been specifically analyzed in the FSAR.
However, the following summarizes tha conclusions for each case:
1.
Large LOCA - suprious opening of the PORV would have an insig-nificant effect on the course of the accident.
2.
Small LOCA - spurious opening of the PORV would be expected to improve the results of this analysis in that it would aid in depressurization, increase HPI cooling flow, and provide an addi-tional path for heat. removal.
3.
MFWLB inside containment - spurious cpening of the PORV or failure to close if opened, is not specifically analyzed in the SAR. How-ever, as a result of the TMI-2 incident, analysis and operator guide-lines have been developed for the case of Loss Of Feed Water concurrent with a stuck open PORV.
Further, it should be noted that, if the valve were to open spuriously early in the transient, it would aid in reducing the pressure transient.
Therefore, the consequences are acceptable.
4.
MSLB inside containment - spurious opening of the PORV is judged to have an adverse effect on the analysis.
The extent of the adverse effect has not been evaluated. However, the potential for the postulated spurious opening due to environmental
- effects is negligible as safety-grade RC pressure transmitters are used and pressure switches are in the environmentally protected control room.
D.
Steam System Isolation and Pressure Control The Turbine Trip / Turbine Stop Valves are potentially affected compo-ntnts only for a MSLB or MFWLB outside containiaent.
These components, along
)l3dr 6
with the Turbine Bypass Valves, are no longer r.ecessary for mitigation of a MSLB due to the previously discussed intcallation of the safety grade SLBIC system, therefore, the unlikely failure of the Turbine Trip / Turbine Stop Valves or the Turbine Bypass Valves will not affect the results of the safety analysis.
Following a MFWLB, the Turbine Trip / Turbine Stop Valve circuitry or components should not be affected due to location. That is, in general, they are not routed near a main feedwater line.
Should a MFWLB occur where C.is circuitry might be routed nearby, failure due to the environment in the short time frame during which the circuitry is required is not considered credible.
Further, should this equipment indeed fail, individual components of the safety grade SLBIC system are available to perform this function.
The Turbine Bypass and Atmospheric Dump Valves are potentially affected components during each of the considered licensing basis accidents.
Failure of the Turbine Bypass Valves during a MSLB has been previously shown inconsequential due to the safety grade steam SLBIC system. A motor-operated block valve has been pro /ided to isolate the Aunospheric Dump valve shculd it fail to reseat during either the MSLB, MFWLB or LOCA. These valves and their controls are, in general, not located near a main feedwater line and, therefore, failure due to a MFWLB is not considered credible.
Howev?r, their failure following a MFWLC or a small LOCA would not prevent an orderly coeldown as steam could be relieved through the Main Steam Code Safety Valves.
E.
Feedwater System Isolation and Control A MSLB inside or outside of containment will have the potential for affecting the non-safety grade MFW control and isolation valves and the EFW initiation and automatic control as assumed in the licens-ing basis anlaysis. However, MFW will be controlled by isolation of il O
7
~
L :th steam generators through the safety grade SLBIC system for a MSLB.
The SGIC system also initiates the turbine driven EFW pump.
The Emergency Feed Water system is Class lE, including controls to valves and pumps.
It normally is operated automatically by non-safety grade inputs. Qualified isolation relays are installed to protect the Class lE EFW system in order that it may be manually initiated and/or controlled. The operator normally assumes manual control shortly after EFW is initiated. Also, pursuant to the requirements of NUREG-0578, the initiation of EFW will soon be through a non-safety grade, redundant, testable system 11ch will later be upgraded to safety grade.
EFW isolation to the affected steam generator was assumed to be an operator action in the safety analysis, therefore, this function can-not be affected by the adverse environment in any case.
A MFWLB inside or outside of containment could potentially affect MFW control and FW initiation and control.
The only potentially affected components inside containment are the steam generator level transmitters whose accuracy could be affected by the elevated temper-ature hence inducing C rors (all other components which could affect these controls are outside containment).
This subject has previously been adoressed in response to Bulletin 79-21, ard the associated operator guidelines to accommodate these level transmitter errors are being developed. MFW isolation to the affected steam generator may be accomplished automatically through the non-safety grade ICS system, or through the safety grade SLBIC system either automatically or manually.
Further, B&W has recently completed an analysis for a complete
(
of all feedwater which shows that AN0-1 can supply sufficient makeup to satisfy the criteria of 10 CFR 50.46.
The small break loss-of-coolant analys-have been revised sit.
the TMI-2 accident to include a parameterizatSn of potential equipment and operator actions during the accident.
As a result of this re-analysis,
- 3. < >,c r; f,
~
8
operating guidelines have been prepared by B&W for use in operator train-ing and revised operating procedures. This change to the sm.'ll break cperat-ing procedures provides a consistency between the small LOCA safety analysis and the required equipment and operator actions.
A review of Table II indicates a potential problem with the MFW control or EFW iniation and level control. The small break analysis and operating guidelines utilize OTSG level for Reactor Coolant System cooling and depressurization.
In the adverse environment caused by the small LOCA, the OTSG level indication could potentially be misleading to the operator and cause an inadequate amount of 0TSG water inventory.
Again, the only potentially affected components are the steam generator level trans-mitters. This subject has previously been addressed in response to IE Bulletin 79-21.
IV.
Recommended Future Action The 20-day response to Mr. Denton's letter focused upon a confirmation that the plant's actual equipment actuation and performance are consistent with that used in the licensing basis analyses.
The approach taken was to define potential effects of non-safety grade control systems in an adverse environment and prepare an assessment to confirm the conclusions reached in the original safety analyses.
Justification for continued operation was then based upon the results of this evaluation.
The scope of the 20-day response did not include potential control system effects which could impact lon~g-term system response and operator action. A complete assessment of environmental effects on non-safety grade control systems should include an evaluation of equipment required to maintain a safe shutdown following accidents which cause an adverse environment. To address this issue, a future program is recommended to:
1.
Define instrumentatic and control functions required for safe shutdown.
9
2.
Identify applicable equipment errors and responses in an adverse environment.
3.
Prepare a safety assessment and recommend corrective action if required.
This effort will be coupled to the Abnormal Transient Operating Guidalines Program currently underway, and will focus upon additional operator training to recognize and respond to the impact of an adverse environment on non-safety grade control systems.
The schedule for submittal of the safety assessment of these possible effects will be consistent with the current schedule for the Abnormal Transient Operat-ing Guidelines Program (i.e., mid-1980).
1134
^58 10
TABLE I TYPICAL EQUIPMENT ESPONSE DURING HIGH ENERGY LINE BREAKS B&W 177 FA' PLANTS Steam Line Feedwater Large Small Break Line Break LOCA LOCA I.
Reactor Power Control and Shutdown Trip Function Utilized High o or Low High RC Pressure Reactor Trip Low RC Pressure RC Pressure Not Used Time of Reactor Trip 1.1-8.0 sec.
8.2-13.4 sec.
II.
Reactor Pressure Control Time to PORV Actuation PORV not 4-8 sec.
PORV Response PORV not assumed Actuated Not Important to open Time at which PORV Closes III. Steam System Isolation and Pressure Control Steam Line Isolation Time 1.6-8.5 sec.
6.0-12.0 sec.
Code Safety Code Safety Valves are Valves are Time to Steam Relief Valve 7.0-16.0 sec.
7.0-7.5 sec.
Used in the Used in the Opening Analyses for Analyses for Conservatism Conservatism Time for Steam Relief Valve 20-30 sec.
25-30 sec.
Closure IV.
Feedwater System Isolation and Control Main Feedwater Isolation Time 19-34 sec.
18 sec.
Analysis Con-Not Required servatively
-~
Auxiliary Feedwater Isolation Time
- 19-34 sec.
18 sec.
Assumes a Loss Not Required
~~^
Auxiliary Feedwater Initiaton Time **
40 sec.
40 sec.
of All Feed-40 sec.
hf" Main or Auxiliary Feedwater Control **
Maintain Maintain water Maintain
'~'
Minimum Minimum Preset 0TSG Level OTSG Level OTSG Level
'I)
- Affected Steam Generator
- Unaffected Steam Generator 11
TABLE II POTENTIAL ENVIRONMENTAL EFFECTS ON NON-SAFETY GRADE CONTROL SYSTEMS Licensing Basis Accidents SLB Inside SLB Outside FWLB Inside FWLB Outside Large Small Non-safety Grade Control Systems Containment Containment Containment Containment LOCA LOCA I.
Reactor Power Control and Shutdown Control Rod Drive Control System X
X X
X X
X II.
Reactor Pressure Control Power Operated Relief Valve X
X Y
X Pressurizer Heaters Y
Y Y
Y Pressurizer Spray Y
Y Y
Y III. Steam System Isolation and Pressure Control Turbine Trip / Turbine Stop Valves X
X Turbine Bypass X
X X
X X
X Atmospheric Dump Valves X
X X
X X
X IV.
Feedwater System ~ Isolation and Control Main Feedwater Control X
X X
X X
X Main Feedwater Isolation Valves X
X X
Auxiliary Feedwater Isolation Valves
- Y Y
Y Y
Y i
Auxiliary Feedwater Initiation X
X X
X X
X Auxiliary Feedwater Level Control **
X X
X X
X X
Affected Steam Generator Environmental Effects Cannot Occur Due to Location of Equipment Unaffected Steam Generator (inside contaimnent vs. cutside containment)
Y Environment will not affect Safety Analysis Results X
Environment could affect Safety Analysis Results w4 is T
12