Text

,

et 6

{

C October 5, 1979 Trojan Nuclear Plant Docket 50-344 License NPF-1 Mr. Harold R. Denton, Director Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D. C. 20555

Dear Mr. Denton:

This letter responds to your September 17, 1979 letter entitled " Potential Unreviewed Safety Question on Interaction Between Non-Safety Grade Systems and Safety Grade Systems." This potential problem was further addressed in IE Information Notice 79-22, issued September 14, 1979.

In conjunction with Westinghouse, we have reviewed the specific non-safety grade systems listed in IE Information dotice 79-22, for potential interactions that could constitute a substantial safety hazard. We have not been able to identify any such interaction. While, in some cases, Westinghouse identified variations from FSAR licensing bases, the basic conclusion of the FSAR, that these events do not constitute an undue risk to the health and safety of the public, remains unchanged.

Based on the Westinghouse generic assessment of this problem, it was concluded that there are 15 potential interaction scenarios where the affect of adverse environments, resulting from high-energy line breaks, N'

on control systems could lead to consequences more limiting than the

'e results presented in the Safety Analysis Report. Talle 1 summarizes the scope of the Westinghouse investigation. Westinghouse has completed analyses which demonstrate that, for all operating Westinghouse plants, the 15 interactions are bounded by consideration of the four specific interactions indicated in Table 2.

We have evaluated the applicability

^

of these four limiting scenarios to the Trojan plant, taking into account the Plant layout, current FSAR accident analysis assumptions, and addi-b tional Westinghouse bounding analyses. The result of these Trojan-specific evaluations are discussed in the attachment. We concluded that

]

two scenarios were not cpplicable to Trojan; and for the two that were, no further action is required to resolve the issues.

~n The question of whether the generic concerns constitute potential unreviewed safety issues was evaluated by NSAC on the basis of an assessment of their impact on public risk by making a relative comparison of these issues to appropriate Reactor Safety Study (RSS or WASH-1400)bb ) f 7910100 3

Mr. Harold R. Denton October 5, 1979 Page two findings. This was done by determining the incremental public risk from the Westinghouse-identified accident sequences in terms of the percentage of the RSS prediction. Since in the RSS over 90 percent of the public risk derives from accident sequences leading to core melting, these potential unresolved safety issues were also evaluated, for comparative purposes, in terms of this severe consequence. NSAC has determined that the probability of a core melt resulting from one of these high-energy line breaks with interaction between non-safety and safety grade systems for a typical Westinghouse plant is such that the question is a trivial safety issue (less than 1 percent contributor). The NSAC study will be submitted by an AIF letter to the NRC next week. Further, such breaks are more likely to be small cracks rather than abrupt failures, so that the resulting adverse environment builds up over a period of time pro-viding the potential for detection prior to component failure. Addi-tionally, our review recognized the difference between a demonstrated deficiency (e.g., determination that a control component would operate in a fashion not within the limits presented in the safety analysis) and a potential, unreviewed question. As previously stated, we have not identified any events that would chacge the conclusions of the Trojan FSAR - that these events do not constitute an undue risk to the health and safety of the public. We intend to investigate the potential for similar interaction mechanisms .e involving those control systems employed at Trojan but not included in J' the 49 possible interactions already investigated by Westinghouse. In }} the Westinghouse investigation, an adverse environment at the location of the control systems and the consequential equipment failure in the worst .c ,.? y direction were conservatively assumed. For this reason and because of p. the acceptability of the previods consequences, we do not believe that any interaction scenarios yet to be identified in the unreviewed control q,3 systems will yield co sequences more adverse than the particular sce- ' " ~, narios described by tinghouse and investigated by us. In addition, ,"i we intend to review > 34 potential interactions where Westinghouse concluded that the so 4quences were bounded by current FSAR analyses to I verify these findings ror Trojan. We plan to complete these efforts on a schedule consistent with the long-term recommendations of the Lessons I Learned Task Force as outlined in NUREG-0578 concerning future develop-ment of General Safety Criteria. We believe that NUREG-0578 requirements for analyses of potential safety problems envision the kinds of scenarios identified by Westinghouse and which are the subject of IE Information Notice 79-22. Specifically, Section 3.2, Page 17, states in part ...the L NRC requirements for non-safety systems are generally limited to assuring p that they do not adversely affect the operation of safety systems...". Further, on Page A-45 of NUREG-0578, " Consequential failures shall also be considered... ". k\\b0 , ni o a s s, n m ~ ~

Mr. Harold R. Denton October 5,1979 Page three As a result of the Three Mile Island accident, there are a significant number of industry, governmental and regulatory investigations underway examining the licensing bases and the operating procedures of nuclear generating facilities. These investigations have already identified areas where studies may result in the consideration of new or revised events as part of the bases for assuring the continued safety 6f nuclear plants. We therefore believe that the scope of the action required oy IE Information Notice 79-22 is consistent with the requirements of NUREG-0578 and should therefore be integrated with the planned response sequence for compliance with that document. Based on our investigation of the improbability of the postulated sce-narios as they apply to Trojan, the acceptability of the consequences, and commitments made to completely resolve this issue, we conclude that continued operation of Trojan is warranted. Sincerely, r/ C. Goodwin, Jr. Assistant Vice President Thermal Plant Operation and Maintenance CG/CJP/DIH/4kk9A7 Attachments c: Mr. Lynn Frank, Director State of Oregon Department of Energy 1138 107

el no i r bt rn uo TC g m m e apt ems g t uy SDS i !0 r 1 o s T t C a A r R e. E r T ee t i Grl X X X X S l uo I icsr L S cst A Y een T LA t ro l l SPC E N l A l i f0 T R N E I r V D e l I l tl E C ao s C t r X X r L A dt A E en I eo T D fC 1 l A l E E R .L T G B O I D A P T l i D l o E lL l r T l et S o D r vn Y C E e eo S I z LC T F A i L A l I O i T r l u R T i s e l t D D s rl f I a a uo 0 r sr 0 I st X. y X X X M l en l l i S l T l ro E l fi PC i i T L A S l Y I Ci I S f h l l I rl D' 0 l oo l I l T u t r T ct X X X X C I C ao (

T A

an E l A C 'l RC t 0 R l R a E l I I T t l l L I A l I T Cl l i r l E S T 0 0 l 0 f e e r r e e u. u r-r t u. u t O p. p t t u u p p X R R u u R R e. e n n e e ok" 4Q "DO i i n n l O l - l i i n L - C r m._ m l l o e. a d d A A i s t a. e e e C C t oi " t t t t e e O O c C n S _S F F L L e e j d l e l e l e E i l g l g l g c a r a r a r d c m a m a m a o A S L S L S L R

TABLE 2

SUMMARY

OF RESULTS OF TROJAN-SP"CT.FIC EVALUATION OF LIMITING SCENARIOS Postulated Limiting Applicability to Scenario Trojan Resolution A. Small feed line break Not applicable. (Equip-None required. outside Containment with ment layout precludes consequential failure this scenario.) open of steam generator PORV. B. Small feed line break Not applicable. (Equip-None required. with consequential ment layout precludes failure of main feed-this scenario.) water control system. C. Feed line rupture inside Applicable. (Operator Alert operators to the Containment with conse-action required, within possibility that pres-quential failure open of time frame for which surizer PORV may fail pressurizer PORV. operator action was open during a high already assumed in FSAR.) energy line break inside Containment. Plant operating procedures already include an imme-diate operator action requiring isolation of PORV if they do not automatically close at the reset pressure. D. Intermediate steam line Applicable. (Westing-None required. break inside Containment house bounding analysis with consequential shows consequences of failure of automatic interaction are not worse rod control system. than reported in Trojan FSAR.) CJP/4sa9A27 jj}} ]}}

ATTACHMENT - EVALUATION OF APPLICA3ILITY OF LIMITING CONSEQUENTIAL MALFUNCTION SCENARIOS FOR THE TROJAN NUCLEAR PLANT A. Steam Generator PORV Control System: 1. Summary of Postulated Generic Scenario Following a feedline rupture outside Containment, the steam generator power-operated relief valves (PORV) are assumed to exhibit a consequential failure due to an adverse environment. Failure of the PORV in the open position results in the depressurization of multiple steam generators, which are the source of steam supply for the steam turbine-driven auxiliary feedwater pump. Eventually, the turbine-driven auxiliary feedwater pump will not be capable of delivering auxiliary feedwater to the intact steam generators. A potential exists that no auxiliary feedwater will be injected into the intact steam generators until the operator takes corrective action to isolate the auxiliary feedwater flow spilling out the ru,pture. 2. Assumptions Required for This Generic Scenario - Break occurs outside Containment between the penetra-tion and feedline check valve - Adverse environment resulting from the rupture impacts the steam generator PORV control systems associated with the ruptured loop and the intact loops - A single active failure occurs in the diesel engine-driven auxiliary feedwater pump. 3. Trojan-Specific Accident Consequences The Trojan Auxiliary Feedwater System includes two 100 percent capacity pumps; one steam turbine-driven and one diesel engine-driven. The turbine-driven pump turbine is supplied steam through steam lines from each of the four steam generators. Therefore, a failure open of the three PORVs on all three unaffected steam generators would be required in order to result in a complete loss of steam to the turbine driver. The steam generator PORVs and associated control components and cabling are located on the steam lines outside Containment in the main steam support structure adjacent to the Turbine Building. This structure is compartmentalized vertically and open to the atmosphere at the top, which prevents adverse pipe break effects from the steam or feedwater lines of one loop from being propagated to the components associated with 1138 110

the other loops. The vertical walls separating compartments provide a complete barrier for steam or water passage between compartments in the event of a high energy line break. No components of the steam generator PORV control system cross between chambers in the main steam support structure. The pressure transmitter impulse lines, conduits and associated cables are routed from the PORV controllers into the Turbine Building. This routing is vertical rather than horizontal and Mes not cross through the vertical barriers. Furthermore, the failure mode for the PORV controller is such that, under any postulated accident, the PORVs will fail closed. In particular, any damage to the cable to the valve controller would result in zero potential at the controller, which would demand a closed position of the valve. If the controller or its associated air supply are damaged, the valve would also go closed. No other portion of this control system is subject to high energy break environments for this accident. Postulated break locations, for Trojan, would be limited to 5-to 10-ft lengths of 14-in. diameter feedwater pipe adjacent to the Containment penetrations. These piping runs are located entirely within the compartmentalized main steam support structure. Hence, there is no possibility that a main feed-water piping rupture of the class that leads to this scenario could generate an adverse environment at the location of the steam generator PORV components associated with say of the intact loops. At most, the PORV control system for the affected steam generator could be subjected to an adverse environment. In this case, even if the affected PORV were to fail open, steam delivery to the AFW pump turbine driver from the three unaffected steam generators would continue to be available. For these reasons, we conclude this scenario is not applicable to the Trojan plant, and that no further action is needed. B. Main Feedwater Control System: 1. Summary of Postulated Generic Scenario Following a small feedline rupture, the main feedwater control system malfunctions in such a manner that the liquid mass in the intact steam generators is less than for the worst case presented in the Safety Analysis Report. The reduced secondary liquid mass at the time of automatic reactor trip results in a more severe Reactor Coolant System heatup following reactor trip. 2. Assumptions Required for This Generic Scenario - Break occurs between steam generator nozzle and feedwater line check valve 1138 111 - Small breaks less than 0.2 ft2 - Adverse environment resulting from the break impacts the main feedwater control systems associated with both the broken loop and the intact loop - Due to the adverse environment, the main feedwater control systems initiate spurious signals to close the feedwater control valves in the intact loops. 3. Trojan-Specific Accident Consequences The only enqualified feedwster control system components in the Trojan plant cnat could be affected by an adverse environment are located outside Containment. They are the controllers and the flow elements and associated flow trans-ettters located in the Turbine Building. In addition, various interconne; ting cabling conduits are routed to the controller from steam pressure and steam generator level transmitters inside Containment. The controllers and flow transmitters are located inside the Turbine Building next to the building wall separating the Turbine Building from the main steam support structure. Since the postulated break locations outside Containment are inside the main steam support structure com-rartments adjacent to the Containment penetration (refer to Scenario A), there is at least 23 ft of distance and the Turbine Building wall separating the main feedwater control system companents of one loop from those of any other loop. Furthermore, the postulated break size for this scenario is quite small, which would permit dissipation of the break energy upward through the relatively unrestricted main steam support structure to the outside atmosphere rather than into the Turbine Building. No interconnecting cabling of the main feedwater control system from one loop is routed through the main steam support structure compartments associated with the other loops. Therefore, a feedwater line break of the size and location postulated in this scenario would not affect compo-nents of the main feedwater control system from any other loop; it is even highly unlikely that the feedwater control system for the affected loop would be impacted. For these reasons, we conclude that this scenario is not appli-cable to the Trojan plant and no further action is needed. C. Pressurizer PORV Control System: 1. Su= mary of Postulated Generic Scenario Following a feedline rupture inside Containment, the pressurizer PORV control system malfunctions in such a mannar that the PORV fails in the open position. Thus, in addition to a feedline rupture between the steam generator }) b nozzle and the Containment penetration a breach of the Reactor Coolant System boundary has occurred in the pressurizer vapor space. 2. Assumptions Required for This Generic Scenario - Break occurs in the feedwater piping inside the Containment between the steam generator nozzle and the Containment penetration - Double-ended br<ak leads to limiting consequences. Smaller breaks permit longer operator action times - Adverse environment resulting from the break impacts the pressurizer power-operated relief valve control s;;arem - Due to the adverse environment, the pressurizer PORV control system initiates a spurious signal to open the PORVs. 3. Trojan-Specific Accident Consequences As part of the follow-up efforts to the TMI-2 accident, West-inghouse has analyzed this class of accidents (for the Westing-house TMI Owner's Group) and reported the results in WCAP-9600. Specifically, the analyses of Section 4.2 of this report assume a total loss of feedwater, with various concurrent small primary pipe breaks. The transients were run out to 5,000 sec, without operator action and assuming no auxiliary feedwater, to deter-mine the time when operator action would te required to ensure no core uncovery. For the analyses in WCAP-9600, it is concluded that the worst-case situation would be an optimum size break that just precludes delivery of safety injection fluid to the RCS. It should be noted that this break site (about 0.2 in. in diameter) is considerably smaller than the open area of one of the two presrurizer PORV. Section 4.2.3.5 of WCAP-9600 indi-cates that no operator action would be needed if both PORVs fail open since safety injection flow would then be sufficient to ensure no core uncovery. Therefore, the conclusions reported in WCAP-96G0 are conservative with respect to the possibility of one or both pressurizer PORVs stuck open due to a consequen-tial malfunction of the PORV control system. Furthermore, the WCAP-9600 analyses were based on a typical two-loop plant. This ensures a conservative minimum action time because of the small RCS vater inventory relative to a four-loop plant such as Trojan. The conclusion reached in Section 4.2.4 of WCAP-9600 is that for the worst-case primary pipe break concurrent with the loss of all feedwater, the Plant can be brought to a fully stable situation without core damage provided auxiliary feed-water flow is initiated by 3,500 sec. To apply these conclusions to the case of a concurrent feedline rupture, Westinghouse has 1138 113 4-

performed additional calculations conservatively assuming that all liquid inventory in the steam generator associated with the ruptured feedline is lost via the rupture without removing any heat (i.e., liquid blowdown). These calculations show that the heat removal capability of the liquid inventory blowdown requires operator action 1,200 sec earlier than reported in WCAP-9600. Thus, if a feedline rupture is assumed coincident with the analyses performed in Section 4.2 of WCAP-9600, the operator has at least 2,300 see to take corrective action to inject auxiliary feedwater flow to the intact steam genera-tors. The Trojan safety analysis report assumes auxiliary feedwater initiation at 600 see; hence, the consequences of feedline rupture with the consequential failure of the pres-surizer PORV contrcl system are bounded by those reported in the FSAR. Furthermore, the Trojan Plant Operators have been alerted to the potential for the pressurizer PORV to fail open for any cause, including high energy line breaks. Current operating instructions governing the operation of the pressurizer PORV require the operator, as an immediate action whenever the PORVs open, to verify that they close when the reset pressure is reached or to manually close the block valves. D. Rod Control System: 1. Summary of Postulated Generic Scenario Following an intermediate steam line rupture inside Con-tainment, the automatic rod control system exhibits a consequential failure due to an adverse environment which causes the control rods to begin stepping out prior to receipt of a reactor trip signal on overpower AT. This scenario results in a lower DNB ratio than presently presented in the Safety Analysis Report. 2. Assumptions Required for This Generic Scenario - Break occurs inside the Containment between the steam generator nozzle and the Containment penetration - Intermediate steam line breaks (0.1 to 0.25 ft2 per loop) at power levels from 70 to 100 percent - Adverse environment from the break impacts the nuclear instrumentation system (NIS) equipment (i.e., excore neutron detectors, cabling connectors, etc.) prior to reactor trip (i.e., within 2 min) - Due to the adverse environment, the NIS system initiates a spurious low power signal without causing a reactor trip on negative flux rate. 3. Trojan-Specific Accident Consequences Several factors tend to decrease the possibility of a signifi-cant consequential malfunction of the automatic rod control system due to a steam line break inside Containment. First, the four excore detectors are located in the reactor cavity at some distance from the main steam lines and f rom each other. Furthermore, the Reactcr Protection System includes features that protect against inappropriate rod withdrawal. A two-out-of-four high flux trip logic is used, so that caree of the four excore detector outputs would have to fail low to preclude generating a normal high flux trip if the rod control system begins rod withdrawal. A rapid decrease in any two detector signals generates a negative rate trip; such a condition might result from an environmentally-induced failure.. the detectors or cabling. Also, an overpower signal from any one excore detector blocks automatic rod withdrawal. These features of the Reactor Protection System would tend to terminate inappro-priate automatic rod withdrawal resulting from consequential failures of the automatic rod control system. Finally, the automatic rod control system itself develops the rod withdrawal logic based on auctioneered excore detector signals. That is, rod withdrawal is based on the highest of the four excore detector signals; therefore, all four detectors would have to fail low to lead to a spurious rod withdrawal. For these reasons, we believe it is unlikely that, prior to reaching a normal high flux trip setpoint on at least two of the excore detectors (or reaching another backup trip such as high nega-tive rate or high Containment pressure), environmental condi-tions could cause three or four of the indicated power outputs to fail low, resulting in conditions not bounded by the current FSAR analyses. In any event, a steam line rupture accident is considered a Condition IV event in the Trojan FSAR. That is, the conse-quences of this accident could include some fuel damage, provided any subsequent radioactive releases do not exceed 10 CFR 100 guidelines. Although some degree of fuel damage would not violate this criterion, the FSAR presently concludes that DNB would not occur for any size of steam line break. However, a typical bounding analysis of the intermediate steam line rupture accident has been performed by Westinghouse to calculate the extent of fuel damage that could occur due to rod control system withdrawal prior to reactor trip. Based on the reduction in radial peaking factor with burnup and conserv-ative end-of-life physics parameters, no fuel damage was calculated to occur following the intermediate steam line rupture with the consequential rod control system malfunction. This calculation was consistent with the assumptions made in the FSAR. 1138 115

Based on the low probability of the occurrence of a consequen-tial malfunction of the rod control system, the Westinghouse bounding analyses, and the current FSAR requirements for Condition IV events, we do not believe this scenario represents a significant safety question that requires further action. i CJP/4sa9A16 1138 116}}