Text

.

h.

4

( SMU:I SACRAMENTO MUNICIPAL UTILITY DISTRICT O 6201 s street, Box 15830. sacramento, California 95813; (916) 452-3211 October 5,1979 Mr. Harold R. Denton, Director Office of Nuclear Reactor Regulaticn U.S. Nuclear Regulatory Commission Washington, D.C.

20555 Docket No. 50-312 Rancho Seco Nuclear Generating Station Unit No. 1

Dear Mr. Denton:

This letter and the attached report is in response to your Septenber 17, 1979, letter on " Potential Unreviewed Safety Questions on Interaction Between Non-Safety Grade Systems and Safety Grade Systems".

Within the time frame allowed by your letter, our efforts have been focused on developing and understanding the issue and making a preliminary assessment of the impact of this issue on the conclusions of the safety analyses presented in the FSAR. We have identified several areas which could not be addressed within the allotted time and which should be investigated further.

We believe there is a logical relationship between these longer term actions and the actions already planned for in connection with NUREG-0578.

The attached report which was preoared in conjunction with the Babcock and Wilcox Company, provides the details of our review and identifies the further actions we intend to undertake to address the long term system response under adverse environmental conditions.

We believe that this report and the probabilistic analysis currently being completed by NSAC, provides adequate justification for the continued operation of Rancho Seco Unit I without modification of our license. We still feelthat the events analyzed in our FSAR do not constitute an undue risk to the health and safety of the public.

{gf N 5 h TTY 1128 3m P

AN ELECTPlc !YSTEY SEPV!NG VORL THAN 000C00 IN THE PEAEl 0F CALIfDLN6A

i, 8

Mr. Harold R. Denton October 5, 1979 If you have any questions, please feel free to contact i

us.

Respectfully submitted, SACRAMENTO MUNICIPAL UTILITY DISTRICT

{,

YkW John. Mattimoe Assistant General Manager and Chief Engineer E: ul D.qJ10 S. KAPl4 General Couns for Sacramento Mu icipal Utili ty District Subscribed and sworn to before me this 5th day of October,1979

1. ,p, NOTg g

9 %,o E

'b 'D111.vg d

$ yg-?r d. / set.y Mattier,\\ Notary Public in and 91 q %.' "

fp the County of Sacramento, State

'% u California s %,,,, o,,,.2' My Commission Expires January 12, 1980 1128 302

i 1

i EVALUATION OF POTENTIALLY ADVERSE ENVIRONMENTAL EFFECTS ON NON-SAFETY GRADE CONTROL SYSTEMS I

i Prepared by:

SACRAMENTO MUNICIPAL UTILITY DISTRICT and BABC0CK & WILC0X C0!iPANY October 5, 1979 9

ylbi 003 i

4%

79+>11o p

t 4

I.

Introduction This report is in response to Harold R. Denton's letter of September 17, 1979, on the subject of " Potential Unreviewed Safety Question on Inter-action Between Non-Safety Grade Systems and Safety Grade Systems."

It is intended to serve as a response to the concerns listed in Information Notice 79-22 and to fulfill the commitment made during our meeting with your staff on September 20, 1979.

During that meeting, we comitted to:

Evaluate impact on Licensing basis accident analyses due to consequential environmental effects on non-safety grade control systems.

- Identify Licensing basis accidents which cause an adverse environment for each plant.

- Define Safety Analysis inputs and responses used during Licensing basis accidents.

I

- Verify Safety Analysis conclusions or recommend actions justifying continued operation.

The scope of this response includes a confirmation that the plant's actual equipment actuation and performance are consistent with that used in the Licensing basis analysis. A matrix of potential environmental effects on non-safety grade control systems is presented.

Where non-safety grade equipment performance could be affected by the adverse environment, f

a safety assessment has been prepared. The safety assessment was used to define potential problems due to the effects of 6n adverse environment on non-safety grade control systems.

t A justification for continued operation of the plant is provided based upon the safety assessments and risk evaluations. Work beyond the scope of the 20-day response and work to provide a more detailed assessment are included in recommended follow-up actions.

II.

Plant Licensing Basis The plant licensing basis analyses, as presented in the FSAR were reviewed to define the inputs, assumptions and responses used for non-safety grade control systems. This information is sumarized in Table I, which lists typical equipment actions and actuation times used in the safety analyses for B&W 177 fuel assembly plants. The data has been categorized to reflect the functional requirements as follows:

A.

Reactor Power Control and Shutdown B.

Reactor Pressure Control C.

Steam System Isolation and Pressure Control D.

Feedwater System Isolation and Control This categorization has been developed to focus upon those primary functions which have a potential for control system interaction.

The table identifies the range of equipment actions and actuation times used in the plant safety analysis for steam line break, feedwater line break i

1128 304 l

8 -

and large and small LOCA.

The Rancho Seco Unit I FSAR did not include an analysis for a feed line break; however, the data presented in this report is generic in nature and apolicable to this plant.

III. Safety Assessment 1.

Potential Environmental Effects The non-safety-grade control systems have been reviewad to determine if an accident environment could adversely affect the analyzed course of the event.

Specifically, the approach taken was to use the safety analysis functicns and parameters from Table I as a basis to identify where potential control system effects could have an impact. The result of this evaluation is summarized in Table II, Potential Environmental Effects on Non-Safety-Grade Control Systems. The matrix identifies, for six accident types, the non-safety-grade control systems which could be adversely affected by the environment caused by the event. Where no entry is made in the matrix, no potential for environmental effects exists due to the physical location of the equipment with respect to the high energy line break, i.e., breaks inside containment do not affect equipment outside containment and vice If an entry is made (X or Y), a potential effect exists as follows:

versa.

X - The adverse environment caused by the break could affect the equipment and, equipment malfunction could affect safety analysis functions identified in Table I.

Y - The adverse environment caused by the break could interact with the equipment, but, the equipment malfunction would not affect safety analysis functions identified in Table I.

This structuring of the potential effects matrix provides a focus on those non-safety-grade control systems which are important and identifies areas for further evaluation of the impact on the safety analysis (i.e., X's).

2.

Impact on Plant Safety Analysis Potential environmental effects which could adversely impact the plant safety analysis are identitied in Table II with an "X".

For each potential adverse effect, a safety assessment has been prepared to confirm plant safety or identify a potential problem area.

The results of the safety assessment are summarized in Table III, Impact of Control System Effects on the Safety Analysis. These potential effects, due to an adverse environment, have been placed into several categories as follows:

1.

Eouipment Performance The identified non-safety-grade equipment can be shown to perform its functim consistent with the safety analyses, in the adverse environment.

2.

Period Of Operability The required period of operability for the equipment (i.e., time frame in which the equipment must function) is considerably shorter than the time it takes for an adverse environment to 1128 305

_2-

i i

l have an impact.

3.

Conservative Impact The effect of the advnrse environment on the equipment is such that the equipment performance (or failure) is in a conservative direction with respect to the safety analyses.

4.

Potential Problem The effect of the adversi environment on the equipment is such that a potential problem exists.

The evaluation performed to date has not shown that the safety analysis inputs and responses are consistent with the non-safety control system perfomance in an adverse environment.

The rationale and bases for the categorization are improtant to understand those effects which do not impact plant safety analyses and, thereby, allow the focus to be placed on potential problems. The impact on safety analysis ir presented below:

A.

Turbine Bypass / Atmospheric Relief Valves, MFW Control and AFW Control Under Large LOCA Environment The large break loss-of-coolant accident relies upon safety grade equipment for mitigation. The potential effects presented in Tables I and II indicate that the control system functions, though considered in the analysis, are modelled conservatively such that postulated malfunctions of these systems will not invalidate the analytical results. The reactor shutdown and pressure control during the blowdown and reflood phases do not rely upon non-safety grade control systems. The steam and feedwater system control features are conservatively modelled in the analyses as follows:

1.

The secondary steam system is conservatively assumed to remain intact (bottled up) to provide a large heat source during the later stages of blowdown. The steam safety valves are used to maintain a conservatively high steam pressure. Potential control system effects which provide more steam relief would tend to improve the analytical results.

2.

The feedwater system flow is conservatively assumed to quickly decrease to zero following the break. This loss of feedwater minimizes the effect of the OTSG secondary as a heat sink for a conservative analysis.

B.

MFW and AFW Control and Turbine Bypass / Atmospheric Relief Under, Small LOCA Ervironment The small break loss-of-coolant analysis has been revised since TMI-2 to include a parameterization of potential equipment and operator actions during the accident. As a result of this re-analysis, operating guidelines have been prepared by the NSSS vendor for use in operator training and revised operating procedures.

This change to the small break operating procedures provides a consistency between the small LOCA safety analysis and the required equipment and operator actions.

I 1128 306 r

A review of Tables II and III indicates a potential problem with the main or auxiliary feedwater level control. The small break analysis and operating guidelines utilize OTSG level for RCS cooling and depressurization.

In the adverse environment caused by the small LOCA, the OTSG level indication could potentially be misleading to the operator and cause an inadequate amount of 0TSG water inventory.

This potential problem is addressed further in Section IV.

C.

Pressurizer PORV Under SLB (Inside Containment), FWLB (Inside Containment) and LOCA Environments The probability and consequences of inadvertent opening or failure to close of the pressurizer PORV as a result of SLB, FWLB, or small LOCA environments has been evaluated.

The principal components of the PORV system are the RC pressure transmitters (inside containment), pressure switches (outside containment, cabling, the PORV solenoid, and the PORV itself (both inside containment).

The system employs no pneumatics and uses the " energized-to-open" philosophy.

The consequences of spurious opening due to adverse environments has not been specifically analyzed in the SAR.

However, the following summarizes the conclusions for each case:

1)

Large LOCA - spurious opening of the PORV would have an insignifi-cant effect on the course of the accident.

2)

Small LOCA - spurious opening of the PORV would be expected to improve the results of this analysis in that it would aid in de-pressurization, increase HPI cooling flow, and provide an additional path for heat removal.

3)

FWLB inside containment - spurious opening of the PORV or failure to close if opened is not specifically analyzed in the SAR. However, as a result of the TMI-2 incident, analysis and operator guidelines have been developed for the case of LOFW concurrent with a stuck open PORV.

Further, it should be noted that, if the valve were to open spuriously early in the transient, it would aid in reducing the pressure transient. Therefore, the consequences are acceptable.

4)

SLB inside containment - spurious opening of the PORV is judged to have an adverse effect on the analysis.

The extent of the adverse effect has not been evaluated.

The potential for the postulated spurious opening due to environmental effects is negligible since safety-grade RC pressure transmitters are used and pressure switches are in environmentally protected areas.

D.

CRDCS Under All Accident Environments A significant increase in initial power level as a result of spurious rod withdrawal prior to reactor trip has not been included in the SLB, FWLB or LOCA analysis. While it is likely that such an increase in power would be offset by the reduction in the time-to-trip for each of these accidents, confirmatory analysis has not been performed. The following summarizes the likelihood of significant rod withdrawal for each case.

1l28 307 I

i i

1)

For steam and feedwater line breaks, the time-to-trip is very short (up to 8 seconds for SLB and 13.4 seconds for FWLB).

Adverse environmental effects on any equipment, e.g., out-of-core detectors, which could result in spurious rod withdrawal is considered extremely unlikely.

2)

The same rationale applies to all but the very smallest LOCA's, i.e.,

time to low RC pressure trip is short for the majority of small breaks.

Conversely, " leaks" (breaks too small to result in a low pressure trip) are not expected to generate a severe environment.

From the above, it is concluded that adverse interaction resulting in si-gnificant reactor power increases is extremely unlikely.

E.

MFW and AFW Control and Isolation Under SLB, FWLB, and Small LOCA Environments As indicated in Table I, these control systems are important elements of the safety analyses for steam and feedwater line breaks. To remain within the bounds of the safety analyses for these events, and prevent additonal RCS overcooling, feedwater must be secured quickly to the affected 0TSG and initiated and properly controlled to the unaffected 0TSG.

Feadwater will be isolated, within the allotted time, to the affected 0TSG, and auxiliary feedwater will be initiated within 40 seconds.

Proper control of main or auxiliary feedwater to maintain a minimum 0TSG level to the unaffected 0TSG is addressed in the current plant operating procedures for secondary system breaks.

These procedures will be reviewed as part of the Abnormal Transient Operating Guidelines Program.

F.

Steam System Isolation and Pressure Control The turbine stop valves are assumed to trip the turbine and provide steam line isolation very early in the feedwater line break and steam line break accidents.

In addition, any failure or malfunction in the control system for these valves would cause the valves to close which is the assumed action.

The FSAR evaluation of a steam line break includes a discussion of an open turbine bypass valve in the unaffected line.

IV. Justifica; ion for Continued operation Based on the evaluations and safety assessments above, we conclude that continued operation is justified, particlarly in light of the very low probabilities of the high-energy line breaks considered and the conservatisms included in the analyses.

There are some specific potential problem areas which require further investigation. Until these investigations are complete, the following actions will further enhance safety in each of the identified potential problem areas.

A.

'Effect of Adverse SLB Environment on Main Feedwater Control, Auxiliary Feedwater Isolation Valves, and Auxiliary Feedwater Control The following assessment demonstrates that the risk of continued operation is acceptably small.

The consequence of concern for steam line breaks is core return to power. The limiting case for assessing return to p wer is the double-1128 308

l ended rupture of the main steam line with the most reactive control rod stuck out of the core.

Further, EOL core conditions (conserva-tive maximum negative moderator coefficient) and other assumed conservatisms are employed. Additional overcooling caused by preventing isolation of the affected steam generator could lead to a return to power.

Although previous analyses have concluded that such a return to power is an acceptable condition, an evaluation was performed to demonstrate that the probability of such an occurence is acceptably low for continued operation during a postulated two-year period that might be required to identify and correct any such consequential failures.

The probability of a main steam line break in the size range of interest has been estimated to be %1 x 10-4 per reactor year in the Rasmussen Report (WASH 1400). B&W has previously estimated the probability of any MSLB (including small breaks) to be 1.8 x 10-4 per reactor year. For pusposes of this evaluation, a conservative probability of a double-ended rupture of the main steam line was selected as 1 x 10-4 per reactor year.

Even if such an event were to occur, and the overcooling effect were to be increased beyond that analyzed, no return to criticality would result if all control rods were to drop.

Therefore, an evaluation was made to determine the probability of any control rod to not trip on demand. The NRC Gray Book reports that, as of June, 1979, there had been 253 reactor trips at B&! operating plants (excludingTMI-2).

In no cast was there a failm of any control rod to fully insert. Using an upper 50% conf', den.: ?evel estimate for the failure of any particular rod to insert and assuming a Poisson distribution for such failures, the probability of at least one rod sticking in any scram demand is et~culated to be ? MxiC'3 per trip demand.

(Note that corresponding probability of the most reactive rod r.ot insertir.g is % 5x10-f per trip demand).

Based on the above, a conservative cWned probability of any stuck rod concurrent with a double-enace main steam line break during two years of operation of the plant is shown to be less than 5.5 x 10-7 It is concluded that, even if events were to occur which could greatly increase the overcooling effect associated with main steam line break, the probability of such an event leading to recriticality during two years of continued operation is acceptably small.

B.

liain Feedwater Control and Auxiliary Feedwater Control as a Result of Small LOCA or FULB Inside Containment The only potentially affected components inside containment are the steam generator level transmitters whose accuracy could be affected by the elevated temperature (all other components which could affect these controls are outside containment).

This subject has previously been addressed in response to Bulletin 79-21, and the associated coerator guidelines to accomodate these errors are considered sufficient to justify continued operation pending any further evaluations and/or corrective actions.

{

-e-1128 309

\\

C.

Main Feedwater Control, Auxiliary Feedwater Isolation Valves, and Auxiliary Feedwater Control for FWLB Outside Containment Unlike breaks inside containment, where unaffected steam generator level control and isolation of the affected stean generator is important to the containment integrity analysis, i.e., preserving the mass and energy release basis, no such concern exists for breaks outside containment.

Further, minimum core DNBR, which occurs during the first few seconds of the transient, would not be reduced,. peak RC pressure would not be increased, and no increase in radiological releases would result.

It is concluded that, during the analyzed course of the accident, no adverse effects would result from failure of these controls and valves. Maintenance of a preset level in the unaffected steam generator for long-term accident mitigation will be addressed in the recomcnded programs in Section V.

V.

Recommended Future Action The 20 day response to Mr. Denton's letter focused upon a confirmation that the plant's actual equipment actuation and performance are consistent with that used in the licensing basis analyses. The approach taken was to define potential effects of non-safety-grade control systems in an adverse environment and prepare an assessment to confirm the conclusions reached in the original safety analyses. Justification for continued operation was then based upon the results of this evaluation.

The scope of the 20-day response did not include potential control system effects which could impact long-term system response and operator action. A complete assessment of environmental effects on non-safety-grade control systems should include an evaluation of equipment required to maintain a safe shutdown following accidents which cause an adverse environment. To address this issue, a future program is recommended to:

1.

Define instrumentation and control functions required for safe shutdown 2.

Identify applicable c4uipment errors and responses in an adverse environment 3.

Prepare a safety assessment and determine corrective action if required.

This effort will be closely coupled to the Abnormal Transient Operating Guidelines Program currently underway, and will focus upon additional operator training to recognize and respond to the impact of an adverse environment on non-safety-grade control systems. The schedule for submittal of the Safety Assessment will be consistent with the current schedule for the Abnormal Transient Operating Guidelines Program (i.e.,mid-1980).

1128 310

TABLE I TYPICAL EQUIPMENT RESPONSE DURING HIGH ENERGY LINE BREAKS B&W 177 FA Plants Steam Line Feedwater Large Small Break Line Break LOCA LOCA I.

Reactor Power Centrol and shutdown Trip Function Utilized High 4 or Low High RC Pressure Reactor Trip Low RC Pressure RC Pressure Not Used Tine of Reactor Trip 1.1-8.0 8.2-13.4 sec.

II.

Reactor Pressure Control Time to PROV Actuation PROV Not 4-8 sec.

PROV Response PROV not assumed Actuated for Not Important to open Time at which PROV Closes Steam Line s20 sec.

Break III.

Steam System Isolation and Pressure Control (1)

Steam Line Isolation Time 1.6-8.5 sec.

6.0-12.0 sec.

Code Safety Code Safety Valves are Used Valves are Used (2)

Time to Steam Relief Valve Opening 7.0-16.0 sec.

7.0-7.5 sec.

in the Analyses in the Analyses for Conservatism for Conservatism (2)

Time for Steam Relief Valve Closure 20-30 sec.

25-30 sec.

IV.

Feedwater System Isolation and Control (1)

Main Feedwater Isolation Time 19-34 sec.

s18 sec.

Analysis Con-Not Required servatively (1) _.

Auxiliary Feedwater Isolation Time 19-34 sec.

s18 sec.

Assumes a Loss Not Required of All Feed-(2) rs] Auxiliary Feedwater Initiation Time 440 sec. 140 sec.

water 140 sec.

Co (2)

Main or Auxiliary Feedwater Control Maintain Maintain Maintain Minimum Minimum Preset

((^

OTSG Level 0TSG Level OTSG Level (1) Affected Steam Generator (2) Unaffected Steam Generator

TABLE II P0TENTIAL ENVIRONMENTAL EFFECTS ON NON-SAFETY GRADE CONTROL SYSTEMS Licensing Basis Accidents SLB Inside SLB Outside FWLB Inside FWLB Outside large Small Non-Safety Grade Control Systems Containment Containment Containment "ontainment LOLA LOCA __

I.

Reactor Power Control and Shutdown Control Rod Drive Control System X

X X

X X

X II.

Reactor Pressure Control Power Operated Relief Valve X

X Y

X Pressurizer Heaters Y

Y Y

Y Pressurizer Spray Y

Y Y

Y III.

Steam 5ystem Isolation and Pressure Control Turbine Trip / Turbine Stop Valves X

X Turbine Bypass /Atm Relief Valves **

X X

X X

X X

IV.

Feedwater System Isolation and Control MaCn Feedwater Control **

X X

X X

X X

Main Feedwater Isolation Valves

• X X

{}j Auxiliary Feedwater Isolation Valves

• X X

Auxiliary Feedwater Initiation **

X X

t,e r() Auxiliary Feedwater Level Control **

X X

X X

X X

Affected Steam Generator

- Environmental Effects Cannot Occur Due to Location of Equipment Unaffected Steam Generator (inside containment vs. outside containment)

Y Environment will not affect Safety Analysis Results X Environment could affect Safety Analysis Results

TABLE III IMPACT OF CONTROL SYSTEM EFFECTS ON SAFETY ANALYSIS LicEasing Basis Accidents SLB Inside SLB Outside FVLB Inside FWLB Outside Large Small Containment Containment Containment Containment LOCA LOCA I.

Reactor Power Control and Shutdown Control Rod Drive Control System (2)

(2)

(2)

(2)

(2)

(2)

II.

Reactor Pressure Control Power Operated Relief Valve (1)

(1)

(3)

Pressurizer Heaters Pressurizer Spray III.

Steam System Isolation and Pressure Control Turbine Trip / Turbine Stop Valves (2)

(2)

Turbine Bypass /Atm Relief Valves (1)

(3)

(1)

(3)

(3)

(3)

IV.

Feedwater System Isolation and Control Main Feedwater Control (4)

(4)

(4)

(4)

(3)

(4)

Main Feedwater Isolation Valves (1)

(1)

C Auxiliary Feedwater Isolation Valves (4)

(4)

I Auxiliary Feedwater Initiation (1)

(1) u Auxiliary Feedwater Level Control (4)

(4)

(4)

(4)

(3)

(4)

(1) Equipment Can be Shown to Perform Intended Function (2) Required Period of Operability Is Short (3) Equipment Perfonnance Is Conservative In Adverse Environment (4) Potential Inconsistency With Safety Analysis Inputs and Responses Note: All Open Entries are Either a Dash (-) or a Y on Table II