ML19209C627

Evaluation of Potentially Adverse Environ Effects on Nonsafety-Grade Control Sys.
ML19209C627
Person / Time
Site: Crystal River Duke Energy
Issue date: 10/07/1979
From:
BABCOCK & WILCOX CO., FLORIDA POWER CORP., GILBERT/COMMONWEALTH, INC. (FORMERLY GILBERT ASSOCIAT
To:
Shared Package
ML19209C626 List:
References
NUDOCS 7910160508

EVALUATION OF POTENTIALLY ADVERSE ENVIRONMENTAL EFFECTS ON NON-SAFETY-GRADE CONTROL SYSTEMS

Prepared by:

Florida Power Corporation
Babcock and Wilcox Company
Gilbert Associates, Inc.

October 7, 1979

TABLE OF CONTENTS

I. INTRODUCTION
II. PLANT LICENSING BASIS
1. Safety Analysis Functions and Parameters
2. Plant Unique Features - CR-3
III. SAFETY ASSESSMENT
1. Potential Environmental Effects
2. Impact on Plant Safety Analysis
IV. JUSTIFICATION FOR CONTINUED OPERATION
V. RECOMMENDED FOLLOW-UP ACTION

Tables
I. Typical Equipment Response During High Energy Line Breaks
II. Potential Environmental Effects on Non-Safety-Grade Control Systems
III. Impact of Control System Effects on Safety Analysis
IV. Fuel Performance at Operating Plants

I. INTRODUCTION

This report is in response to Harold R. Denton's letter of September 17, 1979, on the subject of "Potential Unreviewed Safety Question on Interaction Between Non-Safety-Grade Systems and Safety-Grade Systems". It is intended to serve as a response to the concerns listed in Information Notice 79-22 and to fulfill the commitment made during our meeting with your staff on September 20, 1979. During that meeting, we committed to:

- Evaluate impact on Licensing basis accident analyses due to consequential environmental effects on Non-Safety-Grade Control Systems.

- Identify Licensing basis accidents which cause an adverse environment for each plant.

- Define Safety Analysis inputs and responses used during Licensing basis accidents.

- Verify Safety Analysis conclusions or recommend actions justifying continued operation.

The scope of this response includes a confirmation that the plant's actual equipment actuation and performance are consistent with that used in the Licensing basis analysis. A matrix of potential environmental effects on Non-Safety-Grade Control Systems is presented. Where Non-Safety-Grade equipment performance could be affected by the adverse environment, a safety assessment has been prepared. The safety assessment was used to define potential problems due to the effects of an adverse environment on Non-Safety-Grade Control Systems.

A justification for continued operation of the plant is provided based upon the safety assessments and risk evaluations. Work beyond the scope of the 20-day response and work to provide a more detailed assessment are included in recommended follow-up actions.

II. PLANT LICENSING BASIS

1. SAFETY ANALYSIS FUNCTIONS AND PARAMETERS

Plant Licensing basis analyses, as presented in the FSAR, were reviewed to define the inputs, assumptions, and responses used for Non-Safety-Grade Control Systems. This information is summarized in Table I, which lists typical equipment actions and actuation times used in the safety analyses for B and W 177 fuel assembly plants. The data has been categorized to reflect the functional requirements as follows:

A. Reactor Power Control and Shutdown
B. Reactor Pressure Control
C. Steam System Isolation and Pressure Control
D. Feedwater System Isolation and Control

This categorization has been developed to focus upon those primary functions which have a potential for control system interaction.

The table identifies the range of equipment actions and actuation times used in the plant safety analysis for steam line break, feedwater line break, and large and small LOCA.

2. PLANT UNIQUE FEATURES - CR-3

A. Safety-Grade Emergency Feedwater System
B. Safety-Grade PORV
C. Safety-Grade Main Steam Isolation Valves
D. Safety-Grade Main Steam Line Rupture Matrix Equipment
E. Double Blowdown Analysis (FSAR, Page 14-18C)
F. Main Feedwater Line Check Valves immediately outside containment (FWV-45 and FWV-46) to mitigate feedwater line break consequences outside containment
G. Return to Power Analysis (Page 14-18A and 14-18B, Case II)
H. Safety-Grade RC System Pressure Transmitters
I. Post-TMI-2 Control Grade Trips
J. GAI Report, "Effects of High Energy Piping System Breaks Outside The Reactor Building" for Crystal River Unit 3, July 1, 1797. This analysis includes main steam line and feedwater line breaks in accordance with NRC requirements. This report analyzed potential high energy feedwater and steam line breaks at specific locations identified in figures 4.1.1 and 4.1.3. The pipe break criteria is listed on Page 3 of that analysis. The evaluation of the effects of the adverse environmental conditions due to these pipe breaks is discussed in Section 6.5 of this report.

III. SAFETY ASSESSMENT

1. POTENTIAL ENVIRONMENTAL EFFECTS

The Non-Safety-Grade Control Systems have been reviewed to determine if an accident environment could adversely affect the analyzed course of the event. Specifically, the approach taken was to use the safety analysis functions and parameters from Table I as a basis to identify where potential control system effects could have an impact. The result of this evaluation is summarized in Table II, Potential Environmental Effects on Non-Safety-Grade Control Systems. The matrix identifies, for six accident types, the Non-Safety-Grade Control Systems which could be adversely affected by the environment caused by the event. Where no entry is made in the matrix, no potential for environmental effects exists due to the physical location of the equipment with respect to the high energy line break, i.e., breaks inside containment do not affect equipment outside containment and vice versa. If an entry is made (X or Y), a potential effect exists as follows:

X - The adverse environment caused by the break could affect the equipment, and equipment malfunction could affect safety analysis functions identified in Table I.

Y - The adverse environment caused by the break could interact with the equipment, but the equipment malfunction would not affect safety analysis functions identified in Table I.

This structuring of the potential effects matrix provides a focus on those Non-Safety-Grade Control Systems which are important and identifies areas for further evaluation of the impact on the safety analysis (i.e., X's).

2. IMPACT ON PLANT SAFETY ANALYSIS

Potential environmental effects which could adversely impact the plant safety analysis are identified in Table II with an "X". For each potential adverse effect, a safety assessment has been prepared to confirm plant safety or identify a potential problem area.

The results of the safety assessment are summarized in Table III, Impact of Control System Effects on the Safety Analysis. These potential effects, due to an adverse environment, have been placed into several categories as follows:

1. Equipment Performance
The identified Non-Safety-Grade equipment can be shown to perform its function, consistent with the safety analyses, in the adverse environment.

2. Period of Operability
The required period of operability for the equipment (i.e., time frame in which the equipment must function) is considerably shorter than the time it takes for an adverse environment to have an impact.

3. Conservative Impact
The effect of the adverse environment on the equipment is such that the equipment performance (or failure) is in a conservative direction with respect to the safety analyses.

4. Potential Problem
The effect of the adverse environment on the equipment is such that a potential problem exists. The evaluation performed to date has not shown that the safety analysis inputs and responses are consistent with the Non-Safety Control System performance in an adverse environment.

The rationale and bases for the categorization are important to understand those effects which do not impact plant safety analyses and, thereby, allow the focus to be placed on potential problems. The impact on safety analysis is presented below:

A. Reactor Power Control and Shutdown

1. CRDCS Under All Accident Environments

A significant increase in initial power level as a result of spurious rod withdrawal prior to reactor trip has not been included in the SLB, FWLB, or LOCA analysis. While it is likely that such an increase in power would be offset by the reduction in the time-to-trip for each of these accidents, confirmatory analysis has not been performed. The following summarizes the likelihood of significant rod withdrawal for each case.

For steam and feedwater line breaks, the time-to-trip is very short (up to 8 seconds for SLB and 13.4 seconds for FWLB). Adverse environmental effects on any equipment, e.g., out-of-core detectors, which could result in spurious rod withdrawal are considered extremely unlikely.

The same rationale applies to all but the very smallest LOCAs, i.e., time to low RC pressure trip is short for the majority of small breaks. Conversely, "leaks" (breaks too small to result in a low pressure trip) are not expected to generate a severe environment.

From the above, it is concluded that adverse interaction resulting in significant reactor power increases is extremely unlikely.

B. Reactor Pressure Control

1. Pressurizer PORV Under SLB (Inside Containment), FWLB (Inside Containment), and Small LOCA Environments

The probability and consequences of inadvertent opening or failure to close of the pressurizer PORV as a result of SLB, FWLB, or small LOCA environments have been evaluated.

The principal components of the PORV system are the RC pressure transmitters (inside containment), pressure switches (located outside containment in the control room), cabling, the PORV solenoid, and the PORV itself (inside containment).

The system employs no pneumatics and uses the "energized-to-open" philosophy.

The consequences of spurious opening due to adverse environments have not been specifically analyzed in the SAR. However, the following summarizes the conclusions for each case:

(a) Large LOCA - spurious opening of the PORV would have an insignificant effect on the course of the accident.

(b) SLB, FWLB, Small LOCA - the potential for the postulated spurious opening due to environmental effect is negligible because: CR-3 utilizes Safety-Grade RC pressure transmitters; the actuation components are located outside the containment building; and the cabling, PORV solenoid, and PORV itself are environmentally qualified.

2. Pressurizer Heaters and Pressurizer Sprays Under SLB (Inside Containment), FWLB (Inside Containment), and LOCA Environments

No credit was taken for the pressurizer heaters or sprays in the safety analyses.

C. Steam System Isolation and Pressure Control

1. Turbine Trip / Turbine Stop Valves Under SLB (Outside Containment) and FWLB (Outside Containment) Environments

Turbine trip is performed by actuation of the turbine stop valves. The components that are required to actuate the turbine stop valves during an SLB and FWLB are:

(a) Auto-stop oil solenoid (TB-321-SV)

(b) Pressure switches (FW-135-PS) and (FW-136-PS)

(c) Reactor trip breakers

(d) Lock-out relays (86/ REC)

The design temperature limit of the solenoid is 140°F, and the solenoid is located in an area of a steam line break location (see Section II.2.J) and could be environmentally affected. However, the accident analysis assumes turbine stop valve closure within 7 seconds of the break. Therefore, the required period of operability of the solenoid (i.e., time frame in which the equipment must function) is considerably shorter than the time it takes for an adverse environment to have an impact.

The auto-stop solenoid is not located near any of the FWLB locations (see Section II.2.J) and is not environmentally affected during the FWLB event.

The pressure switches are not located near any of the SLB or FWLB locations assumed in the high energy line analysis (see Section II.2.J) and will not be environmentally affected by the SLB or FWLB events.

The reactor trip breakers are located in the relay room and the lock-out relays are located in the control room and are not environmentally affected.

2. Steam Line Isolation Valves to the Affected Steam Generator Under SLB (Outside Containment) and FWLB (Outside Containment)

The Main Steam Isolation Valves at CR-3 are Safety-Grade, environmentally qualified valves and will perform their intended function assumed in the safety analysis. The actuation matrix (Main Steam Isolation Rupture Matrix) for the MSIVs is also Safety-Grade.

3. Turbine Bypass / Atmospheric Relief Valves to the Unaffected Steam Generator Under All Accident Environments

(a) SLB Inside Containment

The following components located inside containment actuate the turbine bypass and atmospheric relief valves:

(1) Pressure Transmitters (SP-6A-PT-1 and 2), (SP-6B-PT-1 and 2)

These components will be exposed to a steam environment as a result of an SLB inside containment. The design temperature limit for these components is 180°F. The accident analysis assumes (Table I) that the atmospheric relief / turbine bypass valves will open in approximately 12 seconds and will close within 28 seconds. The transmitters on the unaffected steam generator, which has the SLB and, therefore, the required period of operability for the equipment, is considerably shorter than the time it takes for an adverse environment to have an impact.

If it is assumed the transmitter on the unaffected OTSG fails, it will fail such that the turbine bypass and steam relief valves will stay closed or close if opened. Steam relief would then be provided by the secondary side code safety relief valves.

Therefore, the effect of the adverse environment on the equipment is such that the equipment performance (or failure) is in a conservative direction with respect to the safety analysis.

(b) SLB Outside Containment

The following components at CR-3 actuate the turbine bypass and atmospheric relief valves:

(1) E/P transducers located on the turbine bypass valves and atmospheric relief valves.

(2) Main steam line pressure transmitters (SP-10A-PT-1 and 2) and (SP-10B-PT-1 and 2) for bias control.

The E/P transducers are designed to a temperature limit of 140°F and are located in the intermediate building for atmospheric relief valves. The E/Ps for the turbine bypass valves are located in the turbine building.

For an SLB located in the intermediate building (see Section II.2.J), the E/P transducers for the atmospheric relief valves would be exposed to an adverse environment. However, the time period of required operability (i.e., opening within 12.2 seconds and closing within 20.6 seconds) assumed in the accident analyses is considerably shorter than the time it takes for the adverse environment to have an impact.

If failure of the E/P transducer on the unaffected steam generator is assumed due to long-term environmental effects, it will cause the atmospheric relief valve on the unaffected steam generator to fail in the half open position. This would result in blowdown of the unaffected as well as the affected steam generators. However, this transient has been analyzed for CR-3 and found acceptable as stated in Section 14.0 of the FSAR.

The E/P transducers located on the turbine bypass valves will perform their function, consistent with the safety analysis, because they are physically not located near any of the SLB locations assumed in the break analysis (see Section II.2.J). However, should we postulate their failure, it would not affect the safety analysis results as the MSIVs close within approximately 7 seconds, isolating main steam to the bypass valves.

The main steam line pressure transmitters located at the turbine are designed for a temperature of 180°F. These transmitters are located near an SLB location assumed in the break analysis (see Section II.2.J). However, in the event of an SLB outside containment, main steam isolation is accomplished by the turbine stop valves or MSIVs (Safety-Grade) within approximately 7 seconds from the time of break. Therefore, the period of the adverse environment is too short to have an impact on the pressure transmitters and they will, therefore, perform their intended functions.

(c) FWLB Inside Containment

Same response as 3.(a), SLB Inside Containment, above.

(d) FWLB Outside Containment

The same components in 3.(b), SLB Outside Containment, are affected for this event.

The E/P transducers on the turbine bypass valves are not located in the area of an FWLB location assumed in the break analysis (see Section II.2.J) and, therefore, can be shown to perform their intended functions assumed in the safety analysis.

The effect of an FWLB outside containment on the E/P transducers for the atmospheric relief valves is the same as described in 3.(b), SLB Outside Containment.

(e) Large LOCA

Same response as Section D.1.(c), Large LOCA Environment.

(f) Small LOCA

Same response as Section D.1.(d), Small LOCA Environment.

D. Feedwater System Isolation and Control

1. Main Feedwater Control on the Unaffected Steam Generator

(a) SLB Inside and Outside Containment and FWLB Inside Containment

CR-3 does not use main feedwater control during these postulated accidents or transients. The main feedwater to both steam generators is isolated and the main feedwater pumps tripped by the Main Steam Line Rupture Matrix actuation on low steam generator pressure. Subsequent steam generator level is controlled by the Emergency Feedwater System, which is Safety-Grade and environmentally qualified.

(b) FWLB Outside Containment

The break location is assumed to occur upstream of the main check valve.

The equipment used for MFW control is:

(1) FWV-14, 15, 28, 29, 30, 31, 32, 33, 34, 35, 36 (limitorque operators), and 39 and 40 (air operated).

(2) MS-92-95 PS.

The pressure switches are Safety-Grade and environmentally qualified to 400°F.

If the break location is assumed to occur in the intermediate building, FWV-29-36 and FWV-39 and 40 could be exposed to an adverse environment. However, the required period of operability for this equipment is considerably shorter than the time it takes for an adverse environment to have an impact. This is based on the fact that the limitorques for FWV-29 through 36 are qualified to a temperature limit of 325°F and Figure 4.3.4 (see Section II.2.J), which is conservative for an FWLB, shows this temperature is exceeded for only approximately 3 seconds. The electrical components (solenoids, E/Ps, etc.) are qualified to 140°F and will function during the short-term transient. Therefore, this equipment should perform its function consistent with the safety analysis.

If the above equipment was exposed to a long-term adverse environment resulting from an FWLB, FWV-39 and 40 (electrical components only) could fail. If they are assumed to fail open, main feedwater flow must be terminated and subsequent steam generator level control would be provided by the Emergency Feedwater System, which is Safety-Grade. If the FWV-39 and 40 fail closed, isolating main feedwater to the unaffected steam generator, level control would be maintained by the Emergency Feedwater System.

(c) Large LOCA Environment

The large break loss-of-coolant accident relies upon Safety-Grade equipment for mitigation. The potential effects presented in Tables I and II indicate that the control system functions, though considered in the analysis, are modeled conservatively such that postulated malfunctions of these systems will not invalidate the analytical results. The reactor shutdown and pressure control during the blowdown and reflood phases do not rely upon Non-Safety-Grade Control Systems. The steam and feedwater system control features are conservatively modeled in the analyses as follows:

(1) The secondary steam system is conservatively assumed to remain intact (bottled up) to provide a large heat source during the later stages of blowdown. The steam safety valves are used to maintain a conservatively high steam pressure. Potential control system effects which provide more steam relief would tend to improve the analytical results.

(2) The feedwater system flow is conservatively assumed to quickly decrease to zero following the break. This loss of feedwater minimizes the effect of the OTSG secondary as a heat sink for a conservative analysis.

(d) Small LOCA Environment

The small break loss-of-coolant analysis has been revised since TMI-2 to include a parameterization of potential equipment and operator actions during the accident. As a result of this reanalysis, operating guidelines have been prepared by the NSSS vendor for use in operator training and revised operating procedures. This change to the small break operating procedures provides a consistency between the small LOCA safety analysis and the required equipment and operator actions.

A review of Tables II and III indicates a potential problem with the main or auxiliary feedwater level control. The small break analysis and operating guidelines utilize OTSG level for RCS cooling and depressurization. In the adverse environment caused by the small LOCA, the OTSG level indication could potentially be misleading to the operator and cause an inadequate amount of OTSG water inventory. This potential problem is addressed further in Section IV.

2. Main Feedwater Isolation Valves on the Affected Steam Generator

(a) SLB Outside Containment

Main feedwater isolation to the affected steam generator is accomplished by the following components during a steam line break:

(1) Pressure switches MS-92 through 95 PS

(2) Motor operated valves FWV-14, 15, 28, 29, 30, 31, 32, 33, 34, 35, and 36 (limitorque operators).

(3) The pressure switches are Safety-Grade and designed to 400°F, and will, therefore, perform their intended function assumed in the safety analysis during adverse environmental conditions.

(4) The motor operated valves listed in Item (b), above, are designed to a temperature limit of 325°F.

(5) The locations for the steam line breaks assumed in the safety analysis and pipe break analysis (see Section II.2.J) are such that no single break location can prevent main feedwater isolation during a steam line accident outside containment. For the break locations postulated in the intermediate building, main feedwater isolation is accomplished by the closure of FWV 14, 15, and 28, located in the turbine building. For steam line break locations identified outside of the intermediate building, main feedwater isolation is accomplished by FWV 29 through 36, located in the intermediate building.

(6) In addition, the accident analysis assumes that main feedwater isolation is completed within 34 seconds from the time of the break. Therefore, the required period of operability for this equipment is considerably shorter than the time it takes for an adverse environment to have an impact. This assumption is based on the fact that the temperature limitation of the valve limitorque operators is 325°F and figure 4.3.4 shows that the temperature transient greater than 325°F during a steam line break in the intermediate building only lasts approximately 3 seconds, and for breaks occurring in the turbine building in the location of FWV 14, 15, and 28, would be terminated within 7 seconds by the main steam line isolation valve closure. The short duration of temperatures greater than the limitorque design temperature during a steam line break at CR-3 should not cause failure of the limitorque operator.

(b) FWLB Outside Containment

The analysis for an FWLB outside containment between the steam generator and check valve is the same analysis as the SLB outside containment.

For an FWLB outside containment upstream of the check valve, main feedwater isolation is accomplished by the main steam line rupture matrix when the affected steam generator pressure drops to 600 psi. The feedwater valves used for this isolation are the same as those used for SLB discussion and, therefore, perform their intended function for the same reason.

3. Emergency Feedwater Isolation Valves

(a) SLB Outside Containment and FWLB Outside Containment

The components used for isolation of emergency feedwater to the affected steam generator are:

(1) Pressure switches MS-92 through 95-PS.

(2) FWV-161 and FWV-162 (limitorque operators).

(3) FWV-34 and FWV-35 (limitorque operators).

The pressure switches and limitorque operated valves (FWV-161 and 162) are Safety-Grade and, therefore, should perform their intended function as stated in the safety analysis. Limitorque operated valves (FWV-34 and 35) are designed to a temperature limit of 325°F and, therefore, are not affected by adverse environment as described in Section 2.(a) (6), above.

4. Emergency Feedwater Initiation

(a) SLB Outside Containment and FWLB Outside Containment

The components used for emergency feedwater actuation are Safety-Grade and environmentally qualified with the exception of pressure switches FW-135-PS and FW-136-PS. These pressure switches have a design temperature limit of 160°F and should perform their intended function consistent with the safety analysis because they are not located near any of the SLB locations assumed in the safety analysis for pipe breaks (see Section II.2.J).

5. Emergency Feedwater Level Control

(a) SLB Inside Containment, FWLB Inside Containment, and Small LOCA

The steam generator level transmitters are affected by these accidents; however, the effects of the adverse environments on these transmitters were described in our submittal to IE Bulletin 79-21, dated September 17, 1979.

(b) SLB Outside Containment and FWLB Outside Containment

The components required for emergency feedwater level control are Safety-Grade and environmentally qualified with the exception of pressure switches FW-135-PS and FW-136-PS. The qualifications for these pressure switches are described in Section D.4 above.

IV. JUSTIFICATION FOR CONTINUED OPERATION

Based on the evaluations and safety assessments above, we conclude that continued operation is justified, particularly in light of the very low probabilities of the high-energy line breaks considered and the conservatisms included in the analyses. There are some specific potential problem areas which require further investigation. These potential problem areas at Crystal River Unit 3 are as follows:

A. EFFECT OF ADVERSE SLB AND FWLB ENVIRONMENT OUTSIDE CONTAINMENT ON ATMOSPHERIC RELIEF VALVES

During our evaluation of the SLB and FWLB events outside the containment, the potential long-term failure due to adverse environmental conditions of the atmospheric relief valves was identified. The potential failure of these valves during the SLB and FWLB events outside containment could result in the blowdown of both steam generators. The failure of these valves was not postulated on the steam line/feedwater line break analysis for CR-3. The result of this event is bounded by the double blowdown analysis of both steam generators as described in Section 14.0 of the CR-3 FSAR. Therefore, no unreviewed safety concerns exist at CR-3 and continued operation is justified.

B. MAIN FEEDWATER CONTROL AND AUXILIARY FEEDWATER CONTROL AS A RESULT OF SMALL LOCA, FWLB INSIDE CONTAINMENT, OR SLB INSIDE CONTAINMENT

During our evaluation of these events, the only potentially affected components inside containment are the steam generator level transmitters whose accuracy could be affected by the elevated temperature (all other components which could affect these controls are outside containment).

This subject was addressed in our response to IE Bulletin 79-21, dated September 17, 1979, and our commitments identified in our response are considered sufficient to justify continued operation pending any further evaluations and/or corrective actions.

Further justification for the continued operation of Crystal River Unit 3 is summarized as follows:

1. Core Return to Power

The limiting case for assessing return to power is the double-ended rupture of the main steam line with the most reactive control rod stuck out of the core. Further, EOL core conditions (conservative maximum negative moderator coefficient) and other assumed conservatisms are employed. Additional overcooling caused by preventing isolation of the affected steam generator could lead to a return to power. Although previous analyses have concluded that such a return to power is an acceptable condition, an evaluation was performed to demonstrate that the probability of such an occurrence is acceptably low for continued operation during a postulated two-year period that might be required to identify and correct any such consequential failures.

The probability of a main steam line break in the size range of interest has been estimated to be approximately 1 x 10^-4 per reactor year in the Rasmussen Report (WASH 1400). B and W has previously estimated the probability of any MSLB (including small breaks) to be 1.8 x 10^-4 per reactor year. For purposes of this evaluation, a conservative probability of a double-ended rupture of the main steam line was selected as 1 x 10^-4 per reactor year.

Even if such an event were to occur, and the overcooling effect were to be increased beyond that analyzed, no return to criticality would result if all control rods were to drop. Therefore, an evaluation was made to determine the probability of any control rod to not trip on demand. The NRC Gray Book reports that, as of June, 1979, there had been 253 reactor trips at B and W operating plants (excluding TMI-2). In no case was there a failure of any control rod to fully insert. "Using an upper 50% confidence level estimate for the failure of any particular rod to insert and assuming a Poisson distribution for such failures, the probability of at least one rod sticking in any scram demand is calculated to be 2.74 x 10^-3 per trip demand. (Note that corresponding probability of the most reactive rod not inserting is ~ 5 X 20-0 per trip demand)."

Based on the above, a conservative combined probability of any stuck rod concurrent with a double-ended main steam line break during two years of operation of the plant is shown to be less than 5.5 x 10^-7.

It is concluded that, even if events were to occur which could greatly increase the overcooling effect associated with main steam line break, the probability of such an event leading to recriticality during two years of continued operation is acceptably small.
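The stuck-rod estimate and the combined two-year probability in this subsection can be reproduced numerically. The following is an added example, not part of the original report: it assumes that the "upper 50% confidence level" bound is the Poisson mean at which observing no more than the recorded number of failures has probability 0.5, and all function names are illustrative.

```python
import math


def poisson_cdf(k, mu):
    """Return P(N <= k) for N ~ Poisson(mu)."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def upper_bound_mean(failures, confidence):
    """Upper confidence bound on a Poisson mean given an observed failure count.

    Solves P(N <= failures | mu) = 1 - confidence for mu by bisection.
    With zero failures this reduces to mu = -ln(1 - confidence).
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    # Expand the bracket until the CDF at hi falls below the target.
    while poisson_cdf(failures, hi) > target:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def stuck_rod_probability_per_trip(trips, failures=0, confidence=0.5):
    """Per-demand failure probability bound from an operating record."""
    if trips <= 0:
        raise ValueError("trips must be positive")
    return upper_bound_mean(failures, confidence) / trips


def combined_probability(break_rate_per_year, years, p_stuck_per_trip):
    """Probability of a line break within the period with a concurrent stuck rod.

    Uses the rare-event approximation rate * years for the break probability.
    """
    return break_rate_per_year * years * p_stuck_per_trip


if __name__ == "__main__":
    # Inputs quoted in the report: 253 trips, no insertion failures,
    # 1e-4 double-ended steam line breaks per reactor year, two years.
    p_stuck = stuck_rod_probability_per_trip(trips=253)
    p_combined = combined_probability(1e-4, 2, p_stuck)
    print(f"stuck rod per trip demand: {p_stuck:.3e}")
    print(f"break with stuck rod in two years: {p_combined:.3e}")
    # Sensitivity (constructed case): one failure in the same record.
    print(f"with one failure observed: {stuck_rod_probability_per_trip(253, 1):.3e}")
```

With zero failures the bound is ln 2 / 253, so the result scales inversely with the number of recorded trips; a single observed failure in the same record would raise it by a factor of about 2.4.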

2. Radiological Consequences The environmental consequences of a main steam line break are sen-sitive only to the assumed reactor coolant activity level, steam generator leak rate, steam and feedwater isclation times , and meteorological assumptions. Of these, the isolation times could be potentially affected by adverse environmental effects with Non-Safety-Grade controls ard equipment. Although time did not permit a rigorous evaluation of the possible increases in reactor coolant releases which could conceivably occur, the following assessment demonstrates that ample margins are available to cover such an eventuality.

(a) Table IV provides a summary of the past and present defective fuel in all operating B and W plants. The highest levels seen to date were during cycle 3 of Oconee-2, which had an esti-mated defect level of 0.15%. It should be pointed out that IV-2 Q

the leakers in this cycle were from an early "first genera-tion" batch of fuel. Subsequent improvements in design and manufacturing have significantly reduced the defect rate so that such a level is not likely to recur. The current average for all plants is less than 0.0?% leaking fuel (using previous cycle values where current-cycle data are not available). It can be concluded from this data that an increase by a factor of 50 in RCS coolant release to the atmosphere could occur before the equivalent of the SAR releases (based on 1% failed fuel) would be equaled.

(b) The calculated offsite doses presented in the FSAR of .488 rem to the thyroid and .0044 rem whole body represent a very small fraction of the regulatory limits permitted for this accident.

It is judged that, even if undefined effects were to occur which could greatly increase the release of RC coolant to the environment, ample margins exist to prevent exceeding FSAR offsite dose values or regulatory limits.

3. Containment Integrity

Containment pressure response could be aggravated if safety system or operator actions were adversely affected to the extent that steam and feedwater isolation were delayed or prevented. Such a case was analyzed and presented in the Oconee FSAR wherein it was demonstrated that the containment design pressure was not exceeded.

Although time did not permit confirmatory analysis for other plants, it is expected that similar results could be demonstrated. This, coupled with the fact that environmentally qualified equipment is used in most cases for the isolation function, and the estimated low probability of a steam line break (see B, above), leads to the conclusion that the potential for an unmitigated steam line break exceeding the containment design pressure is acceptably small.

V. RECOMMENDED FUTURE ACTION

The 20-day response to Mr. Denton's letter focused upon a confirmation that the plant's actual equipment actuation and performance are consistent with that used in the licensing basis analyses. The approach taken was to define potential effects of Non-Safety-Grade Control Systems in an adverse environment and prepare an assessment to confirm the conclusions reached in the original safety analyses. Justification for continued operation was then based upon the results of this evaluation.

The scope of the 20-day response did not include potential control system effects which could impact long-term system response and operator action. A complete assessment of environmental effects on Non-Safety-Grade Control Systems should include an evaluation of equipment required to maintain a safety shutdown following accidents which cause an adverse environment. To address this issue, a future program is recommended to:

1. Define instrumentation and control functions required for safe shutdown.
2. Identify applicable equipment errors and responses in an adverse environment.
3. Prepare a safety assessment and recommend corrective action if required.

This effort will be closely coupled to the Abnormal Transient Operating Guidelines Program currently underway, and will focus upon additional operator training to recognize and respond to the impact of an adverse environment on Non-Safety-Grade Control Systems. The schedule for submittal of the Safety Assessment will be consistent with the current schedule for the Abnormal Transient Operating Guidelines Program (i.e., mid-1980).

A more detailed evaluation of potential effects of high energy line break accidents on Non-Safety Control Systems will be performed in the long term, with particular emphasis on the potential problem areas identified in the Safety Assessment.

TABLE I TYPICAL EQUIPMENT RESPONSE DURING HIGH ENERGY LINE BREAKS B and W 177 FA PLANTS

a Nak Large LOCA Small LOCA

I. Reactor Power Control and Shutdown

Trip Function Utilized High e or Low High RC Pressure Reactor Trip Low RC Pressure RC Pressure Not used

Time of Reactor Trip 1.1 8.0 sec. 8.2-13.4 sec.

II. Reactor Pressure Control

Time to PORV Actuation PORV Not 4-8 sec. PORV Response PORV N Actuated for et Important Assudtto Open

Time at which PORV Closes Steam Line s20 sec. Break .

III. Steam System Isolation and Control

(1) Steam Line Isolation Time 1.6-8.5 sec. 6.0-12.0 sec. Coje Safety Coje Safety

(2) Time to Steam Relief Valve Opening 7.0-16.0 sec. 7.0-7.5 sec. 1 ntS El $ tN El or Conservbsm 1 or ConservN$sa

(2) Time for Steam Relief Valve Closure 20-30 sec. 25-30 sec.

IV. Feedwater System Isolation and Control

(1) Main Feedwater Isolation Time 15-34 sec. s18 sec. Anal vs' s Con-vel 1[ Recud red Rec ul red gervlit j

(1) Emergency Feedwater Isolation 19-34 sec. s18 sec. gsgs ' y.

(2) Emergency Feedwater Initiation 3 s40 sec. s40 sec. tOTSG

(2) Mbontrolin or Emergency Feedwater & Maintain M intain ca Minimun Minimum OTSG Level U:56 Level ra .

(1) Affected Steam Generator
(2) Unaffected Steam Generator

TABLE II POTENTIAL ENVIRONMENTAL EFFECTS ON NON-SAFETY-GRADE CONTROL SYSTEMS

Licensing Basis Accidents S W Inside SW Outside FW W Inside FWW Outside Large Small Non-Safety-Grade Control Systems Containment Containment Containment Containment LOCA LOCA

I. Reactor Power Control and Shutdown X X X X X X Control Rod Drive Control System

II. Reactor Pressure Control X - Y X Power Operated Relief Valve X -

Y - Y -

Y Y Pressurizer Heaters Y - Y - Y Y Pressurizer Spray

III. Steam System Isolation and Pressure Control Turbine Trip / Turbine Stop Valves - X - X - -

X X - -

Steam Line Isolation Valves * - -

Turbine Bypass / Atm Relief Valves ** X X X X X X

IV. Feedwater System Isolation and Control X X X X Main Feedwater Control ** X X Main Feedwater Isolation Valves * - X - X - -

X - X - -

Emergency Feedwater Isolation Valves * -

Emergency Feedwater Initiation ** - X - X - -

X X X X X X Emergency Feedwater Level Control **

* Affected Steam Generator
- Environmental Effects Cannot Occur Due to Location of Equipment
Y Environment will not affect Safety Analysis results
X Environment could affect Safety Analysis results

TABLE III IMPACT OF CONTROL SYSTEM EFFECTS ON SAFETY ANALYSIS

Licensing Basis Accidents SW Inside SW Outside FW W Inside FWW Outside Large Small Non-Safety-Grade Control Systems Containment Containment Containment Containment LOCA LOCA

I. Reactor Power Control and Shutdown Control Rod Drive Control System (2) (2) (2) (2) (2) (2)

II. Reactor Pressure Control Power Operated Relief Valve (1) (1) (1)

Pressurizer Heaters Pressurizer Spray

III. Steam System Isolation and Pressure Control Turbine Trip / Turbine Stop Valves (1) or (2) (1) or (2)

Steam Line Isolation Valves (1) (1)

Turbine Bypass / Atm Relief Valves (2) or (3) (4) (2) or (3) (4) (3) (3)

IV. Feedwater System Isolation and Control Main Feedwater Control * * * (2) or (3) (3) (4)

Main Feedwater Isolation Valves (1) or (2) (1) or (2)

Emergency Feedwater Isolation Valves (1) or (2) (1) or (2)

Emergency Feedwater Initiation (1) (1)

Emergency Feedwater Level Control (4) (1) (4) (1) (3) (4)

(1) Equipment Can Be Shown To Perform Intended Function
(2) Required Period of Operability is Short
(3) Equipment Performance is Conservative in Adverse Environment
(4) Potential Inconsistency With Safety Analysis Inputs And Responses

* See Section D.1.(a)

NOTE: All Open Entries are either a Dash (-) or a Y on Table II.
