ML19210C810
| ML19210C810 | |
| Person / Time | |
|---|---|
| Site: | Byron, Braidwood  |
| Issue date: | 11/08/1979 |
| From: | Rubenstein L Office of Nuclear Reactor Regulation |
| To: | Peoples D COMMONWEALTH EDISON CO. |
| References | |
| NUDOCS 7911200139 | |
| Download: ML19210C810 (22) | |
Text
y Distribution:
~
Doc le M. L. Ernst C PDR R. P. Denise NOV 8 1979 Local PDR R. Hartfield LWR #4 File ELD D. B. Vassallo IE (3) l D. F. Ross S. A. Varga bec: ACRS (16)
,T s
t x
F. J. Williams.
NSIC -
Docket @s: STN 50-454, STN 50-455 L. S. Rubenstein TIC STN 50-456 & STN 50-4 C. W. Moon f.
M. W. Service-x R. J. Mattson
~
S. H. Han'auer Mr. D. Louis Peoples Director of Nuclear Licensing f,'hT o
Comonwealth Edison Company P. O. Box 767 R. C. DeYoung Y* h, Chicago, Illinois 60690 g,
Dear Mr. Peoples:
SUBJECT:
FIRST ROUND QUESTIONS ON INE' BYRON AND BRAIDWOOD OL APPLICATION i
In our review of your application for operating licenses for the Byron Station, Units 1 and-2, and the Braidwood Station, Units 1 and 2, we have identified a need for additional information which we require to complete our review.
The specific requests contained in the enclosure to this letter are tim. fourth set of our round one questions and cover some of the areas of our review perfomed by (1) the Reactor Systems Branch and (2) by the Quality Assurance Branch. Subsequent requests will include questions arising from the Reactor Systems Branch's review of Chapter 15 of the Byron and Braidwood Final Safety Analysis Report and any applicable questions associated with assessments of the TMI-2 accident.
j Please contact us if you desire any discussion or clarification of the enclosed requests.
Sincerely, "mgA aROBO M m
L. S. Rubenstein, Acting Chief Light Water Reactors Branch No. 4 Division of Project Management
Enclosure:
Request for Additional.
Infoimation ec:
See next page.
j364 33J c
..DP,,M,@: LWR #4,,,
,,DPgLHR
,,,,f,,,,,,,,,..,,,,,,,,
..Cu.M. (pH.... t.,
.... e1n.
c
.1.11.as....la....11/... 3...../. 9...
,q1 m,,.,_
. 79112E6
4
. Commonwealth Edison Company NOV 81979 ces:
Mr. Willisn Kortier Atomic Power Distribution Westinghouse Electric Corporation P. O. Box 355 Pittsburgh, Pennsylvania 15230 t
Paul M. Murphy, Esq.
Isham, Lincoln & Beale i
One First National Plaza 42nd Floor Chicago, Illinois 60690 Mrs. Phillip B. Jchnson 1907 Stratford Lane Rockford, Illinois 61107 Jerome 0. Hughey Attorney at Law i
Sycamora Plaza Building Suite 2A 407 West State Street Sycamore, Illinois 60178 C. Allen Bock, Esq.
P. G. Box 342 Urbana, Illinois 61801 Thomas J. Gordon. Esq.
Waaler, Evans & Gordon 2503 S. Neil Champaign, Illinois 61820 Ms. Bridget Little Rorem Appleseed Coordinator 117 North Linden Street Essex Illinois 60935 I
u 1364 338
ENCLOSURE 212-1 212.0 REACTOR SYSTEMS BRANCH 212.1 In Section 3.5.1.1 you state that valve stems, instrument wells, valve (3.5.2) bonnets, pump impe11ers and pump and valve motors are not credible mis-siles. Tha staff has insufficient information to evaluate this claim.
Provide detailed design criteria which was utilized to preclude the above components from becoming missiles.
Provide blueprints for representative samples of the above components, indicating those features which prevent missile ejection. Also reference any appropriate tests which support your claim that valve stems cannot be ejected.
212.2 Discuss the potential for the reactor vessel seal ring to become a missile (3.5.2) during a LOCA. What design provisions preclude this from occuring?
212.3 Following a LOCA it is expected that reactor coolant pump overspeed will (3.5.2) occur due to blowdawn of the primary system. Discuss the expected behavior of these pumps following a LOCA and identify which break results in the most severe overspeed condition. Discuss potential for failure of the coolant pump flywheel and impeller and provide assurance that ejection of flywheel and impeller missiles will not occur for the limiting case identified.
212.4 Discuss why relief valve components are not included as credible missiles.
(3.5.2)
Provide blueprints of typical relief valves indicating features which prevent ejection of missiles from the components.
212.5 Discuss the potential for falling objects causing damage to safety related (3.5.2) equipment. How are essertial systems and components protected from this missile source? Also discuss the potential for damage to safety systems inside containment by secondary missiles generated by impingement of primary missiles.
212.6 Provide diagrams showing the location and orientation of all high energy (3.5.2) piping near the control rod drive assemblies. These diagrams should include the orientation of valve stems and bonnets as well as location of all missile shields.
Provide your basis for concluding that the control rod drive assemblies are protected from missiles.
212.7 The functional operability of the Control Rod Drive System in respect to (4.6) its ability to bring the plant to a safe shutdown must be verified during preoperational and startup tests.
Provide information on your test objec-tives, methods of testing and test acceptance criteria, so as to verify that functionability of this system will be shown. Test for scram times should envelope all system thermal hydraulic conditiens which would be experienced during normal and off-normal conditions.
~
l364 339
~
212-2 212.8 In Section 5.2 you discuss the overpressure analysis performed for Byron-(5.2)
Braidwood; and indicate that the analysis assumes RCS pressure and tempera-tures to be at their maximum values including instrumentation and control system errors. Describe the assumed instrumentation and control errors, and justify their selection and conservativeness. Also discuss the pre-operational tests which will verify the accuracy of instrumentation systems used to initiate overpressure protection.
212.9 You have referenced WCAP 7769 for an evaluation of the Byron-Braidwood (5.2) overpressure protection system.
Provide all parameters for Byron-Braidwood, comparing them to the ones given in Table 2-2 of the report for a typical Westinghouse 4 loop plant. Where differences exist, show that those dif-ferences will not affect the conservatism of the results given in WCAP 7769, as being applicable to your plant.
212.10 WCAP 7769 identifies Turbine Trip without bypass, concurrent with loss of (5.2) main feedwater pumps as the most severe overpressure transient. Provide an analysis for this transient on the Byron-Braidwood plants.
Provide graphs showing maximum pressurizer water volume, pressurizer pressure, DNBR and reactor power. Perform the analysis assuming that reactor trip comes from the second safety grade signal.
212.11 Your statement in Section 5.2.2.5 that Sargent and Lundy is responsible (5.2) for the design of mounting of pressurizer safety valve supports does not provide the necessary assurance that the valve mounts meet the Westinghouse criteria. Discuss the anticipated loads on the safety valve supports and verify that the methods used by your A/E to design the supports will, limit the loads to acceptable limits.
212.12 Provide assurance that loading due to water relief has been considered in (5.2) the support analysis, including the passage of a water slug and effects of water hammer. What liquid water relief rates were assumed in the loading analysis? Are these values consistent with experimental results obtained from similar valves?
212.13 Branch Technical Position RSB 5-2 related to overpressure protection of (5.2)
PWR's while operating at low temperatures has been recently approved by the Regulatory Requirements Review Committee.
Since Byron-Braidwood will receive an operating license after March 14, 1979, compliance to the following criteria will be required.
(1) A system should be design and instilled which will prevent exceeding the applicable Technical Specifications and Appendix G limits for the reactor coolant system while operating at low temperatures. The sys-tem should be capable of relieving pressure during all anticipated overpressurization events at a rate sufficient to satisfy the Techni-cal Specification limitc, porticularly while the reactor coolant system is in a water-solid condition.
1364 340
212-3 (2) The system must be,able to perform its function assuming any single active component failure. Analyses using appropriate calculational techniques must be provided which demonstrate that the system will provide the required pressure relief capacity assuming the most limiting single active failure. The cause for initiation of the event, e.g., operator arror, component malfunction, will nat be considered as the single active failure. The analysis should assume the most limiting allowable operating and systems configuration at the tima of the postulated cause of the overpressure event. All potential overpressurization events must be consiuered when establish-ing the worst case event.
Potential events may not be eliminated from consideration in overpressure protection system design analyses merely by the imposition of technical specifications or other admin-istrative controls, (e.g., prohibitions on safety injection pump operation).
(3) The system must meet the design requirements of IEEE 279. The system may be manually enabled, however, the electrical instrumentation and control system must provide alarms to alert the operator to:
(a) properly enable the system at the correct plant condition during
- cooldown, (b) indicate if a pressure transient is occurring.
(4) To assure operational readiness, the overpressure protection system must be tested in the following manner:
(a) A test must be performed to assure operability of the system electronics prior to each shutdown.
(b) A test For valve operability must, as a minimum be conducted as specifie f in the ASME Code Section XI.
(c) Subsequent to system, valve, or electronics maintenance, a test on that portions (s) of the system must be performed prior to declaring the system operational.
(5) The system must mest the requirements of Regulatory Guide 1.26,
" Quality Group Classifications and Standards for Water, Steam, and Radioactive-Waste-Containing Components of Nuclear Power Plants" and Section III of the ASME Code.
(6) The overpressure protection system must be designed to function during an Operating Basis Earthquake.
It must not compromise the design criteria or any other safety grade system with which it would inter-face, such that the requirements of Regulator Guide 1.29, " Seismic Design Classification" are met.
~
1364 341
m h
. y
..(
212-4 Lee c
(7) The overpressure protection system must not depend on the availability of offsite power to perform its function.
(8) Overpressure protection systems which take credit for an active component (s) to mitigate the consequences of an overpressurization event must include additional analyses considering inadvertent system initiation / actuation or provide justification to show that existing analyses bound such an event.
~
Discuss how your plant complies with this position and identify deviations and modifications to be made for compliance with this position.
212.14 Provide your limiting Appendix G curve for the first eighteen full power (5.2) months of operation. Discuss the operational procedures which will lower
_ the likelihood of an overpressure event._ __
212.15 Expand and clarify your discifsTifof the leakage detection system.
~
(5.2)
Include-a discussiorr of the system relative to each of the positions of Regulatory Guide 1.45.
Provide diagrams showing the placement and design of tne containment floor drain step and their corresponding weir boxes.
212.16 You state that equipment leakage is routed through the floor drain system (5.2) to the identified leakage weir box. Provide a discussion on what leakage paths are considered identified leakage. Explain why all leakage into the containment from the RCS will be channeled into the weir box. Provide diagrams of the containment showing that for any RCS leakage location, fluid will be directed to the unidentified leakage weir box.
-212.17 Do t W ii boxes communicat idire M y with the containment atmosphere?
~~
~
~
~
~
(5.2)
If they do, what prevents fluid from the identified leakage paths from flash-ing, raising the containment humidity and swamping out any small unidenti-fied leakage effect from being seen by the dew point instrumentation?
212.18
-It'ifnot ifeir ihat the systems Weitfiei the ide'ntified or unidentifie'd
~
~
~
~
leakage weirt boxes have sufficient sensitisity to meet the detection requirements of Regulatory Guide 1.45. Provide design details to allow for staff evaluation of the system's sensitivities. Also discuss the calibration procedures which will verify that the desired sensitivity
.._ __ _ _is_obtained.
___m___._.
212.19 You stata that the reactor cavity sump will alarm at'one GPM above the (5.2) normal rate. What is this normal rate? What leakage sources are expected to end up in this' sump?
212.20 Provide design information on the particulate and gaseous containment (5.2) radiation monitors. How do they meet the requirements of Regulatory Guide 1.457 Specifically, indicate the sensitivity of these monitors (i.e., ? what RCS leak rate will they alarm?).
Do their sensitivities vary o a to containment contamination? Do these monitors have control room alarms? How are these detactors calibrated?
F361 342-
212-5 212.21 How do the containment air pressure monitor and the dewpoint and drybulb (5.2) monitor meet the requirements of Regulatory Guide 1.45? Are alarms pro-vided for these systems?
212.22 Discuss the seismic qualifications of each leakage detection system which (5.2) will be utilized to detect RCS leakage.
212.23 You have provided no information on how intersystem leakage, as from the (5.2)
RCS into interfacing systems such as the RHR, LPIS, SIS, and CVCS will be detected.
Identify each interfacing system and indicate how intersystem leakage will be identified and what sensitivities the detection system will have.
212.24 In Section 5.4.7.1 it states that each RHR discharge line includes a (5.4.7) relief valve capable of relieving all possible backleakage through the isolation check valves. How was this maximum creditable backleakage arrived at? What is the relief capacity of these safety valves?
212.25 In Section 5.4.1.3.1, you discuss the consequences of failure of the (5.4)
- 1 seal on a reactor coolant pump, and state that significant leakage is prevented by the #2 seal, if the plant operator is warned of the seal failure and takes appropriaiie action. Discuss how seal failure is iden-tified, and what time frame the operator has to take remedial action before large leakage occurs.
212.26 In light of the October,1978 failure of the seals in the Salem Generating (5.4)
Station No.13 reactor coolant pump, where 15,000 gallons of primary cool-ant was lost, explain why your design precludes massive seal failure of this kind.
212.27 Assuming total seal failure for one of your reactor coolant pumps, what is (5.4) the maximum leak rate that would be experienced? How long would this leak continue until the operator is alerted? What are the consequences?
212.28 Seal injection flow is often bypassed during startup to provide sufficient (5.4) bearing coolant. Does your plant utilize this feature? If so, how is the operator alerted to the fact that full seal infection flow is required?
If bypass is not stopped, how long until seal damage occurs, and which seals are affected?
212.29 Continued supply of component cooling water is necessary for reactor (5.4) coolant pump cooling. How is the operator alerted to the fact that com-ponent cooling water flow has ceased? When will this alarm occur in relation to flow stoppage? Loss of this flow has the potential of result-ing in a locked rotor event, with fuel failure occurring due to the rapid decay of forced coolant flow and concurrent low DNBR's. Upon loss of component cooling water, how long will the reactor coolant pumps continue to operate? Reference appropriate test results to justify this value.
Discuss what operator actions within what time frame must be completed to prevent the pump from experiencing a locked rotor, assuming loss of component cooling water.
1364
$43
212-6 212.30 In Section 5.4.2.5.2, you state that natural circulation is promoted due (5.4) to steam generator elevation being higher than the core.
In the event of loss of offsite power where loss of forced circulation does occur, how is pressurizer pressure maintained so that saturation pressure is not reached in the reactor coolant vessel? If the pressurizer does not maintain pres-sure and boiling in the reactor coolant system takes place, would vapor collect at the top of steam generator U tubes, causing stoppage of ni. oral circulation flow? What procedures are available to clear out vapor bound U tubes?
212.31 What are the ASME quality group and seisric qualifications of the main (5.4) steamline flow restrictors?
Section 5.4.7 of the FSAR provides insufficient detail on the reactor coolant leakage detection system to allow for staff review.. It is'the staff's position that the design of the Byron /Braidwood plant must conform to the guidance provided by Regulatory Guide 1.45.
All the requirements of that guide should be addressed in your FSAR. Additionally, the following information identified by questions 212.32 to 212.47 is required to enable us to continue our review of Section 5.4.7.
212.32 Following electrical system single failure, you state that limited action (5.4.7) outside the control is necessary to open the suction isolation valves for initiation of RHR cooling. What actions ar'. necessary and where must they be performed? Provide the procedures which the operators will need to use following a postulated failure such as discussed above.
212.33 Discuss the consequences of failure as described below of the RHR system (5.4.7) during shutdown cooling mode of operation. Assuming the RCS was still sealed and only a single train of RHR was operating, what would alert the operator to loss of RHR cooling function. This failure could be the result of inadvertant isolation valve closure (operator error or valve interlock failure) or failure of the single operating RHR pump.
Which alarms would identify the problems? What are the appropriate responses by the operator and in what time frame must they be performed?
212.34 What are the consequences of passive failure of RHR piping during shutdown (5.4.7) cooling? How is this leakage detected? What are the procedures needed to isolate the faulted RHR line, and in what time frame must operator action be taken to protect the core? If one RHR pump is out of service and the alternate train becomes unavailable due to passive failure, what means are available to the operating staff to maintain core cooling? If this event occurs when the steam generators are down due to maintenance, what core cooling methods could be utilized?
212.35 What indicates loss of component cooling water to RHR pumps? Do all of (5.4.7) these instruments meet IEEE 279 requirements? How long could the pumps continue to run following loss of component cooling water without damage?
1364 344
212-7 Assuming a common mode failure was to make component cooling water unavail-able, are there any other water sources and pumps which could supply cooling water to the RHR pumps?
212.36 The NRC Regulatory Requirements Review Committee has recently approved a (5.4.7) new staff position (BTP RSB 5-1) for the residual heat removal system.
The technical requirements of this position for your plant are described below. Your response to these requirements should be in sufficient detail to enable the staff to review your compliance. System parameters assumed should be the most limited parameters allowed by Technical Specifications:
BRANCH POSITION (A) Functional Requirements The system (s) which can be used to take the reactor from normal operating conditions to cold shutdown
- shall satisfy the functional requirements listed below.
(1) The design shall be such that the reactor can be taken from normal operating conditions to cold shutdown
- using only safety grade systems. These systems shall satisfy General Design Criteria 1 through 5.
(2) The system (s) shall have suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available) the system function can be accomplished, assuming a single failure.
(3) The system (s) shall be capable of being operated from the control room with either only onsite or only offsite power available.
In demonstrating that the system can perform its function assuming a single failure, limited operator action outside of the control room would be considered acceptable if suitably justified.
(4) The system (s) shall be capable of bringing the reactor to a cold shutdown condition, with only offsite or onsite power availablo, within a reasonable period of time following shutdown, assuming the most limiting single failure.
" Processes involved in cooldown are heat removal, depressurization, flow circulation, and reactivity control. The cold shutdown condition, as described in the Standard Technical Specifications, refers to a subcriti-cal reactor with a reactt.. coolant temperature no greater than 200*F for a PWR and 212*F for a BWR.
1364 345
212-8 (B) RHR System Isolation Requirements The RHR system shall satisfy the isolation requirements listed below.
(1) The following shall be provided in the suction side of the RHR system to isolate it from the RCS.
(a) Isolation shall be provided by at least two power-operated valves in series. The valve positions shall be indicated in the control room.
(b) The valves shall have independent diverse interlocks to prevent the valves from being opened unless the RCS pres-sure is below the RHR system design pressure.
Failure of a power supply shall not cause any valve to change position.
(c) The valves shall have independent diverse interlocks to protect against one or both valves being open during an RCS increase above the design pressure of the RHR system.
(2) One of the following shall be provided on the discharge side of the RHR system to isolate it from the RCS:
(a) The valves, position indicators, and interlocks described in item 1(a) - (c),
(b) One or more check valves in series with a normally closed power-operated valve. The power operated valve position shall be indicated in the control room.
If the RHR system discharge line is used for an.ECCS function, the power-operated valve is to be opened upon receipt of a safety injection signal once the reactor coolant pressure has decreased below the ECCS design pressure.
(c) Three check valves in series, or (d) Two check valves in series, provided that there are design provisions to permit periodic testing of the check valves for leak tightness and the testing is performed at least annually.
(C) Pressure Relief Requirements The RHR system shall satisfy the pressure relief requirements listed below.
(1) To protect the RHR system against accidental overpressurization when it is in operation (not isolated from the RCS), pressure relief in the RHR system shall be provided with relieving capac-ity in accordance with the ASHE Boiler and Pressure Vessel Code.
The most limiting pressure transient during the plant operating 1364 3'46
212-9 condition when the RHR system is not isolated from the RCS shall be considered when selecting the pressure relieving capacity of the RHR system. For example, during shutdown cooling in a PWR with no steam bubble in the pressurizer, inadvertent operation of an additional charging pump or inadvertent opening of an ECCS accumulator valve should be considered in selection of the design bases.
(2) Fluid discharged through the RHR system pressure relief valves must be collected and contained such that a stuck open relief valve will not:
(a) Result in flooding of any safety-related equipment.
(b) Reduce the capability of the ECCS below that needed to mitigate the consequences of a postulated LOCA.
(c) Result in a non-isolatable situation in which the water provided to the RCS to maintain the core in a safe condition is discharged outside of the containment.
(3) If interlocks are provided to automatically close the isolation valves when the RCS pressure exceeds the RHR system design pres-sure, adequate relief capacity shall be provided during the time period while the valves are closing.
(D) Pump Protection Requirements The design and operating procedures of any RHR system shall have provisions to prevent damage to the RHR system pumps due to overheat-ing, cavitation or loss of adequate pump suction fluid.
(E) Test Requirements The isolation valve operability and interlock circuits must be designed so as to permit on line testing when operating in the RHR mode.
Testability shall meet the requirements of IEEE Standard 338 and Regulatory Guide 1.22.
The preoperational and initial startup test program shall be in conformance with Regulatory Guide 1.68.
The programs for PWRs shall include tests with supporting analysis to (a) confirm that adequate mixing of borated water added prior to or during cooldown can be achieved under natural circulation conditions and permit estimation of the times required to achieve such mixing, and (b) confirm that the cooldown under natural circulation conditions can be achieved within the limits specified in the emergency operating procedures.
Comparison with performance of previously tested plants of similar design may be substituted for these tests.
1364 347
212-10 (F) Operational Procedures The operational procedures for bringing the plant from normal operating power to cold shutdown shall be in conformance with Regula-tory Guide 1.33.
For pressurized water reactors, the operational procedures shall include specific procedures and information required for cooldown under natural circulation conditions.
(G) Auxiliary Feedwater Supply The seismic Category I water supply for the auxiliary feedwater system for a PWR shall have sufficient inventory to permit operation at hot shutdown for at least four hours, followed by cooldown to the condi-tions permitting operation of the RHR system. The inventory needed for cooldown shall be based on the longest ecoldown time needed with l
either only onsite or only offsite power available with an assumed single failere.
212.37 The RHR miniflow bypass lines allow bypass flow when RHR pump discharge (5.4.7) flow is insufficient. At what frequency is the operability of these mini-flow lines verified? What assurances are available to the operating staff that the miniflow isolation valves are not misaligned due to operator error?
212.38 Discuss the potential for exceeding the allowable cooldown rate of the RHR (5.4.7) and the reactor coolant system during the shutdown cooling mode of opera-tion assuming loss of the nonsafety grade instrument air system which controls the RHR heat exchanger outlet and bypass valves.
Failure of the RHR heat exchanger bypass valves in the closed position would cause loss of bypass flow with the possibility of exceeding the allowable cooldown rate. The resulting stresses on the piping systems must be assessed.
212.39 What precautions are taken to prevent icing or other blockage of the RWST (5.4.7) vent? Failure of this vent when water is being drawn from the tank could result in tank collapse if tank vacuum is not relieved.
In addition, pro-vide the minimum and maximus RWST water temperatures assumed in the Chapter 15 safety analyses, and what means are available to assure that RWST temperatures remain within this band.
212.40 On page 5.4-28 of the FSAR you list three RHP isolation valve interlocks.
(5.4.7)
Provide functional reasons for each interlock und their electrical qualifications.
212.41 The RHR miniflow bypass isolation valves are interlocked to pump discharge (5.4.7) flow. Has this feature been used on any other Westinghouse plant? Provide the logic circuitry of these interlocks, and describe the sensors which feed them. What are the electrical qualifications of these interlocks?
Could any equipment single failure, or abnormal flow condition result in spurious closing of these valves? This event could cause damage to the RHR pumps due to insufficient flow and assurance must be provided that defeat of both miniflow bypass valves is not a credible event.
13M 348
212-11 212.42 Assuming the most severe overpressure transient at low temperature, will (5.4.7) system relief capacity be adequate to prevent RHR pressure from exceeding 110% of design? Justify your choice of the most severe overpressure inci-dent at low temperature considering e'/ents which have occured in operating reactors.
212.43 On page 5.4-31 of the FSAR you state that the RHR discharge is protected (5.4.7) by a motor operated valve and two check valves in series. Yet on page 5.4-26 you state that the motor valve is normally open.
Explain this discrepancy.
212.44 Section 5.4.7.2.5 states that the Auxiliary feedwater system can perform (5.4.7) shutdown cooling for an extended period of time. Discuss water sources which are available to the Auxiliary feedwater system, the quantity of each source and the duration of shutdown cooling they would provide.
212.45 On page 5.4-32 you indicate that alternate power sources besides the (5.4.7) diesel generators can be used to open the RHR suction valves after loss of offsite power. Describe these alternate power sources, and what actions are necesrary to initiate them.
212.46 Table 5.4-10 refers to a pressurizer relief valve interlock at 2185 psig.
(5.4.7)
Provide the purpose for this interlock.
If Byron-Braidwood uses a dual set point relief valve to provide water solid overpressurization protection as many Westinghouse plants have, discuss how this system could operate with your relief valve interlock. Would any interlock disabling system be single failure proof so that the overpressure protection system would not be defeated following failure of the interlock disabling switch?
212.47 Table 5.4-16 indicates that pressurizer valve flow rates are given for (5.4.7) saturated steam.
Provide saturated liquid flow rates for both the pres-surizer relief and safety valves. This data will be necessary to svaluate water solid overpressure protaction for Byron-Braidwood.
212.48 Certain operator actions (both short term and long term) are required for (6.3) the various modes of operation of the ECCS to mitigate the consequences of the following events:
steam line break, small LOCA, large LOCA.
For each of these modes of operation, provide the following additional information:
(1) List any operator actions required.
(2) Discuss alarms / indications available to the operator that would lead him to take the cppropriate actions.
(3) Discuss the time interval assumed in the FSAR analyses between the time the operator is alerted to a condition by these alarms / indica-tions and the time that he is assumed to perform the action.
1364 349
212-12 212.49 In Section 6.3, you do not provide sufficient detail regarding the NPSH (6.3) calculation for ECCS pumps. Provide the analysis you conducted to deter-mine that adequate NPSH is available for these pumps. Justify your assump-tions regarding: minimum containment water level, friction losses in piping, sump screen losses, and assumed ECCS flow rates. Are pump flows and corresponding NPSH requirement based on runout flows resulting from the most limiting single failure? Identify this limiting failure.
212.50 Provide a list of manual valves in the ECCS system which have position (6.3) indication.
Indicate which manual talves, through mispositioning, could result in the defeat of redundant safety trains.
212.51 Provide a discussion on excessive boron concentration in the reactor (6.3) vessel and hot leg recirculation flushing related to long-term cooling following a LOCA. During hot leg injection, what will be the minimum expected flow rate in the hot leg, and what is the required ficw rate to match boil-off?
The staff position concerning boron dilution is as follows:
(1) The baron dilution function shall not be vulnerable to a single active or limited passive failure (i.e., leakages of seals).
Specifically, the limiting single active failure should be considered during the short-term period of cooling. During the long-term period of cooling, the limiting single active failure should be considered and so should a limited passive failure be considered but not necessarily in conjunction with each other.
(2) The inadvertent operation of any motor-operated valve (open or closed) shall not compromise the baron dilution function nor shall it jeopardize the ability to remove decay heat from the primary system.
(3) All components of the system which are within containment shall be designed to Seismic Category I requirements and classified Quality Group B.
(4) The primary mode for maintaining acceptable levels of baron in the vessel should be established.
Should a single failure disable the primary mode, certain manual actions outside the control room may be allowed, depending on the nature of the action and tt'e time available to establish the backup mode.
(5) The average boric acid concentration in any region of the reactor vessel should not exceed a level of four weight percent below the solubility limits at the temperature of the sqlution.
(6) During the post-L0iA long-term cooling, the ECC system normally operates in two modes: the initial cold leg injection mode, followed by the dilution mode. The actual operating time in the cold leg injection mode will depend on plant design and steam binding consid-erations, but in general, the switchover to the dilution made should be made between 12 and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after LOCA.
1%i 350
212-13 (7) The minimum ECCS flow rate delivered to, the vessel during the dilution mode shall be sufficient to accommodate the boil-off due to fission product decay heat and possible liquid entrainment in the steam dis-charged to the containment and still provide sufficient liquid flow through the core to prevent further increases in boric acid concentration.
(8) All dilution modes shall maintain testability comparable to other ECCS modes of operation (HPI-short term, LPI-short term, etc.). The current criteria for levels of ECCS testability shall be used as guidelines (i.e., Regulatory Guides 1.68, 1.79, GOC 37).
Discuss your conformance to this positiot 212.52 Discuss in detail how your preoperational test program for the ECCS will (6.3) conform to the recommendations of Regulatory Guides 1.68 and 1.79.
Specif-ically, include the procedures which will be used to verify nominal and runout ECCS flow, pump cnaracteristics, piping losses and verification that each check valve in the system is capable of performing both its isolation and flow function.
212.53 In a post-LOCA situation, when the ECCS system is in recirculation cooling (6.3) mode, discuss the consequences of the largest credible passive failure of the LPI system. Indicate how the failed train is identified, and how much time is available for operator action before the redundant train is in jeopardy.
Provide assurance that isolation of the failed train could be accomplished within this period.
212.54 Recently, a similar plant has indicated that a design error existed in the (6.3) sizing of their RWST. This error was discovered during a design review of the net positive suction head requiremnts for the containment spray and residual heat removal pumps. The review showed that there did not appear to be sufficient water in the RWST to complete the transfer of pump suctions from the tank to the containment sump, before the tank was drained and ECCS pump damage occurred.
It was reported that in addition to the water volume required for injection following a LOCA, an additional volume of water is required in the RWST to account for:
(1) Instrument error in RWST level measurements (2) Workina allowance to assure that normal tank level is sufficiently above the minimum allowable level te assure satisfaction of technical specifications (3) Transfer allowance so that sufficient water volume is available to supply safety pumps during the time needed to complete the transfer process from injection to recirculation.
\\)hh
'212-14 (4) Sinnie failure of the ECCS system wt.Sh would result in larger volumes of water being needed for the transfer process.
In this situation, the worst single failure appears to be failure of a single ECCS train to realign to the containment sump upon low RWST signal. This results
- 1 the continuation of large RWST outflows and reduces the time
_sailable for manual recirculation switchover, before the tank is drawn dry and the operating ECCS pumps are damaged.
(5) Unusable volume in the tank is present because once the tank suction pipes are reached, the pumps lose suction and any remaining water is unusable. Additionally, some amount of water above the suction pipes may also be unusable due to NPSH considerations and vortexing tenden-cies with the tank.
Preliminary indications are that approximately an additional 100,000 gallons of RWST capacity were needed to account for these considerations.
It is our understanding that the design parameters for instrument error, transfer allowance and single failure have changed since the original sizing of the tank.
In light of the above information, discuss the adequacy of your Refueling Water Storage Tank. Provide a discussion of the necessary water volumes to accomodate each of the five considerations indicated above. Justify your choice of volumes necessary to account for each consideration.
Pro-vide drawings of your RWST, showing placement and elevation of tank suction lines, and level sensors. Also, provide operator switchover procedures for aligning to the recirculation mode, with estimates of the time required for each action.
212.55 In Section 6.3.3 it is stated that the most severe core depressurization (6.3) event is associated with the inadvertent opening of single steam dump, relief or safety valve. Provirle a Failure Modes and Effects Analysis which substantiates your claim that a single failure could not result in the inadvertent opening of mora than one valve.
212.56 In Section 6.3.4.2 you descriLt the leak testing of check valves which (6.3) form the isolation boundary between high pressure and low pressure systems.
Only safety injection pump cold legs and RHR pump cold legs infection lines have check valves which will be leak tested. The staff finds this position unacceptable, and will require that all connected systems whose design pressure is below RCS pressure be protected by multiple leak tested isolation valves. The staff position on this issue is given below.
Interfaces between high and low pressure systems having two or more valves in series must be leak tested periodically.
The interfaces of interest are those between the reactor coolant system (RCS) and other systems whose design pressure is less than the rated RCS pressure. This includes systems which are rated at full reactor pressure 1364 352
212-15 I
on the discharge side of pumps, but have pump suction piping rated below RCS design pressure.
The & valves will be classified as Category A as described in Section XI Subsection IW of the ASME Pressure Vessel Code.
The frequency of leak testing of these isolation valves will be:
(a) For the RHR, Hot and Cold Leg LPI, LPCS and any other system rated at less than 50% of RCS design pressure, the testing frequency will be each time the valves are disturbed because of flow in the line.
(b) For all systems, once per refueling.
All leak tests will be performed just prior to resuming power operation as the plant is pressurized, and subsequent to the most recent cycling of the valve.
The Class 1 to Class 2 boundary will be considered the isolation point which must be protected by redundant isolation valves.
In cases where pressure isolation is provided by two valves, both will be independently leak tested. When three or more valves provide isolation, only two of the valves need to be leak tested.
Discuss how your testing program will conform to the above position.
Provide a list of all valves which will be categorized as "A" or "AC", and verify that leak testing connections are available for individually testing each of these valves.
212.57 Describe the instrumentation for level indication in the recirculation sump.
(6.3)
Also, provide detailed design drawing of the containment recirculation sump, including the design provisions which preclude the formation of air entrain-ing vortices during recirculation cooling.
Discuss the anti-vortex criteria which was utilized during the sump design.
212.58 The staff will require verification that no vortexing tendencies exist in (6.3) the recirculation sump. Discuss the full scale preoperational tests which will show that under prototypical post LOCA conditions, no adverse flow conditions will occur which could degrade ECCS pump performance.
In lieu of full scale in plant tests, a scale model sump test may be acceptable to the staff.
If you chose to conduct a scale model test, provide details of the test program.
Include information of the model size, scaling principles utilized, comparison of model parameters to expected post LOCA conditions, and a discussion on how all possible flow conditions and screen blockages dll be considered in the model tests. The applicant should be advised that due to scaling problems, the staff will require that model tests indi-cate considerable margin is available in respect to vortexing tendencies.
Rotational flow patterns and surface dimples which might be acceptable in full scale tests, probably would not be accepted in a model program.
1364 353
212-16 212.59 Table 6.3-7 provides the sequence of changeover from injection to (6.3) recirculation. Provide a time reference for each action given in this table.
Indicate the time required to complete each action, and what other duties the operator would be responsible for at this point in the postu-lated accident. How much time does the operator have to realign the SI and charging pumps before RWST water is exhausted. Consider the required NPSH for these pumps in your answer.
Identify the most restrictive single failure (such as operator failure to close the RWST isolation valve) which would impact the time which the operator has to realign the SI and charging pumps. What impact would this single failure have on the nominal times given in the revised Table 6.3-77 212.60 Table 6.3-4 indicates that the Technical Specifications should be referred (6.3) to for missing information. Provide the Byron-Braidwood Technical Specift-cations, or the missing information from that table.
212.61 Operator mispositioning of Valve 8802 A or B would appemtly result in (6.3) hot leg injection following SI initiation. Previde me a to assure that these valves will always be in the closed position dv% II initiation.
Administrative controls and alarms alone will not be sa ficient for this purpose.
212.62 Spurious actuation or misposition of Valve 8835 would terminate all cold (6.3) leg injection flow.
Provide means to assure that this valve does not iso-late during actuation of the safety injection system.
Position alarms alone do not provide sufficient assurance.
212.63 What is the design pressure of the SI and charging pump suction lines?
(6.3) 212.64 Provide details of the procedures and methods to keep the ECCS lines (6.3) filled to prevent water hammer and possible damage to pipes and components when the ECCS is actuated.
212.65 A recently reported event has raised a question regarding the conservatism (6.3) of NPSH calculations and whether the absolute minimum available NPSH has been considered.
In the past, the required NPSH has been taken by the staff as a fixed number supplied through the applicant by either the architect engineer or the pump manufacture.r.
Since a number of methods exist and the methods used can affect the suitability or unsuitability of a particular pump, it is requested that Byron-Braidwood provide the basis on which the required NPSH was determined (i.e., testing, Hydraulic Institute Standards) for all the ECCS pumps and on the estimated NPSH variability between similar pumps including test inaccuracies.
212.66 Recent plant experience has identified a potential problem regarding the (6.3) long-term reliability of some pumps used for long-term core cooling fol-lowing a LOCA.
For all pumps that are required to operate to provide
)b k
b
212-17 long-term core cooling, provide justification that the pumps are capable of operating for the required period of time. This justification could be based on previous testing or on previous operational experience of identi-cal pumps. Differences between expected post-LOCA conditions and the conditions during previous testing or operational experience cited should be justified (i.e., water temperature, debris, water chemistry).
212.67 Provide a list of all actia components which are required for operation (6.3) of the ECCS. Provide safety and seismic classification for each component and indicate what services such as cooling, lube oil and air are necessary for the proper fur.ctioning of each component.
212.68 Indicate what instrumentation is needed to control and monitor ECCS (6.3) performance following an accident. What process and control instrumenta-tion is lost in the control room following loss of offsite power? Is the plant ccmputer available following loss of offsite power?
212.69 Following a spurious safety injection initiation signal, how long must the (6.3) operator wait until the SIS can be reset? Assuming a loss of offsite power occurred after the SIS was reset, will essential loads be picked up automatically? If not, what procedures does the operator have to assure that essential equipment is loaded onto the emergency generators?
212.70 A minimum flow bypass line is provided on each safety injection (SI) pump (6.3) discharge to recirculate flow to the refueling water storage tank (RWST) in the event the pumps are started with the normal injection flow paths unavailable. Normal injection paths could be unavailable for the situa-tion if inadvertent actuation of safety injection while the RCS is at normal operating pressure or in the event of a small LOCA during the period when RCS pressure remains above the shutoff head of the pumps.
The minimum flow bypass line for each pump contains a single motor-operated valve. Downstream of these motor-operated valves the miniruum flow bypass lines join and are connected to a single line which terminates in the RWST.
In this single line is a single motor-operated valve (8813).
If Valve 8813 should close while SI pumps are running with the normal injection flow paths unavailable, both SI pumps could be damaged as a result.
Demonstrate that no pump damage will occur as a consequence of the closure of this valve or modify the design of the minimum flow bypass lines. Any proposed design must ensure that (1) no single failure can result in the loss of degradation of both SI pumps and (2) no single failure results in not being able to isolate the RWST during the recirculation phase following the postulated LOCA.
212.71 Discuss what means are available to assure that proper positioning of air (6.3) operated valves during LOCA and RHR cooling.
1364 355
212-18 212.72 Assuming the control room becomes uninhabitable, could the plant be brought (6.3) from power operation to cold shutdown from outside the control room?
Describe what actions can be taken to reach cold shutdown and the location of the required equipment.
212.73 Identify any lengths of ECCS and RCS piping which have normally closed (6.3) valves, that do not have pressure relief in the piping section between the valves.
212.74 Identify all ECCS LOCA related instruments, valve and valve motors which (6.3) are expected to be flooded following a postulated LOCA.
For any ECCS or RHR valve motors which are submerged following a LOCA, evaluate the conse-quences of spurious activation of the valves.
212.75 Does Byron-Braidwood utilize a Boric Acid Injection Tank (BIT)? If so (6.3) describe this tank and the methods which will be utilized to preclude Baron precipitation in SIS lines.
If no BIT is included in the design, explain the impact of this considerable design change which was made following issuance of a construction permit.
1364 356
421-3 421.0 QUALITY ASSURANCE BRANCH 421.6 Clarify whether the stop work authority delegated to the QA (17.2.1) organization is delineated in writing.
421.7 RSP The description on page 1-7 of the Commonwealth Edison Company (17.2.1)
(CECO) Topical Report for the position of the Manager of Quality Assurance does not completely satisfy our current guidelines.
It is a staff position that the qualification requirements of the Manager include:
Management experience through assignments to responsible a.
positions.
b.
Knowledge of QA regulations, policies, practices, and standards.
c.
Experience working in QA or related activity in reactor design, construction, or operation or in a similar high technological industry.
More specifically, the qualifications of the QA Manager should be at least equivalent to those described in Section 4.4.5 of ANSI /
ANS-3.1-1978, " Selection and Training of Nuclear Power Plant Personnel."
421.8 Describe measures which assure that the scope of the QA program (17.2.2) includes the identification of structures, systems, and components and related consumables covered by the QA program, and controlled measures identifying personnel authorized to approve changes to this list and methods controlling its distribution.
421.9 Describe those provisions for notifying NRC of changes (1) for
( 17. 2. 2) review and acceptance in the accepted description of the QA program as referenced in the FSAR prior to implementation, and (2) in organizational elements within 30 days after announcement.
(Note -
editorial changes or personnel reassignments of a nonsubstantive nature do not require NRC notification.)
421.10 Describe provisions which assure that procedures are established
( 17.2. 3) to assure that verified computer codes are certified for use and that their use is specified.
.j 3() k
e 421-4 421.11 Describe measures which assure that responsible plant personnel
( 17.2.3) are made aware of design changes / modifications which may affect the performance of their duties.
421.12 Describe whether the scope of the document control program includes
( 17.2.3) as-built drawings and provisions to assure as-built drawings are kept updated, properly maintained, and controlled.
421.13 Describe measures which assure that maintenance, modification, and (17.2.6) inspection procedures and other QA related' documents are reviewed by independent, qualified personnel knowledgeable in QA disciplines (nonnally the QA organization) to determine:
a.
The need for inspection, identification of inspection personnel, and documentation of inspection results.
b.
That the necessary inspection requirements, methods, and acceptance criteria have been identified.
421.14 Describe measures which assure that controls are established and 07.2.8) described to identify and control materials (including consumables),
parts, and components, including partially fabricated subassemblies.
The description should include organizational responsibilities.
421.15 Describe measures which assure that inspection procedures, instructions, (17.2.10) or checklists specify the necessary measuring and test equipment, including the accuracy requirements, as required and determined by QA or by a qualified individual knowledgeable in QA/QC.
421.16 Describe measures which assure that when inspections associated with (17.2.10) normal operations of the plant (such as routine maintenance, surveillance, and tests) are performed by individuals other than those who performed or directly supervised the work, but are within the same group, the following controls are met:
a.
The quality of the work can be demonstrated through a functional test when the activity involves breaching a pressure retaining item.
b.
The qualification criteria for inspection personnel are reviewed and found acceptable by the QA organization prior to initiating the inspection.
421.17 Describe provisions which assure that program procedures provide (17.2.11) criteria for detennining the accuracy requirements of test equipment and criteria for determining when a test is required or how and when testing activities are perfonned.
421.18 Describe provisions which assure that the storage of chemicals, (17.2.13) reagents (including control of shelf life), lubricants, and other consumable materials is controlled.
1364
$58