ML19254E117

Safety Evaluation Re ECCS Single Failure Analysis
Site: Arkansas Nuclear
Issue date: 10/12/1979
From: Office of Nuclear Reactor Regulation
Shared Package: ML19254E118
References: NUDOCS 7910310115


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION CONCERNING THE EMERGENCY CORE COOLING SYSTEM SINGLE FAILURE ANALYSIS

ARKANSAS POWER & LIGHT COMPANY
ARKANSAS NUCLEAR ONE, UNIT NO. 1 (ANO-1)

DOCKET NO. 50-313

I. Introduction

Amendment No. 21 to Facility Operating License No. DPR-51 for Arkansas Nuclear One - Unit No. 1 (ANO-1) to Arkansas Power and Light Company (AP&L or the licensee) was issued March 31, 1977. This amendment incorporated modified operating limits in the Technical Specifications based upon an evaluation of emergency core cooling system (ECCS) performance calculated in accordance with an acceptable ECCS evaluation model that conforms with the requirements of Appendix K of 10 CFR Part 50 and as required by the Commission's Order for License Modification dated December 27, 1974, with one exception. The Commission's analysis of electrical single failure criterion was still under consideration and subject to a separate review. The licensee, in response to our request for additional information (Reference 1) and later our requests for information in specific areas, submitted data (References 2 through 9) relating to the facility modifications and procedural changes and other information necessary to permit completion of an evaluation of the electrical and instrumentation subsystems of ECCS against the single failure criterion.

This Safety Evaluation discusses our review of the aforementioned ANO-1 documentation submitted by the licensee.

II. EVALUATION

We have performed an evaluation of the Arkansas Nuclear One, Unit 1 Plant ECCS in the following specific areas:

1. Emergency Core Cooling System Actuation System
2. Onsite Emergency Power System
3. Electrical Equipment Qualifications
4. Submerged Electrical Equipment
5. Electrically Operated Fluid System Components
6. Single Failure Criterion
7. Electrical Interlocks
8. Electrical and Physical Separation Criteria

A. Emergency Core Cooling System Actuation System

The Emergency Core Cooling System (ECCS) actuation system is part of the Engineered Safety Features Actuation System (ESFAS) which is a protection system that initiates operation of various engineered safety features equipment to mitigate the consequences of a loss-of-coolant accident. The ESFAS monitors two variables, low reactor coolant pressure and high reactor building pressure, to detect loss of reactor coolant system or the secondary system (inside containment) boundary integrity. The ESFAS is a two-out-of-three coincidence logic system. The system is comprised of three redundant and independent analog subsystems. The analog subsystems supply two redundant and independent digital subsystems, each capable of initiating the required Engineered Safety Features (ESF) through five actuation groups. The emergency core cooling portion of the ESF actuated by the (ESFAS) consists of High Pressure Injection (HPI) and Low Pressure Injection (LPI) systems.
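The single-failure argument for the architecture described above can be checked by enumeration. The following is an added example, not taken from this evaluation or from BAW-10003: the component names and the failure modes (an analog channel stuck tripped or stuck untripped, a digital subsystem that fails to actuate) are assumptions, and the demand is modeled as one boolean rather than the two monitored pressures.

```python
from itertools import combinations, product

# Assumed names for the three analog and two digital subsystems.
ANALOG = ("A1", "A2", "A3")
DIGITAL = ("D1", "D2")

# Assumed failure modes considered in this illustration.
MODES = {
    **{a: ("stuck_tripped", "stuck_untripped") for a in ANALOG},
    **{d: ("fails_to_actuate",) for d in DIGITAL},
}


def system_actuates(demand, faults=None):
    """Return True if at least one digital subsystem initiates actuation.

    demand: True when the monitored process condition calls for actuation.
    faults: dict mapping a component name to its assumed failure mode.
    """
    faults = faults or {}
    trips = 0
    for ch in ANALOG:
        mode = faults.get(ch)
        if mode == "stuck_tripped":
            trips += 1                    # failed channel always votes "trip"
        elif mode is None and demand:
            trips += 1                    # healthy channel follows the process
        # a stuck_untripped channel never votes
    vote = trips >= 2                     # two-out-of-three coincidence
    # Each digital subsystem sees all three analog outputs and can
    # initiate actuation on its own unless it has failed.
    return any(vote and faults.get(d) != "fails_to_actuate" for d in DIGITAL)


def failure_sets(n):
    """Yield every combination of n simultaneous faults on distinct components."""
    for comps in combinations(MODES, n):
        for modes in product(*(MODES[c] for c in comps)):
            yield dict(zip(comps, modes))


def analyse(n):
    """Return (missed, spurious) fault sets for n simultaneous failures.

    missed:   fault sets that prevent actuation when there is a demand.
    spurious: fault sets that cause actuation when there is no demand.
    """
    missed = [f for f in failure_sets(n) if not system_actuates(True, f)]
    spurious = [f for f in failure_sets(n) if system_actuates(False, f)]
    return missed, spurious


if __name__ == "__main__":
    for n in (1, 2):
        missed, spurious = analyse(n)
        print(f"{n} failure(s): {len(missed)} defeat actuation, "
              f"{len(spurious)} cause spurious actuation")
        for f in missed:
            print("  missed  :", f)
        for f in spurious:
            print("  spurious:", f)
```

With one failure the lists are empty, which is the single failure criterion for this model; the two-failure run shows where the margin ends.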

Topical Report, BAW-10003 "Qualification Testing of Protection System Instrumentation" (Rev. 4, January 1976) contains the single failure analysis of Babcock & Wilcox's (B&W) Engineered Safety Features Actuation System (ESFAS) used to initiate all ECCS. Although the ANO-1 ESFAS equipment was required to be designed to IEEE-279-1968 rather than IEEE-279-1971, BAW-10003 has been generically accepted by the NRC (Ltr. A. Schwencer to K. E. Suhrke dated October 10, 1975), for plants required to meet both the 1968 and 1971 versions of IEEE-279.

It should be noted that, with respect to single failures, the 1968 and 1971 versions of IEEE-279 differ only in treatment of protection-control interfaces, and ESFAS has no such interfaces. Therefore, the statement of single failure requirements applicable to ANO-1 is identical in both IEEE-279-1968 and IEEE-279-1971 and no changes are proposed for the ANO-1 ESFAS.

Based upon a review of the information the licensee has provided and of the previous evaluation of this system at the operating license review stage, we have determined that the original design meets the single failure criterion and present staff requirements; and, therefore, is acceptable.

B. Onsite Emergency Power System

The onsite emergency power system supplies electrical power to the engineered safety features equipment whenever there is a partial or a total loss of offsite power, and is comprised of two redundant and independent distribution systems.

Each distribution system includes 4160, 480, and 120 volt (a.c.) load centers powered by a 4160 volt, 2600 kw diesel generator; a d.c. distribution center powered by a 125 volt battery and battery bank charger unit (a third charger can serve either d.c. bus); and two inverters.

The ECCS safety loads are distributed evenly between the two distribution systems with the exception of the third high pressure injection pump and the third service water pump. These pumps can be powered from either Train A3 or Train A4 distribution system through separate breakers. The selection of the power feed will be accomplished manually through interlock bus-transfer switches which prevent interconnection of the power supplies.

In addition, there is a single 480V motor control center which can be manually connected to either one of the distribution systems through a mechanically interlocked transfer switch. The discussion of the review of these interlocks is contained in Section F below.

The onsite electrical power distribution systems satisfy the recommendations of Regulatory Guide 1.6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems."

Each distribution system is capable of furnishing power to equipment load groups which meet the minimum requirements to safely shutdown the reactor. Furthermore, each system is capable of providing sufficient electrical power to all functions necessary to operate the systems which mitigate the consequences of a loss-of-coolant accident.

Based on the above, we conclude that the onsite emergency power system meets the single failure criterion and is acceptable.

C. Electrical Equipment Qualification

The qualification requirements for safety-related equipment are a measure of the equipment's ability to withstand the design basis environmental and seismic conditions.

The licensee documented with the exception of radiation that all safety related motors, cables, instruments and other equipment located inside the containment which must operate during and subsequent to an accident, will be capable of function under the following post accident conditions: temperature 285°F, pressure 59 psig, and humidity 100%.

An environmental and seismic qualification program was implemented by the NSSS manufacturer, for confirming that all safety-related instrumentation located in the containment would satisfy the above listed LOCA conditions. This qualification program (B&W topical report BAW-10003 "Qualification Testing of Protection System Instrumentation") has demonstrated by testing the operability of the instrumentation and electrical equipment under LOCA conditions inside containment. The level of radiation to which the instruments were exposed in BAW-10003 was 2 x 10* roentgens. This level of radiation exposure satisfied the criteria then current for the period of construction phase of this plant. However, this level of radiation exposure is presently being evaluated under the review of IEB 79-01. Until this issue is resolved, it will remain as an "open" issue subject to a separate review. On the basis of documentation and acceptance by the staff of Topical Report BAW-10003, we have concluded with the exception of the "open" issue that the equipment located inside the containment is environmentally qualified.

The licensee has documented in the FSAR that the seismic testing program meets the requirements of IEEE Standard 344-1971, "Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations."

The seismic qualification program under B&W 10003 confirmed that all seismic Category I instrumentation and electrical equipment will operate properly during an SSE and post-accident conditions. This qualification program has demonstrated by testing the operability of the instrumentation and electrical equipment under SSE conditions. On the basis of documentation in the FSAR and acceptance by the Staff of Topical Report BAW-10003, we have concluded that the seismic design of this equipment is acceptable.

D. Submerged Electrical Equipment

The licensee's analysis has shown that the maximum depth of water which can accumulate in the primary containment building following a LOCA will be 8'-9". This yields an upper elevation of water in the containment of 345'-3" (bottom of the containment building is elevation 336'-6"). No other motor-operated valves are located between elevation 345'-3" and elevation 357'-0", thus a very conservative depth of water of 20.5 feet may be considered.

The licensee has surveyed the primary containment building, and all the electrical equipment which is located below the LOCA flood level (elevation 345'-3") has been identified and is discussed below:

1. Submerged Motor-Operated Valves Required for ECCS

The licensee has listed in submittals dated July 9, 1975 and August 3, 1976 those motor-operated valves required to operate for short or long term cooling located inside containment that could become submerged following a LOCA. These valves are:

CV-1050 reactor coolant hot leg loop A to DHRS
CV-1410 reactor coolant hot leg loop A to DHRS
CV-1414 reactor building sump to DHRS
CV-1415 reactor building sump to DHRS

Valves CV-1050 and CV-1410 are normally closed. Following a LOCA, these valves may be required to circulate borated water to prevent boron precipitation. Fully qualified submersible valve operators have been purchased and installed on valves CV-1050 and CV-1410. They are qualified to operate submerged after being exposed to the LOCA environment.

Valves CV-1414 and CV-1415 are normally open. Following a LOCA these valves are required to operate (open and close) for long term ECCS functions. CV-1414 and CV-1415 and their related raceway are fully submersible, and are qualified to operate submerged following a LOCA.

The licensee has documented that the Rotork submersible valve operators for valves CV-1050, CV-1410, CV-1414, and CV-1415 were designed to remain functional in a submerged condition for 30 days with a maximum fluid temperature of 271°F decaying to 130°F in 30 days, and at a maximum pressure of 53 psig decaying to 5 psig in 30 days. Qualification tests for this type operator were done at a maximum pressure of 70 psig and a maximum temperature of 370°F. The valve operator was submersed in a solution of the same chemistry as the reactor building spray for 30 days with no failure. These valves can be depended upon to operate for at least 30 days under post accident conditions.

We conclude that flooding of motor-operated valves CV-1050, CV-1410, CV-1414 and CV-1415 following a LOCA will not prevent proper operation of the ECCS and are, therefore, acceptable.

2. Submerged Motor-Operated Valves Required for Containment Isolation

The following listed valves which are located below maximum flood elevation inside containment are not required to operate for short or long term ECCS cooling. However, these valves do receive a containment isolation signal.

CV-1214 (N.O.) steam generator letdown cooler outlet valve
CV-1216 (N.O.) steam generator letdown cooler outlet valve
CV-1053 (N.C.) reactor coolant quench tank (T42) discharge isolation valve
CV-1054 (N.C.) sampling line (3/4 inch) isolation valve
CV-4446 (N.C.) reactor building sump connection to auxiliary building sump valve

In those cases, where the valves are open, they close to isolate the containment. These valves are required to operate immediately upon the occurrence of a LOCA, are environmentally qualified for the LOCA environment, and they perform their functions before any appreciable accumulation of water in the bottom of the containment. An auxiliary relay energized by containment isolation signal blocks the "opening" circuits of the valves and precludes spurious opening of the valves. Consequently, the above listed valves are not required to be qualified for submerged operation.

Protective measures have been taken to insure that these valves will not cause loss of vital motor control centers because of electrical faulting at the valve drive motors following submergence. The 480 V MCC combination motor starters are provided with an instantaneous trip element and an overload relay for each phase. This provides containment penetration, motor and cable protection, and the isolation of individual motor circuit faults so as not to affect other MCC loads. The control circuits associated with the 480 V MCC are protected by control circuit fuses to isolate electrical faults and to limit the effects of such electrical short circuits to the circuit involved.

The 120 V ac/125 V dc instrument protection is similar to the power protective circuits with the exception that fuses are used to protect loads. For a fault, the fuse has a faster clearing time than the breaker above it. Thus, selective tripping is assured. It is documented that the breakers have been and are periodically tested against the calculational curves providing operational assuredness.

We conclude that the above designs as discussed for preventing malfunctions of the emergency power systems resulting from submergence of equipment inside containment are acceptable.

E. Electrically Operated Fluid System Components

The following systems were analyzed in accordance with EICSB Branch Technical Position BTP-18, "Application of the Single Failure Criterion to Manually-Controlled Electrically Operated Valves" to determine if a single failure could result in loss of capability to perform a safety function:

1. Service Water System
2. Reactor Coolant System
3. Decay Heat Removal System (low pressure injection)
4. Makeup and Purification System (high pressure injection)
5. Reactor Building Spray System
6. Core Flooding System

These systems were first reviewed to determine those manually-controlled electrically-operated valves which were present and required to satisfy single failure by compliance with BTP EICSB-18. Upon determining these valves, an analysis was performed individually to evaluate the potential consequences of these valves failing in an unsafe position. The determination yielded four valves which could potentially have adverse effects on safety system operation if failure occurred. These valves are as follows:

1. CV2417 core flooding tank vent valve (CF-3A)
2. CV2420 core flooding tank vent valve (CF-3B)
3. CV3823 service water discharge to emergency pond
4. CV3824 service water discharge to flume

The four valves whose improper function could potentially have adverse effects on safety system operation are discussed below.

F. Core Flooding Tank (CFT) Vent Valves

A spurious actuation of the CFT vent valves CV2417 and CV2420 would result in a decrease in CFT pressure. These valves are manually controlled, electrically operated isolation valves. However, each of these valves is equipped with a pressure reducing orifice. This orifice controls the rate at which the CFT pressure decreases. An alarm would occur when the tank depressurized to 585 psig, approximately 15 minutes following valve failure. It has been estimated it would take an additional 15 minutes for the tank to vent below Technical Specification limits (575 psig), allowing more than sufficient time for the valve to be closed manually.

Valves CV2417 and CV2420, which are environmentally qualified for LOCA environment, are not accessible during LOCA. However, dual indication of tank pressure is provided in the control room to detect and alarm (visual and audible) any decrease in tank pressure which may occur due to operator error or electrical fault.

For these reasons it is deemed no modifications are required. We find this acceptable.

G. Service Water Return Valves

The service water return discharges either to the recirculating water discharge flume through valve CV3824 (during normal operation) or to the cooling pond through valve CV3823. These two valves are administratively controlled by operating procedures so that only one of the discharge paths is in service at any particular time.

The inadvertent closure or the single failure of the return valve (CV3823 or CV3824) will result in the loss of cooling for both low pressure injection (LPI) strings and to all ECCS components and provides no discharge for service water. For this reason during operation, procedures require the circuit breaker for the valve in service to be removed from the circuit and tagged. The valve handwheel is also tagged to prevent inadvertent operation.

Inadvertent closure or single failure resulting in the closure of the open service water discharge valve is immediately alarmed in the control room. The alarm is actuated from high differential pressure across service water pumps (2 alarms). Pump discharge pressure (each pump) is indicated in the control room. The service water discharge valve position and service water system flow are also displayed in the control room. This instrumentation allows the operator to evaluate the situation and initiate opening of the alternate discharge path.

Based on racking out of the discharge valve circuit breaker, the redundant alarms in the control room, and other available instrumentation as described in the above analysis, it is concluded that a single failure or operator error will not result in adverse consequences to ECCS performance; and therefore, is acceptable.

H. Electrical Interlocks

Electrical interlocks are used as a means of preventing redundant safety divisions from being tied together thus compromising the electrical independence of redundant power divisions. There are several points in the distribution system which allow for energizing equipment from the redundant power sources. These exist at the various voltage levels: 4160, 480, 120 and 125 (d.c.) and are addressed in the following paragraphs. Interlocks provided at each voltage level satisfy the single failure criterion and the intent of Regulatory Guide 1.6.

1. 4160 Volt Redundant Bus

The two manually operated tie breakers between the two 4160 volt redundant buses are interlocked so that neither breaker can be closed when both emergency buses are supplied from the nonredundant 4160 volt buses (condition during normal operation), or when the two diesel generators are supplying the 4160 volt emergency buses. These interlocks consist of auxiliary contacts on the 4160 volt circuit breakers and interconnecting wiring.

Of the safety loads, a third high pressure injection pump and a third service water pump can be powered from either distribution system through separate breakers. The selection of the power feed will be accomplished manually through interlock bus-transfer switches which prevent interconnection of the power supplies.

2. 480 Volt Load Center Redundant Breakers

The two tie breakers between the redundant load center buses are interlocked so that both breakers cannot be closed when the two redundant load center buses receive power simultaneously through the incoming circuit breakers. These interlocks consist of auxiliary contacts on the 480 volt load center breakers and interconnecting wiring.

3. 480 Volt Motor Control Center Redundant Buses

The redundant MCC buses have no interconnecting tie breakers, with the exception of one common MCC (B5C) which receives power from the load center redundant buses through breakers and a transfer switch. Assurance against interconnection of redundant emergency buses via the common MCC is accomplished by the manually operated transfer switch which can only be in one or the other position enabling power supply from one or the other load center emergency bus.

4. 120 Volt, A.C. Redundant Buses

Power supply to the 120 volt instrument AC distribution panels is accomplished from either motor control center redundant bus. The tie breakers between the two instrument AC distribution panels are normally open and are provided with keyed locks.

5. 125 Volt, D.C. Redundant Buses

The two redundant DC buses, supplied from separate batteries, have tie connections through manually operated breakers and transfer switches. The redundant buses cannot be interconnected since the manually operated transfer switch has one contact open when the other contact is closed. In addition to the battery chargers which separately supply the redundant DC buses, there is one common battery charger which can be used to charge either battery, but not both simultaneously. Simultaneous charging is prevented by a manually operated transfer switch which has a mechanical interlock that will open one set of contacts connected to one redundant bus when the set of contacts connected to the other redundant bus is closed.

We have determined that the manual transfer switches installed and the interlocks provided to prevent the propagation of faults to the redundant safety buses are adequate. Therefore, it is concluded that the interlock systems designed to prevent compromising electrical independence are acceptable.

I. Electrical and Physical Separation Criteria

Engineered safety features circuit separation includes separation of power sources, control and power devices, protective devices, sensors and the interconnecting cables.

The engineered safety features 4160 volt switchgear, 480 volt load centers and motor control centers are located within a Category I structure area to minimize exposure to mechanical, fire and water damage. Within practical limits, nonsegregated, metal-enclosed 4160 volt buses are used for all major bus runs where large blocks of power are to be carried. The routing of this metal-enclosed bus minimizes its exposure to mechanical, fire and water damage.

The application and routing of control, instrumentation and power cables minimizes their vulnerability to damage from any source. Cables related to engineered safety features systems have color coded identification and have been routed and installed to maintain the integrity of their respective redundant channels.

Cable is carried in raceway systems consisting of rigid and flexible conduit, galvanized steel cable tray, junction boxes, containment penetrations and raceways within equipment cabinets. Power, control and instrument cables are run in separate raceway systems. When power, control and instrument trays occupy the same area, they are arranged vertically with the power trays on top and the control and instrumentation located in the lower trays.

The separation of redundant cables of the engineered safeguards systems circuits is accomplished by spatial separation where cables are installed in trays.

Separation distances for trays containing redundant cables are as follows:

1. Horizontal Separation

In rooms containing heavy rotating machinery or high pressure pipe lines, a minimum separation of 20 feet or a 6" thick reinforced concrete wall is provided. In fire hazard areas a separation of 3 feet or a barrier equivalent to one inch of transite, covered with a sheet of 16 gauge steel is provided.

2. Vertical Separation

A vertical separation of 5 feet is provided. Where physical conditions do not permit 5 feet of separation, either the lower tray is equipped with a solid steel cover or the upper tray is equipped with a solid steel bottom, or a barrier similar to the one described for horizontal separation has been provided.

Engineered safety feature system and Class IE electrical system components mounted on control boards, panels, and relay racks are designed and physically separated by a steel barrier or at least 6 inches of air space.

In control panels, some wiring and components are common to the two redundant safety system channels. Also in many cases interlocks are required between equipment of different channels to perform certain safety functions. The cables containing these common or interlocking conductors are color coded green when they are routed through the raceway system between panels belonging to different safety channels. These cables are run in flexible steel conduits inside the control panels. The flexible steel conduit is extended as close to the terminals as physically possible.

The Fire Protection review required certain modifications to improve the separation in various areas of the plant where the existing cable separation was found inadequate to assure that fire will not cause damage to redundant safe shutdown equipment. The licensee has proposed rerouting of cables or isolating the associated circuits with relay contacts where subject to being disabled by fire in nonsafety-related circuits associated with safe shutdown systems.

On the basis of our review of the original separation criteria described above and the upgrading of separation accomplished under fire protection review, it is concluded that the physical independence of electrical systems is acceptable.

III. Conclusion

The staff has completed its review of the licensee's ECCS performance single failure analysis and has concluded:

A. The original design of the emergency core cooling system actuation system meets the single failure criterion and present staff requirements.

B. The onsite emergency power system meets the single failure criterion.

C. The safety-related electrical equipment is environmentally and seismically qualified except for the "open" issue of level of radiation exposure. This issue will be subject to a separate review as it relates to resolution of the response to IE 79-01.

D. The submergence of equipment inside containment will not prevent the proper operation of the emergency core cooling system, containment isolation systems, nor cause malfunctions of the emergency power systems.

E. The redundancy of systems and valves satisfies the requirements of EICSB Branch technical position 18, and precludes the malfunctioning of the emergency core cooling system due to operator error or single failure of electrically operated fluid system components.

F. The interlocks provided to prevent the propagation of electrical faults between redundant safety buses satisfy the requirements of Regulatory Guide 1.6.

G. The electrical and physical separation between redundant divisions satisfies the separation criteria current for the period of construction of this plant and will not cause functional loss of redundant emergency core cooling system equipment.

It is concluded, in summary, that the emergency core cooling system at ANO-1 satisfies the single failure criterion, is seismically qualified, and is environmentally qualified except for the "open" issue; and therefore, is acceptable.

REFERENCES

1. Letter from D. Ziemann (AEC) to J. Phillips (AP&L) dated December 27, 1974.
2. Letter from W. Cavanaugh III (AP&L) to A. Giambusso (NRC) dated April 21, 1975.
3. Letter from J. Phillips (AP&L) to A. Giambusso (NRC) dated July 9, 1975.
4. Letter from W. Cavanaugh III (AP&L) to D. Ziemann (NRC) dated August 3, 1976.
5. Letter from D. Rueter (AP&L) to D. Ziemann (NRC) dated August 20, 1976.
6. Letter from D. Williams (AP&L) to D. Davis (NRC) dated November 23, 1977.
7. Letter from D. Williams (AP&L) to D. Davis (NRC) dated January 20, 1978.
8. Letter from D. Trimble (AP&L) to R. Reid (NRC) dated June 29, 1979.
9. Letter from D. Trimble (AP&L) to K. Seyfrit (NRC) dated July 13, 1979.

Dated: October 12, 1979