ML19257B613
| ML19257B613 | |
| Person / Time | |
|---|---|
| Site: | 05000273, Crane |
| Issue date: | 10/21/1979 |
| From: | Jacobi W WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | Kemeny J PRESIDENT'S COMMISSION ON THE ACCIDENT AT THREE MILE |
| References | |
| TASK-TF, TASK-TMR NUDOCS 8001170784 | |
| Download: ML19257B613 (12) | |
Text
'
GeEtGAO ISSUE:
COINCIDENT PRESSURIZER LEVEL / PRESSURE PROTECTION LOGIC WESTINGHOUSE Positron:
1972. SAFETY ANALYSIS REPORTS SHOWED POSSIBILITY THAT AUTOMA e
SI ACTUATION PROM COINCIDENTtSIGNALS MAY NOT OCCUR BECAUSE OF lHANG-UPOFWATERLEVEL' COINCIDENT LEVEL / PRESSURE LOGIC SHOWN TO BE SAFE AND ACCEPT-o ABLE PROTECTION SYSTEM
- ADEQUATE TIME FOR OPERATOR ACTIONiCONFIRMED.BY 1972 hNALYSIS, BEZNAU'INDIDENT.AND POST-TMI ANALYSIS WESTINGHOUSE?IRAINING PROGRAMS INCLUDED EXERCISES TO~
IDENTIFY AND ISOLATE STUCK-OPEN PORV IN ONE MINUTE SIMPLIFIEDiPRESSURE-0WLYL LOGIC WAS FORWARD FIT INTO NEW e
PLANTS:AFTER 1972-
[NOT BACKFIT AT TIME SINCE CONDITIONS THAT COULD LEA 7 T e
AUTOMATIC SI ACTUATION WERE ACCOMPANIED BY ADEQUATE IIME FO OPERATOR ACTION SINCE TMI PRESSURE-OtjLY LOGIC WAS BACKFIT INTO PLANT HAVING e
COINCIDENT LOGIC 1916 347 8001170 70I [
e*
NTW Ceder Westinghouse Water Reactor Electric Corporation Divisions Ensgn Fe.msyivantaiszac W M Jacott
'0CT 211979 Gerera! vrager htcarIt@fcegy Divls!cn
. The Honorable John G. Kemeny, Chairman President's Ccmmission on the Accident at Three Mile Island 2100 M Street, N.W.
Washington, D. C.
20037 Dear Mr. Chairman; This letter documents information we have provided at the request of Professor Pigford in connection with the following issues:
1.
fRC requirements for safety related backfits to operating plants.
Nuclear plant delays resulting from the licensing process.
2.
The 1974 incident c1 which a Power Operated Relief /alve (PORV) stuck 3.
open at the Beznau Unit 1.
4.
The effects of non-condensibles on natural circulation and heat removal.
5.
The extent to which operating experience is available to support the -
development of large Nuclear Steam Supply Systems.
The following paragraphs address these issues in summary fashion; addi-tional specific data is provided in the Attach:.ents as noted.
Backfitting The NRC has not been reluctant to require backfit of new requirements where significant safety considerations are involved. The extensive backfit of safety improvements to operating plants is a matter of public record.
In addition, the lSC has had in place for the past five years a Regulatory Requirements Review Committee to consider new requirements on a case-by-case basis, and to require backfitting when appropriate. Approxi-mately one-third of the changes they have approved were implemented on a backfit basis.
Further, the NRC instituted a Systematic Evaluation Pro-gram in 1977 to evaluate older plants relative to the safety significance An overview of the extent of backfitting is provided of new requirements.
in Attachment 1.
It is clearly shewn that the required backfits have had a substantial impact on the older operating plants.
Y F9l5'348 e
Nuclear Plant Delays The licensing process has contributed to expensive delays in nuclear plant design and construction. This is documented in two AIF reports, Priorities for Solution,"
" Licensing, Design and Construction Problems:
January 1978 and " Cost Impacts Related to Nuclear Power Plant Project These two reports were referenc d in testimony Durations," April 1978.
on this subject by John E. Ward, P.E., Chairman of the AIF Commictee on Reactor Licensing and Safety before the Subcommittee on Nuclear Regu-lation, Senate Committee on Environment and Pubiic Works on July 12, In addition, the Congressional Sudget Office of the United States 1978.
Congress issued a background paper, " Delays in Nuclear Reactor Licensing The Possibilities for Reform" dated March 1979.
See and Construction:
Attachments 2, 3, 4 and 5.
}c7aauStuck-OpenPORVIncident In3972,twoyearspriortotheBeznauPORYincidentIestinghousesub-mitted to the _ tRC.an_ evaluation of pipe breaks in lines leading to the
~
This evalu-
_ pressurizer vapor.spact such as f ailure of a PORV to close.
ation called attention to the f act that the Safety Injection System automatic actuation frca coincident level and pressure signals may not occur but that" ample time (more than 50 minutes) was available for The Beznau PORV incident demonstrated the validity of operator action.
Following TMI, Westinghouse performed the conclusions reached in 1972.
additional analyses based on Safety Injection initiation frcm coincident These analyses which have been submitted to level and pressure signals.
tRC confirmed the results of the 1972 analyses as well as the experience at Beznau, that adequate time exists for manual initiation cf safety injection.
Prior to TMI, Westinghouse simulator training programs included an exercise in which operators were trained to identify and isolate an open-iPORV within one minute.
Since TMI the simulator program has been exten-
.ded to conditions when the open PORV cannot be isolated.
See Attachment 6.
Effect of Non-Condensibles on Natural Circulation Evaluations of the effect of non-condensible gases in small loss of coolant accidents on condensation in the steam generators and on system hydraulics of natural circulation were submitted to the IRC and ACRS These evaluations show that the amount of non-condensible prior to TMI.
gases that would be generated during the period for which the steam generators are required for decay heat removal has only a slight effect on condensation and would be insufficient to stop natural circulation A1alyses performed since TMI show that in the unlikely event of ficw.
signific6ntly larger volumes of non-condensible gases which could pos-sibly interrupt natural circulation flow, other adequate modes of cooling are available such as reflux boiling and " feed and bleed".
Additional details of these evaluations are described in Attachment 7.
1 9 1.6 3 4'9 '
s d a-
.7..
,)
V ATTACHMENT 6 The Beznau Unit No.1 PORV Incident During 1972 Westinghouse evaluated postulated small loss of coolant accidents located in the pressurizer vapor space, and demonstrated that for a range of assumed break sizes in this location,; level. hang-up_in
[thepressurizerwouldbe.expecteddueto_floodinginthepressurizer Under these circumstances, a safety injection signal would surge line.
not be generated automati: ally from the coincident pressurizer pressure and level SI actuation logic.
However, it was also demonstrated by analysis that for those break sizco where such a level hang-up woult be expected and pumped safety injection flow was relied on as the initial means for maintaning RCS liquid inven-tory,$a substantial time period was available to the operator. to allow for manual initiation of safety injection prior to any core uncovery or subsequent fuel rod heat-up. These analyses were reported in the Zion LFSAR,.RESAR-3 and other plant specific SAR's (Exhibit C) and determined the range of break sizes in the pressurizer vapor space for which floo'd-ing was expected as well as having quantified the amount of time avail-able for the operator to take action to manually initiate safety injec-tion to prevent core damage. The results reported in these documents showed that level hangup for pressurizer vapor space breaks as small as a stuck open pressurizer power operated relief valve would be expected to cause level hangup and prevent automatic SI actuation.
Further, the results reported in the various SAR's utilizing the existing calcula-tional tools indicated that approximately 50 minutes was available for he reactor operator to diagnose the event as a loss of coolant accident and take appropriate action to initiate safety injection.
191 8 50 e
e e
'sx, e s
',g%
y In consideration of these results, an evaiuation was made of those indi-5~ca'tions 17111able to _the operator to permit pecmpt an accurate event diagnosis for the case of a pressurizer vapor space break (such as a stuck open pressurizer PORY or safety valve). This evaluation demon-strated a variety of diverse instrumentation and alarms which would promptly inform the operator of such an event, and include the following:
1.
Pressurizer Pressure Indication - Low Pressure Alarm 2.
Pressurizer Pressure Indication - Low Pressure Reactor Trip 3 7 ressurizer power operated rei:ef valve position indic,ation P
4.
Pressurizer power operated relief valve backu" '3clation valve position indication 5.
Pressurizer relief valve di: charge line temperature indication -
High temperature alarm 6.
Pressurizer relief tank pressure - High pressure alarm 7.
Pressurizer relief tank level - High level alarm 8.
Pressurizer relief tank temerature - High temperature alarm Each of the above indicaticns would be present and recognizable very soon in the event of a stuck open pressurizer pcwer operated relief valve.
Subsequent indications and alarms af ter relief tank rupture disc operation would be present and available to the operator for event diagnosis prior to the time required for operator action to initiate safety injection and would include:
9.
Pressurizer relief tank pressure - Low pressure alarm
- 10. Containment sump level indication
- 11. Containment radiation indication
- 12. Containment temperature indication
- 13. Containment pressure indication 1916 351 Based on the available indications, Westinghouse concluded that ade4: ate information is avai'.able to the operator within a reasonable time period O
7 to assure proper event diagnosis and action to initiate afety injec-Although these analyses were not performed for such specific tion.
plant application, the phenomenon of pressurizer level hang-up for postulated vapor space breaks and resultant long allowable time for operator action are still censidered generically applicable to all typical PWR designs.
Based on these evaluations, then, it was recognized that the simpler, (pressure-only SI actuation logic represented an improvement that rini-imized reliance on operator _ actioni. This feature was also considered in the process of the SI actuation logic design change.
This modification was net backfit' to existing plants, however, since it representeionlyasimplifil cation _andimprovementtotheSIactuation Westinghouse evaluations of a complete spectrum of assumed pri-logic.
mary break sizes and locations indicated that for all breaks in the liquid space of the RCS, the coinc.ident pressure and level SI logic would provide automatic SI actua', ion.
Further, for those vapor space breaks where pressurizer level hang-up would be expected, and for which no automatic SI signals would be expected from pressurizer signals, an extended period of time was available for the operat Jr to manually ini-There-tiate safety injection and mitigate the course of the accident.
fore, the pressure and level coincidence logic represented a safe and acceptable protection system.
On August 20,.197.4 an event resulting in an 6 pen failure of a pres-surizer power operated relief valve occurred at the Beznau 1 facility in Switzerland. The overall result of this event was that the plant was Following safely shut down with no consequential reactor core uncovery.
this event, a Westinghouse team visited the site on August 23, 1974 to gather pertinent plant data and evaluate the incident.
The results of.their evaluation showed good agreement with the previous 5 analytical _ studies performed to identify system response for such an As described in the 1972 analyses, pressurizer level did not event.
3, 1916 152-e
's.
drop and thus prevented automatic safety injection actuation.
Further-more;ibased cn available;instrumentat 4n and' alarms as described.above v
, '(primarily pressurizer-relief tank and. containment. indications and
-alarms),ytIIeoperatorimmediatelydiagnosedtheeventasastuckopen pressurizer power operated relief valve. Within three minutes of the valve failure, operator action according to existing procedures resultad in closing the backup isolation valve, associated with the stuck open relief valve, thus terminating the LOCA. The result of this action was a rapid drop in pressurizer level and resulted in an automatic genera-tion of the safety injection actuation signal.
Therefore,. manual opera-ter action for safety injection was not required in this case.
Based on the above data and evaluation, Westinghouse ccncluded that the event demonstrated the validity of the conclusions reached in 1972 regarding such events,$that the incident represented a fully analyzed kandunderstood. event,andthatnogenericsafetyissuewasraisedbythe event that had not previously been addressed. iTherefore, Westinghouse did not need to report 'the event to. the fRC.
Analysis cf Stuck Open PORVs After TMI-2 Subsequent to TMI-2 incident, Westinghouse has performed aoditional analyses of pressurizer vapor space breaks, such as the f ailing open of one or more power operated relief valves. The purpose of these analyses was to:
1.
Determine the operator action time available for which SI must be manually actuateu for plants with coincident logic, and 2.
Evaluate the thermal-hydraulic system response from these accidents utilizing the current ECCS Evaluation Models and demonstrate that adequate core cooling results if minimum safety systems function as designed.
}9l6'353 e
4 The general conclusions of these analyse were presented at the ACRS meeting of 5/10/79, to the f3C Analysis Group at the 5/31/79 Meeting at the f2C offices at Bethesda,_ and at two cust=er meetings developed by Westinghouse to inform all custcmers of the status of all post TMI activities, which were held on 5/23/79 and 5/30/79.
Figure 1 is a copy of the slide that vis utilized in these presentations. A pressurizer This is equivalent vapor space break of 2.5 inch diameter was assumed.
A few Westinghouse to the break area of 3 PORVs failed fully open.
plants have 3 PORVs; most have 2.
The statement was made at all pre-sentations that if less than 3 PORVs f ail open that the time until the onset of core uncovery is significantly later than the values presented in Figure 1 if no safety injection actuation occurs, and if safety injection does occur, no ccre uncovery, thus adequate core cooling exists, similar to the 3 PORV open case.
These analyses generally verified studies discussed previously that Westinghouse performed prior to the Beznau incident, in that adequate time exists prior to the onset of core uncovery for the operator to manually initiate safety injection.
If safety injection is initiated just prior the time of first core uncovery, vessel refill occurs imme-diately and core conling is maintained.
The next paragraphs of this report present a summary of the system thermal-hydraulic behavior for a PORY break as determined through analysis with tr. - rent Small Greak Evaluation Model. Two cases are The first case, Case A, assumes that SI actuation logic is
, considered.
based on low pressurizer pressure only, and the second case, Case B, assumes a coincident pressurizer pressure and level SI actuation logic.
A 4 loop plant is utilized for this coiparison. Minimum safeguards safety systems availability is assumed, consistent with conservative FSAR licensing calculations.
A 2.5 inch diameter pressurizer vapor This break space break is assumed, equivalent to 3 PORVs stuck open.
size is more limiting in terms of minimum operator action time avail-able. The following table presents a sequence of events:
191'6 354
' c_...
Case A Case B 3 PORVs, fail open 0.0 sec 0.0 sec.
Reactor scram on low 30.6 sec 30.6 sec pressurizer pressure Safety injection actuation signal 33.5 sec No automatic SI signal generated Pressurizer Mixture Level rises 100 sec 100 see to elevation of PORV-Break flow becomes two phase Continued RCS depressurization 300 sec 300 see to approximately steam generator safety valve setpoint Manual safety injection occurs Nct Required Prior to 2200 sec Minimum vessel mixture level Hot Leg Elevation Top of active core or higher dependent en manual SI actuation time (<.2200 sec)
Time of core uncovery None None The analysis results indicate that for the case with coincident SI actuation logic, if manual initiation occurs at any time prior to 2200 seconds in the transient, which is adet ate time for the operator to diagnose the accident, that no core uncovery will occur.
For this case, even though the pressurizer level indication may rise, the pressurizer pressure indication will illustrate continued depressurization, typical of the LOCA system behavior characteristics.
19{6 355 e
a me mes
ATTACHMENT 6 - EXHIBIT C g
r.;.,. '.
.:':},
, )..;.-
.' t !,'
,yf.. 3 prior to the 3ccident is shotin-in Figure 15.3-13.
The core couer transier j,...
f.4 following the accident is si.aun in Figurc '15.3-14.
3
, ~,,,!, :. 5
- q*
?
s
..'.. :... 6 The full range of break sizes uo to 0.5.. f t7 in area is analyzed in
.,.. 3 :
' O..'. t, 7,
this section by considering the ninir;.um sa feguards Emercency Core Coolina
- 4.,T.f. :~8 System cacabili.ty and operability.
The cases analyzed considered a sinnlr failure of one.dicsci-generator unit of the er.orgency pouer sypply
. '. '. -9 The flo.i from the cold leg line injecting into the bmhen
'.10,
system.
'a-i n.
..:~...-.,l7 11 loop is assu.e.d to spil1. -
,~
,v..
r-a w
32
... ~
.13
. Pine Srcaks i~n Lines i.eadino to the P essurizer Vanar So e
14..
. );.
l' Be:ause of the specici considerations related to Safety Injection Syste.
~,
15 actuation,(breaks in lines connected to the pressurizer vcoce soace
}~
16 17 have also. been analyzed.
Transient results illustrated'in Section.
~
, ",., 18 15.2.12 are apolicabic to breaks in these lines (taxir::m 'line size
~
d' '
~
'~
.~
. *. :.1 -
19' is 6 inches).
' ~ -
'5 n
' * ~4 V.
v.~Xc. ;,:~~a..
f.
O. ' :.
- ~,.
.-a ss
.u.
gg
. ; :.' 21 For breaks sra'ller than a' 2 inch dicc.eter equivalent break, the Safety g
22 Injection System will be actuated by the pressurizer.levci and oressure
'-. "23 coincidant signals and subsequant cooling of the core tlill cc maintaincd.
.m ' 24 For these break sizes, the updrd steam velocity in the surge lines 25
. drops during the. accident below the entrainc:ent velccity, thus all6 wing i
l 26
_ liquid flow down'the' surge line and actuation of the low level s gna.
.~
27
... '.. 28 For, breaks in the 2 to 6 inch range, Safety Injection System automatic -
,. 29 Lactua' tion _ may not result; however,fa delay in obtaining the Safety
' ' " 30 Infection Sistem signalLof core than 3000 seconds (50 minutes) decs 31 Lnot result in core uncovering.
The results of the analyses indicate
' 32 that the. accumulator activation pressure is reached when approxi-utely haif of the reactor coolant inventory remains; much core coolant th.1n 33 It is noted that discharge 34 is required to cover the top of the core.
\\
k w 'g,. Q u.. :
h..\\ e.
.3
. Is5 7.-
l-1916 356
.- 2a 37 15.3-8 OCTOBE R, 1972.
30 JRESAa.3 gn f [ /Eli J.NT 1 -- - -
+ *
~
from the vapor scace is more effective in reducing pressure t:ai.
3.
from the liquid sp:ce bccause of the greater loss in enthalpy"per
- 3.. _.. 51';..;;., '...C-
- M: 4
2 s.........
~ -
5 unh of mass discharca.
..., ~.
. ~....
..g..
., y.c...,.:.
n.:....;.
=.
.. ~.
..p
..u
]
.o
,w..
..,...c.,
.. v..
.. v.
g
. '.,i p= *. -..
c*
9 l,
...s
...,. ~.
.~..
. s....
..n
.~..c
.l e... -
.s.
?
.~ 11
.=.
. '..:, Q....: '.!^ '
.1..
~.. ~ r.a. : ~. :...
... s c
12 l
.J..,- ~. -:. ' :m y..+.'
. v..:
r
.......,......v.-. 3 : _
s n..".. q W.; ~
- e..,.~. -
. - :.+
. v :.
13 s
14
.i
-.. ~.
.:.~..
e,
...,.5-
. ~..
15 n n.
2..
s.
. w 6 i.,
- =
9 t
- < v,u..
. ' ? :,
- V. '. *:
i.
/.
. - m%i n. :..
. ' _,, '.:...;.n
,n...*.,
. c.. :.
g
....e _x _ :.
- (...
%.. ' - '. 1
- ., ~. i.s.'.. :. : x.
.y ?,', 2 y,.u..
... - 5. >. g a..
~; - '.
n.*;.f?
m *q
- :2
.n.. :..
- s.
- s. 9
.. r :..
...p s;
n.
.1.
\\
s.
- i. gQ
.e qy
.J.- : %..
X.... a:.
.-..~
..r.
v
, 21 l
"..J.
'.x.
2
-.t. P,., * -
.: s s -.
.=
22
- t...
..._ c...
s-
.e
., + :;,*
.., = *
...; ;c,.
. +..
e-
..,. ~...
24
., =.
.g
,,n,g v.
..r.
~.. ' ' ;
. 25
.N@p$. '...
26
,.. y. %..., ;n :...
.~. % i. -
q 27
.........~
~
f,,.N.. ',.
'.". /.
3
,.. 'c
', ~; "
23 v
< c.:. -
s.
. e i:
.. ~.
'.,.;.. 2 9
. ~,A.
r t
30 c.
s
.. ~,..
~.
....st g. :,.
..,4,.,..
,.. 7, 2
w
.:. v.
33
.s....
- ...~.. _. 1 ~. v- ~
34
.s. n 3 su.
,u
.,~. y. w;;.:,.-+,
v
... 35 b.
-6.
b
..J 0CT0"G i 15.3-ca M"
Rtsm-3 1,.
fu,, L...,...i
}
e.-
.s
. J..:. :
s
. _ 39 s.
- o.,y a.7.;.
....c i4O J
1
~ ~ - -.
~
e
h
,3'~ ' h 3 The injection of the accumulator water causes the 11 gun
. eve
! i r.
3
[
/
4 and the pressbre in the reactor system to decrease at a faster rate
,..5 because of the reduced steam cencration caused by the addition of sus.
It is expected that the, operator would actuate the Safety 6
cooled water.
[..
Injection Systcm manually during this'3000 second interval and subscquen
- '. ~ (
?7 cooling would be maintaine'd by the Safety injection System.
h 8
n 9
The reactor is f ripped either on overtemnerature aT or icu pressurizer
,2.,..
.10 x
'll pressure sienal for all break sizes.
Based on the fact that D."DR does
-)'12 not fall below 1.30 prior to the reactor trip initiation and the core remains covered throughout the 3000 second interval, no clad damage 13 is: predicted.
.....-..J.
.s.....
. 14
... :.y.?;t:::.: s..::..:..
- t.
.... J. v..-
1
. r
- a..
-15 Although the containment pressure signal acts as a backup to the coinct-
~
16
'17 dent icu pressurizer l'evel and pressure signal, no credit.uas taken i
~ '."., 18 for actuation of the Safety Injection System from this soarce.
.3'
\\..
- e
., :: 'M.'19
~ i. E.
..,7..s.:n.
- :;.y;.g 3.:,,:.
7 c, ajg,
..,2....
.... ~.,
(.
.,,p;.:n
.a
- ,,. 20 15.3.1.3 Conclusiens
,,V..c.. a. :. 4.n.. :.
L.i... :n.:..~
... 3
.e.
..g..
Analyses presented in.this section show that the high.hecd portion of 22 the Emergency Core Cooling System, together with the accuquiators, ;.rcy-23 Peak 24 sufficient core f,loeding to prevent excessive clad temperctures.
,' *;- 25 clad temperatures.are calculated to be approximately 1500 to 1700*F s.'
~
26 for the worst bredk size analyzed.
Adequa'te protection is therefore afforded by the Emergency Core Ccoling System in the event'of a small 27 t>.
7
~~
28 break less of coolant accident.
.m
/-
(.
4
- 29 It is also concluded that for a break in any line connected to the cres.
30 yapor space, a delay in obtaining the safety injection signal does not 31 The resultin 32 result in core uncovering and no clad damage is expected.
activity released to the containment is limited to that contained in 33
.U '?
7 34 the Reactor Ccclant. System prior to the accident.
~
a.*
35
..,...v,.9..... y. p, r.. ~.. : s.:. s. ~..
r.
.g.
6
~
w..
2a S,
. g~
.3-9 y.
.:.u...-
3, is 1916 358
^ *2 mua a ggD 33 g
39
.~:...,
..,..n.........
.w
-m i _,
a.,
.s.
n...
.,.;.. _ m.. -
. ~.,....... ~..
.. - _...v---.
=
,e