ML19305C582
| ML19305C582 | |
| Person / Time | |
|---|---|
| Site: | Surry  |
| Issue date: | 03/04/1980 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19305C579 | List: |
| References | |
| NUDOCS 8003310116 | |
| Download: ML19305C582 (11) | |
Text
.
)[f narg UNITED STATES
+
NUCLEAR REGULATORY COMMISSION o*g 8*
WASHINGTON. D. C. 20555 o
a g
\\ *..,
- p#
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR R 55 TO RELATED TO AMENDMENT NOS. 56 AND FACILITY OPERATING LICENSE NOS. DPR-32 AND DPR-37 VIRGINIA ELECTRIC AND POWER COMPANY SURRY POWER STATION, UNIT NOS. 1 AND 2 DOCKET NOS. 50-280 AND 50-281 Introduction By letter to the Virginia Electric and Power Company (the licens Unit Nos. 1 and 2, system designs to determine susceptibility to overpressuri-August 11, 1976, zation events, an analysis of the possible events and proposed interim and permanent modifications of systems and procedures to reduce the likelihood consequences of such events.
By letter dated October 14, 1977 (Reference 1) which supplements other letters (References 4-12), the licensee submitted the information we requested including the administrative operating procedures, the proposed low temperature overpressure protection system (OPS), and pr The proposed OPS includes sensors, changes to the Technical Specifications.
actuating mechanisms, alarms, and valves to prevent a reactor coolant system Units 1 and 2 Technical Specifications as required by Ap Code of Federal Regulations, Part 50 (10 CFR 50).
Background
Over the last few years, incidents identified as pressure transients haveThe te occurred in pressurized water reactors.
used in this report, refers to events during which the temper All of these incidents occurred at relatively low temperature (less than 200 F) where the reactor vessel material toughness (resistance to are exceeded.
brittle failure) is reduced.
The " Technical Report on Reactor Vessel Pressure Transients" in NUREG-0138 (Reference 2) summarizes the technical considerations relevant to this matter, discusses the safety concerns and existing safety margins of operating reactors, and describes the regulatory actions taken to resolve this issue by reducing A
the likelihood of future pressure transient events at operating reactors.
brief discussion.is presented here.
Reactor vessels are constructed of high quality steel made to rigid specifica-tions, and fabricated and inspected in accordance with the time proven rule of the ASME Boiler and Pressure Vessel Code.However, since reactor vessel steels are le at reactor operating conditions.
tough and could possibly fail in a brittle manner if subjected to high pressures I
8003310
2 at low temperatures, power reactors have always operated with restrictions on the pressure allowed during startup and shutdown operations.
At operating temperatures, the pressure allowed by Appendix G limits is in excess of the setpoint of currently installed pressurizer code safety valves.
However, most operating PWRs did not have pressure relief devices to prevent pressure transients during cold conditions from exceeding the Appendix G limit.
By letter dated August 11, 1976 (Reference 3), we requested that the licensee begin efforts to design and install plant systems to mitigate the consequences of pressure transients at low temperatures.
It was also requested that operating procedures be examined and administrative changes be made to guard against initi-ating overpressure events.
We felt that proper administrative controls were required to assure safe operation for the period of time prior to installation of the proposed overpressure mitigating hardware.
The licensee responded (References 4, 5, and 6) with preliminary information describing interim measures to prevent these transients along with some discus-sion of proposed hardware.
The proposed hardware change was to install a low pressure actuation setpoint on the pressurizer air-operated relief valves.
The' licensee participated as a member of a Westinghouse user's group which was formed to support the analysis effort required to verify the adequacy of the proposed system to prevent overpressure transients.
Using input data generated by the user's group, Westinghouse performed transient analyses (Reference 10) which were used as the basis for plant-specific analyses.
We requested additional information concerning the proposed procedural changes 2
and the proposed hardware changes.
The licensee provided the required responses (References 7 and 8).
Reference 1 transmitted the plant-specific analysis for Surry Units 1 and 2.
Through a series of meetings and correspondence with PWR vendors and licensees, we developed a set of criteria for an acceptable overpressure mitigating system.
The proposed overall approach to eliminating overpressure events incorporates administrative, procedural, and hardware controls with reliance upon the plant operator for the principal line of defense.
Preventive administrative and proce-dural measures include (a) explicit procedural precautions, (b) deenergization of essential components not required during the cold shutdown mode of operation, and (c) maintaining a nonwater solid reactor coolant system condition whenever possible.
The basic design criteria that were applied in determining the adequacy of the electrical, instrumentation, and control aspects of the low temperature over-l pressure protection system are:
Operator Action:
No credit can be taken for operator action for 10 minutes after the operator is aware of a transient.
l
3 The system must be designed to relieve the pressure transient Single Failure:
given a single failure in addition to the failure that initiated the pressure transient.
The system must be testable on a periodic basis consistent with Testability:
the system's employment.
Seismic and IEEE 279 Criteria:
Ideally, the system should meet seismic Category I The basic objective is that the system should not be and IEEE 279 criteria.
vulnerable to a common failure that would both initiate a pressure transient and disable the overpressure mitigating system.
Such events as loss of instru-ment air and loss of offsite power must be considered.
In addition to complying with these criteria, tN licensee agreed to provide a variety of' alarms to alert the operator to (a) manually enable the pressure protection system during cooldown, (b) indicate the occurrence of a isolation valve which ensures a complete pathway from the pressurizer to the pressurizer relief tank.
Design Basis Events The incidents that have occurred to date have been the result of operator errors Two varieties of pressure transients can be identified:
or equipment ~ failures.
a mass input type from charging pumps, safety injection pumps, safety injection accumulators; and a heat addition type which causes thermal expansion from sources such as steam generators or decay heat.
On Westinghouse designed plants, the most common cause of the overpressure Letdown during low transients to date has been isolation of the letdown path.
Thus, isolation pressure operations is via a flowpath through the RHR system.of RHR c
- Although other transients occur with lower frequency, those which result in the most rapid pressure increases were identified by the staff for analysis.
The most limiting mass input transient identified by the staff is' inadvertent The most limiting thermal Linjection by the largest safety injection pump.
expansion transient is the e, tart of a reactor coolant pump with a 50 F tempera-ture difference between the water in the reactor vessel and the water in the
-steam generator.
Based on the historical record of overpressure transients and the imposition of more effective administrative controls, we believe that the limiting events identified above form an acceptable basis for analyses of the proposed over-pressure mitigating system.
Evaluation
System Description
~
c The licensee adopted the " Reference Mitigating System" developed by Westinghouse The licensee proposed to modify the actuation circuitry and the user's group.
of the existing air-operated pressurizer relief valves to provide a_ low pressure I
4 One PORV has a low pressure setpoint during startup and shutdown conditions. When the reactor vessel is at setpoint at 410 psig and the other at 425 psig.
low temperatures, with the low pressure setpoint selected, a pressure transient is terminated below the Appendix G limit by automatic opening of these relief setpoint A manual switch is used to enable and disable the low pressu.
valves.
An enabling alarm which monitors system pressure, the of each relief valve.
position of the enabling switch, and the upstream isolation valve is provided.
The system low'setpoint is enabled at a pressure of 390 psig during plant cool-We find the down and is disabled at the same pressure during plant heatup.
pressurizer relief valves, with a manually enabled low pressure setpoint, to Discussion be an acceptable concept for an overpressure mitigating system.
and evaluation of the system proposed by the licensee follows.
-Air Supply The power operated relief valves (PORVs) are spring-loaded-closed, air required To assure operabil-to open valves, which are supplied by a control air source.
ity of the valves upon loss of control air, a backup air supply is provided.
i The backup air supply consists of four seismically restrained compressed air bottles (220 psig) for each PORV.
Each tank contains enough air for approxi-mately 31 valve openings.
A pressure alarm, transmitting to the control room,
~
will be installed to alert the operator when the compressed air pressure has decayed to the point where it will still provide the required number of cycles for 10 minutes. We find the backup air supply to be acceptable.
3 Operator Action Operator awareness of the overpressure transient will be by the low temperature overpressure transient alarm.
No credit for operator action has been taken until 10 minutes later. We find this accep+able.
Single Failure, Seismic Design, and IEEE Std-279 Criteria System Electrical and Control Description The control circuitry for the OPS has been designed to comply with IEEE Std 279-1971, except for the two variations discussed under PORV Channel The compliance of the design with IEEE 279-1971, including the Separabili ty.-
excepticns described by the licensee (Reference 7), is adequate.
The OPS has two channels that are completely independent except that the channels share an alarm to show that the OPS should be enabled and an alarm to indicate The alarms are isolated from the' approach to a possible overpressure event.
the channels they serve so that a failure in the alarm circuitry will not Each channel of the OPS is enabled by transferring
-incapacitate either channel.
the key operated ENABLE / DISABLE switch for the channel from the DISABLE to the ENABLE position (two switches must be transferred to completely enable the OPS).
Setpoint #1 has a value of 400 psig Each channel has two pressure setpoints.
When the OPS is enabled, the NDf PRESSURE HIGH annunciator for both. channels.
will be activated 'if the the ' pressure exceeds Setpoint #1 for either channel, thus alerting the operator of the need for actions to remedy the cause of the Setpoint #2 has a value of 410 psig for Channel #1 and a increasing pressure.
i L
5 value of 425 psig for Channel #2.
When the OPS is enabled and the pressure exceeds Setpoint #2 for.a channel, the PORV for that channel is opened to provide a pathway from the pressurizer to the pressurizer relief tank.
During power operation the ENABLE / DISABLE switches for both channels of the OPS are in the DISABLE position, and the pressure is above Setpoint #2 for both channels so that the NDT PRESSURi SYSTEM REQUIRED annunciator is off.
As the reactor is cooled down the pressure decreases and, when it reaches 400 psig, the NDT PRESSURE SYSTEM REQUIRED annunciator comes on, thus alerting the operator of the need'to manually enable the OPS by transferring both key-controlled ENABLE / DISABLE switches to the ENABLE position.
If both isolation valves between the pressurizer and the pressurizer relief tank are open, the NDT PRESSUR..ZER I
SYSTEM REQUIRED annunciator will go off, indicating that the OPS is enabled.
These design features are adequate.
t Isol_ation Valve Alarm.
The required isolation valve alarm is provided by the NDI PRESSURE SYSTEM REQUIRED annunciator.
When the OPS is being enabled, the annunciator will not clear unless both isolation valves have been opened.
This ensures that a path from the pressurizer to the pressurizer relief tank is main-
-tained.
With the OPS enabled, the annunciator will alarm upon the closing of either isolation valve.
The two channels share a single alarm.
These design features are adequate.
PORV Channel Separability.
Each of tha two PORVs has its own independent instru-mentation and control channels, except that the two channels share a common annunciator.
A Failure Mode and Effects Analysis (Reference 8) has shown that no single failure can disable both channels, and the licensee has stated that the design meets all of the final criteric except the following two requirements from IEEE 279 for electrical components:
(1) The requirement of automatic removal of a bypass.
The bypass funct'on will be' served by two key lock switches, one for each power-operated relief valve, under administrative control.
The switch will be enabled at the proper point (temperature versus pressure) on the cooldown curve and disabled at the proper point on the heatup curve.
The position of the switch versus system requirements will be annunciated to indicate improper system alignment.
(2) The requirement of identifying components as to protection grade.
.The existing components are mounted and wired in control cabinets and wireways.
However, channel independence conditions are met, as the channels are totally separate and the new system will also be installed separately.
To disrupt the existing system to move the components and wires into protec-tion marked areas does not provide a sufficient advantage to be worth the risk involved to the rest of the station.
The exceptions to IEEE 279 are justified and the design is adequate.
PORV Operation.
The pressurizer power-operated relief valves (PORVs) are spring-loaded, normally-shut-valves that are. opened by motive air controlled
6 by solenoid operated valves (S0Vs), one for each PORV when the,0PS is enabled.
The motive air is normally supplied by the containment instrument air system.
To ensure operability upon loss of the normal air supply, each PORV has an inde-pendent backup air supply.
One PORV opens at 410 psig and resets at 400 psig, the other ooens at 425 psig and resets at 415 psig.
Each backup air supply will have four high pressure bottles with each bottle capable of opening a PORV 31 times so that the system capacity is 125 cycles.
This sizing considers that the fastest system response time is 6 seconds per cycle and that operator response will not take place for 10 minutes.
On this basis, the required capacity for the backup air supplies is 100 cycles.
Check valves isolate the normal and the two backup air supplies so that a failure in one supply will not disable the other supplies.
This design is adequate.
Pressure Transient Reporting and Recording Requirements The staff position on a pressure transient which causes the overpressure protec-tion system to function, thereby indicating the occurrence of a serious pressure transient, is that it is a 30-day reportable event.
In addition, pressure and temperature instrumentation are required to provide a permanent record of the pressure transient.
The response times of the temperature / pressure recorders shall be compatible with a pressure transient increasing at a rate of approxi-mately 100 psi per second.
This instrumentation shall be operable whenever the OPS is enabled.
Disabling of Essential Components Not Required During Cold Shutdown Except as required for brief intervals by operating procedures or Technical Specifications, the staff position requires that essential components not required during cold shutdown that could produce an overpressurization event, be disabled or isolated from the RCS during cold shutdown and that the controls to disable or isolate these components be incorporated in the Technical Specifi-cations.
In particular, the safety injection accumulators and the high pressure i
safety injection pumps are included in the components to be disabled or isolated during cold shutdown. While the system is water solid, two of the three charging pumps will be disabled by removal of the power to them.
Valves and breakers used to disable equipment during cold shutdown will be tagged or locked to prevent inadvertent changes of state.
System Testability Testability will be provided prior to establishing a solid system by use of the remotely _ operated isolation valve, ENABLE / DISABLE switch, and normal elec-tronics surveillance procedure methodology.
The testing requirements will be incorporated in the Technical Specifications.
The provisions for testability are adequate.
Appendix G The Appendix G curve submitted by VEPC0 for purposes of overpressure transient l
' analysis is the most limiting condition expected over the 40 year life of the l
plant.
The zero degree heatup curve is allowed since most pressure transients L
occur during isothermal metal conditions.
Margins of 60 psig and 10 F are
7 included for possible instrument errors.
The Appendix G limit at 100 F according to these conditions is 500 psig.
The staff finds that use of this value is acceptable as a basis for overpressure mitigating system performance.
Setpoint Analysis The one-loop version of the LOFTRAN (Reference WCAP 7907) code was used to perform the mass input analyses.
The four loop version was used for the heat input analysis.
Both versions require some input modeling and initialization chariges.
LOFTRAN is currently under review by the staff and is judged to be an acceptable code for treating problems of this type.
The results of this analysis are provided in terms of PORV setpoint overshoot.
The predicted msximum transient pressure is-simply the sum of the overshoot magnitude and the setpoint magnitude.
The PORV setpoints are adjusted so that, given the setpoint overshoot, the resultant pressure is still below that allowed by Appendix G limits.
The licensee relied upon the following Surry Units 1 and 2 plant characteristics to determine the pressure reached for the design basis pressure transients:
SI pump flow rate @ 500 psig 83 lb/sec 3
RCS volume 10,000 ft 2
SG heat transfer area 58,000 ft Relief valve setpoint 435 psig The analyses were performed assuming a single PORV setpoint of 435 psig, although the actual setpoints are 410 and 425 psig.
Westinghouse also identified certain other assumptions and input parameters as conservative with respect to the analysis.
Some of these are listed here.
(1) One PORV was assumed to fail.
-(2) The RCS was assumed to be rigid with respect to expansion.
-(3) Conservative heat transfer coefficients'were assumed for the steam generator.
The staff agrees that most of these are conservative assumptions.
It is prudent to assume a PORV failure.
Mass Input Case The inadvertent start of a safety injection pump with the plant. in a cold shut-down condition was selected as the limiting mass input case.
For this transient, a relief valve opening time of:1.7 seconds was used.
VEPCO has verified that this' time.is conservative.
' Westinghouse provided.the licensee with a series of curves based on the LOFTRAN analysis of a generic plant design which indicates PORV setpoint overshoot for
8 this transient as a function of system volume, relief valve opening time, and relief valve setpoint.
These sensitivity analyses were then applied to the Surry Units 1 and 2 plant parameters to obtain a conservative estimate of the PORV setpoint overshoot.
We find this method of analysis to be acceptable.
Using the Westinghouse methodology, the Surry Units 1 and 2 PORV setpoint overshoot was determined to be 65 psi. With a relief valve setpoint of 435 psig, a final pressure of 500 psig is reached for the worst case mass input transient.
Since the Appendix G limit at temperatures above 100 F is above 500 psig, we concluded that the system performance was acceptable with a 435 psig low pressure relief valve setpoint.
The actual setpoints of 410 and 425 psig add additional conservatism.
Heat Input Case Inadvertent startup of a reactor coolant pump with a primary to secondary temperature differential across the steam generator of 50 F, and with the plant in a water solid condition, was selected as the limiting heat input case.
For the heat input case, Westinghouse provided the licensee with a series of curves based on the LOFTRAN analysis of a generic plant design to determine the PORV setpoint overshoot as a function of RCS volume, steam generator UA and initial RCS temperature.
For this transient, a relief valve opening time of 1.7 seconds was used.
The calculated final pressure for the heat transient for a fixed AT of 50 F depends on the initial RCS temperature.
The most limiting heat input case resulted in a maximum pressure of 500 psig.
Therefore, the Appendix G limits are not exceeded.
We find that the analysis of the limiting mass input and heat input cases shows a maximum pressure transient which does not exceed that allowed by Appendix G limits and is therefore acceptable.
Administrative Controls To supplement the hardware modifications and to limit the magnitude of postu-lated pressure transients to within the bounds of the analysis provided by the licensee, a defense-in-depth approach is adopted using procedural and adminis-trativi controls.
Those specific conditions required to assure that the plant is ope ated within the bounds of the analysis are spelled out in the Technical Specifications.
Procedires A number of provisions for the prevention of pressure transients are contained
~in thi Surry Units 1 and 2 operating procedures.
(1) A standing order has been implemented to minimize the period of water solid operation; only fill and vent procedures absolutely require the RCS being maintained in a water solid condition.
9 (2) To reduce the probability of RCP start from occurring and causing a thermal expansion due to energy transfer from the steam generator, at least one RCP is kept running during cooldowns until the RCS temperature is below 160 F.
(3) A pressurizer 3 team bubble is maintained prior to any RCP start with the exception of a RT.P being started or jogged during the fill and vent procedure.
(4) 'The RCP operating procedures require a RCS/SG temperature difference of less than 20 F whenever the RCS is water solid.
(5) To assure that the reiief capacity of the RHR system (750 gpm at 600 psig) is available to provide RCS pressure relief, the RHR valves are locked open during shutdown operations.
(6) Operation of only one charging pump is permitted during water solid conditions.
(7) The safety injection accumulators are isolated and the safety injection logic is blocked while in a shutdown condition.
We find that the procedural and administrative controls described are acceptable.
Technical Specifications The licensee has proposed changes'to the Technical Specifications to assure operation of the overpressure mitigating system (References 11 and 12).
These changes are consistent with the intent of the statements listed below.
(1) Both PORVs must be operable whenever the RCS temperature is less than the minimum pressurization temperature, except one PORV may be inoperable for
-7 days.
If these conditions are not met, the RCS must be depressurized and vented to the atmosphere or to the pressurizer relief tank within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
(2) Operability of the overpressure mitigating system requires that the low pressure setpoint will be selected, the upstream isolation valves open i
and the backup air supply charged.
(3) No more than one high head SI or charging pump may be energized at RCS temperatures below 350 F, unless the reactor vessel head is removed.
(4) A reactor coolant pump may be started (or jogged) only if there is a steam bubble in the pressurizer or the SG/RCS temperaturc difference is less than 50 F.
(5) The overpressure mitigating system must be tested on a periodic basis consistent with the need for its use.
~(6)- When the plant is in a cold shutdown condition, the saf ety injection accum-
- ulators shall be isolated from the RCS by verifying that the accumulator i
10 isolation valves are in the closed position and power to the valve operators is removed.
Summary The administrative controls and hardware changes proposed by the licensee provide protection for Surry Units 1 and 2 from the pressure transients at low tempera-tures by reducing the probability of initiation of a transient and by limiting the pressure of such a transient to below the limits set by Appendix G.
We find that the system is acceptable as a long-term solution to the problem of overpressure transients,Ron the basis that (1) the design complies with the IEEE Std 279-1971 design criteria, (2) the design complies with the seismic design criteria, (3) the system is redundant and meets the single failure criterion, (4) the design requires no operator action for 10 minutes after the operator receives an overpressure action alarm, (5) the system is testable on a periodic basis, and (6) the proposed changes to the Technical Specifications
.have been reviewed and are in agreement with our requirements.
Environmental Consideration i
We have determined that the amendments do not authorize a change in effluent types or total amounts nor an increase in power level and will not result in any significant environmental impact.
Having made this determination, we have further concluded that the amendments involve an action which is insignificant from the standpoint of environmental impact and, pursuant to 10 CFR 551.5(d)(4),
that an environmental impact statement or negative declaration and environmental impact appraisal need not be prepared in connection with the issuance of these amendments.
Conclusion We have concluded, based on the considerations discussed above, that:
(1) because the amendments do not involve a significant increase in the probability or consequences of accidents previously considered and do not involve a signif-icant decrease in a safety margin, the amendments do not involve a significant hazards consideration, (2) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, and (3) such activities will be conducted in compliance with the Commission's
-regulations and the issuance of these amendments will not be inimical to the common defense and security or to the health and safety of the public.
References 1.
VEPC0 letter (Stallings) to NRC (Case) dated October 14, 1977.
2.
"Staf f Discussion of Fif teen Technical Issues listed in Attachment G November 3, 1976, Memorandum from Director NRR to NRR Staff," NUREG-0138, November 1976.
3.
NRC letter'(Ziemann) to VEPC0 (Stallings) dated August 11, 1976.
k
11 4
4.
VEPC0 letter (Stallings) to NRC (Rurche) dated S'otember 7, 1976.
5.~
VEPC0 letter (Stallings) to NRC C<usche) dated Novemt9r 3,1976.
6.
VEPC0 letter-(Stallings) to NRC (Rusche) dated December 17,197G.
7.
VEPCO. letter (Stallings) to NRC (Rusche) dated February 25 1977.
8.
VEPC0 letter (Stallings) to NRC (Rusche) dated April 1, 1977.
9.
VEPC0 letter (Stallings) to NRC (Case) dated April 22, 1977.
10.
" Pressure Mitigating System Transient Analysis Results," prepared by Westinghouse for the Westinohouse user's group on reactor coolant system overpressurization, dated July 1977.
11.
VEPC0 letter (Stallings) to NRC (Denton) dated October 12, 1978.
i 12.
VEPC0 letter (Stallings) to NRC (Denton) dated December 15, 1978.
Dated: March 4,1980 t
t m.
,