ML19309C309
| ML19309C309 | |
| Person / Time | |
|---|---|
| Site: | Midland |
| Issue date: | 04/01/1980 |
| From: | Howell S CONSUMERS ENERGY CO. (FORMERLY CONSUMERS POWER CO.) |
| To: | Harold Denton Office of Nuclear Reactor Regulation |
| References | |
| HOWE-69-80, NUDOCS 8004080431 | |
| Download: ML19309C309 (100) | |
Text
Consumers Power
Stephen H. Howell, Senior Vice President
General Offices: 1945 West Parnall Road, Jackson, Michigan 49201 • (517) 788-0453
April 1, 1980
Howe 69-80
US Nuclear Regulatory Commission
Att Mr Harold R Denton
Office of Nuclear Reactor Regulation
Washington, DC 20555
MIDLAND PROJECT
DOCKET NO 50-329, 50-330
RESPONSE TO 10 CFR 50.54 REQUEST ON DESIGN ADEQUACY OF B&W SYSTEM
FILE: 0485.19 SERIAL: 8563
Enclosed are ten (10) copies of Consumers Power Company's response to your supplemental 10 CFR 50.54(f) request dated March '7, 1980 regarding B&W System Sensitivity.
Our conclusions with regard to continued construction contained in our original response to your 10 CFR 50.54(f) request have not changed either as a result of additional analyses performed and included as Revision 2 to that document or due to the effort expended in developing the attached response.
Changes to the Midland Plant expected to result from identified design evaluations and reviews will be mainly in the instrumentation and controls areas and can be accommodated within the current construction schedule. Therefore, we feel that sufficient information has been provided to support a decision to allow continued construction and that future exchanges on this issue should be conducted as part of the normal licensing review process.
The majority of your additional requests do not appear central to the 10 CFR 50.54(f) issue regarding potential construction stoppage since they do not seek information which we feel is supportive of determining the advisability of continued construction.
The nature of these requests is mostly in the area of design review and verification more appropriately issued as part of the normal FSAR licensing review. The Midland operating license application has been docketed for this purpose and we encourage your reinstitution of this process.
Consumers Power Company is prepared and available to interact with your staff and restart the detailed review of the Midland application.
Consumers Power Company
Dated: April 1, 1980
By Stephen H Howell, Senior Vice President
Sworn and subscribed to before me on this 1st day of April 1980.
Notary Public, Jackson County, Michigan
My commission expires September 21, 1932
RESPONSE TO 10 CFR 50.54(f)
SUPPLEMENT 1
Question F.1
Your discussion in Appendix F of the pre-TMI-2 changes for Midland states that newer control systems hardware (non-nuclear instrumentation [NNI]/integrated control system [ICS]) using dual auctioneered power supplies for logic modules rather than individual power supplies are being used.
a. For this modification, provide the logic and/or your failure mode and effects analysis that shows how systems will respond to failure in the power supply and input parameters.
Also provide your design criteria for the ICS with respect to these types of failures.
Information in the FSAR may be referenced or supplemented as appropriate for this response.
b. Operating events at several plants with B&W NSSS designs (including Rancho Seco in March 1978; Oconee Power Station, Unit 3 on November 10, 1979; and the Crystal River Station on February 26, 1980) have occurred which resulted in loss of power to the ICS and/or NNI system.
The loss of power resulted in control system malfunctions, feedwater perturbations, and significant loss of or confused information to the Operator.
NUREG-0500 also discussed LER 78-021-03L on Three Mile Island, Unit 2 whereby the RCS depressurized and safety injection occurred on loss of a vital bus due to inverter failure.
Discuss the extent to which these events would have been mitigated or precluded by the changes incorporated into the Midland design.
Include a response to action items 1 to 3 required of near-term licensees in IE Bulletin 79-27 and identify corrective actions you consider appropriate as a result of the Crystal River event.
Response
a. A failure modes and effects analysis (FMEA) was performed as one of the long-term actions directed by the NRC in its order of May 7, 1979.
The integrated control systems (ICS) FMEA determined the expected effects upon the Babcock & Wilcox (B&W) nuclear steam system from single failures of ICS input, output, and internal modules.
The Rancho Seco plant, specifically, was chosen as a representative design for all the B&W units for the analysis; however, because of the close functional similarity between plants, the results of the study are applicable to all 177-FA B&W plants including Midland.
The analysis was complemented with an evaluation of field data from all B&W operating plants, and a computer simulation to confirm the effects of various ICS failures on associated equipment.
The overall conclusion of the FMEA was that the reactor core remains protected throughout all of the ICS failures studied.
For those postulated ICS failures that could cause reactor trip, the safety systems operate independently of the ICS malfunction.
The overall conclusion from the operating experience evaluation was that ICS hardware performance has not led to a significant number of reactor trips.
The ICS has prevented more reactor trips than it has caused and thus its net effect has been a reduction in the number of challenges to the reactor protection system.
b. The FMEA of the ICS described in the response to Part a, above, discusses the reliability of the 820 control system design.
The nonnuclear instrumentation (NNI) utilizes the same design concept as the ICS; therefore, reliability of the NNI hardware is expected to be equivalent to that of the ICS.
This reliability is expected to minimize the frequency of ICS/NNI internal component failures which could result in plant transients.
The arrangement of the external power sources to the NNI and ICS is shown in Figure F.1.a-1 and is described in FSAR Subsections 8.3.1.1.6 and 8.3.2.1.
As shown, the ICS is supplied by two separate 120 V ac battery-backed power sources.
These sources power individual 24 V dc power supplies whose output is auctioneered.
Also supplied is a 120 V ac bus within the ICS cabinet which is equipped with an automatic bus transfer switch that provides access to both external battery-backed 120 V ac sources.
This is an extremely reliable power supply arrangement in that loss of either external power source will not result in a loss of ICS power.
NNI-X channel cabinets are supplied power in a manner similar to the ICS with the exception that the 120 V ac bus within the NNI-X cabinets is not equipped with an automatic bus transfer for access to both external battery-backed 120 V ac sources. Within the NNI-X cabinets, the 120 V ac bus is used to power resistance temperature detectors (RTDs), (E/P) converters and for monitoring field contacts.
Consumers Power Company (CPCo) is evaluating incorporation of an automatic bus transfer, similar to that utilized in the ICS, to improve the reliability of the NNI-X channel.
NNI-Y channel cabinets are supplied power from a single external battery-backed power source.
Loss of this supply would, therefore, result in a complete loss of the NNI-Y channel.
In light of the recent event at Crystal River, CPCo is reviewing the functions and interrelationships which exist between the NNI-X and NNI-Y channels.
Based on the results of this review, appropriate measures will be taken to improve the overall reliability of the NNI system.
In the unlikely event that a loss of power to the NNIs should occur, the consequences would be mitigated by design features including those listed below:
a. Upgrading of PORV control circuit to Class 1E status and removal of control from the NNI
b. Upgrading of selected pressurizer heater controls to Class 1E status and removal of control from the NNI
c. Class 1E indication of pressurizer level and pressurizer pressure independent of the NNI
d. Psat/Tsat subcooling meter independent of the NNI
e. Safety-grade auxiliary feedwater (AFW) actuation, control, and indication independent of the NNI/ICS.
These additional features result in providing the operator key information required to control the plant until NNI power is restored.
In addition to the modifications described above, CPCo is currently evaluating the need for upgrading other control room indications.
Necessary modifications or design changes based on the results of this evaluation will be implemented upon completion of this study.
CPCo evaluations of the design of the ICS, NNI, and associated power supplies will consider events at Rancho Seco, Oconee, Crystal River, and Three Mile Island.
Changes resulting from these studies would make any immediate response to IE Bulletin 79-27 premature and therefore inappropriate at this time.
[FIGURE F.1-1 NNI AND ICS 120 V AC PREFERRED POWER SUPPLY: one-line diagram showing the NNI-X primary and backup, NNI-Y, and ICS primary and backup DC power supplies]
Question F.2
We are concerned that an instability in the ICS could lead to transients initiating with plant parameters more severe than those assumed for the safety analysis or significantly increase the number of challenges to the protection system during early plant life.
In this regard:
a. The Midland ICS includes a significant difference from ICS designs of other plants in its evaporator steam development.
Describe all studies and tests which have been and will be conducted to establish stability and reliability of the Midland ICS design.
b. Operating experience at the Crystal River plant has indicated a control instability for the integrated control system when bringing the plant up to power with pump out of service.
Specify your criteria and describe Midland design features to preclude this type of instability.
c. Describe your design criteria, features, and operational requirements for the ICS and its supporting systems to preclude instabilities when:
(1) switching from manual to automatic control and vice versa or (2) switching from one operating mode for process steam to another mode.
Response
This question expresses a concern that the integrated control system (ICS) may cause nuclear steam supply system (NSSS) instabilities that significantly increase the number of challenges to the protection system.
This concern is unwarranted as can be readily ascertained by examination of the data tabulated below:

| Year | Item | B&W | Combustion Engineering | Westinghouse |
|---|---|---|---|---|
| 1976 | Number of automatic trips | 25 | 46 | 147 |
| 1976 | Number of plants | 6 | 5.1 | 19.13 |
| 1976 | Trips/plant/year | 4.17 | 9.02 | 7.68 |
| 1977 | Number of automatic trips | 30 | 31 | 174 |
| 1977 | Number of plants | 6.85 | 6.67 | 21.6 |
| 1977 | Trips/plant/year | 4.38 | 4.65 | 8.06 |
| 1978 | Number of automatic trips | 43 | 41 | 150 |
| 1978 | Number of plants | 8 | 7 | 23.4 |
| 1978 | Trips/plant/year | 5.38 | 5.86 | 6.41 |
| Three-year average | Trips/plant/year | 4.64 | 6.51 | 7.38 |

This information was extracted from the NRC Gray Book (NUREG-0020, Operating Units Status Report) for the years indicated.
Because Babcock & Wilcox (B&W) plants are not subject to excessive transients that challenge the protective systems [when compared to other pressurized water reactor (PWR) vendors], the concern that the ICS causes a significant increase in protective system challenges does not appear warranted.
On the contrary, operating experience at B&W plants has demonstrated that the ICS is a reliable system that tends to mitigate NSSS upsets rather than initiate them.
a. The Midland ICS design is not significantly different than designs at other B&W plants; rather, it is essentially the same.
The differences that exist are in the evaporator steam demand development described in FSAR Subsection 7.7.1.2.7.
This uniqueness has been scrutinized during the normal design review process.
Additionally, proper operation will be verified during ICS startup testing.
There are extensive preoperational (prefuel load) tests designed to determine system response and to identify and correct system instabilities.
Coupled with ICS tuning at power, the results of these tests will lead, where necessary, to the identification and correction of any potential operational difficulties.
b. This question expresses a concern that operation of the ICS in a three reactor coolant (RC) pump mode is suspect, due to the problem experienced at Crystal River in mid-1979.
The difficulties encountered during this incident were due to both operator unfamiliarity with this type startup and reduced operating margins resulting from the reduction in the high RC pressure trip setpoint.
At Midland, this trip setpoint will retain its original value, thus providing an increased operating margin over that existing at Crystal River.
The procedures were revised following the Crystal River event and the operators given further instruction in the proper execution of three RC pump startup.
The ICS is fully capable of providing adequate NSSS control during three RC pump startup and it is not expected to reoccur as a problem.
c. The ICS and evaporator steam demand development (ESDD) system are described in FSAR Section 7.7.
Operating procedures for plant startup and shutdown as well as procedures for switching process steam operating modes will be written.
These procedures will be utilized by the operators during these evolutions and will contain guidelines for transfer of control from automatic to manual and from manual to automatic.
In summary, the B&W ICS that will be used at Midland is designed and has been proven to regulate feedwater flow and other parameters automatically to maintain the plant in a stable condition during both steady-state and transient-power operation.
A failure modes and effects analysis has been completed and shows that no ICS failure can prevent proper safety system functioning.
This analysis and operating experience also demonstrates that the ICS is a reliable system with respect to preventing plant upsets.
Question F.3
Experience at operating B&W plants has indicated that the dynamics associated with main feedwater termination and steam generator pressure control following a reactor trip can lead to overcooling of the primary system.
Discuss your criteria and the adequacy of your existing and proposed design features and changes to preclude this overcooling situation.
Response
The dynamics associated with main feedwater (MFW) termination and steam generator pressure control following a reactor trip do not normally lead to overcooling of the primary system.
Following a reactor trip, the integrated control system (ICS) is designed to close the MFW control valves to terminate MFW and to open the turbine bypass valves to control steam pressure at approximately 1,000 psi.
The startup feedwater valve then controls MFW to the steam generator to provide for decay heat removal following the reactor trip.
Figure F.3-1 illustrates reactor coolant (RC) temperature and pressure following a reactor trip with proper feedwater flow and steam pressure control.
The rapid decrease in reactor power causes RC temperature to decrease; the resultant RC contraction causes a decrease in RC liquid volume and pressure.
The RC cold leg temperature reaches an equilibrium value equal to the saturation temperature of the secondary side steam pressure (546°F at 1,000 psig), and the RC pressure is restored to 2,155 psig due to the normal makeup flow which accommodates the RC contraction that occurs as the average RC temperature drops from 579°F to 546°F.
Overcooling of the primary system can occur if excessive MFW is added to the steam generator (due to improper feedwater valve control), or steam pressure falls significantly below 1,000 psig (due to improper steam relief valve operation).
Experience at a Babcock & Wilcox (B&W) operating plant has demonstrated that such overcooling is a moderate frequency event which is safely mitigated by the action of the high-pressure injection (HPI) system.
The operating data shows that there have been 24 reactor trip events followed by an overcooling which caused the RC pressure to fall below 1,600 psig and/or caused the RC temperature to exceed a 100°F in 1 hour cooldown rate.
The 1,600 psig value of RC pressure approximates the setpoint for automatic initiation of the HPI system (1,500 psig for Midland), and should be avoided for anticipated transients to minimize challenge to the safety systems.
The 100°F in 1 hour cooldown is a Technical Specification limit based upon the reactor coolant system (RCS) design analysis.
Table F.3-1 summarizes the B&W operating experience for such events and identifies the minimum values of RC temperature and pressure.
The 24 overcooling events which caused pressure to decrease to 1,600 psig or caused an average RC temperature cooldown in excess of 100°F in 1 hour have occurred in over 40 reactor years of operation, which is an acceptable moderate frequency of 0.6 events/year.
These 24 overcooling events compare to the 346 total number of reactor trips on B&W reactors.
Therefore, the basic design goal for overcooling is to minimize the frequency of automatic actuation of the HPI system and excessive cooldown rates due to improper steam generator pressure and feedwater flow control following a reactor trip.
Even though the actuation of HPI will maintain the plant in a safe condition for overcooling events (based on operating experience and the overcooling analysis presented in Reference F.3-1), the Midland design includes several additional features to further preclude such overcooling events caused by the dynamics associated with MFW termination and steam generator pressure control following a reactor trip.
These include:
a. Upgrade of required pressurizer heaters and controls to safety classification to enhance RCS pressure control following reactor trip
b. Addition of a two-channel, Class 1E auxiliary feedwater (AFW) control system to reliably establish a preset steam generator level and preclude overcooling due to AFW overfeeding
c. Adoption of newer control systems hardware [nonnuclear instrumentation (NNI)/integrated control system (ICS)] which uses dual auctioneered power supplies for the logic modules rather than individual power supplies for each logic module
d. Adoption of an increased pressurizer level range of 400 inches
In addition, Appendix F of Reference F.3-1 identifies proposed hardware and procedural changes related to the need for and methods for damping the primary system sensitivity to perturbations in the once-through steam generator (OTSG).
Several of these features are specifically included to preclude overcooling events caused by improper steam generation pressure or feedwater flow control following a reactor trip.
These changes are:
a. Restore the original B&W design features of turbine bypass, ICS runback, and power-operated relief valve (PORV) actuation to keep the reactor online, thereby minimizing the reactor trip frequency and the probability of subsequent overcooling.
Changes to accomplish this goal include the following features:
1) Original B&W 177-FA PORV and high RCS pressure setpoints (2,255 psig and 2,355 psig, respectively)
2) Safety-grade anticipatory reactor trip on total loss-of-MFW
3) Fully qualified safety-grade PORV
4) Reliable safety-grade indication of PORV position
5) Dual safety-grade PORV isolating block valves actuated by low RCS pressure engineered safety features actuation system (ESFAS) signal
6) Test program to demonstrate PORV operability (EPRI)
b. Upgrade the two-channel, Class 1E AFW control system to limit the rate of primary system cooldown by limiting the rate of steam generator level increase following a reactor trip where AFW is initiated (i.e., limiting AFW flowrates).
c. Evaluate the recommendations contained in the B&W ICS Failure Modes and Effects Analysis and implement appropriate modifications to ensure improved steam generator pressure and feedwater flow control following reactor trip.
d. Review the current Midland MFW system design to identify changes which would significantly decrease the frequency of feedwater upsets which might cause reactor trip, thereby minimizing the probability of subsequent overcooling.
e. Install an MFW overfill limiter to preclude feedwater overfill above a preset steam generator level, thereby minimizing overcooling due to failures in the MFW flow control system following reactor trip.
These existing and proposed design features will reduce the frequency of reactor trips during minor feedwater flow and steam pressure upsets while the reactor is at power, and minimize the probability of subsequent overcooling.
In addition, several of the features provide more reliable and accurate feedwater flow and steam pressure control following a reactor trip.
In summary, the experience at B&W operating plants has demonstrated that overcooling is a moderate-frequency event which is safely mitigated by the actuation of the HPI system.
The combination of existing and proposed design features at the Midland plant will serve to further reduce the frequency of overcooling due to improper steam generator pressure and feedwater flow control following reactor trip.
[FIGURE F.3-1 RCS RESPONSE TO REACTOR TRIP: plots of RC cold leg temperature and RC pressure versus time]
RESPONSE TO 10 CFR 50.54(f)
SUPPLEMENT 1 TABLE F.3-1 fS OVERCOOLING EVENTS AT B&W REACTORS V
Minimum RC Minimum Rc Temperature Pressure Date Event Description
(*F)
(psig) 6/13/75 Reactor trip on low pressure 429 720 from 19% FP due to pressurizer PORV opening.
Five and one-half minutes into the trans-ient HPI initiated when RC pressure reached 1,500 psig; RC pressure bottomed out at 720 psig when the PORV block valve was closed 28 minutes into the transient.
5/5/73 The reactor was manually tripped 520 1,330 from 18% FP after an instrument technician inadvertently opened a valve and caused a loss of MFW.
Approximately 4 minutes after the initial loss of FW, FW flow to both OTSGs was re-()
established at a high flowrate causing a rapid cooling of the RCS.
11/10/79 Reactor trip from 99% FP on RC 420 1,650 due to OTSG feeding.
Approximately 20 seconds after the reactor trip, all power to the ICS was lost and caused OTSG overfeeding due to the opening of FW valves.
4/23/78 Reactor trip from 30% FP due 464 to noise spike on power range neutron detector. Five main steam safety valves failed to reseat at the correct pressure and the OTSGs blew down to 550-600 psig before the valves reseated.
The operator reduced FW demand but failed to recog-nize that feed pump speed was in manual and did not run back feed pur.p speed causing over-feeding of the OTSGs.
Sheet 1 of 7
RESPONSE TO 10 CFR.50.54(f)
SUPPLEMENT 1 TABLE F.3-2 (Continued)
(
Minimum RC Minimum Rc Temperature Pressure Date Event Description
('F)
(psig) 3/2/77 Reactor trip from 40% FP due 410 1,800 to loss of power to the control rods and the ICS.
Subsequent OTSG overfilling caused RCS cooldown.
7/11/74 The reactor tripped on low RC 528 1,450 pressure following loss of the ICS auto power.
An instrument supervisor knocked out the 2KI-22 circuit breaker which i
supplies ICS auto power.
ICS power was restored in 30 to 45 seconds.
The reactor tripped from 80% on low RCS pressure.
The overcooling apparently was the result of improper FW con-trol while the ICS auto power was out.
10/23/77 The reactor tripped on low RCS 520 1,575
(])
pressure following OTSG over-feeding by AFW.
The transient started when a " half-trip" of the steam and FW rupture control system closed the startup FW valve to OTSG 2 followed by a low OTSG level trip of the turbine, OTSG isolation, and AFW initiation.
A rapid cooling of the RCS resulted due to AFW overfill.
9/24/77 Manual reactor trip from 9%
505 875 power when OTSG undercooling resulted in high pressurizer level (290 inches) and pres-sure.
The pressurizer PORV cycled nine times and stuck open, discharging to the quench tank.
PORV remained open and pressure decreased tripping ESFAS and starting HPI pumps at 1,600 psig.
O Sheet 2 of 7
RESPONSE TO 10 CFR 50.54(f)
SUPPLEMENT 1 TABLE F.3-2 (Continued) k'N)
Minimum RC Minimum Rc Temperature Pressure Date Event Description
('F)
(psig)
Pressure continued to de-crease until the PORV block valve was closed at 20 min-utes.
11/29/77 Reactor trip on high flux at 512 1,600
~
50% FP due to improper jumper in test equipment which caused the ICS to increase FW and pull control rods to increase power from 40% to the high flux trip setpoint at 62% FP.
Sub-sequent overcooling was caused by OTSG overfill with AFW.
11/7/78 The reactor was in a power run-528 1,550 back from 92% FP when it tripped on the variable temperature pressure trip due to loss of one MFW pump.
The ICS began a power runback to 55% FP, but because of the initially elevated
()
Tave, the reactor tripped at 64% FP; subsequent overcooling was apparently caused by a leaking or stuck open turbine bypass valve.
1/30/77 Reactor trip on low RC pressure NA 1,540 from 15% FP following manual turbine trip.
Following tur-bine trip, the OTSGs were under-fed causing RCS heatup.
Operator action to regain FW caused overfeedir.g and a subsequent low pressure reactor trip.
2/26/80 The reactor tripped on high RCS 514 1,325 pressure at 2,300 psig during an MFW upset initiated by loss of NNI power.
Due to the loss
~
, ~ ~
of NNI power, the ICS ran FW down and tried to increase
/~
\\ >T Sheet 3 of 7
RESPONSE TO 10 CFR 50.54(f)
SUPPLEMENT 1 TABLE F.3-2 (Continued)
()
Minimum RC Minimum Rc Temperature Pressure Date Event Description
(*F)
(psig) reactor power resulting in the reactor trip.
The pressurizer PORV opened and stayed open due to the power failure.
RCS pressure decreased to 1,500 psig where HPI was automatically initiated and the four RCS pumps were turned off in accordance with procedure.
The PORV isolation valve was manually closed by the operator.
3/28/79 Reactor trip on high RC pressure
~280
~600 from MFW.
100% power due to loss of MFW.
The pressurizer PORV stuck open and remained open, and RC pressure de-creased below 1,600 psig to N600 psig.
12/14/78 The reactor tripped from 98% FP NA 1,440 g-on pressure / temperature trip after
(
an electrical short caused the ICS to pull rods to raise Tave.
Both main feed pumps tripped on high discharge pressure; emergency feed pumps started and then stopped when MFW was re-established.
MFW did not control properly, and level in "B"
OTSG went to zero.
Emergency FW reestablished to "B" OTSG and caused overcooling which initiated HPI.
6/18/74 The reactor was tripped manually
~530
~1,610 from 7% FP following about 10 minutes of oscillatory be-havior of the primary and secondary systems.
A loss of instrument air caused the turbine bypass valves to close
~
and the FW valve to partially open. The undercooling caused the RC temperature and O
Sheet'4 of 7
RESPONSE TO 10 CFR 50.54(f)
SUPPLEMENT 1 TABLE F.3-2 (Continued)
Minimum RC Minimum Rc Temperature Pressure Date Event Description
(*F)
(psig) pressure to increase followed by several minutes of oscillation before the reactor was tripped.
The OTSGs were boiled dry and were dry for 7-8 minutes before level was restored to normal.
11/20/73 The reactor tripped on low RC NA
%1,600 pressure from 57% FP due to a stuck-open pressurizer spray valve.
The RC pressure started decreasing and the oeprator was successful in attempts to close the pressurizer spray valve and block valve.
The spray line block valve was finally closed after reactor trip when an electrician entered the containment and jumpered the torque overload circuit.
3/29/78 Reactor trip on the pumps / power 530 1,173 trip during hot zero power testing caused by a loss of vital bus power to the reactor protection system.
The loss of vital power caused a partial loss of NNI and caused the pressurizer PORV to open and remain open.
RCS pressure de-creased from 2,200 psig to 1,173 psig in 4-1/2 minutes before the vital bus power was restored and the PORV closed.
HPI started automatically at 1,600 psig, 2 minutes and 15 seconds after the reactor trip, and restored RCS pressure.
4/16/77 Manual reactor trip from 15% FP
~474 1,810 in accordance with the test
~
procedure for shutdown from outside the control room.
Sub-sequent OTSG overfeeding was due
)
v Sheet 5 of 7
RESPCNSE TO 10 CFR 50.54(f)
SUPPLEMENT 1 TABLE F.3-2 (Continued)
(
Minimum RC Minimum Rc Temperature Pressure Date Event Description
(*F)
(psig) to the FW pump in manual and the startup FW valves sticking partially open.
Both OTSGs were fed to a point in excess of 100% on the operating range.
1/6/79 Turbine trip from 71% FP with 521 1,600 an FW block valve stuck in an open or partially open position.
The operator then closed the MFW cross-connect valve and tripped one feed pump causing underfeeding.
The operator tripped the reactor and started the emergency feed pump which then overfed the OTSGs.
12/2/78 Reactor trip from 22% FP on 515 1,600 low RCS pressure while switch-ing from the startup to the
()
MFW control valves.
Prior to the trip, the MFW control valves were full open by manual hand-wheel with the instrument air isolated.
When the operator increased FW pump speed during the switching-process, the OTSGs were overfed and the reactor tripped on low RCS pressure; subsequent over-cooling was caused by overfeed-ing the OTSGs.
3/20/78 Reactor trip on high RC pressure 285 1,490 from 70% power due to LOMFW caused by faulty input signals to ICS.
Subsequent OTSG overfeed from both MFW and AFW overcooled primary system and overfilled the OTSGs.
O O
Sheet 6 of 7 l
l
RESPONSE TO 10 CFR 50.54(f)
SUPPLEMENT 1 TABLE F.3-2 (Continued)
G
/
Minimum RC Minimum Rc Temperature Pressure Date Event Description
(*F)
(psig) 1/15/79 Reactor trip on high RC pressure 430 1,183 from 100% power due to OTSG under-feeding caused by loss of power to ICS.
MFW was not te rmina ted.
AFW was started and both MFW and AFW overcooled the primary system by overfilling the OTSGs.
8/16/79 Reactor trip on high RC pressure 500 1,550 from 45% power due to OTSG under-feeding caused by faulty FW pump speed control.
The "A" MFW valve remained open and subsequent OTSG overfeed caused primary system overcooling.
10/7/74 Manual reactor trip from 15%
408 1,810 power to prevent RCS heatup caused by LOMFW due to loss of condenser vacuum.
Secondary steam leaks to auxiliary loads O-(MFW pumps, air ejectors, etc) caused excessive steam relief, loss of steam pressure, and primary system cooling.
Question F.4
Your response states that you intend to bring together information from B&W and your own evaluations of B&W operating plant experience coupled with the ICS-FMEA and a B&W review of overcooling transients to identify the changes which may significantly decrease the frequency of upsets to feedwater.
State when this review and analysis of the MFW system will be performed and how the recommendations and studies proposed in your response are likely to be affected by your results.
Response
The review of the Midland feedwater system will be performed during 1980 and the results of this study will be factored into the Midland design.
As stated in our original response, the potential changes to the design which have been identified to date are related to plant control and instrumentation.
We do not expect that the final results of this study will affect these conclusions.
Question F.5
Other applicants responding to our October 25, 1979 requests have considered the following additional items to further decrease undesirable perturbation in the once-through steam generator:
a. Increased demineralized water makeup capacity to the condenser hotwell during runback following a turbine trip.
b. Increased bypass capability around the condensate polishers with fast acting valves.
Discuss these and like considerations which you have given to the Midland design and their effectiveness.
Response
The items identified in this question have been evaluated for their applicability to the Midland plant.
As discussed below, unique features of the Midland design eliminate the need for or benefit of these changes.
a. Increased Demineralized Water Makeup Capacity to the Condenser Hotwell During Runback Following a Turbine Trip
The Midland design does not include the large atmospheric dump capability which may exist in other plants.
As a result, the water lost from the Midland cycle, which must be made up from the condensate storage tank, will be less.
Also, the Midland design includes a deaerator with a fairly large storage capacity.
During a transient, the deaerator and the condenser provide a large surge volume which, balanced with the size of the line from the condensate storage tank to the condenser, provide adequate makeup capability.
During the normal course of design, the adequacy of the makeup line has been verified.
b. Increased Bypass Capability Around the Condensate Polishers with Fast Acting Valves
This design modification is more applicable to plant designs which do not include a deaerator in the cycle.
A fast bypass capability is not necessary for Midland since a surge volume for the feedwater and booster pump suction is provided by the deaerator storage tank.
This feature would be more important when the condensate pumps provide a direct discharge into the feedwater pump suction and disturbances in the condensate system are immediately reflected at the feedwater pump.
Other considerations which are applicable to the feedwater system are under review and are included in the main feedwater design study.
The items in this study include, but are not limited to, assuring a stable delta P signal for control of main feedwater, assuring smooth transients from startup to the main feedwater valve control, and investigating the role of the integrated control system runbacks on secondary system disturbances.
Question F.6
Discuss the advantages and disadvantages, if any, of a control independent of the ICS to terminate main feedwater flow following a reactor trip.
Response
The routine termination of main feedwater (MFW) following a reactor trip would constitute an overreaction to the potential for low probability (overfill) or low risk (overfeed) events.
These two events are sometimes confused.
Temporary overfeed occasionally occurs following reactor trip.
While this constitutes a departure from ideal post-trip performance, it is not a serious concern.
The resulting shrinkage can be easily accommodated within the indicated range of the pressurizer.
The most frequent causes of this event are equipment malfunction or improper tuning of control systems.
At Midland, careful tuning of the integrated control system should reduce the probability of this occurrence.
Once-through steam generator (OTSG) overfill is definitely an undesirable event which, as previous analysis demonstrates, can result in reactor coolant system overcooling.
It is, however, a low probability event and certainly does not routinely occur following reactor trip.
At Midland, the design of the MFW control system will include the capability to prevent OTSG overfill.
The routine termination of MFW (the preferred source of water for the steam generator) following reactor trip would unnecessarily exercise the auxiliary feedwater system, complicate the control room operators' duties following a trip, and superimpose an additional transient upon the steam generators.
Furthermore, this action would place the entire nuclear steam supply system in a degraded condition by deliberately defeating the primary means of removing heat from the reactor coolant system, main feedwater.
Question F.7
Specify the extent to which control limitations such as valve and pump speed responses affect main feedwater stability, particularly:
a. during startup from the manual to the automatic operational mode or
b. during automatic switchover from one process steam mode to another.
Response
a. The response of the main feedwater system during the startup phase at low power is a critical item in both the once-through steam generator (OTSG) and recirculating steam generator startups.
At low power levels during both manual and automatic control, the response of the system should be as smooth as possible and the system should be designed to eliminate any perturbations which could cause rapid changes in system parameters.
To accomplish this, the feedwater pump speed when in manual control should be adjusted to maintain an approximately 35 psi differential pressure across the control valve.
In this way, changes in feedwater valve positions during manual control will result in a slow change of flow.
Also, since the automatic control maintains an approximately 35 psi differential across the control valve, the transfer from manual to automatic will not result in changes to the pump speed which could perturb the system.
The flow control valve characteristics at low flows are also an important factor in obtaining smooth control.
A 35 psi pressure drop across the control valve permits the valve to operate in its normal control range resulting in smoother control.
In addition to these operating guidelines, design features have been incorporated in the Midland plant to eliminate unwanted perturbations of the system.
One such feature is the Midland feedwater pump recirculation valve which is a modulating valve and eliminates any changes caused by an on/off valve controller.
Even considering the above, manual control of feedwater is highly dependent on the operator.
Operator capability to control the flow at low powers increases with experience and training.
b. The process steam transfer system will be modified so that all mode changes except Mode 1 to 2 will be initiated by the operator and will be executed at rates of load change which are well within the response capabilities of the integrated control system (ICS), reactor, turbine-generator, and feedwater system.
A Mode 1 to 2 transfer (Unit 1 extraction supply to Unit 1 main steam supply) can be initiated manually or automatically.
When manually initiated, the Mode 1 to 2 transfer will be conducted in a controlled manner to minimize perturbations in Unit 1 reactor power, MWe load, and feedwater flow.
When automatically initiated, such as following a turbine trip, our intent is to execute the Mode 1 to 2 transfer as quickly as possible to reduce the magnitude of the steam and feedwater flow transients.
Question F.8
State the design objectives of the revised auxiliary feedwater control system.
Also indicate whether it will:
a. Initiate for all loss of MFW events, either total or partial, and at what lower limit;
b. Initiate on SIAS;
c. Initiate on loss of offsite power;
d. Preclude overcooling or undercooling of the primary system even with a single failure in the system (e.g., failures in input, power, valves); and
e. Interact in any adverse fashion with the Feed-Only-Good-Generator interlock.
Also, describe how you will demonstrate that the dynamic response has been achieved.
Response
I. GENERAL
The design objectives of the auxiliary feedwater (AFW) control system are as follows:
a. Redundant and independent initiation and control circuits will be provided for each AFW train such that the capability to initiate and control at least one AFW train, when required, is maintained even when degraded by a single random failure. Redundancy and independence will be provided from the sensors through the actuated devices.
b. The redundant portions of the AFW control system will be powered by separate Class 1E vital battery-backed buses such that the objective of Item I.a can be accomplished with the loss of a single vital bus or with the loss of all ac power except that derived from inverters.
c. The system will provide automatic initiation of AFW for all required conditions including emergency core cooling system actuation.
d. The AFW system and its controls will be designed such that AFW flow will be injected within 40 seconds after an initiation signal. This time limit includes the time required for diesel startup and generator loading.
e. Two level setpoints will be provided. The low steam generator level setpoint (approximately 2 feet) provides adequate inventory for decay heat removal with forced primary circulation. The high steam generator level setpoint (approximately 20 feet) provides adequate inventory for decay heat removal with natural circulation of primary coolant. The control system will automatically select the appropriate setpoint based on reactor coolant (RC) pump status.
f. The injection of full AFW flow can, under certain conditions (high level setpoint, low decay heat), result in considerable cooling of the primary system. Therefore, the control system will be designed to limit AFW flow based on a predetermined rate of steam generator level increase. The rate limit will be selected such that overcooling is minimized at low decay heat levels and adequate cooling is provided at maximum decay heat levels. The minimum level rate will be established based on providing adequate cooling with maximum decay heat. This rate limit will then be assessed with respect to minimization of overcooling at low decay heat conditions. Calculations have shown that under worst case overcooling conditions (high level setpoint, zero decay heat, no makeup flow), level rate control will provide at least 10 minutes of automatic control before operator action is required to prevent loss of pressurizer level indication. However, performance verification of level rate control and final setpoint (rate limit) determination will be accomplished by preoperational testing.
g. Primary system cooldown during AFW operation will be controlled to less than 100°F in any 1 hour time period.
h. The system shall not include control of secondary system pressure. Existing control of steam generator pressure by the integrated control system utilizing both turbine bypass valves and steam safety relief valves shall be retained.
i. The system will include necessary bypass features of the automatic initiation for plant startups and shutdowns.
II. RESPONSES TO QUESTION F.8.a THROUGH F.8.e
a. See response to Question F.9.
b. See response to Question F.9.
c. See response to Question F.9.
d. The entire AFW system, including controls, is designed to provide decay heat removal assuming a single failure. The level rate control feature of the AFW control system is not intended to be designed to single failure requirements, i.e., a single failure can result in full AFW flow with resultant potential for overcooling. AFW flow to the steam generator caused by such an event would be terminated automatically when a high once-through steam generator level was reached or more probably by manual operator action. Designing level rate control to prevent overcooling in the event of a single failure, if indeed achievable, would result in a reliability degradation in meeting the safety function of the AFW system (decay heat removal).
e. See response to Question F.12.
As stated in Item I.f, preoperational tests to verify the adequacy of the AFW level control system will be conducted.
This program will require that a test of the system be performed both before and after fuel load.
Question F.9
For your intended revision to the AFW initiation logic, identify the signals (e.g., generator level, no feedwater flow, loss of pump suction pressure, SIAS, and loss of steam flow to pumps) that will be used to initiate AFW and justify their use.
Also, update your response to our request 031.51 to identify the type and characteristics of the revised transmitters selected for the reverse feedwater flow monitoring system.
Response
Automatic initiation of the auxiliary feedwater (AFW) system is based on the need for AFW flow to accomplish the following:
a. Maintain continuity in reactor coolant system (RCS) flow during the transition from forced to natural circulation when RC pumps are tripped
b. Prevent the boil-off of the entire inventory of water immediately following a loss-of-main feedwater (MFW) occurrence and anticipatory trip of the reactor
c. Provide a conservative margin to prevent overpressurization of the RCS due to potential undercooling following a loss-of-MFW event
The individual parameters selected to initiate AFW and the specific justification for each are as follows:
a. Loss of both MFW pumps:
The AFW system provides a backup source of feedwater sufficient to remove decay heat and pump heat should the primary source (MFW) be lost.
Low control oil pressure is sensed because this condition will exist whenever an MFW pump turbine is tripped.
b. Low steam generator level:
Low level in either once-through steam generator (OTSG) is indicative of insufficient feedwater flow and provides a backup for initiation on loss of MFW.
c. Emergency core cooling actuation system (ECCAS):
ECCAS actuation results in initiation of the main steam line isolation system (MSLIS) which isolates main steam and
Therefore, AFW is required to remove decay heat.
FOGG logic will prevent AFW flow to a ruptured steam generator and acts independently of the AFW actuation system.
d. Loss of RC pumps:
Loss of forced RC flow will result in a reactor trip and integrated control system (ICS) runback of MFW.
AFW is initiated to raise the OTSG level to approximately 20 feet to facilitate establishing and maintaining natural circulation of primary coolant.
e. Low steam pressure:
Low steam pressure will initiate the MSLIS and isolate main steam and MFW to both OTSGs.
Therefore, AFW is required to remove decay heat.
FOGG logic will prevent AFW flow to a ruptured steam generator.
(See the response to Question F.12 for a discussion of the FOGG logic).
f. Loss of offsite power:
Undervoltage on either of the Class 1E 4160 V buses is sensed to indicate a loss of offsite power.
A loss of normal ac station power will result in the loss of MFW and all four RC pumps.
This signal provides diverse initiation for both a loss of MFW and a loss of forced RCS flow.
The necessity for and configuration of the reverse feedwater flow monitoring system are currently being reevaluated.
Therefore, additional information is not available at this time.
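
The initiation parameters listed in this response, together with the setpoint selection of F.8 item I.e, can be modelled to check which events have more than one initiating parameter. This is an added Python example, not part of the original submittal; the signal names and the event-to-signal mapping are assumptions built only from the sentences above, and the check concerns parameter diversity, not the train redundancy of item I.a.

```python
from dataclasses import dataclass, fields, replace

# Approximate level setpoints quoted in the F.8 response, item I.e (feet).
LOW_SETPOINT_FT = 2    # forced primary circulation, RC pumps running
HIGH_SETPOINT_FT = 20  # natural circulation, RC pumps tripped


@dataclass(frozen=True)
class Signals:
    """One tripped/not-tripped flag per initiating parameter (names are hypothetical)."""
    both_mfw_pumps_lost: bool = False  # a. low control oil pressure, both MFW pump turbines
    low_sg_level: bool = False         # b. low level in either OTSG
    eccas: bool = False                # c. ECCAS actuation
    rc_pumps_lost: bool = False        # d. loss of RC pumps
    low_steam_pressure: bool = False   # e. low steam pressure
    bus_undervoltage: bool = False     # f. undervoltage on either Class 1E 4160 V bus


@dataclass(frozen=True)
class AfwDemand:
    initiate: bool
    causes: tuple
    level_setpoint_ft: int
    mslis_initiated: bool


def evaluate(sig: Signals) -> AfwDemand:
    """Any tripped parameter initiates AFW; RC pump status selects the level setpoint."""
    causes = tuple(f.name for f in fields(sig) if getattr(sig, f.name))
    setpoint = HIGH_SETPOINT_FT if sig.rc_pumps_lost else LOW_SETPOINT_FT
    # Items c and e both state that the MSLIS is initiated.
    mslis = sig.eccas or sig.low_steam_pressure
    return AfwDemand(bool(causes), causes, setpoint, mslis)


# Constructed sample events: which parameters the text says would trip for each.
EVENTS = {
    "loss of MFW": Signals(both_mfw_pumps_lost=True, low_sg_level=True),
    "loss of offsite power": Signals(bus_undervoltage=True,
                                     both_mfw_pumps_lost=True,
                                     rc_pumps_lost=True),
    "loss of RC pumps": Signals(rc_pumps_lost=True),
    "low steam pressure": Signals(low_steam_pressure=True),
    "ECCAS actuation": Signals(eccas=True),
}


def sole_initiators(sig: Signals) -> list:
    """Parameters whose failure to trip leaves the event with no initiation in this model."""
    result = []
    for name in evaluate(sig).causes:
        masked = replace(sig, **{name: False})
        if not evaluate(masked).initiate:
            result.append(name)
    return result


def diversity_report() -> dict:
    """Map each sample event to the parameters it depends on without a backup."""
    return {event: sole_initiators(sig) for event, sig in EVENTS.items()}


if __name__ == "__main__":
    for event, sig in EVENTS.items():
        demand = evaluate(sig)
        print(f"{event}: initiate={demand.initiate}, "
              f"setpoint={demand.level_setpoint_ft} ft, "
              f"MSLIS={demand.mslis_initiated}, "
              f"undiversified={sole_initiators(sig)}")
```
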
Question F.10
You state that changes to the Midland auxiliary feedwater configuration since the TMI-2 accident will include:
a. Modification of the AFW pump suction piping from one interconnected system for both Midland units to two systems operating independently to supply AFW to each unit, and
b. The addition of redundant flowpaths from the discharge of each AFW pump to each steam generator.
Provide a simplified diagram illustrating the previous and revised configurations.
Include a table denoting valve positions during normal and abnormal operating conditions.
Specify your schedule for completion of the details of the revised Midland AFW design.
Response
Figures F.10-1 and F.10-2 illustrate the previous (current) design and planned revised design, respectively, for both the suction piping and the discharge piping.
The detailed control design and analysis is incomplete at this time; however, Figure F.10-2 indicates the control parameters planned to be used in the design.
Table F.10-1 summarizes the position of valves under five selected operating conditions.
For simplicity of presentation, we elected to assume no single failures.
The positions tabulated represent the alignment of the valves upon receipt of the actuation signal.
Detailed design of the revised auxiliary feedwater system is expected to be essentially complete by August 1980.
FSAR updating is anticipated at that time.

TABLE F.10-1
AFW SYSTEM VALVE POSITIONS - REVISED SYSTEM

| Valve Number | Normal Cooldown to DHR Initiation (Deaerator Suction) | AFWAS Actuation (CST Suction) | AFWAS and Low AFW Pump Suction Pressure (SWS Suction) | Steam Generator A Main Steam Break (CST Suction) | Station Blackout Operation (CST Suction) |
|---|---|---|---|---|---|
| Train A | | | | | |
| 2MO3993A1 | Close | Close | Open | Close | Close |
| 2MO3993A2 | Close | Close | Open | Close | Close |
| 2MO3968A | Open | Open | Close | Open | Open |
| 2LV3975A1 | Modulate | Modulate | Modulate | Close | Modulate |
| 2LV3975A2 | Modulate | Modulate | Modulate | Modulate | Modulate |
| 2XV3989 (1) | Close | Close | Close | Close | Close |
| 2MO3965A | Open | Open | Open | Close | Open |
| 2MO3970B | Close* | Open | Open | Close | Close |
| Train B | | | | | |
| 2MO3993B1 | Close | Close | Open | Close | Close |
| 2MO3993B2 | Close | Close | Open | Close | Close |
| 2MO3968B | Open/Close | Open | Close | Open | Open |
| 2LV3975B1 | Close | Modulate | Modulate | Modulate | Modulate |
| 2LV3975B2 | Close | Modulate | Modulate | Close | Modulate |
| 2MO3965B | Open | Open | Open | Open | Open |
| 2MO3970A | Close* | Open | Open | Open | Close |
| Common | | | | | |
| 2MO3956 | Close | Open | Open | Open | Open |
| 2MO3940A | Open | Close | Close | Close | Close |
| 2MO3940B | Close | Close | Close | Close | Close |
| 2MO3936 | Close | Close | Close | Close | Close |

(1) Valve 2XV3989 is only open when the AFW system is used for plant startup or cooldown via the main feedwater system.
(2) At least one of the two valves to each steam generator will be open.
(3) Valves will modulate, but since motor-operated pump is not operating, there will be no flow through these valves.
[Figures F.10-1 and F.10-2: AFW system suction and discharge piping, previous (current) design and planned revised design. The drawings are not legible in this copy.]
Question F.11
In the event of a steam line break upstream of the MSIVs accompanied by failure of a MSIV in the intact line, reliance is placed upon reliable but non-safety grade circuits and downstream valves to isolate steam flow except for residual flows associated with turbine gland sealing, etc.
Describe the behavior of the revised FOGG interlock during this accident scenario, including the significance, if any, of the residual steam flow limits on the FOGG system.
Response
An analysis of worst-case single failures following a main steam line break has been performed and is discussed in the FSAR in the response to NRC Question 211.185.
This analysis shows that the maximum blowdown of the unaffected steam generator occurs if the atmospheric dump valve on that steam generator fails open.
Blowdown from the unaffected steam generator through the atmospheric dump valve exceeds the blowdowns through available residual flowpaths if the main steam isolation valve fails to shut and therefore provides a worst-case scenario for evaluation of the revised FOGG logic.
The results of this analysis will be reviewed as described in the response to Question F.12 to ensure proper operation of the FOGG interlock.
Question F.12
In addition to the FMEA for the revised FOGG interlock to be provided as part of your revised AFW evaluations, identify those events and combinations of events which have been and will be evaluated to assure that no confused or inadvertent inputs (such as from a previously unrecognized event or event combination) can lead to a malfunction or undesirable operation of the FOGG system.
Also describe any studies and tests performed to assure proper integration and interaction of the FOGG interlock with other systems.
Response
Failure modes of the FOGG interlock will be evaluated during the normal process of system design to ensure the design meets single failure criteria.
No formal failure modes and effects analysis of the FOGG interlock is being prepared.
Babcock & Wilcox is currently reviewing the steam line break spectrum studies submitted in the Midland FSAR.
This review is to assure the revised FOGG logic does not invalidate any of the submitted results, will respond properly for all break sizes, and does not interfere with normal operational transients.
The output from this review will be appropriate setpoints for FOGG action.
Question F.13
Describe the results of your design evaluation studies for the several process steam operating modes performed to determine whether any unique opportunities for operator or equipment errors (such as improper system alignments, including misalignments between circuitry and hardware) or adverse interactions unique to a given mode exist which could lead to overcooling or overpressurization transients or accidents more severe than those for which the protection systems have been analyzed and designed.
Identify the maximum potential contribution of the process steam to the sensitivity of overcooling events for the Midland plant, whether as a result of heat extraction through the tertiary heat exchangers or via any control system change influenced by the Dow use of steam.
Response
Operating at its full design capacity, the Midland process steam system (PSS) will consume about 40% of the steam flow from the nuclear steam supply system (NSSS) from which it is supplied.
Actual load projections indicate that the system will operate at 50% or less of its design capacity for several years following initial operation.
The potential contribution of the PSS to cause undercooling transients is limited by the fraction of NSSS output which is dedicated to process steam production.
Unique operator errors or equipment malfunctions could produce a step decrease in NSSS steam load of 40% (loss of the PSS).
This load rejection is obviously well within the capability of the reactor protection systems, which are designed for 100% load rejections.
The maximum potential PSS load increase leading to reactor overcooling is represented by a rupture of the 36-inch main steam supply line to the PSS.
Analyses of such steam line breaks of varying size and location are presented in Appendix 15D of the Midland FSAR.
No unacceptable overcooling conditions were found.
Although the worst case transients originating from the PSS are well within the design capabilities of plant protection systems, the impact of less severe PSS operational transients is of concern.
In response, reevaluation of the design and operation of the PSS is being conducted with the objective of reducing the frequency and severity of operational transients within the PSS while maximizing system availability.
Additionally, post-fuel load testing of the PSS will be conducted to verify that normal mode transfers and load changes are within the response capabilities of the plant control systems.
Question F.14
You state that you are currently investigating modifications to the AFW level control system to limit primary cooldown rate following AFW actuation.
Describe how the control modifications under consideration would provide the capability to distinguish in a positive manner between transients and accidents with regard to SG level setpoint control.
Also describe how two-phase level during swell from depressurization affects level detection and how this is treated in the analyses.
Response
The auxiliary feedwater (AFW) control system will have two once-through steam generator (OTSG) level setpoints that are automatically selected based on reactor coolant (RC) pump status.
This method of selection ensures the appropriate level setpoint will be in effect for all transients and accidents requiring AFW.
The high level setpoint (20 feet) will be selected automatically when the RC pumps are tripped.
For transients and accidents where the RC pumps remain operational, the low level setpoint is adequate for heat removal.
For accidents where the RC pumps are lost, either intentionally as in a small break loss-of-coolant accident or due to a loss of offsite power, the level setpoint will automatically be raised to the high level.
During the initial phase of a small primary system break (approximately 20 minutes to 1 hour depending on power level at time of trip), the control system will automatically raise steam generator levels to the high setpoint.
The operator will then manually control AFW flow to raise OTSG levels to the level specified in the small break operating guidelines.
Preliminary evaluations indicate that level rate control provides adequate AFW flowrates for all accidents requiring AFW.
This will be verified by a detailed evaluation of Chapter 15 events.
In the unlikely event that level rate control provides insufficient AFW flow for certain accidents, the control system will provide for bypass of the level rate limiting function under those conditions and allow full AFW flow up to the OTSG level setpoint.
Errors in level detection can occur from several phenomena, most notably ambient temperature effects on reference legs and level sensors.
Of these phenomena, errors due to two-phase level during swell from depressurization are considered to be relatively minor and of short duration.
However, this effect and other error mechanisms are presently under evaluation and will be accounted for in the overall design either by analytical input assumptions, changes in level setpoints, or operating guidelines.
Question F.15
The modifications, recommendations, and studies you present to reduce sensitivity are in the direction of additional automation of the plants.
While this approach leaves the operator free to verify system performance and should improve the control of transients, we are concerned that potential system interaction effects might result.
Therefore, a complete and integrated review of the primary and secondary system should be performed to assure that no significant adverse interactions result from the modifications that are ultimately made.
Describe your plans and schedules with regards to performing such a comprehensive, integrated evaluation of these changes, based upon conservative and realistic analyses and simulator comparisons as appropriate.
Response
The modifications proposed in our response to your 10 CFR 50.54(f) request are based upon sound engineering judgment of their benefit to both system operation and overall plant safety.
A comprehensive integrated evaluation of these changes will be provided through various methods previously discussed.
These include safety sequence analysis work by EDS Nuclear, construction of event trees as part of the abnormal transient operating guidelines (ATOG) program, reliability analysis of the Midland auxiliary feedwater system being conducted by Pickard, Lowe, and Garrick, Inc., and overall plant response testing to be conducted prior to commercial operation.
Additionally, extensive analysis has been conducted by Babcock and Wilcox on the overall plant impact of overcooling type accidents and transients.
This work is presented in our revised 10 CFR 50.54(f) response (Revision 2, April 1980).
Question F.16
Provide the following analyses:
a. Overcooling event initiated by steam pressure regulator malfunction resulting in increased steam flow,
b. Overcooling event initiated by feedwater system malfunctions that result in decreased feedwater temperature.
For these analyses, assume no beneficial operator action before 10 minutes.
Also, only qualified safety systems should be assumed for mitigation.
Identify which safety and nonsafety grade systems are considered to operate during this transient and specify the part each of these systems take in the transients.
Identify the signals acting upon these systems during the transients.
The analyses should be performed for a period of at least 10 minutes after transient initiation.
If existing analyses which are presented for a shorter duration are utilized for this response, then confirm that during the time not shown out to 10 minutes:
(1) No operator action is required or assumed.
(2) No changes in operating systems are required.
(3) No significant changes result out to 10 minutes, such that extrapolation from the results presented is considered valid.
Response
a. The steam pressure regulator malfunction event has been analyzed and is included in our 10 CFR 50.54(f) response, Revision 2, April 1980.
b.
The overcooling event initiated by feedwater system malfunctions that results in decreased feedwater temperature was analyzed in the FSAR, Section 15.1.1.
The overcooling effect is less severe than the steam generator overfill and steam pressure regulator malfunction events previously analyzed and therefore is not included as part of the 10 CFR 50.54(f) response.
The existing FSAR analysis is carried out for 60 seconds.
If this analysis was continued for a full 10 minutes operator action would not be necessary, operating systems would continue to perform in their normal, post-trip mode, and plant parameters would trend from
(-)g their 60-second value as expected after a reactor trip.
Question F.17
You have stated during related meetings with NRC and with ACRS subcommittees that the analyses presented in your current 50.54(f) response were not necessarily selected to represent the worst case.
Provide your recommendations as to what criteria, assumptions, and experience should be recognized in defining the worst case for design purposes.
Response
From those events considered to be of moderate frequency, a full spectrum of overcooling events has been presented in the Midland response to 10 CFR 50.54(f), Revision 2 (April 1980).
The results have varied from no voiding in the reactor coolant system to the formation of large steam voids.
In all cases, however, adequate core cooling has been maintained.
The referenced statements were meant to indicate that additional analyses were to be performed.
These analyses have been completed and are included in the revised 10 CFR 50.54(f) response.
Question F.18
Regarding your proposed changes to the pressurizer level indication, specify the new location of the instrumentation taps and revise FSAR Figure 3.8-73 accordingly.
Also provide or reference the relationship between "indicated" and "actual" level for the revised Midland design.
Response
The Midland pressurizers will be modified to increase the indicated level range from 0-320 inches to 0-400 inches.
Figures F.18.1 and F.18.2 show the azimuthal and elevation locations, respectively, of the three new high level sensing nozzles and the three new low level nozzles.
Table F.18.1 is to be used in conjunction with Figure F.18.2 to define the location of each nozzle.
Table F.18.2 provides the relationship between "indicated" pressurizer level and the "actual" water volume.
FSAR Figure 3.8-73 will be revised when field modification is completed.
TABLE F.18.1 NOZZLE LOCATION MATRIX

| Nozzle No. | Angular Location | Dimension | Move From Present Location (1) |
|---|---|---|---|
| 1 | W to X 14°11' | A | 32.375 ± 0.125 up |
| 2 | Y to Z 74°11' | A | 32.375 ± 0.125 up |
| 3 | Z to W 44°11' | A | 32.344 ± 0.125 up |
| 4 | W to X 14°11' | B | 40.344 ± 0.125 down |
| 5 | Y to Z 74°11' | B | 40.25 ± 0.125 down |
| 6 | Z to W 44°11' | B | 40.3125 ± 0.125 down |

(1) The new level nozzle locations are to be established based on the existing as-built nozzle locations as a datum.
Appropriate locating dimensions and directions are given above.
TABLE F.18.2 ACTUAL PRESSURIZER WATER VOLUME VERSUS INDICATED PRESSURIZER LEVEL

| Indicated Level (in) | 0-320 Inches Range (cu ft) | 0-400 Inches Range (cu ft) |
|---|---|---|
| 0 | 239 | 112 |
| Maximum level | 1,281 | 1,384 |

Note: Values are based on nominal pressurizer dimensions.
and J. E. Howard
W. W. Larsor.
of Boston Edison Company
presented at
American Nuclear Society
Winter Meeting, November 11-16, 1973
San Francisco, California

Safety Function and Protection Sequence Analysis

Abstract
Today's complex nuclear plant safety requirements demand a planned and systematic engineering approach to identify the functional design requirements of the nuclear plant systems. This systems engineering concept is required to ensure that the nuclear plant design satisfies the various federal regulations and industry standards. The Safety Function and Protection Sequence Analysis provides such a systematic design verification process. The plant safety functions essential to achieving acceptable consequences following postulated accidents and transients are first carefully identified, and then the sequence of prime system responses that form redundant success paths to the safety functions are diagrammed as Safety Sequence Diagrams (SSD). Systems that act as essential auxiliaries in supporting the prime safety systems are functionally diagrammed on Safety Systems Auxiliary Diagrams (SSAD). When complete, the SSD's and SSAD's form the basis for comprehensive design review of all safety related systems. Because the full range of plant conditions is considered in evaluating each postulated event, the true design criteria and requirements are easily derived and documented for each safety related system, structure and component; the Quality Assured Items List is established; and redundancy and separation criteria are set. The SSD's and SSAD's also facilitate the identification of Seismic Category I equipment and structures. Systematic criteria are established for protection against pipe whip, jet impingement, fire and flooding. The information on the SSD's and SSAD's also forms the basis for the development of operating technical specifications. The concentrated effort required to perform the Safety Function and Protection Sequence Analysis is repaid many times over through the resulting benefits the analysis brings to today's nuclear project.
Introduction

Developments over the past decade in nuclear plant safety technology have given birth to numerous technically complex nuclear plant design and operational requirements. The proper application of the AEC requirements and industry codes and standards offers a significant challenge to nuclear plant engineers, managers and operators alike. The overall effect of the Safety Function and Protection Sequence Analysis is to systematize the identification of the functional design requirements to the nuclear power plant design. Developed as a systematic approach to the nuclear safety aspects of the Pilgrim Unit 2 design, the Safety Function and Protection Sequence Analysis (SFPSA) identifies the necessary and sufficient functional design requirements of the nuclear power station to ensure protection of the public health and safety.

The SFPSA provides the following specific benefits for a nuclear project:

1. A complete response to Section 15.1 of the AEC's Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants.
2. A systematic and consistent identification of all systems, structures and components that must be on the Quality Assured Items List and subjected to a Quality Assurance Program satisfying the requirements of 10CFR50 Appendix B.
3. A systems level design verification process satisfying, in part, the design control requirements of 10CFR50, Appendix B.
4. A systems level failure modes and effects analysis which assists in the identification of the necessary inputs for the development of functional, physical and electrical separation criteria.
5. A systems level, single failure analysis as required by IEEE 279, IEEE 379 and Regulatory Guide 1.53.
6. A documented basis for establishing operating plant technical specifications for inclusion in Chapter 16.0 of the Safety Analysis Report.
7. A documented basis for the preparation and review of those plant operating procedures which address abnormal and accident conditions.
8. A learning and training aid for engineers and operators to facilitate understanding of the integrated plant response to various plant abnormal and accident conditions.
TABLE I
EVENTS CLASSIFICATION FOR PILGRIM 2 SFPSA

| | | | | |
|---|---|---|---|---|
| Planned Operation | Routine | Normal Operation | Normal Reactor Operation | Condition I; Normal Operation |
| Expected Operational Occurrences | ≥ 1/year | Anticipated Operational Occurrences | Expected Operational Occurrences | Condition II; Incidents of Moderate Frequency |
| Infrequent Operational Occurrences | 1/40 yrs ≤ f < 1/ yrs | Anticipated Operational Occurrences | Expected Operational Occurrences | Condition III; Infrequent Incident |
| Accident | < 1/10 yrs | | | Condition IV; Limiting Faults |
Development of the Safety Function and Protection Sequence Analysis

The fundamental objective of the nuclear plant design is to develop the functional requirements of the plant's safety systems to prevent the occurrence of specified unacceptable results during a postulated event. To achieve this proper plant design, a consistent systems engineering analysis must be developed. The Safety Function and Protection Sequence Analysis, the development of which is described in the following paragraphs, is an example of this required systems engineering analysis.

Event Classification and the Unacceptable Results

The first task in the analysis is to categorize the postulated events and to select the unacceptable results for each event category. The postulated events are grouped into event categories based upon some common event initiating characteristic, such as expected frequency of occurrence or the event initiating mechanism (e.g., pipe breaks). Event categories are not based upon event consequences because such categorization would involve circular reasoning. The event consequences are dependent upon the plant safety systems for which the design requirements are sought. Consideration is given to the various event classifications set forth in such regulatory and industry literature as 10CFR50 and its appendices and ANSI N18.2. Table I lists the event categories used in the Boston Edison Pilgrim 2 SFPSA and compares them to the event classifications used in other industry publications. Expected frequency of occurrence was used as the basic event classification characteristic.

After classifying the events into categories, the specific unacceptable results applicable to each category are defined. To define the unacceptable results the specific design limits associated with the proposed nuclear plant are identified. For the Boston Edison Pilgrim 2 analysis these limits were selected from the design criteria for the plant and included consideration of the AEC's Federal Regulation, Safety and Regulatory Guides, Interim Acceptance Criteria and Interim Policy Statement on Emergency Core Cooling; and the ASME codes and IEEE standards. Because the unacceptable results must be specific and measurable to be useful in the SFPSA, certain key plant variables or parameters are associated with the specific design limits of the plant, and thus with the unacceptable results. Examples of these plant parameters are fuel centerline temperature, site boundary dose, and containment structure stress. The unacceptable results are developed from the design limits using these key plant variables. Table II lists the unacceptable results used in the Pilgrim 2 analysis.

Safety Functions

Having defined the unacceptable results for each event category, the plant safety functions must be identified and developed. These safety functions are the functional means whereby the important plant variables are controlled or limited following a postulated event to avoid the unacceptable results. The development of the safety function is one of the major steps in the SFPSA. As a safety function is developed, the initial functional design requirements of the nuclear plant systems are established. For example, the safety function "Trip Reactivity Control" establishes the functional requirement for the rapid insertion of negative reactivity into the reactor core to prevent a certain plant parameter, DNBR, from exceeding its design limit.

The development of the safety functions is complete when it establishes all the functional design requirements essential to avoid the unacceptable results for all the event categories. To assist in developing the required safety functions, a matrix is used to relate the safety functions to the unacceptable results. This enables the plant analyst to gain a functional overview of the safety functions and their effects. Table III lists the safety functions identified for the Pilgrim 2 unit. Table IV is the matrix showing the correspondence between the safety functions and the unacceptable results for the Pilgrim 2 SFPSA.
TABLE II
UNACCEPTABLE RESULTS FOR PILGRIM 2 SFPSA

EXPECTED OPERATIONAL OCCURRENCES

A. Radioactive Material Release
   1. Radioactive material release to the environment exceeding the limits of 10CFR50, proposed Appendix I.
B. Fuel Limits
   1. DNBR < 1.3 (W-3 correlation)
   2. Fuel centerline temperature ≥ UO2 melting temperature
C. Reactivity Limits
   1. Inability to achieve a shutdown margin at no load reactor coolant temperature immediately following automatic reactor trip with the most reactive CEA fully withdrawn and all other CEAs fully inserted.
   2. Inability to achieve and maintain a shutdown margin following the event.
D. Primary System Stress
   1. Primary system stress in excess of that for which the primary system is designed, as determined by the following:
      a. Primary system pressure > 2750 psia when reactor coolant system temperature is ≥ LST.
      b. Primary system pressure > allowable when reactor coolant system temperature < LST.
      c. Primary system thermal transients in excess of those considered in the primary system design.
E. Secondary System Stress
   1. Secondary system stress in excess of that for which the secondary system is designed, as determined by the following:
      a. Secondary system pressure > 1320 psia.
      b. Secondary system thermal transients in excess of those considered in the secondary system design.
F. Plant Environmental Conditions
   1. Uninhabitability of the control room and other plant locations where manual actions are essential.

INFREQUENT OPERATIONAL OCCURRENCES

A. Radioactive Material Release
   1. Radioactive material release to the environment exceeding the limits of 10CFR20.
B. Fuel Limits
   1. DNBR < 1.3 (W-3 correlation)
   2. Fuel centerline temperature ≥ UO2 melting temperature
C. Reactivity Limits
   1. Inability to achieve a shutdown margin at no load reactor coolant temperature immediately following automatic reactor trip with the most reactive CEA fully withdrawn and all other CEAs fully inserted.
   2. Inability to achieve and maintain a shutdown margin following the event.
D. Primary System Stress
   1. Primary system stress in excess of that for which the primary system is designed, as determined by the following:
      a. Primary system pressure > 2750 psia when reactor coolant system temperature is ≥ LST.
      b. Primary system pressure > allowable when reactor coolant system temperature < LST.
      c. Primary system thermal transients in excess of those considered in the primary system design.
E. Secondary System Stress
   1. Secondary system stress in excess of that for which the secondary system is designed, as determined by the following:
      a. Secondary system pressure > 1320 psia.
      b. Secondary system thermal transients in excess of those considered in the secondary system design.
F. Plant Environmental Conditions
   1. Uninhabitability of the control room and other plant locations where manual actions are essential.

ACCIDENTS

A. Radioactive Material Release
   1. Radioactive material release to the environment that would result in exceeding the guideline values of 10CFR100.
B. Fuel Limits
   1. Fuel centerline temperature ≥ UO2 melting temperature.
   2. Peak fuel cladding temperature in excess of 2200°F.
   3. Oxidation of fuel cladding at any location in excess of 17%.
   4. Metal water reaction generating more H2 than 1% of that which would be generated if all cladding reacted.
C. Reactivity Limits
   1. Inability to achieve a shutdown margin at no load reactor coolant temperature immediately following automatic reactor trip with the most reactive CEA fully withdrawn and all other CEAs fully inserted.
   2. Inability to achieve and maintain a shutdown margin following the event.
D. Primary System Stress
   1. Primary system stress in excess of that for which the primary system is designed, as determined by the following:
      a. Primary system pressure > 2750 psia when reactor coolant system temperature is ≥ LST.
      b. Primary system pressure > allowable when reactor coolant system temperature < LST.
      c. Primary system thermal transients in excess of those considered in the primary system design.
E. Secondary System Stress
   1. Secondary system stress in excess of that for which the secondary system is designed, as determined by the following:
      a. Secondary system pressure > 1320 psia.
      b. Secondary system thermal transients in excess of those considered in the secondary system design.
F. Containment Stress
   1. When containment is required, containment stress in excess of that for which the containment is designed as determined by the following:
      a. Containment pressure > 60 psig.
      b. Thermal transients affecting either containment concrete or liner plate in excess of those considered in the containment design.
      c. Existence of a flammable or explosive mixture of hydrogen and oxygen (i.e., ≥ 4% H2 with ≥ 5% O2 or ≥ 5% O2 with ≥ 4% H2) in areas of the plant where safety systems are located which are required in response to the original accident.
G. Plant Environmental Conditions
   1. Exposure of station personnel in the control room in excess of 5 Rem whole body, 30 Rem skin, and 30 Rem thyroid over the duration of the accident.
   2. Uninhabitability of the control room and other plant locations where manual actions are essential.
TABLE III
SAFETY FUNCTIONS FOR PILGRIM 2 SFPSA

| Safety Function | Functional Description |
|---|---|
| Trip Reactivity Control | Rapid insertion of negative reactivity into the core to produce subcriticality immediately following an evaluated event. |
| Transient Reactivity Control | Insertion of negative reactivity into the core sufficient to compensate for cooldown of the reactor coolant system. |
| Long Term Reactivity Control | Establishment of a sufficient boron concentration in the core such that the reactor is maintained subcritical following the event. |
| Emergency Core Cooling - Injection Phase | Provision of coolant to the reactor core immediately following an accident and prior to the time that manual action can be taken. |
| Emergency Core Cooling - Recirculation Phase | Provision of coolant to the reactor core some time after the accident has occurred and at a time when manual action can be taken and in such a way that the core coolant is recirculated back into the primary system after it leaks out. |
| Reactor Heat Removal | Cooling of the core by other than injection of coolant directly to the core. |
| Pressure Control - Primary System | Maintenance of primary system pressure within allowable pressure limits and ensuring that the primary steam bubble remains in the pressurizer. |
| Pressure Control - Secondary System | Maintenance of secondary system pressure within allowable pressure limits. |
| Pressure Control - Containment | Maintenance of containment pressure within allowable pressure limits when containment is required. |
| Temperature Control - Containment | Maintenance of containment temperature within allowable temperature limits when containment is required. |
| Combustible Gas Control | Conditioning of post-accident atmosphere or treatment of accident-generated flammables to prevent formation of flammable or explosive mixtures. |
| Radioactive Material Treatment | Mechanical or chemical treatment of radioactive materials to reduce the quantity that escape or are discharged to the environs. |
| Establish Containment | Trapping of radioactivity inside the containment to prevent escape to the environs. |
| Primary System Isolation | Isolation of all or part of the primary system to prevent coolant loss or radioactivity discharge. |
| Secondary System Isolation (blowdown) | Isolation of all or part of the secondary system to prevent or reduce the discharge of secondary system coolant into the containment, so that containment temperature and pressure are maintained within allowable limits. |
| Secondary System Isolation (heat sink) | Isolation of all or part of the secondary system to prevent or reduce the discharge of secondary coolant, so that at least one steam generator can function as a heat sink for primary system energy. |
| Secondary System Isolation (radioactivity) | Isolation of all or part of the secondary system to prevent the discharge of radioactive materials to the environs. |
| Steam Generator Inventory Control | Maintenance of a proper level in at least one steam generator for use as a primary system heat sink and prevention from injecting cold feedwater into a dry and hot steam generator. |
| Control Station Habitability | Conditioning of the post-event control station (control room and other locations where manual actions are essential) atmosphere to ensure habitability and control of personnel radiation exposure. |

Where appropriate, safety function descriptions are modified with such phrases as "initial", "long term", "above LST", etc.
TABLE IV
SAFETY FUNCTIONS AND UNACCEPTABLE RESULTS MATRIX FOR PILGRIM 2 SFPSA

| Safety Function | Radiological Release | Fuel Limits | Reactivity Limits | Primary System Stress | Secondary System Stress | Containment Stress | Environmental Conditions |
|---|---|---|---|---|---|---|---|
| Trip Reactivity Control | | Acc: B.1; EOO: B.1-2; IOO: B.1-2 | Acc: C.1; EOO: C.1; IOO: C.1 | Acc: D.1.a; EOO: D.1.a; IOO: D.1.a | | | |
| Transient Reactivity Control | | | Acc: C.2; EOO: C.2; IOO: C.2 | | | | |
| Long Term Reactivity Control | | | Acc: C.2; EOO: C.2; IOO: C.2 | | | | |
| Emergency Core Cooling - Injection Phase | | Acc: B.1-4 | | | | | |
| Emergency Core Cooling - Recirculation Phase | | Acc: B.1-4 | | | | | |
| Reactor Heat Removal | | Acc: B.1-2; EOO: B.2; IOO: B.2 | | | | | |
| Pressure Control - Primary System | | | | Acc: D.1.a.b; EOO: D.1.a.b; IOO: D.1.a.b | | | |
| Pressure Control - Secondary System | | | | | Acc: E.1.a; EOO: E.1.a; IOO: E.1.a | | |
| Pressure Control - Containment | | | | | | Acc: F.1.a | |
| Temperature Control - Containment | | | | | | Acc: F.1.b | |
| Combustible Gas Control | | | | | | Acc: F.1.c | |
| Radioactive Material Treatment | Acc: A.1; EOO: A.1; IOO: A.1 | | | | | | |
| Establish Containment | Acc: A.1 | | | | | | |
| Primary System Isolation | Acc: A.1 | | | | | | |
| Secondary System Isolation (blowdown) | | | | | | Acc: F.1.a.b | |
| Secondary System Isolation (heat sink) | | Acc: B.1-4; EOO: B.1-2; IOO: B.1-2 | | | | | |
| Secondary System Isolation (radioactivity) | Acc: A.1 | | | | | | |
| Control Station Habitability | | | | | | | Acc: G.1-2; EOO: F.1; IOO: F.1 |
| Steam Generator Inventory Control | | Acc: B.1-4; EOO: B.1-2; IOO: B.1-2 | | Acc: D.1.a.b.c; EOO: D.1.a.b.c; IOO: D.1.a.b.c | Acc: E.1.a.b; EOO: E.1.a.b; IOO: E.1.a.b | | |

Alphanumeric references refer to unacceptable results as listed on Table II.

Legend:
Acc = Accident
EOO = Expected Operational Occurrences
IOO = Infrequent Operational Occurrences
Operating States

Because each postulated event must be evaluated over the full range of normal plant conditions in which the event is possible, it is convenient to identify and define various plant operating states. The analyst can then more easily evaluate each event over the range of plant conditions within each operating state. The operating states to be used for the analysis of a specific plant are dependent upon the plant design. Table V defines the operating states used for the Pilgrim 2 unit, a two loop pressurized water reactor.

TABLE V
PLANT OPERATING STATES FOR PILGRIM 2

| Operating State | Reactivity Control Status | Primary System | Reactor |
|---|---|---|---|
| A - Refueling | All CEA's may be withdrawn | 0 psig; T < 210°F | Nil |
| B - Cold Shutdown | < 1 shutdown group withdrawn; all others inserted | 0 psig; T < 210°F | Nil |
| | < 1 shutdown group withdrawn; all others inserted | 210°F < T < 350°F; pressure per allowable | Nil |
| D - Heatup/Cooldown | < 1 shutdown group withdrawn; all others inserted | 350°F < T < 556°F; pressure per allowable | Nil |
| E - Hot Shutdown | < 1 shutdown group withdrawn; all others inserted | 2250 psia; 556°F | Nil |
| F - Hot Standby | Any allowable CEA positions | Temp/pressure per allowable | < 15% |
| G - Power | Any allowable CEA positions | Temp/pressure per allowable | 15 - 100% |

Notes:
Reactor boron concentration such that reactor would have at least a 5% shutdown margin with all CEA's fully withdrawn.
Reactor boron concentration such that reactor would have at least a 2% shutdown margin at no load reactor coolant temperature following reactor trip with the most reactive CEA fully withdrawn and all other CEA's fully inserted.
Pressure-temperature limits applicable during heatup and cooldown of
Reactor boron concentration such that reactor would have at least a 2% shutdown margin with all CEA's fully inserted.
Event Analysis

With the placement of each postulated event in its category, and with the unacceptable results and safety functions identified for event category, the analysis of each specific event can be performed.

The analysis of an event begins with the complete definition of the event. This includes the identification of the event (e.g., steamline break inside containment), the range of plant process variables which apply to the event (e.g., 350°F to 580°F for average reactor coolant temperature), and the listing of the applicable plant operating states (e.g., power operation, hot shutdown). After the event is completely defined, the analyst selects a specific set of initial plant process parameters (e.g., 100% power, rated temperature) to begin the event analysis. With this set of initial parameters, each unacceptable result associated with the event's category is examined to determine which unacceptable results could or could not occur as a result of the event. For example, the analyst determines that the unacceptable result concerning the existence of a flammable or explosive mixture of hydrogen and oxygen could not occur for a steamline break accident occurring outside containment.

Having determined which unacceptable results could occur for the event, a matrix such as that shown in Table IV is used to determine the safety functions associated with the specific set of initial parameters. To achieve these safety functions the specific plant safety systems and their required responses, or safety actions, are identified. A safety system is a system, active or passive, which must furnish the safety action as a result of a postulated plant event.

After identification of the required safety systems and their safety actions, the sensed variables are identified that cause or require the special system responses. In cases where the system does not automatically respond, the operator action required to initiate the safety system (e.g., starting the pump locally from the control room) is identified. As the safety systems and their actions are identified, they are arranged in functional order forming success paths, or protection sequences, leading to the required safety function. The arrangement of success paths becomes the Safety Sequence Diagram for the event. The Safety Sequence Diagram (SSD) becomes the analyst's major output in the SFPSA. Figure 1 is the format of the SSD's developed for the Boston Edison Pilgrim 2 analysis.

To depict the level of redundancy in the plant design on the SSD, a sufficient number of independent parallel paths is developed for each safety function such that no single component failure can prevent the achievement of the required safety function. Because many of the Pilgrim 2 systems (e.g., engineered safety features) have been designed with functional redundancy, certain safety functions require only one success path, i.e., no single active component failure can prevent the safety systems in the success path from achieving their special responses. If the analysis reveals a safety function for which functional redundancy does not exist, either with a parallel independent success path or safety system redundancy, then the plant design, configuration or functional response must be changed to achieve this redundancy.

The analysis of the postulated event is continued for its entire duration including post event activities until some planned operation is resumed or the plant achieves a stable condition. A planned operation is considered resumed when the actions taken are identical to those described by normal operating procedures.

After the success paths and safety functions required for the initial set of plant conditions have been identified and illustrated on the Safety Sequence Diagram, the analyst will vary each plant process parameter from its initial condition value throughout its entire range of variation probable for the event. During this process, the analyst ensures that all required safety functions have been identified. If any additional required safety functions are identified, their required success paths must be determined in the same manner as done for the initial set of plant conditions. Additionally, as the parameters are varied, the analyst also determines which of the "initial condition" safety functions are still required. Each of these required safety functions is reviewed to ensure that the safety systems in the success path will provide their required safety actions under the different plant conditions. During this process, if any new success paths are discovered, they are diagrammed on the Safety Sequence Diagram with appropriate notation as to the specific conditions under which they are required. Also, where the event mechanism itself is variable (e.g., size and location of a pipe break), the variable characteristic is considered over its full range to assure that all success paths are identified.

This parameter variation analysis for each safety sequence enables the analyst to identify the limiting set of parameters for each success path and each safety system. This type of systematic analysis is used to demonstrate the plant's ability to safely respond to any postulated event. The historical concept of the "worst case" is an unusable concept for a systems analysis of a nuclear power plant. Considering the number of systems and components which must function during an accident, no single set of initial conditions can possibly describe the most limiting set for all systems. Rather than any one "worst case" condition, there exists a spectrum of "worst cases" which must be analyzed on a systems basis to properly design a nuclear power station.
[Figure 1]

[Figure 2]
e Safety Sequence Dia iram
+
When all the plant process parameter variations have been considered, the Safety Sequence Diagram (SSD) for the particular event is completed. The SSD displays those prime, or major, plant safety systems whose responses are essential to providing the safety actions required for the postulated event. The SSD shows these safety systems in their functional (not necessarily chronological) sequences following the postulated event. In addition, the SSD shows which plant process variables are monitored or sensed by these safety systems as initiating signals. Figure 2 is an example of the Safety Diagram for the accident "Steamline Break inside Containment", as developed for the Pilgrim 2 unit.
Safety System Auxiliary Diagram

After completion of the SSD for a postulated event, each safety system displayed on the SSD is analyzed to determine the specific support requirements necessary to produce its safety action. Examples of these support requirements are electric power, component cooling, or instrument air supply. The analyst refers to the SSD to determine every sequence in which a safety system is required, thereby ensuring all support requirements are identified. After identification of the support requirements, the plant systems that provide these support requirements are identified. These systems are the Auxiliary Safety Systems. A Safety System Auxiliary Diagram is then prepared in which the prime safety system and its auxiliary safety systems are displayed. Figure 3 is the format for a Safety System Auxiliary Diagram as used in the Boston Edison Pilgrim 2 analysis.
[Figure 3: Safety System Auxiliary Diagram format. A safety system is shown with Auxiliary Safety Systems A, B, C and D and their safety actions. Figure notes: signal "S" actuates auxiliary safety system; safety actions provide safety system support requirements.]
In developing the Safety System Auxiliary Diagram the analyst ensures that each support requirement is functionally redundant by developing design information about the plant sufficient to positively identify the auxiliaries essential to the required response of the safety system, and by identifying plant design changes so that the auxiliary systems can support their safety system with the needed level of redundancy.

To complete any Safety System Auxiliary Diagram the analyst must review the Safety Sequence Diagrams for all the postulated events to identify all safety sequences in which the subject safety system appears. Figure 4 is the Safety System Auxiliary Diagram for the Containment Spray System of the Boston Edison Pilgrim 2 nuclear unit.
[Figure 4: Safety System Auxiliary Diagram for the Containment Spray System; diagram not recoverable from the scan. Figure note: refer to Table VI for definition of abbreviations.]
Auxiliary Safety System Commonality Diagram

After completion of the Safety Sequence Diagrams for each postulated event and the Safety System Auxiliary Diagrams, the Auxiliary Safety System Commonality Diagram (ASSCD) for each Auxiliary Safety System is developed. This diagram indicates all the safety systems that a given Auxiliary Safety System supports. ASSCD is developed mainly as an information diagram, rather than a primary design review diagram. ASSCD allows evaluation of the overall plant response to the operations of each Auxiliary Safety System, considering such effects as that of a single active failure to the component cooling water system. Figure 5 is the ASSCD for the Component Cooling Water System of the Pilgrim 2 station.
[Figure 5: Auxiliary Safety System Commonality Diagram for the Component Cooling Water (CCW) System; diagram not recoverable from the scan. Figure note: refer to Table VI for definition of abbreviations.]
TABLE VI
ABBREVIATIONS USED ON SFPSA DIAGRAMS

| Abbreviation | Definition |
|---|---|
| ABCW | Auxiliary Building Cooling Water |
| ADS | Atmospheric Steam Dump System |
| CB | Containment Structure |
| CCAS | Containment Cooling Actuation Signal |
| CCS | Containment Cooling System |
| CCW | Component Cooling Water |
| CEA | Control Element Assemblies |
| CETS | Control Element Trip System |
| CIAS | Containment Isolation Actuation Signal |
| CIS | Containment Isolation System |
| CSAS | Containment Spray Actuation Signal |
| CSS | Containment Spray System |
| CST | Condensate Storage Tank |
| CVCS | Chemical and Volume Control System |
| EFCS | Emergency Feed Control System |
| EFS | Emergency Feed System |
| ESFPS | Engineered Safety Features Protection System |
| HPSI | High Pressure Safety Injection |
| LPSI | Low Pressure Safety Injection |
| MFIV | Main Feed Isolation Valves |
| MSI | Main Steam Isolation System |
| MSIS | Main Steam Isolation Signal |
| MSIV | Main Steam Isolation Valves |
| PPH | Pressurizer Proportional Heaters |
| PRCU | Pump Room Cooling Unit |
| PRV | Power Relief Valves |
| PSV | Primary Safety Valves |
| PZR | Pressurizer |
| RCS | Reactor Coolant System |
| RPS | Reactor Protection System |
| RTS | Reactor Trip System |
| RWT | Refueling Water Tank |
| SDCS | Shutdown Cooling System |
| SG | Steam Generator |
| SIAS | Safety Injection Actuation Signal |
| SRPDS | Safety Related Power Distribution System |
| SSV | Secondary Safety Valves |
| J (subscript illegible) | High Logarithmic Power |
| J (subscript illegible) | Startup Neutron Flux Level |
| L_P | Pressurizer Level |
| L_SG | Steam Generator Level |
| L_SGL | Low Steam Generator Level |
| P_CH | High Containment Pressure |
| P_P | Pressurizer Pressure |
| P_PL | Low Pressurizer Pressure |
| P_PLL | Low-Low Pressurizer Pressure |
| P (subscript illegible) | Steam Pressure |
| P_SGL | Low Steam Generator Pressure |
| P_SGLL | Low-Low Steam Generator Pressure |
| T_C | Cold Leg Temperature |
The Use of SFPSA in the Design Process

Under the requirements of 10CFR50, systems, structures and components important to nuclear safety must be identified and designed to ensure that they will perform reliably in service. This requirement is satisfied by subjecting all such safety related items to a quality assurance program conforming to the requirements of 10CFR50, Appendix B. The systematic process employed by the SFPSA, as shown on the resulting SSD's and SSAD's, makes it possible to easily identify and classify the various systems, structures, and components of the plant in relation to safety. In particular, the SSD's and SSAD's become a key tool or mechanism to satisfy the design verification requirements of a nuclear quality assurance program under Criterion III (Design Control) of 10CFR50, Appendix B. The following paragraphs describe how the SFPSA results are used in the design process.

The Quality Assured Items List

Each system, component, and structure required to mitigate the consequences of a nuclear plant accident must be subjected to the Nuclear Quality Assurance Program and must be listed on the Quality Assured Items List. Upon completion of the required Safety Sequence Diagrams (SSD's) and Safety System Auxiliary Diagrams (SSAD's), the process of identifying these quality assured items and placing them on the Quality Assured Items List is simple and systematic. Each accident SSD and the associated SSAD's are reviewed. Because the prime safety systems and their supporting auxiliary systems required to achieve the safety functions are diagramed on the SSD's and SSAD's, the task of quality assured system identification is complete. To identify the specific components and structures within the plant systems and larger structures that must be quality assured, each safety system and auxiliary safety system is examined to determine the specific components of these systems that must function to produce the required system responses. The structures in which the systems and components are located, including passive structures shown on the SSD (e.g., the containment, or the refueling water tank), are identified as structures to be quality assured.

The significant amount of analytical effort expended to perform the SFPSA has made the development of the sometimes controversial Quality Assured Items List easy and systematic.

Seismic Design Review

The SFPSA facilitates the identification of the plant systems, components and structures that must be classified Seismic Category I under the requirements of AEC Regulatory Guide 1.29. In a manner similar to the identification of quality assured items, the accident SSD's are reviewed, and sufficient systems, components and structures are classified Seismic Category I to provide at least one success path for each required safety function. The SSAD for each safety system in the success path is reviewed to identify those auxiliary systems required to support the Category I safety systems. Such auxiliary safety systems are also classified Seismic Category I.

To identify the specific components and structures to be Seismic Category I, each prime safety system and auxiliary safety system is studied in detail, as done in the Quality Assured Items List study. The specific components and structures which must function to produce the safety actions of these systems are classified as Seismic Category I.

Redundancy and Separation

During the development of the SSD's and SSAD's, success paths are determined for each safety function. Each success path represents a sequence that is capable of achieving its safety function given any single active component failure. This capability is shown with either physical redundancy (e.g., two independent trains of the Safety Injection System) or functional redundancy (e.g., either the High Pressure Safety Injection System or the Chemical & Volume Control System supplying borated water). Thus, with the SSD's and SSAD's finished, the complete systems level redundancy of the plant is shown diagrammatically.

[beginning of sentence illegible] is used to ensure that the designs do reflect the required redundancy shown on the diagrams. The reviewer refers to the SSD's and SSAD's as he tests the designs for susceptibility to single failures. During review of physical arrangement drawings, the SSD's and SSAD's are used to check the adequacy of physical separation, thus ensuring that the plant is properly designed against the effects of pipe whip, jet impingement, flooding, fire, etc.
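The single-failure test described under Redundancy and Separation, and the commonality view given by the ASSCD, can be run mechanically once the SSD and SSAD relationships are written down as data. The Python below is an added example, not part of the original paper or submittal; the train names and every dependency in it are constructed for illustration and are not Pilgrim 2 or Midland design data.

```python
"""Single-failure and commonality checks over SSD/SSAD-style data.

All system trains and dependencies below are a constructed sample.
"""

# SSD view: safety function -> list of success paths.
# Each success path is the set of prime safety system trains it needs.
SSD = {
    "core_cooling": [{"HPSI-A"}, {"HPSI-B"}],             # physical redundancy
    "borated_water_supply": [{"HPSI-A"}, {"CVCS"}],       # functional redundancy
    "containment_heat_removal": [{"CSS-A"}, {"CSS-B"}],
}

# SSAD view: system -> auxiliary safety systems that supply its support
# requirements (cooling water, electric power). Auxiliaries may themselves
# need support, so the relation is followed transitively.
SSAD_AS_DRAWN = {
    "HPSI-A": {"CCW-A", "SRPDS-A"},
    "HPSI-B": {"CCW-B", "SRPDS-B"},
    "CVCS": {"SRPDS-B"},
    "CSS-A": {"CCW-A", "SRPDS-A"},
    "CSS-B": {"CCW-A", "SRPDS-B"},   # constructed flaw: B train cooled by CCW-A
    "CCW-A": {"SRPDS-A"},
    "CCW-B": {"SRPDS-B"},
}

# Same design with the B spray train moved to the B cooling water train.
SSAD_CORRECTED = {**SSAD_AS_DRAWN, "CSS-B": {"CCW-B", "SRPDS-B"}}


def closure(system, ssad, seen=None):
    """Return `system` plus every auxiliary it needs, directly or indirectly."""
    seen = set() if seen is None else seen
    if system in seen:          # already expanded; also guards against cycles
        return seen
    seen.add(system)
    for aux in ssad.get(system, ()):
        closure(aux, ssad, seen)
    return seen


def path_requirements(path, ssad):
    """Everything that must function for one success path to succeed."""
    required = set()
    for system in path:
        closure(system, ssad, required)
    return required


def single_failure_findings(ssd, ssad):
    """Map each safety function to the components whose single failure
    defeats every one of its success paths (empty result = criterion met)."""
    findings = {}
    for function, paths in ssd.items():
        requirement_sets = [path_requirements(p, ssad) for p in paths]
        # A component defeats the function only if all paths depend on it.
        common = set.intersection(*requirement_sets) if requirement_sets else set()
        if common:
            findings[function] = sorted(common)
    return findings


def commonality(ssd, ssad):
    """ASSCD view: auxiliary system -> prime safety systems it supports."""
    primes = sorted({s for paths in ssd.values() for p in paths for s in p})
    table = {}
    for prime in primes:
        for aux in closure(prime, ssad) - {prime}:
            table.setdefault(aux, []).append(prime)
    return table


if __name__ == "__main__":
    for label, ssad in (("as drawn", SSAD_AS_DRAWN), ("corrected", SSAD_CORRECTED)):
        print(label, "single-failure findings:", single_failure_findings(SSD, ssad))
        for aux, supported in sorted(commonality(SSD, ssad).items()):
            print("   ", aux, "supports", supported)
```

In the constructed "as drawn" data, the shared cooling water train also pulls its power train into the finding, which is the kind of indirect dependency the SSAD review is meant to surface.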
Effects of Pipe Breaks

Because an SSD has been developed for every pipe break that must be postulated in plant design considering the various plant systems and the various sizes of breaks, the specific systems and structures that must respond to each specific pipe break can be easily identified. During the analysis of a particular pipe break the information on the SSD's and SSAD's is used to identify the specific systems, components and structures that must be protected for that particular break. Pipe whip restraints and jet deflectors are located to protect those specific systems, components and structures, whereas damage to other plant equipment is acceptable. For example, if a particular two inch pipe break in the reactor coolant system does [illegible] Control System (CVCS), there is no reason to protect the CVCS piping following that two inch reactor coolant system pipe break, and no pipe whip restraints or jet deflectors would be specified for this purpose. However, if the High Pressure Safety Injection System is [illegible] damage due to pipe whip and jet impingement. Thus, all the items which must be protected are systematically identified and protected, but the number of costly pipe restraints and deflectors is minimized.

Summary

The systematic approach of the SFPSA provides assurance that each system, component or structure required for safety is identified and designed in accordance with all applicable requirements.

When the SFPSA is complete, each required safety function that must be achieved is clearly identified; the time sequence in which the necessary safety actions must occur is delineated; the degree of redundancy provided in plant design is established; and the need for station design to provide intelligence for operator manual control is defined. The SFPSA distinguishes between those plant systems that are required for the public health and safety and those that are required only for equipment protection. The SFPSA is the mechanism whereby each safety system receives a complete and consistent design review. The SFPSA helps to ensure that no one safety system has been "over designed" at the expense of another.

When performed early in the design process of a nuclear project, the SFPSA operates to greatly reduce, or even eliminate, design changes later in the project, when such changes would be much more costly. Because the SFPSA is a continuing analysis throughout the design phase of the project, it becomes the most useful and meaningful comprehensive representation of the plant safety system design, illustrating on easily understood diagrams the practical results of large volumes of engineering drawings, specifications, and design information.
[Figure: Safety Function and Protection Sequence Analysis flowchart. Legible boxes, in order: Identify Events; Classify Events; Identify Unacceptable Results; Safety Functions; Functional Design Requirements; Postulate Event; Identify Conditions; Required Safety Functions; Determine Success Paths; Safety Sequence Diagram (Safety Systems, Safety Actions); Select Success Path; Select Safety System; Identify Support Requirements; Safety System Auxiliary Diagram.]
RESPONSE TO 10 CFR 50.54(f)
SUPPLEMENT 1
Question F.20
Your reply notes that an in-depth reliability assessment is being performed on the Midland AFW systems:
a. Studies performed by several operating nuclear plants have concluded that a significant improvement in reliability and plant availability results from addition of a second motor-operated auxiliary feedwater pump.
We require that the benefits from such an addition be included as part of the results of your reliability assessment of the Midland AFW system.
b. Other than the auxiliary feedwater system, what Midland systems and changes will be the subjects of your reliability assessments?
State your planned completion date for these analyses.
Response
a. The Midland auxiliary feedwater (AFW) system reliability analysis, currently being performed by Pickard, Lowe and Garrick, Inc., will include a comparison of the reliability of the Midland two 100% pump system to the typical one 100% plus two 50% pump system found at other plants.
Preliminary results from Pickard, Lowe and Garrick indicate that the predicted availability of Midland's two 100% pump system is higher than that of the typical three-pump system because both motor-driven 50% pumps must operate following a failure of the 100% turbine-driven pump in order to provide sufficient water to the steam generators to assure system success (decay heat removal).
The results of this analysis combined with the capability to power the turbine driven main feedwater pumps from the auxiliary boiler, if necessary, will demonstrate that a third AFW pump is not required for Midland Units 1 and 2.
b. Formal, in-depth reliability assessments are planned for no other Midland systems at this time.
F.20-1 4/80
Question F.21
On what basis did you determine that pressurizer heater banks 5 and 6 alone will provide sufficient heating capacity if only these banks are uprated to safety grade?
Identify the limiting transient or accident which established the required heating capacity.
What provisions for equipment failure are provided in this selection?
Response
The limiting transient which establishes the heater capacity is natural circulation of the reactor coolant system (RCS) with a loss of offsite power.
The number of pressurizer heaters per bank was calculated by taking into account the following information:
a. The loss through the pressurizer insulation results in an approximate heat loss of 28 kW.
b. The loss through the uninsulated pressurizer areas around the horizontal heater bundles results in an approximate heat loss of 15 kW.
c. B&W experience shows that the heat losses in Items a and b above may account for approximately 40% of the total losses.
Additional losses may occur through 1) conduction paths such as supports for the pressurizer, instrument lines, and loss-of-coolant accident and seismic restraints, 2) uninsulated surfaces such as relief valves and spray lines, and 3) chimney losses caused by airflow between insulation and heated surfaces.
This may result in an additional heat loss of up to 64 kW.
Thus, the total estimated heat loss from the system is 107 kW.
Due to the electrical arrangement of heater groups, the value of 126 kW was selected.
Redundant Class 1E heater banks of 126 kW allow for a failure of one bank of heaters without loss of system capability.
The impact of a control or power failure has been mitigated through design as discussed in the FSAR in response to NRC Question 031.27.
This response discussed the incorporation of redundant Class 1E pressurizer heater controls and power supplies as shown in FSAR Question/Response Figures 7.4-1 through 7.4-10.
Question F.22
You note that the existing pressurizer heater low level interlock design is being reviewed to determine its adequacy in the event of loss of liquid inventory in the pressurizer.
Describe how energized pressurizer heaters fail when uncovered and provide justification that such failure would not threaten or cause failure of the reactor coolant pressure boundary.
Response
The pressurizer heaters use a concentric coil design: an inner coil and an outer coil insulated from each other and the sheath by compacted magnesium oxide (MgO).
During normal operation, heat generated by the two energized resistors (inner and outer coils) is removed by reactor coolant (RC) surrounding the sheath of the heater.
In the event that an energized heater should become uncovered, the heat removal medium would be saturated steam rather than RC and less heat transfer would occur.
This, in turn, would cause the temperature of the inner coil to rise above its normal operating temperature to the point that the thermal capability of the inner resistance coil and the immediately surrounding MgO would be exceeded.
This condition would be expected to occur within a few minutes (less than 10 minutes).
This mode of failure, which is the expected mode of failure for the postulated condition, would result in an open circuit path along the length of the inner coil, thus rendering the heater inoperative.
RC pressure boundary areas which could be postulated to be adversely affected by the over-temperature operation of uncovered heaters followed by an insurge of RC are: heater sheath, sheath-to-diaphragm weld, diaphragm, and pressurizer shell/heater bundle forging.
Analyses of the heater sheath, sheath-to-diaphragm weld, and diaphragm predict areas of high thermally-induced stresses.
These one-time stresses do not predict failure in these areas but do result in increases in the calculated fatigue usage factors.
Due to the physical separation between the pressurizer shell and the actively heated length of the pressurizer heaters and due to the short predicted over-temperature on-time of the pressurizer heaters, no significant adverse effects to the pressurizer shell/heater bundle forging areas are expected.
Therefore, for the postulated operation of pressurizer heaters in a saturated steam environment, the failure mode would be an open circuit along the actively heated length of the inner coil.
This abnormal, short duration heater operation and resulting failure of the internal resistance heating element would not compromise the integrity of the RC pressure boundary.
Question F.23
You state that a subcooling meter will be provided with redundant safety grade hot leg temperature and reactor coolant system pressure input.
Clarify whether it is your intent to provide a subcooling meter which is itself safety grade.
If not, justify your position.
Specify the detection and indicating range and sensitivity for this meter and its inputs.
Response
As previously stated, Consumers Power Company is committed to providing a subcooling meter with redundant safety-grade hot leg temperature and reactor coolant system pressure input.
However, the detailed design specifics of this instrumentation have not been finalized.
Consistent with the NRC clarification letter of October 30, 1979, Short-Term Lessons Learned (NUREG 0578), and the recently issued proposed revision to Regulatory Guide 1.97, the subcooling meter will consist of either safety-grade calculational devices and display or a highly reliable single channel instrument which is environmentally qualified to the conditions of its intended operation and testable, with a backup procedure for use of steam tables.
The intended range for this device is 200F subcooled to 35F superheated.
Question F.24
You state that the technical feasibility of providing a low flow indication as a means of confirming core cooling during natural circulation modes of cooldown is being assessed.
What criteria are being used for this assessment?
What power requirements for this instrumentation are intended?
Response
Consumers Power Company is reviewing the technical feasibility of providing a low flow indication as a means of confirming core cooling during natural circulation modes of cooldown.
The criteria being used to assess methods of providing this indication include the following.
a. The instrumentation should be seismically and environmentally qualified Class 1E.
b. The instrument range should provide indication coverage from -12% to +12% design flow.
c. The low flow indication should be readily available following transfer from forced circulation to natural circulation operation (i.e., instrument calibration should remain unaffected by forced circulation operations or by the transfer to or from forced circulation to natural circulation).
If an instrument capable of meeting the above criteria is identified, it is intended that it be powered from a Class 1E power supply.
Question F.25
In view of the experience from the TMI-2 accident, justify your proposed use of non safety grade equipment (core exit thermocouples with the plant computer) as a means of determining adequate core cooling.
What physical or practical limitations, if any, preclude use of a safety-grade system for this purpose?
Your justification should be coupled with the fact that a positive, direct means for detection and removal of a gas bubble from the reactor vessel head is not yet included in your proposals.
Include in your discussion what backup is provided for operation when the plant computer is down.
Also, specify the range and sensitivity of the detection and indication measurements.
Response
In view of the experience from the TMI-2 accident, nonsafety-grade core exit thermocouples appear to be adequate as a diverse indication of core cooling.
As of March 27, 1980, 48 of 52 core exit thermocouples are still providing valid readings.
Based on the "TMI-2 environmental type test" and on the fact that other methods are available for determining adequate core cooling, the use of nonsafety-grade core exit thermocouples is considered adequate.
Consumers Power Company's position is that the installation of reactor coolant system (RCS) loop high point vents precludes the necessity for venting the reactor vessel head.
Ongoing analysis of this issue will be reviewed for impact on RCS vent design.
The use of a safety-grade core exit thermocouple system is impractical, if not impossible, in terms of seismic qualification and compliance with separation criteria to meet single failure requirements.
Likewise, individual safety display of each thermocouple measurement would be excessive.
Additionally, the modifications necessary to seismically qualify these instruments are impractical.
Core exit thermocouples do not represent the sole method of determining adequate core cooling.
Hot leg temperature, cold leg temperature, loop flow indication (as discussed in the response to Question F.24), reactor coolant (RC) pressure, pressurizer level, and power-operated relief valve (PORV) and pressurizer safety relief valve position are all provided as safety-grade indications for determining adequate core cooling.
In combination, these parameters characterize the plant status with respect to the core cooling function.
Detailed design of the instrument upgrades required to provide all these parameters as safety grade has not been finalized.
Instrument sensitivities are therefore unavailable.
However, it is our intention to provide safety-grade indication of hot leg and cold leg temperature from 150 to 750F, loop flow as indicated in the response to Question F.24, RC pressure from 0 to 2,500 psi, pressurizer level from 0 to 400 IWC, and PORV and pressurizer safety-relief valve position.
Because this safety-grade instrumentation provides sufficient indication for determining adequate core cooling, the use of nonsafety-grade core exit thermocouples is adequate as yet another diverse indication of core cooling.
Question F.26
To prevent automatic tripping of the reactor coolant pumps due to ESFAS initiated by overcooling events, you state that the Midland pump trip logic will include coincidence circuitry sensing pump motor current.
This input is intended to actuate on degraded pump current indicative of significant RCS void formation characteristic of a LOCA; but for overcooling events, the extent of void formation should not reach a point where degraded pump current will trip the pumps and undesirable pump trip will thus be avoided.
Describe the significant elements of the development program for this circuitry, including that phase directed to the distinction of a valid motor current signal.
What criteria will distinguish a valid signal?
How will the system be verified in an actual nuclear power plant or under realistic conditions?
Provide your current schedule for this program.
Response
Consumers Power Company (CPCo) is pursuing the development of an automatic reactor coolant (RC) pump trip design generically through participation in the Babcock & Wilcox (B&W) Owners Group.
The goal of this effort is a design which will trip the RC pumps for all events identified by B&W analyses as being required to assure compliance with 10 CFR 50, Appendix K criteria, while limiting to the extent practicable pump trip for nonloss-of-coolant accident (non-LOCA) events.
In CPCo's December 4, 1979 reply to your 10 CFR 50.54(f) request, it was stated that the Midland automatic pump trip circuitry would incorporate a coincidence circuitry sensing RC pump motor current to minimize unnecessary pump trips.
Subsequent to this response, difficulties have been encountered in implementing this design concept, especially in the analysis of the correlation between the total RC system void, the localized void at the RC pump suction, and the corresponding RC pump motor current.
As a result, B&W is reviewing the feasibility of an RC pump motor current providing an acceptable coincidence signal while also investigating alternative concepts for providing this feature.
The response to your detailed questions concerning program development and design criteria must await better definition of the design concept to be pursued.
Question F.27
After the PORV closed during the transient at Crystal River Unit 3 on February 26, 1980, the reactor coolant system pressure increased from approximately 1300 psi to 2400 psi in less than 3 minutes.
The last 600 psi (from 1800 to 2400 psi) of this increase occurred in less than 1 minute.
This caused lifting of the code safety valves.
Operating guidelines for B&W supplied plants typically recommend termination of high pressure injection when hot and cold leg temperatures are at least 59°F below the saturation temperature of the existing reactor coolant system pressure and the action is necessary to prevent the indicated pressurizer level from going off scale.
In view of this characteristic of rapid repressurization, what operator action, and basis thereof, is proposed to reduce the potential for lifting of the Midland code safety valves?
Response
Initial reactor coolant system (RCS) depressurization during the transient at Crystal River Unit 3 resulted in the initiation of high-pressure injection (HPI) and the subsequent lifting of the pressurizer code safety valves.
Operator control of the HPI system during this scenario was predicated upon assuring adequate core cooling as indicated by an acceptable subcooling margin.
The satisfaction of this condition must take priority over concerns for filling the pressurizer solid.
A modification of operating procedures to limit pressurizer safety valve lifting at the expense of core cooling is obviously unacceptable and the current Babcock & Wilcox operating guidelines must remain in force.
In order to reduce the potential for lifting the pressurizer code safety valves, reliable indications must be made available to the operator to ensure that during similar transients, conditions satisfying small break guideline criteria for terminating HPI flow can be promptly recognized.
At Midland, indications necessary to assure this capability will be provided.
In the event of total loss of both nonnuclear instrumentation (NNI) and integrated control system (ICS) power, indications in the control room of pressurizer level, hot leg temperature, RCS pressure, and saturation margin will be available to the operator.
This will limit the