Forwards Response to NRC 800325 Request for Addl Info Re Sys Sensitivity

ML19312E594
Person / Time
Site:	Washington Public Power Supply System
Issue date:	06/02/1980
From:	Renberger D WASHINGTON PUBLIC POWER SUPPLY SYSTEM
To:	Harold Denton Office of Nuclear Reactor Regulation
References
GO1-80-171, NUDOCS 8006050358
Download: ML19312E594 (24)
v • d • e

Text

.

t W y P W shington Public Power Supply System A JOINT OPERATING AGENCY S

e. o. no . . .. sooo o... w..-... . w., m m ....w....... 3sa e o . (so.) 37s.sooo Docket Nos: 50-460 June 2, 1980 50-513 G01-80-171 Mr. Harold R. Denton, Director Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Commission THIS DOCUMENT CONTAINS Washington, D. C. 20555 POOR QUALITY PAGES

Dear Mr. Denton:

Subject:

WPPSS fluclear Projects Nos.1 & 4 Response 'to NRC Supplemental 10 CFR 50.54 Request

Reference:

Letter, H. R. Denton, NRC to N. O. Strand, WPPSS,

" Supplemental 10 CFR 50.54 Requests Regarding B&W.

System Sensitivity for Washington Public Power Supply System Nuclear Projects 1 & 4 (WNP-1/4),"

March 25, 1980.

In the reference letter the NRC requested that WPPSS provide additional information regarding the changes and studies proposed in our December 3, 1979 response to the initial 10 CFR 50.54 letter.

, Our response to this supplemental request is attached, l

Ve truly yours,

/ o l D. L Renb9gr l Assi tant Dit ctor - Technology l

DLR:AGH:ce Attachment cc: A. Bournia, NRC T. Novak, NRC l N. S. Reynolds, D&L 1

C. R. Bryant, BPA l Eng. Files-1/4 (290)

G. C. Schieck, B&W l

l H. Kwan, UE&C-PA l A. J. Friedman, UE&C-PA i

8006050 3fg A

, Docket flos. : 50-460

,s 50-513 Response to NRC Supplemental 10 CFR 50.54 Request STATEOFWASHINGT0ft) ,

) ss C0VilTY OF BEllT0tl )

G. F. BAILEY, Being first duly sworn, deposes and says: That he is the Manager, Technical Division, for the WASHINGTON PUBLIC POWER SUPPLY cYSTEli, the applicant herein; that he is authorized to submit the fore-going on behalf of said applicant; that he has read the foregoing and knows the contents thereof; and believes the same to be true to the best of his knowledge.

DATED- Quat. 'Z , 1980 0

. 1 F.JAILE On this day personally appeared before me G. F. BAILEY to me known to be the individual who executed the foregoing instrument and acknowledged that he signed the same as his free act and deed for the uses and purposes therein mentioned.

GIVEN under my hand and seal this A day of ' (/if ,1980 f

( n 0$LE. '

}fL$(-

(b

- Notary Public in and for the Sta'te of Llashington s7 ' //

Residing at d4O/MCLEdy/

ENCLOSURE RESPONSE TO HRC REQUEST FOR ADDITIONAL INFORMATION REGARDING WMP-1/4 SYSTEM SENSITIVITY F.1 Question Your discuss. ion in Appendix F of the pte-T!fi changes for WNP-1/4 stittes .that newer conttal .sys tems hardatte (non-nuctcar .insttu-mentation (NNI)/integtated conttol system (ICS)) using dual auctioncer poteen supplies fot logic modates rather than individual powcr supplies are being used,

a. For tJtLs modification, provide the logic and/or yout failur.

mode and effeets analysis that shotes how systems tellt respond to fallate in .the potest supply and input parameters. Also provide your design criteria fet .the NNI and ICS telth respeet to these types of faitures.

'b . Operitting cuents at severat plants telth B&W NSSS designs (including Rancho Seco .in ifarch 1978; Oconee Poteer Station, Unit 3 on Novembeit 10, 1979; and the Crystal River Station on Februany 26, 1980) have occusted tehich resafR d in loss of poteet to the ICS and/or NNI system. The loss of potest resulted in conttal system malfunctions, fecdteater perturbations, and significant loss of or cenfused .infomnatie i to the Operator.

NUREG-0600 also dLscusses LER 73-021-03L on Th.tcc Mike Island, UnLt 2 schereby .the RCS dentessurized and safety injection

, occurred on toss of a vital bus due to invetter fallute.

Viscuss .the extent to tehich .these evcuts teould have been mLtigated at ytecluded by the changes inconporated into the WNP-1/4 design. Include a response to action Ltems ! .to 3 requined of near-teon licensees in Butletin 79-27 and items 2, 4, 5 and 6 of Enclosute 3 of lettet da.ted !Lttch 6, 1980 to att openating B&W Reactor Licensees pertaining to the Crystal Riven event.

Res po_n_s e F .1_a The ICS and NNI are each supplied by a single independent 120 VAC source. Each 120 VAC source is input to redundant 24 VDC supplies.

he 24 VDC supplies are auctioneered within each subsystem.

~ ither of the redundant 24 VDC supplies is capable of supplying

<ll cabinet modules and external instrumentation utilizing 24 VDC power. Within each system (NNI and ICS) the 120 VAC input source is used for the required 120 VAC remote mounted instrumen-tation and control. The NNI and ICS designs meet the following requirements with respect to power supply failures:

1. Failure of an NNI power supply shall not cause the PORV to open nor shall it prevent the PORV isolation valve from functioning.

i

4 j 2. Failure of flNI/ICS power supplies shall not prevent safety or protection systems from operating or prevent manual over-ride of safety or protection system.

) 3. Failure of an Nfil power supply shall not cause the spray

] valve to open nor shall it prevent the spray block valve from functioning.

i

4. Loss of an flNI or ICS power supply shall not cause the pres-surizer heaters to fail on, or remain on, when the pressurizer level is low.

! '5. Upon loss of the NNI and/or ICS power supplies, the remaining plant instrumentation and controls shall be sufficient to place and maintain the plant in a safe hot shutdown condition.

! 6. Following loss of an Nfil or ICS power supply, the capability

! of maintaining and/or restoring steam pressure in at least one steam generator shall be available.

F.lb -

The extent to which the events described above would be mitigated or precluded,by the WNP-1/4 design is presented below. The format of this discussion is in response to items 2, 4, 5 and 6 of the NRC flarch 6,1980 letter.

r

2. The Crystal River event was caused by the loss of the +24VDC "X" bus which affected important shutdown indicators. The UNP-1/4 design is susceptible to the same kind of failure in

. the NNI system; however, it has an Essential Control and Instrumentation (ECI) system completely independent of the NNI. The ECI system consists of two duplicate cabinet assen-I blies (ECI "X" and ECI "Y") having redundant indications and control capable of maintaining the plant in a safe hot shutdown 1

condition. The two ECI cabinet assemblies are powered from

) separate vital sources entirely separate from NNI system.

! 4. The UNP-1/4 instrumentation and control desigr. is different from CR-3 in that the ICS and NNI for WNP-1/4 is a singl'e system. Upon failure of ICS/NNI power the operator should consider all information invalid and rely upon the ECI for reliable indication.

Instrumentation provided to bring the plant to cold shutdown will be discussed in FSAR Subsection 7.4.1.4.

The ICS/NNI and ECI systems are separated such that a test

~

5.

l of the various input power systems is feasible. Specifically, a loss of flNI/ICS power does not affect the ECI system and a l- loss of power to either ECI-X or ECI-Y does not af fect the other redundant set of instrumentation indications and controls.

.,-~wm.--

---m--,-e.%~ - , -~,r, .<v.,.. ..%-,, .,,,& w-,, .-.,--,,.,..-r, -

---

,.-v-,,- , . , ,,, , , , , , , , , , ,--.,y-,.,.--y,--,,-,,--wr**-*=9* y*o-ewm gee-<= -ev 7+ + ----==r+*

Applicability of each planned CR-3 action to the Wre 1/4 plan'*

is as follows:

Intermediate-

1. Determine failure cause in NNI Not applicable. ,

'2. PORV closure on NNI failure The circuit design is such that the PORV will close on loss of power due to either NNI internal power supply J+ 24 V DC) failure or in general, to a complete loss of power to the NNI.

3. Pressurizer spray valve operation on NNI failure Circuit design is such that the pressurizer spray valve will not open automatically on loss .of power due to either an NNI internal power supply (+ 24 V DC) failure or in general, to

- a complete loss of power to the NNI.

4. PORV and- relief valve indication Positive relief valve indication will be provided in response to NUREG-0578.

5. Procedural control of NNI selector switches No applicable since the UNP-1/4 NNI has one power source.

The ECI system is available in the event of the loss of the NNI system.

6. Operator training for NNI and ICS failures All licensed operators and licensed operator candidates will receive training on the WNP-1 simulator. This will include training for a loss of power to the NNI and/or ICS systems.

The training shall be targeted toward identifying and con-trolling overcooling transients and overpressure transients which result from the loss of power to the instrument circuits.

7. 'ICS power .com vital bus The ICS and NNI are powered frem an uninterruptible bus (120 VAC distribution panel) that is supplied by a non-Class 1E inverter. No design change is required.

8. Event recorder system A surveillance procedure for UNP-1/4 will'be developed for a periodic functional check of the events recorder / annunciator system (PMIS).

9. Redundant indication ECI system provides this function independent of NNI/ICS At Next Refueling

1. Power indication lights This concern will be addressed during our review of IE Bulletin 79-27 discussed below.

2. Fuse Access The non-Class 1E, inverter backed,120V AC distribution panel which provides power to the NNI and ICS is designed with hinged doors to facilitate quick access to the fuses.

No design change is proposed.

3. AFW pump start on low S.G. level This feature is included in WNP-1/4 design of ECI system.

Long Term Upgrade of NNI

1. Any required upgrade for CR-3 will be evaluated for appli-cability to WNP-1/4. -

2. Remote Shutdown Provided in WNP-1/4 design by ECI system

3. Backup AC sources The inverters which supply power to the NNI and ICS are pro-vided with a static transfer switch which automatically trans-fers to a backup voltage regulated power source on inverter failure.

Regarding Items 1 to 3 of IE Bulletin 79-27:

Items 1 and 3 (Review of IE and non IE power to safety and non-safety instrumentation and control systems) 4 Our review of the power supplies to safety related and non-safety related instrumentation and control systems has just been initiated.

This review will consider the Rancho Seco, Oconee and Crystal River events and IE Bulletin No. 79-27 and IE Circular No. 79-02.

We expect this review to be completed during the third quarter of 1980.

Item 2 (emergency procedures used to obtain cold shutdown during loss of IE and non-1E power)

WNP-1/4 will develop and write emergency procedures to include the steps required to achieve a cold shutdown upon loss of each class 1E and non class 1E bus that supply power to safety and non-safety related instruments and control systems. Also, a test demonstrating the ability to obtain shutdown and cooldown using only

l , ,

s sa'fety grade instrumentation will be scheduled once definite methodology and .1cceptance criteria are determined. Finally, see our responn, item 6 of the CR-3 " Intermediate" action.

The emergency procedures shall include:

Identification of alarms, indicators and symptoms to alert

~

. a) the operator to the loss of power.to each bus,

~

b) The use of alternate indication and/or control circuits which may be powered from other class .1E or non class 1E instrumentation a id control buses.

c) Methods for restoring power to the bus.

I

F.2 Question We are concerned that ontrol system response could lead to than-sients inLtiating sci.th plant paramete,ts more severe than those assumed for the safety ana.tys.is or significantly increase the

, ' number of challenges to the ytotection system dur,ing carty plant in .this regard:

life,

a. Operating exper,ience at the Crystal River plant'has indicated

{ a control system response ptablem tchen b. tinging the plant up to poteer scith a pump out of senvice. Specify yout critstia and desetibe WNP-1ll design fea,bstes .to pteclude this type i of response ptobicm.

k , b. Describe your design etitstia, features, and opcAational i reqaltcments for .the ICS and its suppo,tting systems to pte-l clude control response problems tchen steltching from mannaC to atttoma, tic control and vice vetsa.

l

, Response i

i- In response to the concern that the ICS may cause NSS instabilities i

that significantly increase the number of challenges to the pro-

, tection system, operating experience at B&W plants has demonstrated i' that the ICS is a reliable system that tends to mitigate NSS upsets rather than initiate them. The data tabulated below demonstrate i that B&W plants have been subjected to fewer challenges to the protection system than plants of other PWR vendors.

j- B&W CE W l_ 1976 Number of Auto Trips 25 46 147 L

Number of Plants 6 5.1 19.13 Trips / Plant / Year 4.17 9.02 7.68 1977 Number of Auto Trips 30 31 147

{

. Number of Plants 6.85 6.67 21.6 Trips / Plant / Year 4.38 4.65 8.06 5

- .~ . . . - _ _ . - _ _ - - _ __. - . _ _ ._ _. -___ _ _

i l

1978 Humber of Auto Trips 43 41 150 Hun.ber of Plants 8 7 23.4 i Trips / Plant / Year 5.38 5.86 6.41

Three-Year Average

~

i Trips / Plant / Year 4.64 6.51 7.38 This information was extracted from the NRC " Gray Book" (NUREG-0020, Operating Units Status Report) for the years indicated. ,

a. The difficulties encountered at Crystal River in mid-1979 during startup in a three-pump mode were due to operator j

unfamiliarity with this type of startup rather than control

! instability of the ICS. The three-pump startup procedure

] was later reviewed and modified to give more explicit instructions. The operators were also given further instruc-i tions in the proper execution of a three-pump startup. The ICS is designed and fully capable of providing adequate NSS control during three-pump startup as evidenced by the suc-cessful three-pump startups at Davis-Besse-1 in April 1978 and March 1980. The UNP-1/4 ICS incorporates the same design features to allow control'or restart in the three-pump

) operating mode.  !

4 j

i

b. The ICS design criteria , . system features and operational requirements will be described in Section 7.7 of the WNP-1/4

, FSAR. The ICS is designed to facilitate "bumpless" transfer to preclude control response problems when switching various ICS hand / automatic control stations from manual to automatic or vice versa. This feature allows the operator to place control stations in manual from automatic without perturba-tion. "Bumpless" transfer from manual to automatic requires l operator action to zero the error across the hand / automatic l station by adjustment of either demand or setpoint. The

"bumpless" transfer feature then corrects minor offsets in control signals by a timed release provided by control system capacitance.

, The ICS is designed to minimize plant upsets by use of a " Load Tracking" mode feature. In this mode, subsystems in auto-matic control will follow a subsystem which has been placed in manual with only slight error. If the operator exercises reasonable care in correcting this remaining error prior to

switching from manual to automatic, mode switching is not j a problem.

1

, t

, , - --.m.,..m. ,1- .,#c3 .. .--.m_...,,y , . _ , , --,._..-,m um-- ..

-m,,,-.,,.,,,7, ,,wm,, , , _ , , , _ _ , ,

F.3 Question Expetience at openating GW plants Itave indicated tliat tite dynamles associated teitit main fecdtatter tcMination and steam geneutor ptessttte control fattetcing a reaetor trip can Ecad to overcooting of the ytinary system. Discuss gottt esitetia and tlic adequactj of youn existing and ptoposed design featutes and changes to pteclude this ovetcout.ing situation. .

Response

The dynamics associated with main feedwater termination and steam generator pressure control following a reactor trip do not normally lead to overcooling of the primary rystem. Overcooling usually occurs only after an off-normal or i . lure situation. The normal situations are controlled by the ICS which has the following design crii.eria for proper control of feedwater after a reactor trip:

1. Reduce feedwater flow to both steam generators. Accomplished by reducing flow demand which results in closing the main control and block valves.

2. flaintain the OTSG low level setpoint. Accomplished by closing the feedwater startup valves until additional fe6dwater is required. ' '

3. flaintain the low water level in each steam generator.

Accomplished by continuing to use the startup feedwater valves.

4. Control main feedwater temperature at a minimum of 390F.

Accomplished by secondary side system design.

Steam pressure control is also necessary to prevent an overcooling event. The design criteria for the steam pressure control is the following :

1. 1aintain steam pressure below tiie design pressure of 1250 psia or that of the low set code safety valve whichever is lower.

2. flaintain steam pressure at 1200 psia following a reactor trip to regulate the heat sink temperature high enough to control reactor coolant pressure with significant operating margin to prevent HPI actuation.

Following a reactor trip, the ICS reducing flow demand which results in closing the main feedwater control and block valves to terminate main feedwater until the water level decreases below the two foot low level setpoint. The startup feedwater valves then open to control main feedwater thereby maintaining the steam generator low level and providing for the removal of decay heat.

4 l . With the simultaneous trip of the turbine on a reactor trip, the turbine stop valves close causing the steam pressure in both steam generators to increase and turbine bypass valves to the condenser and atmospheric dump valves to open to relieve the excess steam pressure. Thereafter, the steam pressure is maintained at 1200 psia by the turbine bypass valves.

This setpoint for steam pressure has been selected .so that the primary system cold leg temperatures (which are nearly equal to

.the secondary side steam saturation temperatures) will maintain a proper cooldown of the primary system.

Figure 1 illustrates reactor coolant temperature, pressure, feed-water flow and pressurizer level following a reactor trip with proper feedwater flow and main steam pressure control . The rapid decrease in reactor power causes reactor coolant temperature to decrease (due to large heat transfer. surface area in each steam generator); the resultant reactor coolant contraction causes a decrease in reactor coolant liquid volume and pressure. The reactor coolant cold leg temperature reaches an equilibrium value nearly equal to the saturation temperature of the secondary side steam pressure (567F at 1200 psia), and the reactor coolant pres-sure will eventually be restored to the normal operating pressure of 2210 psia.

s s  :

! The above discussion describes the system normal response to a reactor trip with a simultaneous turbine trip. Overcooling does not occur. Overcooling is defined as that cooldown of the primary

. system which causes either pressurizer level to go off-scale low

, or reactor coolant pressure to decrease below the setpoint for automatically initiating the HPI system. The HPI system is initiated j by an Engineered Safety Features Actuation System (ESFAS) signal when the reactor coolant system (RCS) pressure falls below l 1600 psig.

I

In an overcooling situation, the pressure in either steam generator may have decreased significantly below the 1200 psia setpoint due i to either of the following causes

.1. Improper venting of steam through the safety relief valves.

2. Overcooling due to large flow rates of low temperature auxiliary feedwater.

A decrease of 150 psi or more in steam generator pressure below the 1200 psia setpoint is sufficient to cause a decrease in the I

primary system temperatures and approach to e overcooling condi-l tions defined previously. The control of st aa generator pres-

! sure in returning steam pressure from below 1200 psia back to the

! setpoint is accomplished by the heating and repressurization via the decay heat of the primary system.

I i

L

- = - - - .. . _ _ - - .-

i l WHP-1/4 design features of turbine bypass, ICS runback,~and power operated cclief valve (PORV) actuation keep the reactor on-line to minimize the reactor trip frequency and the probability of subse-

quent overcooling. However, the following items are being con-

sidered to further enhance the effectiveness of the safety and control systems. These proposed hardware and procedural changes i would be designed to preclude overcooling events caused by improper steam generator pressure or feedwater flow control .following a

reactor trip

1. Upgrade the two-channel, Class 1E Auxiliary Feedwater Control

. System to limit the rate of primary system cooldown by limiting the rate of steam generator level increase following a reactor trip where AFW is initiated (i.e., limiting AFW .flowrates) .

2. Review the current Main Feedwater System design to identify

changes which would significantly decrease the frequency of feedwater upsets which might cause reactor trip, thereby mini-mizing the probability of subsequent overcooling.

t

3. Install both Main and Auxiliary Feedwater Overfill Limiter to preclude feedwater overfill above a preset steam generator level, thereby minimizing overcooling due to failures in the

, main or auxiliary feedwater flow control system following reactor trip.

)i l 4. Add a control function *o the ICS to provide for positive

{

and rapid reduction of main feedwater flow following a reactor trip.

5. Interlock ICS operation of atmospheric dump and turbine by-pass valves to preclude a single failure from opening more than 25% steam dump capacity.

Overcooling is a moderate event which is safely mitigated by the

' actuation of the Engineered Safety Features Actuation System.

The combination of existing and proposed design features for WNP-1/4 will serve to further reduce the frequency of overcooling by proper l steam generator pressure and feedwater flow control following l

reactor trip.

i

! F.4 Question l

l Disettss tite advantages and disadvantages, if antj, of a control independent of tite ICS to terminate main feedwater flew fonotcing a reactor trip.

I

Response

The routine termination of main feedwater following a reactor trip would be a drastic solution to a low probability event,3 overfill of the steam generators following trip. At this point, two events l that are sometimes confused should be distinguished, steam generator overfill following trip and temporary overfeed. The i

l l

l l- . _ . _ . _ . - . _ . . _ _ . - ~ _ . _ - . _ - - _ _ _ . _ . ~ . _ _ _ . _ _ , , _ , _ . _ . - . . _ _ - - _

i .

first of these is definitely an undesirable event and can cause RCS overcooling. It is, however, a low probability event and certainly does not routinely occur following reactor trip. The second event, temporary overfeed, occasionally occurs following reactor

trip; but while a departure from ideal. and expected post-trip performance, it is not serious. Temporary overfeed is the result of less than perfect control system performance but has no

-safety implications and does not result in overccol.ing.

.The routine termination of main feedwater (the preferred source of water for the steam generator) following reactor trip would unnecessarily exercise the auxiliary feedwater system, complicate i

the control room operators' duties following a trip, and super-impose an additional transient upon the steam generators _ following i trip. Further, this action would place the entire Nuclear Steam

} Supply System in a degraded condition by deliberately defeating

the primary means of cooling the reactor core, main feedwater.

4 F.5 Question Specift) the entent to thich cont,tol limi,tations such as valve

, ~

and pump speed responses affect main feedwate,t response du, ting

sta,ttup f,1om .the manual .to the antematic mode. .

' + '

Res pons _e_

The control limitations of valve and pump speed responses will not strongly affect the main feedwater flow response during startup from the manual to the automatic mode where the operating proce-

! e dures properly reflect these limitations. During startup with the ICS feedwater controls in automatic (which is the preferred control mode), the pumps and valves are normally capable of following the gradual increase in reactor power.

Startup is usually performed with the feedwater valves in auto-i matic on level or flow control with the pump controls in auto maintaining a set pressure drop across the control valves. If l

any of the valves, pumps or feedwater demand hand / auto stations is

in manual control and the operator desires to transfer to auto,

-certain precautions must be taken to ensure that "bumpless" transfer

! occurs. The operator accomplishes this by ensuring that the con- '

trols are adjusted to produce zero error (flow or pump speed error) prior to the transfer. The control error signal may be manually adjusted to a.zero value by the operatcr.

i j The ability to effectively control feedwater flow rates during startup is affected by: 1) valve controllability over the flow range, 2) sequencing of valves during startup, 3) valve leakage,

! and 4) control of feed pump speed and recirculation flow. These factors may act to produce a less than ideal flow response but i

this response generally will be manageanle by the control system or by utilizing specific operating modes which minimize the effects of placing a sub-loop in manual, e.g. , pump speed control .

i t

, , , - r,y-- , < +, ., - ,. - _.-.-.,,, -. ~ ,,,,-.,-_ -

.m.. ,.-__..,_--.,,,,w.-- . . , , , , , - , , , , , , , - - , ,,-,y. , , , , . ,-,.,..._,-,.,,,y.-my.., .

. . . - ~ _- .. -- -_ .- . - - . -- --

t The design of the feedwater flow controls is such that some degree of degraded valve and pump response will not produce an unaccept-able overall flow response. In the event that perturbations in feedwater flow rates influence the primary system to.a significant extent, adjustments may be required to be made to the valve or pump

, speed controllers or to the ICS control modules.

The WilP-1/4 plants are designed to allow a minimum feed pump speed over the low power range such that the proper control. valve pres-

! sure drop.can be maintained. ?lso the feed pump recirculation flows i

will be set to maintain the requn el "nimum pump flow rates at approximately 35% of design flow by a direct-acting m. tulating recirculation valve. These conditions will minimize the .limita-tions of pump speed and flow control such that these should not be a source of concern for flow controllability over the power oper-ating range.

F.6 Question.

I State the design objec.tives of the improved auxitiaty feedteatet

! doitttot sys tem. ACso indica,te tchethe,i it tellf:

a. Initiate for all loss of MFW events, either totai or partial _

and at tihat toteer limit; s s ,

b. Initiate on loss of of fsite pctecr;

c. Yrectade overcoolbig or undercoolbig of .the ytimary system even ecLth a single failure in the systen (e.g., faltures

. in input, poteer, valves);

d. Interact in any adverse fasition telth .the Feed-%ly-Good-Generator intetlock.

j Response The design objectives of the Auxiliary Feedwater Control System are as follows :

1. Provide redundant and independent initiation and control j circuits for each AFU train such that the capability to initiate and control at least one AFW train when required l

! is maintained even when degraded by a single random failure.

Redundancy and independence will be provided from the sensors through the actuated devices, i

i 2. The redundant portions of the AFW Control System will be powered by separate Class lE vital, battery-backed busses l such that the objective of Item 1 above can be accomplished l

with the loss of a single vital bus or with the loss of all AC power except that dervied from inverters.

, t

.-__---,-,--.,---__,,---,,7,_-y, -

,,,,,,yq g %,-v,-- ,_-my_p,, y,-.y-,_.- ,,,,,,y.,,,,r7,--.--y3n,-,7 ,,-yy-,,,.,_y.,-,,,,,,-m,-%--W ww *-r--- vtr-'*'-~-w-~-'-

I

. i i 3. The ARl system and its controls' will be designed such that i ARI flow will be initated within 40 seconds of sensing the conditions listed below. This time limit includes the time required for diesel startup and generator loading.

I The Auxiliary Feedwater Control System will: i

a. Initiate on total loss of fiFW or ESFAS actuation. Low steam generator level initiation provides protection against

. partial loss of feedwater and backup to the total loss of fiFW signal.

. b. Indirectly initiate on loss of offsite power by initiating ~on loss of all RC pumps.

c. Reduce overcooling or undercooling of the primary system by controlling the rates of steam generator level increase and providing two level setpoints, one for forced reactor coolant circulation and one for natural circulation. This will ensure that adequate cooling is provided even with maximum decay heat levels while minimizing the potential for over - '

cooling by excessive AFW flow.

i The leve'l rate feature of the control system is n'ot intended

• l to be designed to single failore requirements; a single i failure could result in full AFW flow and overcooling. The

! safety function of the AFW system is to provide decay heat

]

removal. Designing level rate control to single failure

requirements would result in a degradation of the ability to l . Meet the safety function of the AFW system.

d. flot interact in any adverse fashion with the F0GG system because the AFW Control System signals will be overridden by F0GG signals.

i Dynamic response of the auxiliary feedwater control system will be demonstrated by operational testing during the plant startup 4 test program.

] F.7 Question For your intended revision to tine And initiation Logic, identify tile signals (e.g., generator levet, no feedantch flow, foss of

' pwnp suction pressate, SIAS, and toss of steam flow to pumps) i tIta.t wiLC be used to . initiate ARC and justify titeir use.

Respons_e_

flo revision to the AFW initiation logic was proposed in our initial response. The parameters sensed for initiation of AFW in the existing design and their purposes, are as follows:

1) Loss of fiFW: The AFW system provides a backup source of

- feedwater sufficient to remove A j heat and pump heat should the primary source (f1FW) be lost. The means of sensing a loss of fiFW flow has not yet been selected, i

,cw- - ~ , e , , , ,v.,r--mv.,--ew r-- - , -g,*, ,e~~,,,,,,, , , p -- -r-,,,,,v~ 4-- - , ,e,y,~ , - ,, , , ,e-ma- ,-,y. v.,me,--- .-e-,,,e,e.,nn,, ,,,e-,,me,...m.-

. .- . . . - .. _. -- _ _- _ _. .=_ _ - . - - . --

f i

I

2) Low steam generator level: Low level in either steam gen-erator is indicative of insufficient feedwater flow and provides a backup for initiation on loss of Mal.  ;

! 3) ESFAS actuation: ESFAS actuation on low RC. pressure, low steam pressure, or high Containment pressure will. result in main steam and main feed isolation on both steam generators.

! Therefore, AFU is required to remove decay heat. F0GG logic

will prevent ARl flow to a ruptured steam generator.

i F.8 Question 1

ht cddition to tlic imptoved FCGG topic to be provided as part af  ;

i your revised AFW evaluations, identify titose events and combina-tions of cuents teltielt 11 ave been and teilt be evaluated .to assure titat no confused or inadvertent inputs (sucit as from a previously unrecognized event or event combination) can tcad to a malfunetion

. or undesL1able opetation of . tite FOGG system. Also desetibe any '

stad:es and tests performed to assure ptoper in.tegration and ptteraction of tlic FOGG interlock leitit otiter systems.

_Res p_onse l The events an'd combination' of events which have been e' valuated to assure that no confused or inadvertent inputs c'a n lead' to a mal-i

, function or undesirable operation of the FOGG system will be j defined in Chapter 15 of the FSAR. Any required changes resulting

from this evaluation will be incorporated in the design.

I , F.9 Questi_on l You state titat you are consideting clianges to imptove .ti:c algorikitm used for AFW flote conttot to timLt primary cooldaten rate foltoteing l AFW aetuation. Describe how .thcoe changes teould provide .the cap-l ability to distinguish .in a positive manner between transients and accidents . Also describe how two-phase level during swell from

deptessurization affeels level detection and how this teill be Ltcated.

l Response i

} The auxiliary feedwater flow control system changes to limit primary cooldown rate following AFW actuation will not affect the j' ability to distingaish between transients and accidents. The AFW system and associated controls perform th,e appropriate function i regardless of whether the event is a " transient or an accident".

AFW is supplied to the appropriate steam generator (s) at the appro-i priate rate and to the appropriate level setpoint for the existing Reactor Coolant System and steam generator conditions, i

i Y

s

"Two-phase level" exists during all periods of steam production above 15% power and is normal for the OTSG. Steam generator depressurization can affect level detection by changing the average mixture density. While this phenomenon is considered to be minor, of short ciuration, and have little effect on core cooling, it and other error mechanisms are under evaluation and will be accounted for if necessary by analytical, setpoint, or procedural means.

F.10 Question The modifications, recommenda.tions, and stuclies you present to reduce sensitivity are in the direction of addLtional automation of the plants. While thi.s apptoach Ecaves the opeta. tor free to verify system petformance and shoned improve the conttot of ttan-sients, we are concerned fliat potential system interaction ef feels might result. Therefore, a complete and integtated review of the primary and secondary system should be perfotmed to asswte that no significant adverse interactions result from the modifications .that are ultima.tely made. Jesstibe your plans and schedules with regard to perforning such a comptchensive . integrated evaluation of these thanges, based upon consetvative and realistic analyses and sima-tator comparisons as apptoptiste.

~

Response

i  :

Improvements in the WNP-1/4 design and anticipated changes ident-ified in attachment f to our letter of December 3,1979 are intended to minimize, mitigate, or eliminate certain undesirable interactions.

A comprehensive evaluation of these changes will be performed. It

, will include interaction analysis and operability analysis. A program similar to the Abnormal Transient Operating Guideline (ATOG) program will also be considered.

The interaction analysis will be performed for each change generally as follows:

a. review of interfaces

b. development of " event trees" identifying potential inter-actions

c. analysis of interaction effects using appropriate simulation techniques and models The operability analysis wili include all normal transients and upset conditions for which the reactor is not expected to trip.

Its objective is to assure adequate margins between operating conditions and operational and trip limits.

I An ATOG program including the WNP-1/4 design would provide a realistic examination of major upsets to allow for development of appropriate operating guidelines, i

A detailed schedule has not been developed. However, when finally l developed, the schedule will show completion of a comprehensive

evaluation along the general lines described above of all potential modifications prior to fuel loading.

i j F.11 question Provide Die foCtowing analy5es:

? .

a. Ovetcooling event initiated by steam ptessune regulator on.

throttle valve malfunction resulting in inetcased steam i ftow.

i

! b. Ovetcooling event initiated by feedwatet system matfunctions

.that result in decreased feedwatet tempera.ture.

) For Bicse analyses, assume no beneficial opetator action befote

10 minutes. Also, only qualified safety systems should be assumed

• for mitigation. Identify which safety and non-safety grade systems are considered to operate during this transient and specify XItc ptrt each of these systems take in'the transien'ts. Identify Bie signats actbtg upon these systems during the stansients.

l b The analyses should be petformed for a period of at least 10

minutes af tet transient initiation. If existing analyses which

• are ptesented for a shortet duration are utili ed for this respouse, then confirm Biat during the time not shown out .to 10 mbtutes:

(1) Ho ope'iator action is required or assumed.

l (2) No changes in opetating systems are required.

i i (3) No significant changes aesult out to 10 minutes, such Biat ctttapotation f. tom the results ytesented is considered vatid.

l

Response

l .

! (a) The steam pressure regulator malfunction event has been analyzed and is presented in Reference 1.

i (b) The overcooling event initiated by feedwater system malfunc-j tions that result in decreased feedwater temperature will i be provided in the UNP-1/4 FSAR, subsection 15.1.1. The 1 overcooling effect_is less severe than the steam generator i overfill and steam pressure regulator mal function events; therefore, it is not included as part of the response to 50.54 (f). The WNP-1/4 FSAR analysis is carried out for 120 seconds.

If this analysis were continued for a full 10 minutes, operator action would not be necessary since the plant parameters would trend from their 120 seconds value as expected, to a self-regulating steady state condition.

F.12 Question You have stated during related meetinos telth NRC and scLth ACRS subecmmLttee that the analyses ptesen'ted in yowt ciutrent 50.54 (f) response teste not necessarity selected to represent the teorst case.

Provide your recommendations as to testat stlieria, assumptions, and expetience slwuld be recognized in defining the teorst case for design purposes. -

Response

A full spectrum of overcooling events from those considered moderate frequency to design basis has been provided in Reference 1 which was submitted subsequent to your March 25, 1980 supplemental request.

The results varied from no voiding in the RCS to large steam voids being formed. However, adequate core cooling was maintained in all cases analyzed.

F.13 Question To ptevent automatic ttipping of the reactor coolant pumps due .to ESFAS inLthtted by ouetcooling events, you state that .the (CNP-1/4

• yunp Ltip togic teilt include coincidence cLtcultty sensing pump motor cartent. Thls inpat is . intended to actuate on degulded pump cnttent indicative of sighificant RCS void fomnation charac-

.teristie of a LOCA; but for overcooling events, the ex. tent of void formation .should not reach a point tchere degraded pump cwstent tei~c Ltip Die pumps and undesitable pwnp .ttip teilt utus be avoided.

Describe the significant elements of the development program for o this circuitty, including tha.t phase ditccted .to the distinction of a va. lid motor castent signal. (Chat criteria teilt distingulsh a valid signat7 Ilote teltl the system be verificd in an actual nacicar poteer plan.t or undet realis tic condLtions? Provide your cartent schedute for .this ptogram.

Re s po_n s_e_

i llPPSS is pursuing the development of an automatic reactor coolant (RC) pump trip design generically through participation in the l Babcock & Wilcox (B&W) Owners Group. The goal of this effort is a design which will trip the RC pumps for all events identified by B&W analyses as being required to assure compliance with 10 CFR 50, Appendix K criteria, while limiting to the extent practicable, pump trip for non loss-of-coolant accident (non-LOCA) events. In the WPPSS reply to your 10 CFR 50.54 (f) request, it

, was stated that the llNP-1/4 automatic pump trip circuitry would I incorporate a coincidence circuitry sensing RC pump motor current

to minimize unnecessary pump trips.

Subsequent to this response, difficulties were encountered in implementing this design concept, especially in the analysis of l

i the correlation between the total RC system void, the localized l void at the RC pump suction, and the corresponding RC pump motor

! l x

current. As a result, B&W is reviewing the feasibility of RC pump motor current providing an acceptable coincidence signal while also investigating alternative concepts for providing this feature. Response to your detailed questions concerning program development and design criteria will be provided upon better definition of the design concept to be employed.

F.14 Question Af ter tlie PCRV closed dwting the transient at Crystal Rivet Ustit 3 cn Febtuary 26, 1980, tite reactor cootastt sys tan pressu,te increased from apptodmately 1400 psL to 2400 psi .in less .than

- 3 minates. The last 600 psi (from 1800 to 2400 psi) of htls inetcase ocentred in less than 1 minute. Thls caused Lifting of . tine code safety valves. Opetutting guidelines for BSW supplied plants typically recommatd termina. tion of higli pressure injection tehen hot and cold leg tanperatates are at least 50 F below the saturation tempenatwte of the existing reactor coolant systan ytessure and the action is necessary to ptevent .the indicated ptessatizet levet from going off scale.

In view of this charactetistic of rapid deptessurization (Sie),

• tchat operator. aetion, and basis thetcof, is ptoposed to reduce the potential for lif ting of the VMP-1/4 code safety valuch?

- s  : ,

Response

The uncontrolled addition of HPI can result in repressurization of the RCS. To control the rate and magnitude of the RCS pressure

. increase, the operator's principal actions are:

1. To throttle or stop HPI once control criteria are satisified.

2 To stabilize the reactor coolant temperature.

3. To manually open the PORV (i.e., if automatic controls are not operative or the PORV block valve is closed) if high RCS pressure occurs.

The first two actions above are essentially the first line of defense to controlling RCS repressurization. HPI control, in practice, can be viewed in two parts:

1. HPI may be reduced (i.e., stop all but one HPI pump or throttle flow using the HPI injection valves) anytime the reactor coolant subcooled margin is established

2. HPI may be stopped any time the reactor coolant subcooled margin is established and pressurizer level is "on-scale" and increasing. Normal makeup should be restarted i

1

, Operator action to limit RCS repressurization (control HPI) can thus be initiated as soon as the reactor coolant subcooling margin is established. An uncontrolled addition of HPI to restore pres-l surizer level as well is not necessary; pressurizer level can be restored in a more controlled fashion.

l RCS temperature control is identified because a heat-up of the reactor coolant can cause an insurge into the pressurizer (in

addition to HPI) and enhance RCS repressurization. To achieve RCS temperature control, the operator must verify proper opera-

. tion of secondary inventory and pressure control systems.

I Following severe overcooling events, a manual reduction in steam pressure (limits the temperature to which the reactor coolant will reheat) may also be necessary to stabilize pressurizer level af ter HPI is stopped.

! Use of the PORV is the second line of defense in controlling RCS

) repressurization. The PORV has sufficient capacity to prevent lifting the safety valves when the HPI system is at maximum capa-

, . city and the reactor coolant is subcooled. Operating procedures j will include instructions to verify automatic PORV operation or

to manually open the PORV or PORV block valve if high RCS pres-sures occur. .

j The cau'ses and corrective actions 'for RCS repre'ssurization will l be extensively covered in training programs and the operator will acquire practical experience on the WNP-1/4 timulator when treating abnormal transients which require HPI. In general, the operator will not be faced with as rapid system changes that were deliberately i

e induced during the Crystal River event (i .e. , the operators l initiated itPI cooling using all three HPI pumps and intentionally

^

did not control repressurization because the validity of primary and secondary system signals could not be immediately determined).

, More time for operator action will typically be available. With

training in determining the cause of RCS repressurization, the

, importance of timely action and the practical application of

! corrective action, the operator _ should be highly effective in i controlling RCS repressurization without lifting the pressurizer l safety valves.

i l F.15 Questi_on l Lt i.s our understanding Diat the B&W 205 plants operate teint a l considenabey smattet atter inventory in the steam genetators j Blan the B&W 177 peants. Explain idiat effect Btis has on the l

sensitivity of Bue 205 plants to bout undercooling and overeooling

! cvents. Include .the impact of MFW response items and reliabilities

! in your evaluation .

Response _

{ The steam generator water inventory, at rated power, is less per

Mwt in the B&W 205 plant than in the B&W 177 plant. In general,

! this effect tends to limit overcooling transients and make over-heating transients more severe. However, the relationship is not

-+--,-%c -4 . , , , --e-n -m--=+,g. ,,w-- e-vy-w+-rw-.-+.w-gy, ,,--,.-i.-ey v--.w-~~,,.m.-.,.-e. y- -,--wn-e-,%,-g-i+=y- - , - - - ~ , + - - , * ---,.9.--9,wre-,y-,

necessarily one-to-one as the system response is dependent on many factors other than steam generator inventory. Therefore, the impact of main feedwater response times and reliabilities are dependent on the total system interaction and not just the steam generator type. System behavior has been evaluated as part of the FSAR accident analyses which demonstrate acceptable response of the system. The WitP-1/4 FSAR will contain this .information in Chapter 15.

~

9 e

l

~ ~

RCS RESP 0liSE TO REACIOR TRif

u. 620 , _

~

NOT LEG B B10 >-

C

?

5

, y 600 -

c .

COLO LEG c 590 O .

a -

0 580 -

M

~

570 -

i _,

' l' I

,0 0.5 1.0 f.5 2.0 2.5 Time, Illn < i l

l REACTOR TRIP

2200 -

i

!2100 _

~

.T 2000 -

E ~

e, t; 1900 -

1 -

2 .

a.

m 1600 -

M 1700 -

l

- - - JIPI Initiation i 1600 ,

i I j

- _ _1 1_ -

t

O U.5 1.0 1.5 2.0 2.5 l Time, ein l

l

FIGUHE I (Cont'd)

+

RCS RESPO!!SE TO REACTOR TRIP 100 .

90 -

j BD -

v..

$ 70- -

es

= 60 -

B' e so -

N 45 -

{

. 30 -

u.

E. .

3 20 - l n -

=

n

=

10 -

I ' '

0 0 0.5 1.0 1. 5 2.0 2.5

~

Time, gin REACTOR TRIP 200 -

150 -

~ '

g. .

l 160

!b

~~

' M 140 -

y -

j 120 -

U 5 100 -

{l 3

.- 80 -

s h 60 -

H

's 40 -

y 20 -

l 0 t t i I 8 - f l

0 0.5 1,0 1.5 2.0 2.5

Reference 1 Letter, D. L. Renberger, WPPSS to H. R. Denton, NRC, " Response to NRC 10 CFR 50.54 Letter of October 25, 1979, Revision 1." May 5, 1980.

I

) -

t b  !

l i

l I

i j  !

- .. _ - . _ - - - . _ - _ . _ - . . . _