ML19319B041
| Field | Value |
|---|---|
| Site | Oconee |
| Issue date | 07/15/1970 |
| From | US Atomic Energy Commission (AEC) |
| Shared package | ML19319B039 |
| References | NUDOCS 8001070538 |
JUL 15 1970
OCONEE NUCLEAR STATION, DOCKET NOS. 50-269, -270 AND -287
PROTECTION SYSTEM
General
The design of the protection systems, which consists of the reactor trip system and the engineered safety feature actuation system, is identical for all three Oconee units. Each unit's protection system is completely independent except for the shared 125 Vdc instrument power system which is discussed later in this report. Our review included a detailed study of the schematic diagrams of the reactor trip system and the actuation circuitry of the engineered safety feature systems.
Conformance of the protection system to the Commission's proposed General Design Criteria (GDC), as published in the Federal Register on July 11, 1967, and the Proposed IEEE Criteria for Nuclear Power Plant Protection Systems (IEEE 279) dated August, 1968, served, where applicable, as the principal basis for our conclusion that the protection system is, except as discussed later in this report, acceptable.
Reactor Protection System
The reactor protection system consists of four identical channels, each of which utilizes general logic and de-energizes (trips) upon detection of any one of the conditions listed in Table 7-1 of the FSAR. Each channel terminates in a reactor trip module which controls one or more breakers in the control rod drive power system. The system logic is 2/4, i.e., if any two protection channels trip, all reactor trip modules trip, commanding all control rod breakers to trip. The entire system, from the process sensors to the control rod breakers, is testable during reactor operation.
a. Bypassing
Section 7.1.2.3.8 of the FSAR discusses the three means by which various reactor trip signals can be bypassed. Based on our review, we conclude that administrative controls provide the only significant protection against improper use of these bypasses. Our evaluation of each of the three bypass provisions is discussed below:
1. Channel Bypass Switches: Section 4.11 of IEEE 279 permits one channel to be bypassed during reactor operation but positive means of ensuring that the remaining portion of the protection system continues to meet the single failure criterion are not specifically required. Although it is possible to completely bypass the automatic portion of the reactor trip system, we conclude that administrative control of the number of channel bypass switch keys (one per reactor unit) and of the number of channels bypassed concurrently (one per reactor unit), together with indication of the channel which is bypassed, meets the intent of IEEE 279 and is acceptable. The Technical Specification will require that no more than one trip channel be bypassed concurrently.
2. Shutdown Bypass Switches: Although a pressure interlock prevents use of these switches during power operation, the applicant has stated that, in order to provide adequate protection during physics testing and control rod drive testing, the high power level trip set points must be lowered. The applicant proposes to change the set points manually. We have not completed our review of this portion of the design. Our conclusions regarding the acceptability of the manual set point adjustments will be forwarded to the Committee in a supplemental report on the Oconee facility in August, 1970.
3. Dummy Bistables: Dummy bistables, which bypass the individual input signals, can be installed in each reactor trip channel. As presently proposed, no indication is provided to indicate either the number of dummy bistables installed or the instrument channel in which they are installed. Although we are unable to report our final position on the use of the dummy bistables, there are only three alternatives presently under consideration: (1) If the design is not changed, we would not permit the use of dummy bistables; (2) The applicant has stated that the design could be easily changed to provide indication of the trip channel, but not the instrument channel, in which dummy bistables are installed. If this design change is made, the use of dummy bistables in one trip channel at a time would meet IEEE 279. Concurrent use of a channel bypass switch and dummy bistables would not meet IEEE 279; (3) If the design is changed to meet our interpretation of IEEE 279, i.e., the status of the protection system is continuously, and in a non-ambiguous manner, indicated to the operator, we could permit the use of dummy bistables within the Technical Specification requirements for a minimum of two operable instrument channels per trip parameter with the trip channels arranged in a one-out-of-two trip logic.
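The reasoning behind the one-channel bypass limit in item 1 and the one-out-of-two arrangement in alternative (3) can be checked by enumeration. The following Python sketch is an added example, not part of the AEC report; it assumes that a bypassed channel, or one failed in the non-tripping direction, contributes no trip vote while the coincidence requirement is unchanged, and its function names are hypothetical.

```python
from itertools import combinations

def can_trip(n, k, bypassed=(), failed=()):
    """True if a k-out-of-n trip system still trips on a genuine demand.

    Assumption (not stated in the report): a bypassed channel, or one that
    has failed in the non-tripping direction, contributes no trip vote and
    the coincidence requirement stays at k."""
    voting = set(range(n)) - set(bypassed) - set(failed)
    return len(voting) >= k

def classify(n, k, bypassed=()):
    """Classify one bypass configuration against the single failure criterion."""
    if not can_trip(n, k, bypassed):
        return "automatic trip defeated"
    remaining = set(range(n)) - set(bypassed)
    # Single failure criterion: any ONE additional channel failure must
    # still leave enough voting channels to produce a trip.
    if all(can_trip(n, k, bypassed, failed=(ch,)) for ch in remaining):
        return "meets single failure criterion"
    return "trips only if nothing else fails"

def survey(n, k):
    """Map number of bypassed channels -> set of classifications observed."""
    result = {}
    for count in range(n + 1):
        result[count] = {classify(n, k, combo)
                         for combo in combinations(range(n), count)}
    return result

def max_safe_bypasses(n, k):
    """Largest number of concurrent bypasses that always meets the criterion."""
    ok = [count for count, seen in survey(n, k).items()
          if seen == {"meets single failure criterion"}]
    return max(ok) if ok else None

if __name__ == "__main__":
    # 2/4 reactor trip logic as described in the report
    for count, seen in survey(4, 2).items():
        print(count, "bypassed:", ", ".join(sorted(seen)))
    print("max concurrent bypasses (2/4):", max_safe_bypasses(4, 2))
    # Alternative (3): two operable channels in one-out-of-two logic
    print("1/2 logic, no bypass:", classify(2, 1))
```

Under these assumptions the 2/4 logic tolerates exactly one bypassed channel, which is the limit the Technical Specification imposes, and nothing in the logic itself prevents a second bypass; that gap is what the administrative key control covers.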
b. Operation With Less Than Four Reactor Coolant Pumps
The design of the reactor protection system includes provisions for operation with less than four reactor coolant pumps in service. Operation with three pumps running requires no adjustment of protection system set points because the power/flow trip can provide adequate protection. An automatic set point change is made when only one pump in each loop is in operation; this set point change limits reactor operation to less than 55% of rated power. Loss of two pumps in the same loop will cause a reactor trip regardless of power level. In order to restore operation with only the other two pumps in service, the applicant proposes to manually change several protection system set points. Operation with only one pump in service is not proposed. We conclude that this design is acceptable for the Oconee units for the following reasons:
1. Operation with less than four coolant pumps running is not a planned mode of operation unless pump failures occur;
2. With the exception of operation with only two pumps in the same loop running, the design meets IEEE 279 criteria;
3. The probability that two pumps in the same loop will be out of service concurrently due to pump failure is low; and
4. The manual adjustments necessary to operate with two pumps in the same loop inoperable are made while the reactor is shut down.
Although we consider this design acceptable for the Oconee units, we are continuing to evaluate the B&W design, particularly in regard to the method in which the protection system set points are changed in preparation for single loop operation.
c. Reactor Coolant Flow Instruments
We have not completed our review of the reactor coolant flow instruments. A total of eight differential pressure transmitters are used to provide inputs to the reactor protection system. The four transmitters associated with each loop derive their input from the same flow nozzle and utilize the same two reactor coolant piping penetrations. We expressed our concern to the applicant that the design of the flow instruments did not meet the single failure requirement of IEEE 279. In its response, the applicant addressed only the effects of a rupture of a single sensing line. We remain concerned that single failures (e.g., blockage of one penetration) could prevent all flow instruments in a loop from responding to a flow reduction. We expect to receive additional information on this matter from the applicant and will be prepared to report orally to the Committee.
We conclude that, except for the item discussed in c. above, the reactor protection system meets the proposed GDC and IEEE 279 and is acceptable.
Engineered Safety Feature Actuation System
The engineered safety feature actuation system consists of eight channels. Two independent actuation channels are provided for each engineered safety feature system.
The emergency core cooling systems, i.e., high pressure injection and low pressure injection, are actuated from the sensing of either low reactor coolant pressure or high containment pressure. The applicant has stated that, for some break sizes, a reactor trip is required for the emergency core cooling systems to be effective but diverse reactor trip signals have not been provided. The applicant's position is that the reliability of the low reactor coolant pressure signal makes a diverse reactor trip signal unnecessary. We have informed the applicant of our conclusion that all functions required for effective emergency core cooling should be actuated from the sensing of diverse variables. We expect no additional information on this matter and will require that a diverse reactor trip signal be provided.
We have reviewed the schematic diagrams and the test procedures for the engineered safety feature actuation circuits with the applicant. In view of our concerns with the test capability provided by the Westinghouse design, we wish to point out some features of the Babcock and Wilcox design. The entire system, from the sensors to the actuated components (e.g., pumps, valves) and including the bypass provisions, can be tested during reactor operation. During the periodic tests, the channel under test is not incapacitated and a valid trip signal will actuate both channels associated with each engineered safety feature system. Each actuated component has its own unit control module. The unit control modules are the equivalent of the Westinghouse slave relays except that each slave relay actuates several components. Although the B&W design, like the Westinghouse design, does not permit an integrated system test during reactor operation, the individual components can be actuated one at a time using the associated unit control module in a manner which adequately duplicates the action required under accident conditions. We conclude that an acceptable means of completely testing the ESF actuation circuits during reactor operation is provided.
We conclude that, except for the lack of a diverse reactor trip signal, the engineered safety feature actuation system meets the proposed GDC and IEEE 279 and is acceptable.
Installation Criteria
We have reviewed the applicant's installation criteria relating to the preservation of the independence of redundant safety equipment by means of separation and to the prevention of fires through derating of power cables and proper tray loading. We have found these criteria to be acceptable. We intend to visit the site for the purpose of reviewing the implementation of these criteria after a majority of the protection system equipment has been installed.
Environmental Testing
In Section 6.1.2.12 of the FSAR, the applicant has listed the equipment that must be operable during and subsequent to an accident and has described some of the environmental tests performed on this equipment. We have reviewed this information and conclude that the test program is acceptable. However, we have requested the applicant to provide a brief description of the tests used to qualify the sensors which provide input signals to the protection system. We expect to receive this information prior to the ACRS meeting and will assure ourselves that those tests adequately simulated the post-accident environment.
Seismic Design Criteria
The applicant's seismic design bases are that the protection systems shall function normally during and after either a maximum hypothetical earthquake or design earthquake. The protection system equipment is being dynamically tested to show normal operation during excitation in excess of the maximum predicted accelerations at its location through the frequency range expected during either earthquake.
We have evaluated the applicant's seismic design bases and conclude that they are acceptable.
EMERGENCY POWER SYSTEM
Offsite Power
Offsite power is available to each unit from the 230 kV switchyard via the three 230/4.16 kV startup transformers. Eight 230 kV transmission lines (four installed with Unit 1; two added with Unit 2; two added with Unit 3) converge at the site via several rights-of-way. The 230 kV switchyard is arranged into a breaker-and-a-half configuration and each circuit breaker is provided with dual trip coils supplied from the two independent 125 Vdc station switching power systems. Circuit protection is provided by redundant relaying. Commencing with the operation of Unit 3, the 500 kV switchyard will be connected to the 230 kV switchyard via an autotransformer. The applicant has stated that the Duke system is designed to withstand the loss of any single generating unit within its network.
Our review indicates that the only portion of the offsite power system vulnerable to a single random failure is the single startup transformer for each unit. Prior to the operation of Units 2 and 3, the only source of offsite power for Unit 1 is via its startup transformer. We have accepted single startup transformers for three previous applications: Ginna, Robinson, and Palisades. This arrangement was accepted for those plants because of the reliability of such transformers. An additional consideration in the case of Oconee Unit 1 is the fact that the single startup transformer circuit will exist for only about one year. With the operation of Units 2 and 3, additional sources of power can be made available through manual breaker operations which connect another unit's startup transformer to the emergency buses of the affected unit.
Based on our review, we conclude that the offsite power system, while not fully meeting the proposed GDC 39, will meet draft Criterion 17 after Unit 2 begins operation and is acceptable.
Onsite Power
Onsite power for Units 1, 2, and 3 is provided by two hydroelectric plants rather than diesel generators as for other applications. Power from the hydro units is available via either the 230 kV switchyard and the Unit 1, 2, or 3 startup transformers or the 13.8 kV underground feeder which utilizes its own 13.2/4.16 kV transformer. Either hydro unit can supply sufficient power, via either circuit, for operation of the engineered safety feature loads of one unit plus the safe shutdown loads of the other two units.
Figure 8-2 of the FSAR shows the arrangement of the station's main buses. Three engineered safety feature 4.16 kV buses are provided for each unit and these buses are connected to both of the unit's 4.16 kV main feeder buses. The sources of power which are automatically connected to the main feeder buses, in the order that they are connected, are:
1. The 230 kV switchyard via the unit's startup transformer;
2. The preselected hydro unit via the 13.8 kV underground feeder and the station's standby buses; and
3. The other hydro unit via a 230 kV overhead line, the 230 kV switchyard and the unit's startup transformer.
The following sources of power can be made available manually:
1. Another Oconee unit via the standby buses;
2. Another Oconee unit's startup transformer via the station's emergency startup bus; and
3. One of the three gas turbines located 30 miles away at Lee Steam Station via an overhead 100 kV transmission line and the standby buses.
In evaluating these power sources, we have not considered the gas turbine as a power source except as a temporary substitute for the hydro units during the periods when the hydro units are not available. The applicant has estimated these periods to be approximately 24 hours each year plus four days every ten years when the common penstock will be drained for inspection and maintenance. During these periods, the gas turbine is manually connected to the standby buses via a 100 kV overhead transmission line which is separated from the transmission network.
While the Oconee system obviously has many sources of power available, an aspect of the design which would not be acceptable in a current construction permit application is the lack of independent load groups. Regardless of the source of power, the three redundant engineered safety feature buses are connected in parallel through the two main feeder buses. All other recently approved facilities have provided two or more electrically independent load groups, each with its own source of emergency power (split-bus). We have asked the applicant to submit an analysis of the Oconee design to show that the independence and reliability of the redundant engineered safety features loads are comparable to the independence and reliability provided by a split-bus design. At present we believe that the applicant will be able to show that the design is acceptable based on the large number of power sources, the relatively large capacity of these sources, and the high reliability of the hydro units.
One feature of the onsite distribution system on which we and the applicant have been unable to reach agreement involves the automatic transfer of power to redundant motor control centers. As presently proposed, the three ESF 600 volt motor control centers receive power via an automatic transfer device from two of the three 4160 volt engineered safety feature buses. We asked the applicant to identify those loads which require this automatic feature in order to meet the design bases. The only load so identified is one of the three reactor building fan coolers. However, it appears that if one fan cooler were connected to each of the three ESF buses, the design bases would be met without automatic transfer. It is our opinion that the use of the automatic transfer feature unnecessarily reduces the already limited independence of redundant engineered safety feature equipment. We will require that the design be changed to eliminate the automatic transfer of loads between redundant engineered safety feature buses.
The arrangement of the 125 Vdc Instrumentation and Control Power System for Unit 1 is shown in Figure 8-5 of the FSAR. Each of the four distribution panels associated with a particular unit receives power via diode assemblies from either of two 125 V battery buses, one in the associated unit and one in another unit. Therefore, the source of power to each panel is automatically transferred, albeit in a unique manner, between redundant buses. Our concerns with the use of automatic transfer devices connected between redundant d-c buses were most recently discussed in our report to the Committee on the Point Beach facility. Our conclusion that the Oconee design is acceptable does not conflict with our position that a split-bus design should be used. Our conclusion that the use of isolating transfer diodes is acceptable for the Oconee units is based on the following:
1. The failure (open or short circuit) of a single diode does not result in a loss of power to any bus or load;
2. Diode monitors, which are capable of immediately detecting an open or shorted diode, are provided for each diode assembly; and
3. If it is assumed that all overload devices fail to function, a single fault could result in the loss of power to one 120 Vac vital instrument bus, one 125 Vdc power panel and both battery buses which supply power to that d-c panel. The loss of power to these buses and their loads will not reduce the capability of the protection system below that required to meet the minimum safety requirements of any unit.
In summary, the Oconee design is unique in the respect that the large number of batteries, together with the capability of immediately detecting failures, provides a system which can withstand not only a loss of power to any single load group supplied via an automatic transfer device, but also the loss of both sources of power to the transfer device.
Based on our review, we conclude that, if the automatic transfer of power to the 600 V motor control centers is eliminated, the onsite power systems meet the proposed GDC 39 and are acceptable.