ML19322E310

Testimony of DF Thatcher Re Direct Initiation of Reactor Trip Upon Occurrence of Offnormal Conditions in Feedwater Sys. Professional Qualifications Encl
Person / Time
Site: Rancho Seco
Issue date: 03/12/1980
From: Thatcher D
Office of Nuclear Reactor Regulation
To:
Shared Package
ML19322E291 List:
References
NUDOCS 8003270154


Text


UNITED STATES OF AMERICA

NUCLEAR REGULATORY COMMISSION

BEFORE THE ATOMIC SAFETY AND LICENSING BOARD

In the Matter of SACRAMENTO MUNICIPAL UTILITY DISTRICT (Rancho Seco Nuclear Generating Station)

Docket No. 50-312 (SP)

NRC STAFF TESTIMONY OF DALE F. THATCHER RELATIVE TO DIRECT INITIATION OF REACTOR TRIP UPON THE OCCURRENCE OF OFF-NORMAL CONDITIONS IN THE FEEDWATER SYSTEM

(Board Question 9 and Additional Board Question 1)

Q 1.

Please state your name and your position with the NRC.

A.

My name is Dale F. Thatcher.

I am an employee of the U. S. Nuclear Regulatory Commission.

I was responsible for the review and evaluation of instrumentation and control systems for Babcock & Wilcox (B&W) operating reactors following the Three Mile Island Unit 2 (TMI-2) incident.

Q 2.

Have you prepared a statement of professional qualifications?

A.

Yes. A copy of this statement is attached to this testimony.

Q 3.

Please state the nature of the responsibilities that you have had with respect to the Rancho Seco Nuclear Generating Station.

A.

I was responsible for the review of instrumentation and control system modifications for a number of B&W plants, including Rancho Seco. Specifically, I have reviewed steps taken at Rancho Seco in the area of instrumentation and control in response to the Commission's Order of May 7, 1979.


Q 4.

What is the purpose of your testimony?

A.

The purpose of this testimony is to respond to Board Question 9 and Additional Board Question 1, which states:

Board Question 9


Rancho Seco, being a Babcock and Wilcox design reactor, has not installed adequate hard-wire control grade reactor trip on loss of main feedwater and/or on turbine trip, and therefore, is unsafe and endangers the health and safety of Petitioners, constituents of Petitioners and the public.

Additional Board Question 1

At a meeting with owners of B&W reactors held on August 23, it was noted that, in the interim then elapsed since the TMI-2 accident, control-grade hard-wire anticipatory reactor trips (ART) had been called on to respond four times and had failed once:

a.

Is this typical of performance by control grade trips?

b.

What are the safety implications for operation of Rancho Seco before such trips are upgraded?

Q 5.

With specific reference to the TMI-2 accident, describe the origin and nature of any concern on the part of the NRC Staff that the lack of a direct initiation of reactor trip upon the occurrence of off-normal conditions in the feedwater system poses a safety problem.

A.

During the investigation of the TMI-2 accident, the staff identified a concern that the B&W reactor protection system design existing at that time did not produce a reactor trip directly on loss of both main feedwater pumps or turbine trip.

Instead, the reactor trip is generated after the reactor coolant pressure rises to the high pressure setpoint (2355 psig). As a result, the reactor trip at TMI-2 occurred at about 8 seconds after the initial loss of main feedwater and turbine trip when this reactor coolant pressure setpoint was reached. This delay in reactor trip coupled with the existing setpoint (2255 psig) for opening of the pilot operated relief valve (PORV) resulted in the concern that the PORV could open every time a loss of both main feedwater pumps or turbine trip occurs, thereby raising the potential for a failure of the PORV to reclose.

Q 6.

Were any actions taken by the Commission relative to the Rancho Seco facility to reduce the likelihood of actuating the PORV?

A.

In order to limit the reactor coolant pressure rise and to reduce the likelihood of actuating the PORV, and therefore, reduce the potential for failure to reclose, the Commission took a number of actions with respect to the Rancho Seco facility.

Q 7.

Describe the actions taken by the Commission in this area.

A.

The Commission Staff issued I&E Bulletin 79-05B on April 21, 1979.

In response to I&E Bulletin 79-05B, the licensee lowered the existing high pressure reactor trip setpoint (from 2355 psig to 2300) and raised the PORV automatic opening setpoint (from 2255 to 2450). This action, therefore, minimizes the likelihood of automatic opening of the PORV by having reactor trip occur earlier (at a lower pressure) and limiting the subsequent reactor coolant system pressure rise.

To provide additional margin to the PORV opening setpoint, the licensee proposed a direct initiation of reactor trip on loss of both main feedwater pumps or turbine trip to anticipate the reactor coolant pressure rise.

These reactor trip signals are independent of the existing reactor protection system and can provide an earlier trip for events involving the loss of both feedwater pumps or turbine trip, and therefore, can aid in limiting the reactor coolant pressure rise and subsequent operation of the PORV.

The requirement to install these trips at Rancho Seco was subsequently confirmed by the Commission Order of May 7, 1979. The NRC Staff verified that both of these trips had been installed prior to allowing the restart of the facility. See "Evaluation of Licensee's Compliance with the NRC Order dated May 7, 1979, Sacramento Municipal Utility District, Rancho Seco Nuclear Generating Station", Docket No. 50-312, dated June 27, 1979, page 14.

Q 8.

Please explain the hard-wired control-grade reactor trip which is presently utilized at the Rancho Seco facility.

A.

The Rancho Seco hard-wired control-grade reactor trip utilized existing plant equipment to a large extent and the equipment added was equipment that is similar to that used in other plant applications such as turbine-generator control. Complete prestartup check-out tests were performed to verify the operability of the trips.

The main turbine trip is sensed by an existing, normally de-energized relay in the main turbine/generator protection system. The relay is energized by the protective trips of the turbine and/or generator. Power is supplied by an onsite battery source.

The loss of both main feedwater pumps is sensed by newly installed pressure switches (one in each of the two main feedwater pump discharge lines).

The pressure switches actuate (close) on low pressure in the header. Power is supplied by the same onsite battery source referred to above.

In order to prevent an inadvertent reactor trip during startup or shutdown, the loss-of-both-main-feedwater-pumps signal is cut-out of the circuitry by a key-lock switch. The key for this switch is maintained by the shift supervisor.

When the switch is placed in the "cut-out" position, it is annunciated on the main control board. The operating procedures specify when the switch is placed in the "normal" or "cut-out" position.

Either signal (turbine trip or loss-of-both-main-feedwater-pumps) will actuate

VDC supply and operates independently from the 120 VAC undervoltage trip coil which receives the reactor protection systems trip signal.

Q 9. Are these actions which you identified in response to Question 7 adequate to provide an acceptable margin of safety at the Rancho Seco facility?

A.

The staff has concluded that the change in the reactor trip setpoint and the PORV opening setpoint provided an acceptable margin of safety to prevent PORV opening. The staff concluded that the addition of the anticipatory trips would provide an earlier reactor scram for events involving the loss of both main feedwater pumps or turbine trip and therefore, would provide an additional margin of safety for these off-normal conditions.

Although these control grade trips presently installed at Rancho Seco were not required to meet the requirements of the other reactor protection system trips (i.e., safety system requirements), it was concluded that, in the interest of providing some additional margin for the short term, this would be adequate.

It was expected that some failures may occur.

However, the failure of these trips alone would not itself result in a safety concern.

I further discuss this subject later in this testimony when I respond to the Licensing Board's question in this area.

Q 10. Are any further steps in this area planned with regard to the Rancho Seco facility?

A.

As part of the long term requirements of the May 7, 1979 Order, the licensee has committed to install safety grade anticipatory reactor trip as part of the reactor protection system.

"Safety grade" was the term used in the Order to convey the requirement that, as part of the reactor protection system, these trips were to be upgraded to meet the design criteria of the protection system. These design criteria are outlined in the Institute of Electrical and Electronics Engineers (IEEE) Standard 279 "Criteria for Protection Systems for Nuclear Power Generating Stations." This standard includes criteria which are intended to help ensure a highly reliable system. The criteria address design requirements such as single failure, testability, qualification, independence and automatic removal of operating bypasses.

Q 11. What is the schedule for implementation of the safety grade trips?

A.

The licensee has committed to incorporate this change at the first maintenance outage after preparation is complete.

It is expected that these trips will be operational within about six months following the staff preliminary design approval, which was given by letter dated December 20, 1979 from R. Reid to J. Mattimoe.

Q 12. For each of the steps identified in response to Question 11, above, explain why continued operation of the Rancho Seco facility is acceptable prior to final implementation.

A.

It was concluded that the use of control-grade design was adequate for the short term. This was based on a number of considerations which I will identify below. But first, I would like to point out that the problems identified by the Staff in this area were the delay in reactor trip and the potential for a stuck open PORV.

The change in the set points alone would greatly reduce the likelihood of opening of the PORV and the anticipatory trips were a secondary measure to provide additional margin.

(1)

In order to meet all the requirements of a safety grade system, a long lead time to design, procure, and implement the trips would be required.

Therefore, the licensee recommended a control grade trip to provide some additional protection for the interim.

(2)

The control grade trips could be implemented independently of the existing safety grade reactor protection system and, therefore, the additions of a control grade trip would not degrade the safety systems.

(3)

The control grade trips could provide additional margin for certain events, however, their failure would not result in the loss of the reactor trip function because the reactor protection system would cause reactor trip as before.

(4)

Prestartup tests demonstrated the operability of these control grade trips.

(5)

The control grade trip would be an interim measurement only and would be replaced by trips which would meet the reactor protection system requirements.

Therefore, based on the above considerations, we believe that continued operation of the Rancho Seco facility is acceptable.

The longer term upgrading will provide additional reliability for the anticipatory reactor trip function.

Q 13. Please respond to Additional Board Question 1.

A.

It was recognized by the staff that trips which were not designed to safety grade requirements, i.e., control grade, would not have as reliable performance as the balance of the reactor protection system trips. Therefore, a number of failures may be experienced. The number of failures would depend on both the failure rate of the equipment and the number of challenges to this equipment.

Information obtained in the August 23, 1979 meeting with owners of B&W reactors, with regard to the experience with these control grade anticipatory trips, would appear to indicate a high failure rate. Based on this information, and the long lead times (on the order of years) projected by the licensees for the installation of the safety grade trips, the staff issued a request for additional information on September 7, 1979. The request required that the licensees improve their schedule for implementation of the safety grade trips.

If the required improvement could not be committed to, the staff required that the licensees propose modifications to their existing control grade trips which would improve their reliability.

This request resulted in the licensees improving their schedules for the installation of the safety grade trips. Some of this schedule improvement resulted from the ability to obtain reactor protection system components from B&W plants under construction, rather than starting from design, through specification and procurement.


In addition, since the August 23, 1979 meeting about seven additional challenges to the anticipatory trips at B&W operating plants have occurred and the Staff is not aware of any other failures.

Although the Staff expressed the above concern regarding the reliability of the control grade trip, if it should fail the safety implications are relatively minor.

These trips provide an anticipatory function and their failure will not result in violation of any safety limit. Their failure will only result in the loss of some margin in the primary pressure rise for events involving loss of both main feedwater pumps or turbine trip. The existing reactor protection system trips (such as high reactor coolant pressure) will continue to provide the reactor scram function for these type events. The changes in set points minimize the challenges to the PORV and the potential for that valve to stick open.

In the case of the one failure which occurred, the reactor tripped on high reactor pressure about 8 seconds after the turbine tripped. No PORV actuation was experienced.


DALE F. THATCHER PROFESSIONAL QUALIFICATIONS

INSTRUMENTATION & CONTROL SYSTEMS BRANCH

DIVISION OF SYSTEMS SAFETY

I am a Senior Reactor Engineer in the Instrumentation and Control Systems Branch, Division of Systems Safety, Nuclear Regulatory Commission.

From May to December 1979, I was assigned to the Bulletins and Orders Task Force as a technical reviewer in the area of instrumentation and control.

Just prior to this assignment I was a member of the NRR team which aided in the Three Mile Island Recovery Operation.

In the ICSB, my primary responsibility is to perform technical reviews of the design, fabrication, and operation of instrumentation and control systems for nuclear power plants. This review encompasses evaluation of applicant's safety analysis reports, generic reports and other related information on the instrumentation and control designs.

I graduated from Lehigh University with a Bachelor of Science Degree in Electrical Engineering in June 1971.

From my graduation in June 1971 until my employment at the Commission, I was an Instrumentation Engineer with Gilbert Associates, Inc., an Architect-Engineering company located in Reading, Pennsylvania.

My responsibilities included the design and evaluation of various instrumentation and control systems including primarily the areas of reactor protection systems and other safety systems for various domestic nuclear power plants.

I joined the Regulatory staff of the Atomic Energy Commission in March 1974 as a Reactor Engineer. Since then, I have participated in the review of instrumentation control and electrical systems of numerous nuclear power stations and standard plant designs.

In addition, I have participated in the formulation of related standards and regulatory guides.

I am a member of the Institute of Electrical and Electronics Engineers (IEEE) and have participated in the development of IEEE Standard 379-1977, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class IE Systems" and other proposed standards.
