ML19331C817
| ML19331C817 | |
| Person / Time | |
|---|---|
| Site: | Summer  |
| Issue date: | 08/31/1980 |
| From: | GILBERT/COMMONWEALTH, INC. (FORMERLY GILBERT ASSOCIAT |
| To: | |
| Shared Package | |
| ML19331C815 | List: |
| References | |
| NUDOCS 8008190591 | |
| Download: ML19331C817 (86) | |
Text
{{#Wiki_filter:- . - . _ - . . -.- _ . - 1 i 4 O O l l 1 i l l i l EMERGENCY FEEDWATER SYSTEM i RELIABILITY ANALYSIS FOR THE 1 VIRGIL C. SUMMER NUCLEAR STATION ! UNIT 1 , 5 { l l PREPARED FOR ! SOUTH CAROLINA ELECTRIC AND GAS COMPANY 4 COLUMBIA, SOUTH CAROLINA
\
l l l Prepared by Gilbert / Commonwealth Reliability Section Reading, PA 19603 August 1980 8008190591 .
4 TABLE OF CONTENTS Section P_aage
1.0 INTRODUCTION
1-1 1.1 Background 1-1 1.2 Obj ectives 1-1 1.3 Scope 1-1 1.4 Analysis Technique 1-2 1.5 Organization of Report 1-3 2.0 ASSUMPTIONS AND CRITERIA 2-1 2.1 Definition of System Failure 2-1 (Fault Tree Top Event) 2.2 Availability of Electrical Supply 2-1 2.3 Data 2-1 2.4 Degradation VS Failure 2-1
- 2. 5 EF Pump Susceptibility to Suction 2-2 Starvation 2.6 Human Errors of Commission and omission 2-2 2.7 Human Errors of Commission and Omission 2-2 Pertains to EF Supply Line Maintenance Valve s 2.8 Plugging Contribution of the EF Supply 2-2 Os Line Maintenance Valve 2.9 EF Delivery Requirements 2-3 2.10 Pump Flow Recirculation 2-3 2.11 Control Circuit Definition 2-3 2.12 Undetected Loss of CST 2-3 2.13 Power Source Availability 2-4 3.0 SYSTEM DESCRIPTION 3-1 3.1 Overall Configuration 3-1 3.2 Fluid System . 3-1 3.3 Support Systems and Backup Water Source 3-4 3.4 Electrical Power Sources 3-4 3.5 Instrumentation and Control 3-5 3.6 Operator Actions 3-6 3.7 Testing 3-6 3.8 Technical Specifications 3-7 4.0 RELIABILITY ASSESSMENT 4-1 4.1 Fault Tree Approach 4-1 4.2 Comparative Reliability Assessment with 4-2 NUREG-0611 4.3 Failure Contributors to EFS Unavailability 4-2 i
. _ _ _ - , , - - , , , _ , ~ . . ..-. _ - _ . . , .- _ ..
Section h 5.0 RESPONSES TO GENERIC RECOMMENDATIONS 5-1 5.1 General 5-1 5.2 Short-Term Generic Recomendations 5-2 5.3 Additional Short-Term Recommendations 5-10 5.4 I.ong-Term Generic Recomendations 5-14 References Figures Appendix A Appendix B O O 11 2
LIST OF ABBREVIATIONS USED IN THE FAULT TREE ANALYSIS OF THE EMERGENCY FEED'n'ATER SYSTEM 4 A0V Air Operated Valve BISI By-Pass and Inoperable Status Indication CRT Circuit CST Condensate Storage Tank CV Check Valve DG Diesel Generator DT#2 Denny Terrace Station #2 l EF Emergency Feedwater EFS Emergency Feedwater System ! FCV Flow Control Valve FE Flow Element FT Flow Transmitter ICV Isolatica Check Valve IFV Isolation Flow Valve LAC Loss of AC LFW Loss of Feedwater (same as DiF) DiF Loss of Main Feedwater LOSP Loss of Off-Site Power MCC Motor Control Center MDP Motor Driven Pump MIV Manual Isolation Valve MOV Motor Operated Valve MS Main Steam MSIV Main Steam Isolation Valve PORV Pcwer Operated Relief Valve O SG Steam Generator V iii
l i 4 SRV Safety Relief Valve .t l SW Service Water i SUS Service Water System TDP Turbine Driven Pump TSC Technical Support Center J f 1 1 i I l ) lO 1 O iv __,_._ _ _. _ .. _ . _ ,.-..,_.. _.-.-.._. _ . . _ , _ . _ _ _ , _ ....a_.____...___.._... . _ . _ . . _ _ _ _ _ _ . _ . _ . , _ . _ _
4 a - . s - a v .a , _ a e-,_ ._,a .. _ , . _ __ . s
1.0 INTRODUCTION
{) ! 1.1 Background The NRC has requested that plants with Westinghouse-designed reactors that are under operating license review evaluate and consider means for upgrading the Emergency Feedwater System (EFS) reliability. This report presents the results of that reliability study for the V. C. Summer Nuclear Station Unit 1 in a form comparable with the information contained in NUREG-0611. 1.2 Objectives The objectives of this study are: A. To perform a reliability assessment of the V. C. Summer EFS and to compare its expected performance with similar systems at operating Westinghouse reactors. B. To consider any design or operational modifications necessary, based on insights from the reliability analysis and the NRC Generic Recommendations. 1.3 Scope l The EFS design was analyzed for the following three feedwater transients: Case 1 - Loss of Main Feedwater with Reactor Trip (LMF) Case 2 - Loss of Main Feedwater Coincident with Loss of Offsite i Power (UTF/LOSP) Case 3 - Loss of Main Feedwater coincident with Loss of All AC Power (LMF/ LAC) O V 1-1
l i 1 () The analysis was limited to finding the probability of EFS failure on the occurrence of each of the above postulated initiating event ! 4 cases. The causes and probabilities of the initiating sequences were not considered. External events, such as earthquakes, were also not considered. 1.4 Analysis Technique The technique used for the study is Fault Tree Analysis, which is a deductive approach where an undesirable (top) event is postulated, and the system is examined with a view to finding combinations of component failure events and human errors which can cause the top event. The technique has been applied extensively to nuclear safety analysis, most notably in the Reactor Safety Study (WASH-1400). O 3 i 1-2
1 l 1.5 Organization of Report In addition to the considerations identified above under Background (see Section 1.1), this report addresses specific requirements identified in Enclosure 1 and Enclosure 2 of the NRC March 10, 1980 letter *, as follows: Reference Response Enclosure 1 Text plus Appendix A (Fault Tree Analysis) Enclosure 2 Appendix B (Basis of Auxiliary Feedwater System Flow Requirements) O
- Letter dated March 10, 1980 from D. F. Ross, Jr., Acting Director, Division of Project Management, Office of Nuclear Reactor Regulation, to all Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Wesringhouse and Combustion Engineering.
Subject:
" Actions Required From Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering Resulting From the NRC Bulletins and Orders Task Force Review Regarding
(~} the Three Mile Island Unit 2 Accident." V l-3
2.0 ASSUMPTIONS AND CRITERIA 2.1 Definition of System Failure (Fault Tree Top Event) In order to determine what combinations of ccmponent failures or human errors will cause system failure, it is first necessary to define explicitly what constitutes system failure. For the purposes of the present study, EFS failure is defined as failure of the EFS to provide sufficient flow to at least two of the three steam generators. 2.2 Availability of Electrical Supply Case 1 - LMF - All AC and DC power was assumed available with a probability of 1.0. Case 2 - LMF/LOSP - DC power was assumed available with a probability of 1.0. All possible combinations of diesel generator availability were considered. Case 3 - LMF/ LAC - DC power was assumed available with a probability of 1.0. 2.3 Data Wherever applicable, reliability data for hardware, operator actions, and maintenance were taken from NUREG-0611 and WASH-1400. 2.4 Degradation VS Failure No degradation or degraded failures were considered, i.e. , equipment either operates as required or is in a failed state. i v 2-1
2.5 EF Pump Susceptibility to Suction Starvation Based on system engineering analysis, there is considerable con-(v) cern about the. ability of the EF pumps to survive startup in a starved condition. An EF pump startup with a closed suction flow path is assumed to fail with a probability of 1.0. 2.6 Human Errors of Commission and Omission Five basic human errors were defined in the analysis based on likely system maintenance, valve locking, valve position monitoring, walk around, mispositioning of valves, etc. Values for these errors were assigned from NUREG-0611 and WASH-1400. 2.7 Human Errors of Commission and Omission Pertaining to EF Supply Line Maintenance Valve The single manual valve (#1010) in the EFS suction line is locked open (L.O.) and repositioned only on EF suction line maintenance. The position of this valve is verified at least monthly. A limit switch initiates an audible alarm in the Control Room when the valve is closed. Its closed status is input into the Bypass and Inoperable Status Indication (BISI) computer system wherein the closed status is displayed on a CRT screen. An unavailability of 5 x 10-5 per demand due to maintenance and operating error was assigned based on considerations in NUREG-0611 and WASH-1400 con-cerning the measures taken to confirm its status. l 2.8 Plugging Contribution of the EF Supply Line Maintenance Valve Based upon data in WASH-1400, Appendix III, all manual valves are lumped into one statistical figure for the primary failure mode which is 3 x 10-4 to 3 x 10-5 per demand and is based upon plugging. This range is primarily based upon globe valves which are more prone to plugging than other manual valves. r The upper bound assessed value for the type butterfly valve utilized in the Emergency Feedwater System should be lower because plugging cannot take place in butterfly valves as frequently as in globe I 2-2 i l
- - - - - - - - ~_ ._ ._,, _ _ _ . . . _ _
valves due to inherent design. A change of flow with varying velocity as found in globe-type valves creates an environment where debris and other foreign material may accumulate near the seating surfaces and affect the opening or closing action or cause plugging. An unavailability of 3 x 10-5 due to plugging was assigned. 2.9 EF Delivery Requirements Consistent with the most recent thermal hydraulic analysis to date, adequate primary loop cooling is achieved with a minimum of one half capacity motor driven pump or one full capacity turbine driven pump on loss of main feedwater transient providing no main steam or feed-water line break has occurred. I 2.10 Pump Flow Recirculation ' Failure to establish EF pump recirculation has been included in the reliability assessment. However, this area is believed to be mainly of concern when approaching Hot Standby where EFS flow is continually i throttled back. 2.11 Control Circuit Definition
, Motor and valve control circuits are defined analogously to those appearing in the WASH-1400 AWS analysis and includes the starter control circuit, power to the start control, DC bus, breaker coils, breaker contacts, and power and control cables.
2.12 Undetected Loss of CST This quasi-basic event affects the ability of the EFS during startup i by placing a rapid demand on the automatic switchover to the SW backup supply which precludes any operator intervention. Tank rupture, tornado-induced catastrophic failure and undetected maintenance error during plant operation were considered. A value of 7 x 10-7 was i used in the assessment. \ 2-3 I I- . - - - . _-. . - . - -. - . _ - - . . . , - - . - - -.
. - . . _ . . . . . . . . - - .- . - . .- .~ _ _. ._
h 2.13 Power Source Availability i e All AC sources were assumed available for the DIF case. For the UtF/ l
. LOSP case one diesel generator set was assumed to fail to start and accept load with a probability of 1 x 10-2; the second diesel generator t.'
set was assigned a start and load acceptance failure probability of l zero. 4 i 2 a t i i i
)
1 O i i 4 e i i. t i i f f I I i l t } 2-4 l
.r---- --,,,-n. ,.,n, ,,--,,----,wa--,,nw ,,,,n-- - . - ,- c--r-ww n n.ne.,w w.n, -~~n,.,,,,..----,---~.n.-.-~v
3.0 SYSTEM DESCRIPTION
/)
(./ 3.1 Overall Configuration A diagram of the V. C. Summer EFS is shown in Figure 1. The system consists of two feedwater trains, one supplied by two half-capacity motor-driven pumps (MDP) and one by a full-capacity steam turbine-driven pump (TDP), all with a common suction source. Either of the trains can supply sufficient emergency feedwater to any of the three steam generators. 3.2 Fluid System 3.2.1 Suction The primary water source for the EFS is the condensate storage tank (CST). Of the tank's 500,000-gallon storage capacity, 150,000 gallons are available exclusively to the EF3. A common suction header for all three EFS pumps is supplied through 3
\_) a 10" line from the CST. This line has a manual valve which is locked open*, and is provided with an audible alarm in the Control Room. The line from the suction header to each EF pump has a check valve and a manual locked-open valve.*
l The backup supply is the Service Water System which is actscatically actuated by pressure sensors (two-out-of-four logic) in the common 1 suction line downstream of the locked-open manual valve from the CST. Service Water Loop A can supply the "A" MDP and the TDP. Service Water Loop B can supply the "B" MDP and the TDP. There is a normally closed motor-operated valve in each loop before the pump suction lines as well as a normally closed motor-operated valve and a check valve in the suction line of each pump. The motor-operated valves are isolation valves capable of both manual (local and remote) and automatic operation. !
- Status of this valve indicated in CR and TSC as part of BISI.
O V 3-1 /
, , , - - n-, - - r, , -- - , ,n - - - - - , e
3.2.2 Pumps and Discharge Headers There are two discharge headers, one connected to the TDP and the other to the MDP's. The discharge line from each pump to the header has a check valve and a locked-open, manually operated isolation valve.* The TDP is rated at 570 gpm including recirculation at a steam generator pressure of 1211 psig and each MDP is rated 440 gpm including recirculation at a steam generator pressure of 1211 psig. Each pump is provided with a recirculation path. This path consists of a check valve, a breakdown orifice and locked-open manual valve.* The recirculation line is sized 2" for each MDP and 3" for the TDP. Each recirculation line can pass the required pump minimum flow of 100 gpm. The recirculation lines discharge to a 4" recirculation header which returns the recirculation flow to the CST through a check valve.
. The TDP and MDP discharge headers each split into three flow paths, one for each steam generator. Each flow path has a locked-open manual valve,* a flow control valve
- and a locked-open stop check valve.* Downstream of the stop check valve, the flow paths from the TDP and MDP discharge headers combine to form one EF line to each steam generator. The common line to each steam generator contains a pneumatically operated spring-assisted check valve which serves as a containment isolation valve and two check valves near each steam generator nozzle to limit the effects of a pipe break.
3.2.3 Flow Control Valves f Two normally open pneumatically operated flow control valves
- are provided for each steam generator; one valve controls flow from the j MDP's, the other controls TDP flow. Remote manual / automatic control of the flow control valves is from the Control Room with provision for ,
local manual operation. Safety class air accu =ulators with sufficient
- Status of this valve indicated in CR and TSC as part of BISI.
O 3-2 4
,,--,,--~,.m, , . - . . , , , - ., , -- -n-- , ,n.,..w .n ,e , ,n,. ,w..-n. ,.
capacity to ensure valve closure for approximately three hours in 7s the case of a secondary line break are provided for the valves. t 4 s- ' The flow control valves fail open on loss of electric power or control air. 3.2.4 Steam Supply for the TDP Turbine The steam supply to the TDP consists of a connection taken from the safety class sections of each of two Main Steam lines (from Steam Generators B and C) upstream of the Main Steam isolation valves. Two connections are provided to obtain redundancy of supply in the event of a Main Steam line break. Each connection has a check valve and a motor-operated gate valve for positive isolation in the event
'of Nbin Steam line break. A normally closed, fail open, pneumatically operated steam inlet valve
- which pneumatically fails safe upon loss of AC or control air and is opened from 2 logic trains in automatic switchover, is provided in the common line to the turbine, which then connects to a turbine trip and throttle valve.
() 3.2.5 Valve Operation and Indication All motor-operated valves are AC powered from Class 12 buses, are controllable from and have their position indicated in the control room. Position indication and control for each valve is from the valve motor power source. The pneumatically operated flow control valves can be manually controlled from the control room or the control room evacuation panel. Audible and visual alarms will be activated and repeated at sixty-minute intervals whenever an emergency feedwater flow control valve control switch is not in the auto position (valve is open when control switch is in the auto position). Flow control in manual control (e.g. , closed during EF pump test) will go to the full, wide-open position upon automatic initiation (excluding main feedwater pump trip) of the EFS. cw
- Status of this valve indicated in CR and TSC as part of BISI.
\_- l 3-3
i Locked-open valves critical to system successful functioning and (}
'~
several normally closed valves are monitored on the Bypass and Inoperable Station Indication (BISI) system. An input entry to the BISI computer is made whenever a valve is placed into a position contrary to successful system function. This record is displayed on the control room and technical support center cat. 3.3 Support Systems and Backup Water Source The EFS pumps, pump motors, and turbine are all independent of support systems such as plant cooling systems. The turbine can operate with-out air or electrical power. Motor cooling and turbine lubrication oil cooling are accomplished using EF flow. In addition to the minimum of 150,000 gallons reserve in the CST, any extra inventory of water in the CST and makeup from the 500,000-gallon Demineralized Water Storage Tank (DWST) is available to the EFS. In the present design, the manual action required to connect the backup cs water source, i.e., Service Water to the EF suction, is the remote 's / manual opening of 6 MOV's. The operator has 20 minutes after the sounding of the CST low-low levels to accomplish this switchover. If this is not accomplished, automatic switchover to the SW is initiated by sensing in the common suction header from the CST downstream of the locked-open manual valve. This signal automatically activates the motor-operated valves in the SW supply lines to the MDP's and the TDP using 2 of 4 sensor logic to the two separate SW trains. 3.4 Electrical Power Sources A simplified diagram showing electrical power distribution to major EFS components is shown in Figure 2. AC power for EFS components necessary to establish emergency feedwater flow is derived from diesel generator backed 7200 V buses LDA and LDB. Normally (Case 1), these 3-4
buses are supplied from offsite power through the switchyard. How-ever, in the event of U4F/LOSP (Case 2), the diesel generators start
)
automatically and ESF loads are connected in Engineered Safety Features Loading Sequence (ESFLS) Step 5. Service water also remains available in this case if the CST source is unavailable. Service water is connected in ESFSL Step 3 ten seconds before initiation of the EFS pumps. At a predetermined pressure, the decreasing pressure in the EFS header initiates the transfer of EF source from the Service Water System with approximately twenty seconds of water remaining in the header. In the event of LMF/ LAC (Case 3), EFS is still adequately operable because startup and operation of the TDP is not AC dependent. 3.5 Instrumentation and Control 3.5.1 Initiation Logic A functional logic diagram for EFS initiation is shown in Figure 3. The diagram is simplified and does not show the redundancy, inde-pendence, and divisional separation of the hardware. The MDP's will start on low-low level in any one steam generator, Safety Injection Signal, or undervoltage on either ESF Bus or loss of all three main feedwater pumps. The feedwater pump trip signal is a non Class lE electrical anticipatory start signal. The TDP starts on low-low level in any two steam generators or undervoltage on both ESF buses. The control logic shown in Figure 3 is powered from battery-backed buses. 3.5.2 EFS Flow Control The flow of emergency feedwater to each steam generator from the MDP's or the TDP can be controlled by air-operated flow control valves. Flow I (~h l %) l 3-5
rates through the valves to the steam generators can be manually adjusted individually by hand controllers at either the main control ('")N
~
board or the Control Room Evacuation Panel (CREP). On EFS initiation logic that starts either the MDP's (except feedwater pump trip) or the TDP, the corresponding flow control valve for each steam generator will receive an open signal regardless of its position. Upon reset at the valve control switch the operator can regain flow control. I A high flow signal, such as in the event of a secondary line break, automatically closes the respective valve. 3.5.3 Instrumentation In addition to the valve position indication previously described, the following EFS parameters 3are indicated in the Control Room: o Pressure in the common feed line to each steam generator o Suction pressure at each pump o Level in the CST () o Flow in the common feed line to each steam generator 3.6 Operator Actions Assuming the CST is available, no operator actions are required to establish EFS flow in Cases 1, 2 or 3. If the CST is not available initially, or if the CST level has been depleted after EFS operation for several hours, operator action, backed up by automatic switch-over, establishes service water supply to the EFS or replenish CST inventory as required. 3.7 Testing Each EF Pump is tested once a month to demonstrate operability. Pump testing is accomplished by closing the appropriate FCV's from the TDP or MDP headers. If the EFS is initiated, the FCV's will open; therefore, n , N. l 3-6
+$
no EF pump is unavailable due to testing. When this test is performed, ("%' ') it is also verified that each nonautomatic valve in the flow path that is not locked, sealed or otherwise secured in position, is in its correct position and that each autematic valve in the flow path is in the fully open position whenever the EFS is placed in automatic control. At least once every 18 months during shutdown, the EFS is tested to verify that each pump starts automatically and upon receipt of each EF actuation test signal. 3.8 Technical Specifications Technical specifications require:
- 1. All three EF pumps and associated flow paths to be operable whenever the reactor is in Mode 1, 2, or 3. With one pump inoperable, three pumps shall be made operable within 72 hours or the reactor should be brought to at least Hot Standby within
() the next 6 hours and to hot shutdown within the following 6 hours.
- 2. Both independent service water loops be operable whenever the reactor is in Mode 1, 2, 3, or 4. With only one service water loop operable, restore at least two loops to operable status within 72 hours or be in at least Hot Standby within the next 6 hours and in Cold Shutdown within the following 30 hours.
l
- 3. The condensate storage tank shall be operable containing a minimum volume of 150,000 gallons of water. With the condensate storage tank inoperable, within 4 hours either:
- a. Restore the CST to OPERABLE status or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours, or O
, \- / 3-7
1 i
- b. Demonstrate the OPERABILITY of the service water system as a backup supply to the emergency feedwater pumps and restore i the condensate storage tank to OPERABLE status within 7 days
<a be in at least HOT STANDBY within the next 6 hours and
, in HOT SHUTDOWN within the following 6 hours. i i
- O i
i k i 1 } 1 0 3-8 i I._____._,.-.._,__.._--____..__._.._,.__._,..__.-_-.,______..___.__._..__. _ . . _ . . _ _ . . . _ . _
O 4.0 RELIABILITY ASSESSMENT G' 4.1 Fault Tree Approach Fault tree analysis was used to assess system unavailability to a demand. In this assessment unavailability is taken as being synonomous with unreliability. This approach is consistent with NUREG-0611 and the Reactor Safety Study (WASH-1400). The analysis primarily considered the automatic initiation of the V. C. Summer EFS combined with test and maintenance-induced failures. Limited operator backup actions in the event of partial automatic startup failures were included in the assessment. These actions were in general limited to those actions that could be performed within the first five minutes of EFS initiation. In-plant corrective actions such as turning an incorrectly positioned valve were not explicitly considered because valve alignment, locking, checklist and position
. monitoring procedures provided adequate flow path availability compared \.) to other more dominant system failure contributors. NUREG-0611 generic short- and long-term recommendations currently complied with or to be implemented (see Section 5.0) have been included in tne fault tree and/or event data selection where appropriate.
The LMF fault tree appears in Appendix A. The top event in the tree is failure to achieve the minimum success criterion defined earlier in Section 2.1. The tree branches downward and is stopped at levels corresponding to the resolution of the available data. At this level there are usually basic event circles. l i Major tree branches consist of those failures affecting EF flow supply (pump train oriented) and the flow path to the steam generators. The EF flow supply failure branches dominate system unavailability with common mode and maintenance-related failures being major contributors. The interrelationship between component failure, tech spec maintenance outages and human error are developed in terms of the tree logic. The 3 (a i 4-1
degree of development is consistent with the reliability assessment goals and data available in NUREG-0611. O V Modifications were made to the LMF tree of Appendix A for assessing the LMF/LOSP and LMF/ LAC scenarios. Hand calculations were performed for each of the three feedwater transient cases to obtain values for EFS unavailability. 4.2 Comparative Reliability Assessment with NUREG-0611 Figure 4 presents the results of this reliability assessment for the V. C. Summer EFS where the demand unavailability has been determined from the constructed fault trees. The range of AFWS unavailability for 25 currently licensed units with Westinghouse JSSS is shown on this figure for comparative purposes. The basic format for Figure 4, including characterization of Low, Medium and High reliability, was adopted from Table III-5 of NUREG-0611. Bect.use of basic limitations in the data and intended scope () of this assessment and those performed as part of the NUREG-0611 effort, calculated unavailabilities are shown in comparative form only. Numerical values permitting construction of Figure 4 were ob-tained from Reference 3. Note the direct cross-comparisons of the LMF/ LAC case with Cases 1 and 2 cannot be made because the scale on Figure 4 encompasses differing orders of magnitude; the LMF and LFM/ LOSP magnitude scales are identical. 4.3 Failure Contributors to EFS Unavailability 4.3.1 Case 1 - LMF l Dominant factors resulting in EFS unavailability at startup include:
- 1. A single point vulnerability was identified in that the EFS l
suction header condensate valve (#1010) in the closed position at EFS initiation will likely lead to pump failure. This item is the single most important contributor to EFS unavailability. ' k)g l 4-2 1
A A related single point failure can occur if a loss of CST head occurs such that the reaction time required for the operator to
. () manually initiate transfer to the SWS is not available. In this case failure of the automatic switebover would result in similar failure of the pumps. However, probability of occurrence is so small as to have no credible effect on the results of the
. study.
- 2. Preventive maintenance outages on the EF pumps account for the greatest contribution to system unavailability. An MDP in maintenance presents a greater restriction on EF availability than the TDP in maintenance.
- 3. Motor circuit start failures dominate individual MDP failure.
3
- 4. Contributors to TDP failure were maintenance errors on the lube oil cooling system and failure to locally reset the turbine
- after trip.
i,
- 5. Fuspositioned pump suction isolation valves can lead to pump damage at startup.
Mispositioned pump discharge valves will result in either insuf-ficient or no flow to the MDP or TDP header, respectively. Pump recirculation and flow instrumentation are available allowing control room diagnosis of the problem without pump destruction occurring. Operator correction of closed discharge valves were not considered in this analysis as discussed in Section 4.1. Header discharge valves and EF flow paths to the steam generators had no substantial effect on EFS unavailability. This is due to 7 i the normally open EF flow control valves and automatic opening whenever the valves are in manual control including during pump , test. ! 4.3.2 Case 2 - LMF/LOSP The failure contributors for this case are similar to those in Case 1. O Loss of offsite power has no effect on the system availability when ( ,/ both diesel generators are available because all AC dependences are 4-3
. . - .. - - . ~ _ . -. .
4 . supplied by the ESF buses IDA and 1DB. O Loss of one diesel generator reduces system availability because of the loss of an MDP. All other contributors remained unaffected. 1 1 4.4.4 Case 3 - LMF/ LAC i~ The TDP train of the EFS is independent of all AC and air supplies. Primary contributors to the EFS unavailability of the TDP are those l described in 4.3.1 above applicable to the steam turbine. These items include lube oil cooling and turbine reset failures, and turbine maintenance performed within Tech Spec limits. .i i O o O l 4-4 i _ _ , , _ -..,,,.,..._,._,._.,__,,,..m._,_.,_,___,_..
i t i l l I s } 5.0 ' RESPONSES TO GENERIC RECO'tMENDATIONS i
- r j -5.1 General i I
- j. This section identifies short-ter:n and long-term generic l 1
recommendations in terms of the concerns and the recommen-
~
dation details, and indicates the specific responses for ; the V. C. Summer Plant. l 1 f I. I J 4 i . 1 , j 1 lO P i I i i 4 i 4 k l ! k i ! I ,l . !, i i l l + I i t i i ' i 4 l 5-1 ! l t ! s AAw_ emw_-_ ..- _ _ _ _ _.
O 5.2 Short-Term Generic Recommendations 5.2.1 Technical Specification Time Limit on I.FW System Train Outage Concern Several of the plants reviewed have Technical Specifications that permit one of the AFW system trains to be out of service for an indefinite time period. Indefinite outage of one train reduces the cefense-in-depth provided by multiple AFW system trains. Recommendation GS-1 The licensee should propose modifications to the Technical Specifica-tions to limit the time that one AFW system pump and its associated flow train and essential instrc=entation can be inoperable. The outage time limit and subsequent action time should be as required in current Standard Technical Specifications; i.e., 72 hours and 12 hours, respectively. O xm/ Resconse i' V.C. Su==er Technical Specification 3.7.1.2 complies. l t t f 2-2
O
\- 5.2.2 Technical Specification Administrative Controls on Manual Valves - Lock and Verify Position Concern Several of the plants reviewed use a single manual valve or ; multiple valves in series in the common suction piping between the primary water source and the AFW system pump suction. At some plants the valves are locked open, while at others, they are not locked in position. If the valves are inadvertently lef t closed, the AFN symtem would be inoperable, because the water supply to the pumps would be isolated. Since there is no remote valve position indication for these valves, the operator has no immediate means of determining valve position.
Further, the Technical Specifications for plants with locked-open manual valves do not require periodic inspection to verify that the valves are locked and in the correct position. For most plants where the valves are not locked open, valve position is verified on some periodic basis. Recommendation GS-2 The licensee should lock open single valves or multiple valves in series c). ( in the AFW system pump suction piping and lcck open other single valves or multiple valves in series that could interrupt all AFW flow. Monthly inspections should be performed to verify that these valves are locked and in the open position. These inspections should be proposed for incorporation into the surveillance requirements of the plant Technical Specifications. See Recommendation GL-2 for the longer-term resolution of this concern.
Response
See long-term item 5.4.2. (GL-2). l l
-)
5-3
- 5.2.3 AFW System Flow Throttling-Water Hammer U, g Concern Several of the plants reviewed apparently throttle down the AFW system initial flow to eliminate or reduce the potential for water hammer. In such cases, the overall reliability of the AFW system can be adversely affected.
Recommendation GS-3 The licensee has stated that it throttles AFW system flow to avoid l water hammer. The licensee should reexamine the practice of throttling AFW system flow to avoid water hammer. The licensee should verify that the AFW system will supply on demand suf ficient initial flow to the necessary steam generators to assure adequate decay heat removal following loss of main feedwater flow and a reactor trip from 100% power. In cases where this reevaluation results in an increase in initial AFW system flow, the license should provide sufficient information to demonstrate that the required initial AFW system flow will not result in plant damage due to water hammer.
Response
n s- The EF system is not throttled to avoid water hammer. C i 5-4 l l
/~ 5.2.4 Emergency Procedures for Initiating Backup Water k-)- Supplies Concern Most of the plants do not have written procedures for transferring to alternate sources of AFW supply if the primary supply is unavail-able or exhausted. Without specific criteria and procedures for an operator to follow to transfer to alternate water sources, the primary supply could be echausted and result in pump damage or a long interruption of AFW flow. Recommendation GS-4 Emergency procedures for transferring to alternate sources of AFW supply should be available to the plant operators. These procedures should include criteria to inform the operators when, and in what order, che transfer to alternate water sources should take place. The following cases should be covered by the procedures: (1) The case in which the primary water supply is not initially available. The procedures for this case should include any operator actions required to protect the AFW system pumps against self-damage before water flow is initiated. (2) The case in which the primary water supply is being depleted. I) '~ The procedure for this case should provide for transfer to the alternate water sources prior to draining of the primary water supply.
Response
South Carolina Electric and Gas Co. procedures provide criteria for transfer to the alternate water source in the above cases. O 5-5
l f'T 5.2.5 Emergency Procedures for Initiating AFW Flow Following s/ a Complete Loss of Alternating Current Power Concern Some operating plants depend on ac power for all sources of AFW system supply, including the turbine-driven pump train. In the event of loss of offsite and onsite ac power, ac-dependent lube oil supply or lube oil cooling for the pump will stop, and/or manual actions are required to initiate AFW flow from the turbine-driven pump by manually opening the turbine steam admission valve and/or AFW system flow control valves. There are no procedures available to the plant operators for AFW system initiation and control under these conditions. This could result in a considerable time delay for AFW system initiation, since the operators would not be guided by procedures dealing with this event. Recommendation GS-5 The as-built plant should be capable of providing the required AFW flow for at least two hours from one AFW pump train, independent of any ac power source. If manual AFW system initiation or flow control is required following a complete loss of ac power, emergency procedures should be established for manually initiating and controlling the system under these conditions. Since the water for cooling of the (') lube oil for the turbine-driven pump bearings may be dependent on ac power, design or procedural changes shall be made to eliminate this dependency as soon as practicable. Until this is done, the emergency procedures should provide for an individual to be stationed at the turbine-driven pump in the event of the loss of all ac power to monitor pump bearing and/or lube oil temperatures. If necessary, this operator would operate the turbine-driven pump in an on-off mode until ac power is restored. Adequate lighting powered by direct current (ac) power sources and communications at local stations should also be provided if manual initiation and control of the AFW system is needed. (See Recommendation GL-3 for the longer term resolution of this concern) .
Response
See long-term item 5.4.3 ( GL- 3 ) . O 5-6
5.2.6 AFW System Flow Path Verification Conce rn Periodic testing of the AFW system is accomplished by testing of individual components of one flow train (periodic pump recirculation flow tost or automatic valve actuation) , thus altering the normal AFW system flow path (s) . The flow capability of the entire AFW system, or at least one integral AFW system train, is only demonstrated on system demand following a transient, or if the AFW system is used for normal plant startup or shutdown. Recent Licensee Event Reports indicate a need to improve the quality of system testing and maintenance. Specifically, periodic testing and maintenance procedures inadvertently result in (1) more than one AFW system flow train being unavailable during the test, or (2) the AFW system flow train under test not being properly restored to its operable condition following the test or maintenance work. The Of fice of Inspection and Enforcement has taken action to correct Item (1) ; the recommendation below is made to correct Item (2). Recommendation GS-5 The licensee should confirm flow path availability of an AFW system flow train that has been out of service to perform periodic testing or maintenance as follows: (} (1) Procedures should be implemented to ' require an operator to determine that the AFN system valves are properly aligned and a second operator to independently verify that the valves are properly aligned. 'j (2) The licensee should propose Technical Specifications to assure that, prior to plant startup following an extended cold shutdown, a flow test would be performed to verify the normal flow path from the primary AFW system water source to the steam generators. The flow test should be conducted with AFW system valves in their normal alignment. Resconse l South Carolina Electric and Gas Co. procedur)s require that the EF system flow path be verified af ter it has been out of service to perform periodic testing or maintenance. i UI 5-7
- , . - + - - - . - +w wy , , .,.---v7 - - ,-, - -wy+y m ,3
5.2.7 Non-Safety Grade, Non-Redundant AFW System Automatic Initiation Signals Concern Some plants with an automatically initiated AFW system utilize some initiation signals that are not safety-grade, do not meet the single failure criterion, and are not required by the Technical Specifications to be tested periodically. This can result in reduced reliability of the AFW system. Recommendation GS-7 The licensee should verify that the automatic start AFW system signals and associated circuitry are safety-grade. If this cannot be verified, the AFW system automatic initiation system should be modified in the short-term to meet the functional requirements listed below. For the longer-term, the automatic initiation signals and circuits should be upgraded to meet safety-grade requirements , as indicated in Recommendation GL-5. (1) The design should provide for the automatic initiation of the AFW system flow. (2) The automatic initiation signals and circuits should be 4 designed so that a single failure will not result in the loss of AFW system function. w/ (3) Testability of the initiation signals and circuits shall be a feature of the design. (4) The initiation signals and circuits should be powered from the emergency buses. (5) Manual capability to initiate the AFW system from the control room should be retained and should be implemented so that a single failure in the manual circuits will net result in the loss of system function. (6) The ac motor-driven pu=ps and valves in the AFW system should be included in the automatic actuation (simultaneous and/or sequential) of the loads to the emergency buses. (7) The automatic initiation signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the control room.
Response
See long-term item 5.4.5 (GL-5). O>
~-
5-8
--w- <iw-- -
yw , - g * - --e- --y-w -wr - ,4 *---t +,---g*' rr-r--a e-- y-*w- -
-w- e-
l i 5.2.8 Automatic Initiation of AFW Systems O Concern For plants with a manually initiated AFW system, there is the potential for fail of the operator to manually actuate the system following a transient in time to maintain the steam generator water level high enough to assure reactor decay heat removal via the steam generator (s). While IE Bulletin 79-06A requires a dedicated individual for W-designed operating plants with a manually initiated AFW system furtEer action should be taken in the short-term. This concern is identical to Item 2.1.7a of NUREG-0578. (13) Recommendation GS-8 The licensee should install a system to automatically initiate AFW system flow. This system need not be safety-grade; however, in the short-term, it should meet the criteria listed below, which are similar to Item 2.1.7.a of NUREG-0578. (13) For the longer-term, the automatic initiation signals and circuits should be upgraded to meet safety-grade requirements, as indicated in Recommendation GL-2. (1) The design should provide for the automatic initiation of the AFW system flow. (2) The automatic initiation signals and circuits should be designed (~N so that a single failure will not result in the loss of AFW \-) system function. (3) Testability of the initiating signals and circuits should be a feature of the design. (4) The initiating signals and circuits should be powered from the emergency buses. (5) Manual capability to initiate the AFW system from the control room should be retained and should be implemented so that a single failure in the manual circuits will not result in the - loss of system function. (6) The ac motor-driven pumps and valves in the AFW system should be included in the automatic actuation (simultaneous and/or sequential) of the loads to the emergency buses. (7) The automatic initiation signals and circuits should be designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the control room. Resconse See long-term item 5.4.1 (GL-1). O 5-9
I 5.3 Additional Short-Term Recommendations i 5.3.1 Primary AFW Water Source Low Level Alarm Concern Plants which do not have level indication and alarm for the primary water source may not provide the operator with sufficient information to properly operate the AFW system. Recommendation The licensee should provide redundant level indication and low level alarms in the control room for the AFW system primary water supply, to allow the operator to anticipate the need to make up water or transfer to an alternate water supply and prevent a low pump suction pressure condition from occurring. The low level alarm setpoint should allow at least 20 minutes for operator action, assuming that the largest capacity AFW pump is operating.
Response
V.C. Summer has redundant level indication and low level alarms in the control room for the Condensate Storage Tank, the EF system (~T primary water supply, as shown on FSAR Figure 10.4-16. The low level (/ alarm setpoint allows at least 20 minutes for operator action, assuming that the largest capacity EF pump is operating. l - (2) 5-10
5.3.2 AFW Pump Endurance Test O,(~T Concern Since it may be necessary to rely on the AFW system to remove decay heat for extended periods of time, it should be demonstrated that the AFW pumps have the capability for continuous operation over an extended time period without failure. Recommendation The licensee should perform a 72 hour endurance test on all AFW system pumps, if such a test or continuous period of operation has not been accomplished to date. Following the 72 hour pump run, the pumps should be shut down and cooled down and then restarted and run for one hour. Test acceptance criteria should include demon-strating that the pumps remain within design limits with respect to bearing / bearing oil temperatures and vibration and that pump room ambient conditions (temperature, humidity) do not exceed environmental qualification limits for safety-related equipment in the room.
Response
' () A 72 hour endurance test on all EF pumps will be performed during startup testing.
+
5-11
5.3.3 Indication of AFW Flow to the Steam Generators Co,ncern Indication of AFW flow to the steam generators is considered important to the manual regulation of AFW flow to maintain the required steam generator water level. This concern is identical to Item 2.1.7.b of NUREG-0 578. (13) Recommendation The licensee should implement the following({gguirements as specified by Item 2.1.7.b on page A-32 of NUREG-0578: ' (1) Safety-grade indication of AFW flow to each steam generator should be provided in the control room. (2) The AFW flow instrument channels should be powered from the emergency buses consistent with satisfying the emergency power diversity requirements for the AFW system set forth in Auxiliary Systems Branch Technical Position 10-1 of the Standard Review Plan, Section 10.4.9.
Response
, ( Safety-grade, redundant indication of EF flow to each steam generator The EF flow instrument channels i is provided in the control room.
are powered from the emergency buses. ) O 5-12
- 5. 3. 4 AFW System Availability During Periodic Surveillance
{} Testing concern Some plants require local manual realignment of valves to conduct periodic pump surveillance tests on one AFW system train. When such plants are in this test mode and there is only one remaining i AFW system train available to respond to a demand for initiation of AFW system operation, the AFW system redundancy and ability to withstand a single failure are lost. Recommendation Licensees with plants which require local manual realignment of valves to conduct periodic tests on one AFW system train and which have only one remaining AFW train available for operation should propose Technical Specifications to provide that a dedicated individual who is in communication with the control room be stationed at the manual valves. Upon. instruction from the control room, this operator would re-align the valves in the AFW system from the test mode to its operational alignment. Resconse em Q The V.C. Summer plant does not require the realignment of local manual valves to conduct periodic tests on one EF system. The EF control valves may be operated frem the control room to isolate the EF pumps for periodic testing. i 5-13
,3 5.4 Long-Term Generic Recommendations \~) 5.4.1 Automatic Initiation of AFW Systems Concern This concern is the same as short-term generic recommendation GS-8; namely, failure of an operator to actuate a manual start AFW system in time to maintain steam generator water level high enough to assure reactor decay heat removal via the steam generator (s) .
Recommendation GL-1 For plants with a manual starting AFW system, the licensee should install a system to automatically initiate the AFW system flow. This system and associated automatic initiation signals should be designed and installed to meet safety-grade requirements. Manual AFW system start and control capability should be retained with manual start serving as backup to automatic AFW system initiation.
Response
The V.C. Summer plant EF system is automatically initiated. O i O 5-14
,c. , . , - . ., -- -
r-, ,., . .. , , , -- - - . . ~ -
I p J 5.4.2 Single valves in the AFN Syste= Flow Path Concern This concern is the same as short-ter= generic recer=endation GS-2; na=21y, AFW system inoperability due to an inadvertently closed manual valve that could interrupt all AFN system ficw. Reco==endation GL-2 Licensees with plant designs in which all (primary and alternate) water supplies to the AFW syste=s pass through valves in a single flow path should install redundant parallel flew paths (piping and valves). Licensees with plant designs in which the primary AFW syste= water supply passes through valves in a single flow path, but the alternate AFW syste= water supplies connect to the AFN systen pu=p suctica piping downstream of the above valve (s), should install redundant valves parallel to the above valve (s) or provide autc=atic opening of the valve (s) frc= the alternate water supply upon low pu=p suction pressure. The licensee should propose Technical Specifications to incorporate appropriate periodic inspections to verify the valve positions inte
; the surveillance requirements .
s-Re sponse In the EF syste= design the primary EF system water supply passes through a valve, 1010-EF, in a single flow path, but the alternate EF syste= water supply connects to the EF system pu=p suction piping dcwnstrea= of the ahove valve. Aut==atic opening of the valves frc= the alternate water supply, Service Water Syste=, cpen icw pu=p suction pressure is provided. Also, valve 1010-EF has a limit switch which, through the BISI syste=, is alar =ed in the control roc = when it is not in the full open position. Periodic inspections to verify the valve position will be incorporated into the surveillance requirements of the Technical Specifications. r' 5-15 p- n, -- m -
, - -- -- -,,-e
5.4.3 Elimination of AFW System Dependency on Alternating Current () Power Following A Complete Loss of Alternating Current Power Concern This concern is the same as short-term generic recommendation GS-5; namely, delay in initiation of AFW system operation or maintaining AFW system operation following a postulated loss of onsite and offsite ac power; i . e., ac power blackout. Recommendation GL-3 At least one AFW system pump and its associated flow path and essential instrumentation should automatically initiate AFW System flow and be capable of being operated independently of any ac power source for at least two hours. Conversion of de power to ac power is acceptable.
Response
The turbine driven EF pump and its associated flow path and essential instrumentation automatically initiate EF system flow and is capable of being operated independent of any ac power source for at least two hours. O 5-16
-- - - - , - n e. ,- . - - , - , . . - , , , . , , , , , , _ . , . , _ ,_
3 5.4.4 Prevention of Multiple Pump Damage Due to Loss of s ,) Suction Resulting From Natural Phenomena Concern In many of the operating plants, the normal water supply to the AFW system pumps (including the interconnected piping) is not protected from earthquakes or tornadoes. Any natural phenomenon severe enough to result in a loss of the water supply could also be severe enough to cause a loss of offsite power with loss of main feedwater, resulting in an automatic initiation signal to start the AFW system pumps. The pumps would start without any suction head, leading to cavitation and multiple pump damage in a short period of time, possibly too short for the operators to take action that would protect the pumps. This may lead to unacceptable consequences for some plants, due to a complete loss of feedwater (main and auxiliary). Recommendation GL-4 Licensees having plants with unprotected normal AFW system water supplies should evaluate the design of their AFW systems to determine if automatic protection of the pumps is necessary following a seismic event or a tornado. The time available before pump damage, the alarms and indications available to the control room operator, and
' the time necessary for assessing the problem and taking action should (N be considered in determining whether operator action can be relied on to prevent pump damage. Consideration should be given to providing pump protection by means such as automatic switchover of the pump suctions to the alternate safety-grade source of water, automatic pump trips on icw suction pressure, or upgrading the normal source of water to meet seismic Category I and tornado protection require-ments.
Response
Automatic switchover of the pump suctions to the alternate safety-grade source of water is being provided to provide protection for the EF pumps. i l l 5-17
(] 5.4.5 tion-Safety Grade, !;on-Redundant AFW System Automatic \_/ Initiation Signals Conce rn e This concern is the same as short-term generic recommendations GS namely, reduced AFW system reliability as a result of use of non-safety-grade, non-redundant signals, which are not periodically tested, to automatically initiate the AFW system. Recommendation GL-5 The licensee should upgrade the AFW system automatic initiation signals and circuits to meet safety-grade requirements.
Response
The EF system automatic initiation signals and circuits are redundant and meet safety-grade requirements. In addition, a non-safety-grade, anticipatory signal, from a trip of all main feedwater pumps, is used to start the two motor driven emergency feedwater pumps. e O O 5-18
~
..y. .m. - _ _ , . - .,._-_,__y _
REFERENCES
- 1. STREG-0611, " Generic Evaluation of Feedvater Transients and S=all Break Loss-of-Coolant Accidents in k'estinghouse Designed Operating Plants," January 1950.
- 2. L' ASH-1400 (hTREG-75/014), " Reactor Saf ety Study," October 1975.
- 3. Various personal co=unications.
O O
?C s**'t.*etet 1
l !!":1
- g. - -. 4 m "f.
( aw.0 -<+-r---LT--- i s ;' m
.. t.
$ttaa I M; .-et.Y g
l= XPP.8.tF P Q . P s.L CP tM l FC . F..L CLOSE3 l w 3 LO . LOCtto CPt.e ucv . w0f04 OPttatt; vaLyt h . ., _ .l NC . hC# WALLY CLMED 8 e . Statul 6cCAr.CM ON CRT *
- P 0.
I f3 ptACtt t' 3 To h(AOct *C' TO ME ACES *A* 0 4 ) I & } f FG'c l NC 4 1 l l-]': I l I 1 l
- src .-g Z:a6aC 3
- 3014.*;-O 4:saaA : sets, G {:se,as 3 Y e T 1
l-- FC 3 g, PC g
-- l g
g LC -a
- s::s I I g-- se:A i .
l g
*A --te--w - J 576A :s se I l
l g .
. d. . 1
- _ _ _. i----.--___-..-_!______-___________ l
$7 TAM CENERATC9 C
$ttats Ctutt.atoR A STEAM CtmERATOR$
10399 1039C 1039A CONTAipeeENT
, ,10388 ,103ec
, ,123sA
' tom A FC . ~1 004 ~1C00C FC@T PC@T Q . L,3 o .
L,,O,,, . LO m ,, . L,,O,,, . 3 L.c,C . L,,O,,C I 8
' F.C. b ' P .3. 7.0.
- s 0. 3
- P.O.
- P C- b g L O
- L.3 - L, o -
L.O.C ii L.O,,C i
- L.O ii .A y i.O,A i .
, ; 3
- L,,O,, A - L,,O, LO mi .
1014 70133 10tSA N X X /
*2A LO Lo .etr.
.etr ve:. ner. I ic:::
IPP2tA EIA a xPpt a EPe213
**L
.v ~maA f m:A 4 '=O- t :.
r .y ma. -
. + LO .*
rmov % L3
- i
. ' C9 6 t001a 1411 A 10113 ,
C A, ,13C13
;; ;/ f ,
wCvtNC: 10 1:A , ?^ scca [2:S wove %C) Y ICla ioct LC 101: I L 4L3 ir Cth
.Ci ruCv s ierA M
. , , , 4 m. . Cms =ier C)
'r l
/N e ^ /\
C 1 T. g. g O g,. stK-4 00 FICURE I EPS FLC* 5 CHEM ATIC
O O O DIESEL AA TR.XTF4-E5 O T R. X T F31-E 5 DIESEL GENERATOR'A' ^^ TW GENERATOR'B' i HO l 7.2 KV BUS X5WIDA-E5 NO ]l 7.2 KV BUS X5WIDB-E5 l l l O MDEFP O MDEFP X P P 21 A.. E 5 X P P 21B- E F i 7.2 KV BUS X5WlE A-E5 7.2 KV DUS X5WIEB-E5
! O 5.W.P.
O 5.W.P. 4A TR.IDA2 x pp394,$w 5WP XPP390-5W 4 TR.IDB2 pp I I I) I) I) l MCC XMC ID A2X-E5 MCC XMC IDB2X-E5 l i MCC IDB2Y-E5
, MOV'S MOV'S MOV 1037 A- E F 10370-E F 28020-M5 1001 A-E F 100 in-E F 1008- E F 1002- E F 2802A-M5 FIGURE 2 AC POWER DISTRIBUTION TO EFS COMPONENTS
l O O O l l i e MANUAL START MDE FP 'A' a C.S. IN LOCKOUT POSITION ; MFWP 'A' TRIPPED MFWP 'B' TRIPPED
' MFWP *C' TRIPPED l
O < ^ ESFLS 'A' STEP 5 r-e MANUAL l-4--- BUS 1D A UNDERVOLTAGE
- S/G *A' LO-LO LEVEL TDEFP 2/3 4 S/G *B' LO-LO LEVEL i (OPEN VALVES e BUS IDB UNDERVOLTAGE _
2802A-MS, ; $fg C' LO-LO LEVEL 28028-MS, 2030 -MS) _ O _ U 4-- M ANU AL ST ART , MDE FP 'B' d C.S. IN LOCKOUT POSITION L_ l d ESFLS*B' STEP 5 O ' U i d t t FIGURE 3 EFS INITIATION LOGIC
LOSS OF MAIN FEEDWATER (LMF) LOW MEDIUM HIGH v.C. SUMME R g UNIT 1 ALL OPERATING . . WESTINGHOUSE H555' l
% % CRDER OF MAGNITUDE IN UNAVAILABILITY REPRESENTED LOSS OF MAIN FEEDWATER WITH LOSS OF OFFSITE POWER (LMF/LOSP)
LOW MEDIUM HIGH V.C. SUMM E R g UNIT 1 ALL OPERATING - - WESTINGHOUSE N555' LOSS OF MAIN FEEDWATER WITH LOSS OF ALL AC"(LMF/ LAC) l LOW M EDIUM HIGH l Y.C. SUMM ER A UNIT I ALL CPERATING T WESTINGHOUSE N555' I
- RELI ABILITY CH AR ACTERtZ ATIONS FOR AFws DE5lGN5 IN PLANT 5 U$ LNG THE WESTINCHOUSE N555, FIGURE lit-5, NUREG 0611.
** THE SCALE FOR THIS EVENT 15 NOT THE SAME AS THA) FOR THE LMF AND LMF/LOSP CH ART 5.
O FIGURE 4 COMPARISON OF V.C. SUMMER UNIT 1 EFS RELIABILITY WITH THAT OF OPERATING WESTINGHOUSE PLANTS
O O O
- -~* ~ -=
. . . . . - - . . .- - - m .-.. . - ~ ~ - - - ~ - ~ ~ . - - -
I I I (LeimiL 06 60$ ! To Pkada pt. sue .c.a.af stew Ta AT LENJ TW8 gTd A m G E N E R ATatt I f i l F AILuR E OF FAlluRf fo flow PM64 F Roti furpty Purtt alEAbtR$ insFFetsf alt iF To TWO SG'S Faad 1 ! I I I 1 F AILuS L OF F AIL ee r t a5 FAstasR L OF 00 Nb WEL 8f PI4s N T ( 84 AN( f 5 t tvJ 4*AT H ISM f tted Pain F Rc.M Flaw FA'M IKoM '^jp"h'37 g
#"I g' ""*I"[,[,"'"I g , g tsu sat t u j fis NP 84t a btR S riaMP tie Abt RS PUMP HEAbidi Ftow # ram BATH suspec.f.uf Ausseitut j TO 16 4 ( %'S To SG 6 4 %-( To 56-A ( %*C FF PkPer TAA8W1 EF FL td EF flow I A E i1 i
j
' APPEND!I A
- Sheet 3 et gif f
me 4 q C
-_ _ ..A ._ . _ o _ m .
J
- - s..-
. e]
=
t a~w
; t
- 2 b
l
- t. 3 4
.4 -
G wgl e ** 4 q d i1g - a a .a s . L4- c r1 *
* +
. Y. Q. .
I NI4 e t
~
J $h I : 2 e 1
~ y >$ +
s .'~ t e z
=
e6
*
- I and e a a s4 m 44*
. G ** w sf
%(
I C 3 4 st"
- 4. ' s l c:+a : s1
& ?~,55 r)
~
- i ( I;a. ;s s-:I ,
L13_J ' 4 i
*r-a 1
- e
- WC 4 4.
.l j ._ . Y 34 d i.
* ."E i
1 $a 1 1* .2 . 3%4J -<G . 3EC
<- =
*"2 ~ "s ,
b r ep.tl s I *o Se p e:n m li.s;*l g
. o
- e. #. am m 3 '
3 7 r --
~
w m.T o
-e_-- --,.n> -
0 4 i o M
= .
b W
~ a 4 W e
=
0 AG u Uo M
=23 J23w a ;- r z
~ Ii s
- 5Er,2 j 2i34
~~
4 sw.4 e.h WM 4 3 4 b (f j ES Ob.s.t.
$ &) ~
Ia~57 's' oc z y *2
; Y -l E gU 5 b i lilii I 5 ! [i' O u-2_El 0"
t~2 c2=d e b k-- oe4 N 3 u A
- *4
$3
=
5= M d E4 g
=o a** w
*w e
eo tM i 3 4
'& the *s*
e-- , -t vr w ,.me- . - - , y , .. _. ,w.,,,,.w.y,,y-- --- ,, - - - , - - . ,w, - - , ,, ,,- .nc., , 3 ,e-m.. -..,.-,-y ,-
0
)
j bitual of PsbP] TR AIN1 IANbTbP To sasPf& Y i (dicotW1iffLjs I A , 1 T 1 FAtt u R L OF FAILutE OF MbP TDP .. T RAld TRAid 1B 1 A4 4RE Altu R L OF .l l Mo' l I roe !
- L L"^'" _. _J L _"^'d _J l
i i I I Lou oF FlevJ Lon OF Flew HEADER Hs ADr R FRoM T6P To terru S E Te MbP 4t AbER TDP HEADER
^ A T
! l l 1 loss of flCw Loss or FLsu (dOH HOP h f/091 AbP B l To ADP anAMR To n DP tifMEA APPEND 12 A A A . ... , 4 e 0
L h AeasT E N A e4 C L A&iu a AT E b FAILh8t TO SuPFL1l Sus tacitwT { F L a v4 Et] 1 i + 1 g F Attu SE FAttuf t ] A150ct A1Lb vinTe Agg,g e gy g g I""O 8 " ' ve I n CST MA6MTEtt AtalE H AtHT EW ANCE i j I I I I F Attuf t but TD FA8!.UR E fan uRf. A550cs A T ED FAILu ht of Fast t#P E cf cgy TDP IN A s s 0C I AT E D MbP
- wsfee MDP 4 w iT u M h P 8 TbP P=Al'IIE M y, N Asaf rf arAWC L ' 'N 8d est MAtssif el APKr.
ste.dirs As(E
~
/A i
i TbP , g FAILURE OF f quig a g Mby TRAld l 1 1
'l i
4 1
} 'l APPENDIE A sheet 5 i
e
- n
l O O O '
- r
, btLlakEofFLlvd ' IPATH FReM PwtPg
+ NEADERS TD te-3h6-8/E$J i
i ! I I F ALLuRL OF PunP T R Alld F Ata tsr a. r4 not 065tHARGE F AILu m L ( TbP MEAbER Ftevd PATH 70 ovtKLAPPial6 VALVi Lt$CH AF.GE VALWL
%8* f.- 6 / %- C M An d T E W Adts 10 %-A/% 6[% l
/A a
I T I 4
' ti ti c.4 F A t tu R E. OF Mb9 FAntullt OF TDP sao9 A/8k out Akt led Aft P L Pld te HE mbE R htm k I AILS To FALL 5 To F A L1 To RuPfut t.itcHAR6E V AL1Et ditch ARGE. VAttf t OPE d C#E el cPEN To %-A/iG 6/%-C TO %-A/WB[.4-C
.I il il I ! I il ? 1, I i t l } k i 4 4 i 1 APPENDIE A skeen 6 1 1 1
o - O A
.e M P T 5 AIN ; . A t . P. c 4
im eu m.u. m4e, {M kis41i e4As4( L ] l l I 3 IL9 l t atee s Artus t- NICP T R AsN S Aas eWi < ovga Artie46 F4 th P ,wi s ta ppesa t. TbP mt Att t biM e6A E4 E
- ofACER Os3 tdAP51 VALwCewt4Tt W E WAtwC 794*esitespp4Lt T '
T
! <.,s m ,t.. ...- m,s . .. l4. . ..-
4_, ,,,,, ,.P .A... P ..A... A,,,,, Ot$( AARGE FLted FAlti LastnAt&E (tred FAf*
' Aids
'", .i n ss Alss-elss-c n ss Aln-slu t ..:
,c, w g n.. ra.A.ca l l l I FAittas L ( 6 Ttt FAILMAL Of F AnLuf t. of FAstust of MDP NtALLA ngAsta D85fMA760 Tgp ggp LAile+btf.E MAlsti T gg g g4 7 p ga,j NN U
,o u,.3 f5.. .f u,.c sf.-A/se-e/n-e
/,\M -
d n ab APPE%Dlx A e Ebeat 7 e O 9 4 ta_ .a -m ,
O 44 3 4 4W u O r Q
- ?
i i : -
! _E _2 , ~M O i s43 I
I i'$f$ i 1 ~n, e.t
- gw a
. me:_
,:.se nn _ 5,!;n
,e..a.
_ _ e O NG-is3a sii e > O ;U,i~ i ULb 5 l l
?
I T33 . 3 -3 a.u-?
**N o
I 2 t v T.
" t II e* .
1 _ d I I3w*
'" 4 2 .-
- 2 Z
c .c ss 3 d O
5 h 2 -
%l i O
2 4 *e b O A
.4 5 d **
k D
' a 5$
d s ea e
$ *6 E* g e
. $ 1.!. u -
g e l3 5.2.[ i!! : e 'E2 O i !. . . , G. e t $*I < L.i 3 SJ g
*7 Edw 3xNCd'E 2 a
*$ 2 *
.Sil
\ a s$,. a2's
~
,.e s .
Q 4 1e-g f O l t
. = -
% a w
u. 3a O% d S3ht- M m
. m ,.
e v =
> .s
"< s c,t
^
c # .
> ~3 Wa ~d 1 a o de 1
4 3 I sei 2 "= - Gi J "
- p: 2 s W c
~
"320 s: 1-
,a T*
$g &
J oO E u. C I O
%<-S
~ J S g>Z>
- 3004 g l ar ra d 2 g
TM
=
N l
' * $2 <$
23 E" w i< i c< = < c # l $ t, cwl .
,1 u* ,a to a01 * +'
(A b {u 0 0
<F7 WU *
?> $ Y a < >d L ;,; q "
$0 0 if O
i
m o
= ,
t i o 6 e e i E 3 o I:
= Wb
's y as m 2 4 s -e I h
- ., e 3
a 2 o> s .: w c r, ~ W a c d
.E ud 2 o 9 ; ij_a tl G see L
i!l G- !! O r
.I h $
3-$
- s1 <>5
> 8 d w"
>Et EdC' l
l l
~
a a. OO d M e O
a -+- -- a ---~r - j a~ e t i O 7%#
==:
8e M 4 F e l 0 3 I"b< 4 y4
- u. , J 23 3s' O 904 5
- vs A
$a 2o%g o a +~
d3
~3 C$,m' y 6 Md o
<j ~ce te C
e s*!* I'7A 5 It5
.I J <I 4t mom ar d r, s.n uh<3 03si~
- a
. L _ .;
.S h. 9 nd o $2J 24 IOM
$3 '
Em 1-a N< 3 ul oc J3
~gQ $ <$ eJ% 35$ -
re~ Vf m .s .
<t*
e z6
% m ,
v % w $ Q 9 a. he
- a. s I '
y j Q& on. " d O k{Q u r-e t b ari 3238 B" ( l i
. , _ , _ _ , . , , - . . ~ . - . _ . . _ . . - r.
a w *Pt d '. C) b b 4 e 14 esf
- p4" d2f
- ii C
- s .1
<.. O N
w.== N A-O 3Te s O 3 3
+
>~
eem g C _oa* 7ae. 3 a%" w G4 2w
~
wAfk m C r= 9 so4o f* =I= I 4 i dag~ osis rp a. c. 4 e
~ .
l C ~.
& .J .
J 3 I e. W 3_. :t re -
> v z,*.
12 5: ) C.!_I b5E$ A*s
<r
*T # N v:ec - .
48- J k e c . = w. 3"z 1s0' z< t
*h At
?
n .. 3 >- Ow 4.e
."S o ds zgr syd
~ **g ab M Ce e
d oss 2 kJ $ w w
-4:
l , w$'$=wo }:$ 3
- 32 3 ,
253 a .4 w O 2,ow
< ** 2 1 (
's
n O Ap - o.e ~ 3W3J
<tri a-w t ww . J.
$ o =w O
c.- n 2 O E M N N U"o W O-a
~
as s w n a roa "y d-r - s- - o asCds t s CH 6 sd
<d a
j Y yad w Q J d A ~ y 3- s-v d e1
~
w
.. y 7 s J O + wh J
O $
~
W vt a*3 I l Mb y 2 O~ E$ Nd Q L_J i C Hg 7 v.dW s
~ x. C en "E g E
2 ac iW 2
&
- O d E \m
> 4 h
- d
$U a d
>V
.6 OC f Q
e3 W 4V O o se g -t u 2s
a w-- -. L_-- .- -._.----a-m.a.-- a -.A.-_-- m = 1 g M.
. s GR.
F ** a 4 44 O .
>= 1 3 EE$ '
4C4 Im o a k *. p 2 z-tJ
- T 3 "3 O 6Mg*
1 dwm .
$ 5$
i
?
t o,e- . ie. :. i +=el c 1 ' s C 1 25 / G O. l:a E I a d5's,: 3c 2 b "W_d - " l
. b C
9 0 ww4 o"$
$4 a
m "sN"3 IUj ~ fTT . 8g w$Y' s dE5e$ l 4 S dJ 2 i< l " o.<. qvg 4 e E8 e G "x a c sw
* = = v c ZW 3 d Ed P JZ 3 O vN o
O 's 3 e U
' :: <d P
's h
I I
- - _ . - - . . _ . - , - . , - , , , ~, , - - - , . . . . . . - , ,
.,, , . _ - - , _ - _ , . ,, . - , _ , . . . , - , - ~ , _ , , , . , , - .
U C
, .c = 0
.i z z a .
23S3 % I 12 1 <.*
-vle e O e z
w 2 .ne=o b$ rm
-3"3 2376 ~
$= C dO*
$b w IL 3w ~ >O=
d '-a > c!3 3 a e O o > w eU
~ ~
i - 3
- r. c a
o as 6 k I
>=
d z: a= 5" F I
~7 O @
! =zll J g & -
O n as
-i a i
d_O - 3
>- d a, 4 + 4 4x
- Oa ~2 I $d
- t- as 553
*tz zw
.H A
w b J dq d - 4 & z yd 3-I
-mH .
. .c Z W II. b o w
~
j *a p 3 r t 2 w a , e um a 7, 5 j i
- - , - . - . . , . , ,, ,,, , - , , . . . - ~ , - , , , _ . . , , ,-_.,.,.n .,- . . - - , - - - , . , . . - , , . . , , , , , - . - - - - . , . - , , ,,
O O O j i .
- / i i
65$ O F ST E A LL4PPLI l l L_ hLINL _. ] 6 FAiLust cF cd w, I Aitut t To
$1E.At4 L t H E. 1%1(e kb Pt F IH b 150L AT E i FFESSSSL DELLES F AILS t o RuTTLaRE M A4 N ST E A ri To cLoSE cegg L td E t/f I.
i es , 1 AtluRE AnutL TRAIN A k 8 U cf OHL OF $st of W .g[M$.(, DOI N Mi B/N5-C $st'$ To pent to INefs Ariad 1L 0 a f.L65 L F AIL S 7 Rese AT i i h. i 4 APPENDIX A Sheet #7 ) i
- j .
-- ~ _ _ _ _ _ _ _ _
O O O M i. j bauf t To httuut To E11 At.Ll53 tsTAtte$M
'taf f iC if HT Ft6v4!
, !'ufftCitN1IL3
{$.tM 5td LacP] gMtvdtestb] i 1 I [ LOS (g F A 6 L u R f. OF SW do Loi\ cg F Astu Rt. et SW N0 c F ' d L**F r,11. A Leo ? A W A1 E V. IN M SW t w 6 gm g LaCP 6 WATER sg I WT L6 ART T FAtL( To 1.50L Af lot 4 sw t. oar A II" L AT ' * " 94T 6 AiTV F AILi T8 sw Loop A OPE d dALVt.S TO OPEd OP E pl VALVfC 10 CPfh 4 1 dec OR 0 KAnd A / set at IRAIN 6
- #sS7 A (tNTR8L #'[g IN p p IH 6 T 4 A14% defl 0 C##T Aot g p IsetT6 ATee teKCuer y Angs tercuar FAtt F A nt.$
- } f AILS I
e i 1 1 I
- i .
S ) 4 AFFENDlI A ) I sheet /f 1 e . l -f
5 o ed 2 i O 3 3 woe.
%e'i d .
gT* Et
- a e r1 a
- l. =l l<$$^h e
d 1
- w w*
O 5
==>3=
O o o3 C o. 5 _ s a=
- CA Q
Q N $ 3 = 35c d wo _ t o< -
.r=
O e c a n.
- c <w g
=
10 2 i $ f a%f O'* .
.g r r i ld l bd e
M
%T Sa
=
0 'b
+
w- - - - - - - - - ,-,,,,,-,,-.,w- --.wer-e,. .re...'. - - , -. -,,--,,,.-.-.,,-..-,-.----.--.---,--..e,,--.--.--,..,,,,,e-g,,-,,..
. . , . - - , , .--e-
m ._...L - , o ia -- - + - *-*a - -.w- - G< -m- h+m-~ e d .a ..is-.n.-----J J _ - _._A-6w F M O l f4 d O E es W G
- a. b U b A 4 44 h
3 O l 1 i e HO f O f U, i
- 2gI 1
s g as 4 e i h. ls%o'Is o
- k I
l D
' w 3 {
i en w 3 I O '1 o 1. I L%-I A k g O ' a s:s r S s
~wss ,
a . [-
/ w a
0
- to
> 2 '* 3 0pe
- wgs -
- -er 3524
" 3 74 i e s. 3. 0-s-
a me i g 2*:s s. . 65
- i a
i i i O r k.
.v.__-.------,_. .,....._-m. . . . . . . _ , . , . . _ . - _ _ , , . _ _ . _ . _ _ . - . _ _ _ - - _ . _ _-,. _ _ - . _ . . . . . ... .. _ _ . _ - .
O O O ItoTLof FUvli koSY cF FIoM l sum To nup abP A l lFAoM To mbPMbP o l [HEAbER ] HE AbER d , I i I I F A Lu RE. F AILL4 K L OF FAILURE OF fan Lu R E. FAILuwE oF FAILURE of os hb P A MbP A of MbP 5 MbP E 9g biscH AR6t. WLT to N flow y g btSCHARGE- $4cTiot4 TLevl
- l F Lawd P AT H F AT H Fl o ve PATH PATH
.i j b b d MeV lots A (g tggv.3021 6 CV 1015 A c Loht b
*da 1015 &
E"" "
- E CLOS E b tu nuRE a F ALLS To FAILS TD OPtd OPEN i
vet HuMAd Ht4 MAN VALv0 PLut cEh Essen EEkok l PLu %ED I i l I APPEND 12 A sheen 21
.w +
N E N a at as E 2
*C 44 0
O e N Pd u8 2 d d&:
;g<
IT d lw o w3 I e s <
; E ek O le oe me u
$< _= =
I .
= 3 3 : :-<
O 7
.4
- to 5
c
' s A% "%
~
#e* %*25 2a
<<$ -3 ,,
w .s '8E- ," 3>M 3 ea O w I I
% 3_ - > o $
r oE<- te. N
& >=
J 4)W d CH w- 5 g5 3$"tw 3d 1
%s--
ea<
- T
' P=
s O
1 I n O l g n 1 x as
% i
~
O - l l s 3* 0
~
e-3h I O 88 o K #
&""s h A as Tg 4 a 2 e6 SY
- F To -7l $
e O l*& C g 21 *I# 0 1 4
*a x
sob
~ u 4, e O y e s ny 0 NY e lU mo 1 <o!$s. TU t
a$ O "W
- J p
&O e6 o 3 3 4> s 23dW s 2 f$
": AEc O O do a
$ P o
O
A y f m fi n r i r a o NlC f o
- L o' Pd '
R l u r*^* Ai e.
/ t vA b o A H freph I
f *fb # o M l
%m o a a
o _I N T I t; _ L rT WW S ve f o a _ h 1 L(Nf pe L Pb " 8 _ R A t R A us! t C 0 s_m L U N "7 _ s n AW49 FA a C A' _ l l , A f g f ( N b A ( p g P d 4 A e L ' M ai d i MT O 4 L P M t D A 8 n AW N Q i b M i Mn 6 L 0g F A f 6p .
. f f 2 O t t f
b 5 5 o a 6 FR p p O l
- I d _ f L 7
- t' .
O
- wi l (pgN
- k E E9 AT h&m a j
g gA s L L'
- U A g '! T ILc Mpfe l
A
- I%\
A app f
-'l l t .
A e g I S A f e g H f O pN
! t. p' V A V y L R Al T
( O i!; ! i' 1 : ! l =
- I!i1 }# , - !l l+ l 4! 1 t
APPENDIX B Basis of Auxiliary Feedwater System Flow Requirements b V Question 1
- a. Identify the plant transient and accident conditions considered in establishing AFWS ficw requirements, including the following events:
- 1) Loss of Main Faed (LMFW)
- 2) LMFW w/ loss of offsite AC power
- 3) LMFW w/ loss of onsite and offsite AC power
- 4) Plant cooldown
- 5) Turbine trip with and without bypass
- 6) Main steam isolation valve closure
- 7) Main feed line break
- 8) Main steam line break
- 9) Small break LOCA
- 10) Other transient or accident conditicns not listed above.
- b. Describe the plant protecticn acceptance criteria and corresponding technical bases used for each initiating event identified above.
The acceptance criteria should address plant limits such as:
- 1) Maximum RCS pressure (PORY cr safety valve actuation)
- 2) Fuel temperature or damage limits (ONS, PCT, maximum fuel central temperature)
- 3) RCS cooling rate limit to avoid excessive coolant shrinkage
- 4) Minimum steam generator level to assure sufficient steam gener-ator heat transfer surf ace to remove decay heat and/or cool down
' the primary system. Resoonse to 1.a The Auxiliary Feedwater System (Emergency Feedwater System (EFWS) in the Virgil C. Surmer Plant) serves as a backup system for supplying feed-water to the secondary side of the steam generators at times when the feedwater system is not available, thereby maintaining the heat sink capabilities of the steam generator. As an Engineered Safeguards System, the Emergency Feedwater System is directly relied upon to pre-vent core damage and system overpressurization in the event of trans-ients such as a loss of nonnal feedwater or a secondary system pipe rupture, and to provide a means for plant cooldown folicwing any plant transient. Folicwing a reactor trip, decay heat is dissipated by evapcrating water in the steam generators and venting the generated steam either to the condensers through the steam dump or to the atmosphere througn the steam generator saf ety valves or the power-operated relief valves. Steam generator water inventory must be maintained at a level sufficient to ensure adequate heat transfer and continuation of the decay heat removal process. The water level is maintained under these circumstances by the Emergency Feedwater System which delivers an emergency water suoply to the steam generators. The Emergency Feedwater System must be capable of functiening for extended pericos, allowing time either to restore normal feedwater ficw or to proceed with an orderly cooldown of the plant to h' the reactor coolant temoerature where the Residual Heat Removal System can assume the burden of decay haat removel. The Emergency Feedwater System ficw and the emergency water supply capacity must be sufficient
l to remove core decay heat, reactor coolant pump heat, and sensible heat during the plant cooldown. The Emergency Feedwater System can also be used to maintain the steam generator water levels above the tubes i following a LOCA. In the latter function, the water head in the steam l generators serves as a barrier to prevent leakage of fission products from the Reactor Coolant System into the secondary plant. DESIGN CONDITIONS The reactor plant conditions which impose safety-related performance requirements en the design of the Emergency Feedwater System are as l follows for the Virgil C. Sumer plant. Loss of Main Feedwater Transient
- Loss of main feedwater with offsite power available
- Station blackout (i.e'., loss of main feedwater without offsite power available)
- Secondary System Pipe Ruptures
- Feedline rupture
- Steamline rupture
- Loss of Coolant Accident (LOCA)
O - Cooldown Loss of Main Feedwater Transients The design loss of main feedwater transients are those caused by:
- Interruptions of the Main Feedwater System flow due to a malfunction in the feedwater or condensate system
- Loss of offsite power or blackout with the consequential shutdown of the system pumps, auxiliaries, and controls Loss of main feedwa',c trans?ents are characterized by a rapid reduction in steam generator water levels which results in a reactor trip, a tur-bine trip, and emergency feedwater actuation by the protection system logic. Following reactor trip from high power, the power quickly f alls to decay heat levels. The water levels continue to decrease, progress-ively uncovering the steam generator tubes as decay heat is transferred and discharged in the form of steam either through the steam dump valves to the condenser or through the steam generator safety or power-operated relief valves to the atmosphere. The reactor coolant temperature increases as the residual heat in excess of that dissipated through the steam generators is absorbed. With increased temperature, the volume of reactor coolant expands and begins filling the pressurizer. Without the addition of sufficient emergency feedwater, further expansion will O result in water being discharged through the pressurizer safety and relief valves. If the temperature rise and the resulting volumetric expansion of the primary coolant are permitted to continue, then (1)
---..,,.-,,.---,,.,_,_-,,,,..-.,,,,-,,--,,..,--g, .
-_w,,.w. ny, ,,,...,g.., , , y , , , n.. ,_, , - -,_m . w e -.e,p, ue
l pressurizer safety valve capicities may be exceeded causing overpressur-O ization of the Reactor Coolant System and/or (2) the continuing loss of fluid from the primary coolant system may result in bulk boiling in the Reactor Coolant System and eventually in core uncovering, loss of natural circulation, and core damage. If such a situation were ever to occur, the Emergency Core Ccoling System would be ineffectual because the primary coolant system pressure exceeds the shutoff head of the safety injection system pumps, the nitrogen over-pressure in the accum-ulator tanks, and the design pressure of the Residual Heat Removal Leop. Hence, the timely introduction of sufficient emergency feedwater is necessary to arrest the decrease in the steam generator water levels, ' to reverse the rise in reactor coolant temperature, to prevent the pres-surizer from filling to a water solid condition, and eventually to establish stable hot standby conditions. Subsequently, a decision may be made to proceed with plant cooldown if the problen cannot be satisf actorily corrected. , The blackout transient differs from a simple loss of main feedwater in that emergency power sources must be relied upon to operate vital equip-ment. The loss of power to the electric driven condenser circulating water pumps results in a loss of condenser vacuum and condenser dump valves. Hence, steam formed by decay heat is relieved through the steam generator safety valves or the power-operated relief valves. The calcu-lated transient is similar for both the loss of main feedwater and the blackout, except that reactor coolant pump heat input is not a consider-ation in the blackout transient following loss of power to the reactor > coolant pump bus. The station blackout transient serves as the basis for the minimum flow required from either the two motor driven pumps acting together or the turbine driven pump by itself for the EFWS for the Virgil C. Summer plant. The pumps are sized so that they will provide sufficient flow against the steam generator safety valve set pressure (with 3% accumula-tion) via the above groupings to prevent water relief from the pres-surizer. The same criterion is met for the loss of feedwater transient where A/C power is available. Secondary System Pioe Ruotures The feedwater line rupture accident not only results in the loss of feedwater flow to the steam generators but also results in the complete blowdown of one steam generator within a short time if the rupture should occur downstream of the 1.ast nonreturn valve in the main feed-water piping to an individual steam generator. Another significant result of a feedline rupture may be the pumping of emergency feedwater to the faulted steam generator through the connection which is separate Such situations can result in the pump-from the main feedwater nozzle. ing of a disproportionately large fraction of the total emergency feed-water ficw to the f aulted steam generator and out the break because the system preferentially pumps water to the lowest pressure steam generator rather than to the effective steam generators wnich are at relatively high pressure. The system design must allow for terminating, limiting, r eee eter r'o* a4ca is O or =4a4=4zia9 ta>t erect 4ca or emerseacz
s-delivered to a faulted loop in order to ensure that sufficient flow will be delivered to the remaining effective steam generator (s). The concerns are similar for the main feedwater line rupture as those explained for the loss of main feedwater transients. Main steamline rupture accident conditions are characterized initially by plant cooldown and, for breaks inside containment, by increasing containment pressure and temperature. Emergency feedwater is not needed during the early phase of the transient but flow to the f aulted loop will contribute to the release of mass and energy to containment. Thus, steamline rupture conditions establish the upper limit on emergency feedwater flow delivered to a faulted loop. Eventually, however, the Reactor Coolant System will heat up again and emergency feedwater flow will be required to be delivered to the unfralted loops, but at scmewhat lower rates than for the loss of feedwater transients described pre-viously. Provisions must- be made in the design of the Emergency Feed-water System to limit, control, or terminate the emergency feedwater flow to the f aulted loop as necessary in order to prevent containment overpressurization following a steamline break inside containment, and to ensure the minimum flow to the remaining unfaulted loops. O G Loss-of-Coolant Accident (LOCA) The loss of ccolant accidents do not impose on the emergency feedwater l system any flow requirements in addition to those required by the other accidents addressed in this response. The following description of the small LOCA is provided here for the sake of completeness to explain the role of the emergency feedwater system in this transient. Small LOCA's are characterized by relatively slow rates of decrease in reactor coolant system pressure and liquid volume. The principal con-tribution from the Emergency Feedwater System following such small LOCAs i is basically the same as the system's function during hot shutdown or following sourious safety injection signal which trips the reactor. Maintaining a water level inventory in the secondary side of the steam generators provides a heat sink for removing decay heat and establishes the capability for providing a buoyancy head for natural circulation. The emergency feedwater system may be utilized to assist in a system ! cooldown and decressurization following a small LOCA while bringing the reactor to a cold shutdown condition. i l l l l l _ - - .__ _ _ . - _ _.
5 Cooldown The cooldown functicn performed by the Emergency Feedwater System is a partial one since the reactor coolant system is reduced from normal zero load temperatures to a hot leg temperature of approximately 3500F, The latter is the maximum temperature recomended for placing the Resi-dual Heat Removal System (RHRS) into service. The RHR system completes the cooldown to cold shutdown conditions. Cooldcwn may be required following expected transients, following an accident such as a main feedline break, or during a normal cooldown prior to refueling or performing reactor plant maintenance. If the reactor 's tripped following extended operation at rated power level, the EFWS .: capable of delivering sufficient emergency feedwater to remove decay heat and reacter coolant pump (RCP) heat following reactor trip while maintaining the steam generator (SG) water level. Following transients or accidents, the recomended cooldown rate is consistent with expected needs and at the same time does not impose additional requirements on the capacities of the emergency feedwater pumps, consid-ering a single f ailure. In any event, the process consists of being able to dissipate plant sensible heat in addition to the decay heat produced by the reactor core. l i O
6-O :ies oese to 1.8 Table 13-1 su:anarizes the criteria which are the general design bases for each event, discussed in the response to Question 1.a, above. Spe-cific assumptions used in the analyses to verify that the design bases are met are discussed in response to Question 2. The primary function of the Emergency Feedwater System is to provide sufficient heat removal capability for heatup accidents following reac-tor trip to remove the decay heat generated by the core and prevent system overpressurization. Other plant protection systems are designed to meet short term or pre-trip fuel f ailure criteria. The effects of excessive coolant shrinkage ar2 bounded by the analysis of the rupture of a main steam pipe transient. The maximum flow requirements deter-mined by other bases are incorporated into this analysis, resulting in no additional flow requirements. O l
O O O TABLE 18-1 Criteria for Emergency Feedwater System Design Basis Conditions Condition Additional Design or Transient Classification
- Criteria
- Criteria Loss of Main Feedwater Condition II Peak RCS pressure not to (LMFW) exceed design pressure. No consequential fuel failures Station Blackout Condition II (same as LMFW) Pressurizer does nat fill with either 2 motor driven or one turbine driven emergency feed
' pump feeding 2 SGs. Steamline Rupture Condition IV 10CFR100 dose limits containment design pressure not exceeded . Core does not uncover 5 Feedline Rupture Condition IV 10 CFR 100 dose limits. RCS design pressure not exceeded Loss of all A/C Power N/A Note 1 Same as blackout assuming turbine driven pump Loss of Coolant Condition III 10 CFR 100 dose limits 10 CFR 50 PCT limits ! Condition IV 10 CFR 100 dose limits 10 CFR 50 PCT limits Cooldown N/A 1000F/hr 5570F to 3500F
*Ref: ANSI N18.2 (This infonnation provided for those transients performed in the FSAR).
Note 1 Although this transient establishes the basis for energency feedwater pump powered by a diverse power source, this is not evaluated relative to typical criteria since multiple failures must be assumed to postulate this transient.
-8 C Ouestion 2 ~
Describe the analyses and assumptions and corresponding technical justi-ficaticn used with plant condition considered in 1.a above including:
- a. Maximum reactor power (including instrument error allowance) at the time of the initiating transient or accident.
- b. Time delay frem initiating event to reactor trip.
- c. Plant parameter (s) which initiates AFWS flow and time delay between initiating event and introduction of AFWS flow into steam generator (s).
- d. Minimum steam generator water level when initiating event occurs.
- e. Initial steam generator water inventory and depletion rate before and after AFWS flow commences -- identify reactor decay heat rate used.
- f. Maximum pressure at which steam is released from steam generator (s) and against which the AFW pump must develop sufficient head.
- g. Minimum number of steam generators that must receive AFW flow; e.g.,
1 out of 2? 2 out of 47 ac r'c coaditica -- coat 4#ued operatica of ac au=9s or a tur i O a-circul ation.
- i. Maximum AFW inlet temperature.
J. Following a postulated steam or feed line break, time delay assumed to isolate break and direct AFW flow to intact steam generator (s). AFW pump flow capacity allowance to accommodate the time delay and maintain minimum steam generator water level. Also identify credit taken for primary system heat removel due to blowdown.
- k. 'lolume and maximum temoerature of water in main feed lines between steam generator (s) and AFWS connection to main feed line.
l
- 1. Ocerating condition of steam generator normal blowdown following initiating event,
- m. Primary and secondary system water and metal sensible heat used for cooldown and AFW flow sizing.
i 1
- n. Time at hot standby and time to cooldown RCS to RHR system cut in temperature to size APA water source inventory.
A V
.g.
Resoarse to 2 Analyses have been performed for the limiting transients which define the EFWS performance requirements. These analyses have been provided for review in the Virgil C. Summer FSAR. Specifically, they include:
- Loss of Main Feedwater (Station Blackout)
- Rupture of a Main Feedwater Pipe
- Rupture of a Main Steam Pipe Inside Containment In addition to the above analyses, calculations have been performed specifically for the Virgil C. Sumer plant to determine the plant cool-down flow (storage capacity) requirements. The Loss of All AC Power is evaluated via a comparison to the transient results of a Blackout, assuming an available emergency pump having a diverse (non-AC) power supply. The LOCA analysis, as discussed in response 1.b, incorporates the system flow requirements as defined by other transients, and there-fore is not performed for the purpose of specifying EFWS flow require-ments. Each of the analyses listed above are explained in further detail in the following sections of this response.
Loss of Main Feedwater (Blackout)_ A loss of feedwater, assuming a loss of power to the reactor coolant pumps, was performed in FSAR Section 15.2.8 for the purpose of showing that for a station blackout transient, either two motor driven or one O- turbine driven emergency feedwater pump delivering flow to two steam Furthermore, the generators does not result in filling the pressurizer. peak RCS pressure remains below the criterion for Condition II tran-sients and no fuel failures occur (refer to Table 18-1). Table 2-1 sumarizes the assumptions used in this analysis. The transient analy-sis begins at the time of reactor trip. This can be done because the trip occurs on a steam generator level signal, hence the core power, temperatures and steam generator level at time of reactor trip do not depend on the event sequence prior to trip. Although the time from the loss of feedwater until the reactor trip occurs cannot be determined from this analysis, this delay is expected to be 20-30 seconds. The analysis assumes that the plant is initially operating at 102% (calori-metric error) of the Engineered Safeguards design (ES0) rating shown on the table, a very conservative assumption in defining decay heat and stored energy in the RCS. The reactor is assumed to be tripped on low-low steam generator level, allowing for level uncertainty. The FSAR A shows that there is margin with respect to filling the pressurizer. loss of normal feedwater transient with the assumption that the two smallest emergency feedwater pumps and reactor coolant pumps are running results in even more margin. This analysis establishes the capacity of the motor driven and turbine driven pumps and also establishes train association of equipment so- that this analysis remains valid assuming the most limiting single failure. O
O a=ot"re or x 4" reee ter 24#e The double ended rupture of a main feedwater pipe downstream of the main feedwater line check valve is analyzed in FSAR Section 15.4.2.2. Table 2-1 sumnarizes the assumptions used in this analysis. Reactor trip is assumed to be actuated by low-low level in the affected steam generator when the water level falls below the top of the U-tubes. This conserva-tive assumption maximizes the stored heat prior to reactor trip and minimizes the ability of the steam generator to remove heat from the RCS following reactor trip due to a conservatively small total steam gener-ator inventory. As in the loss of normal feedwater analysis, the initial power rating was assumed to be 102% of the ESO rating. The Virgil C. Sumner emer;ency feedwater design is assumed to supply a total of 350 gpm to the two intact steam generators, including allowance for feeding the affected steam generator. The criteria listed in Table 18-1 are met. , This analysis establishes the capacity of the emergency feedwater pumps, establishes requirements for layout to preclude indefinite loss of emergency feedwater to the postulated break, and establishes train association requirements for equipment so that the EFWS can deliver the minimum flow re uired in 1 minute assuming the worst single failure. Ructure of a ikin Steam Pioe Inside Containment Secause the steamline break transient is a cooldown, the EFWS is not O neeeed to remove heat 4a the short term. Furthermore, eedi 4oa of excessive emergency feedwater to the faulted steam generator will affect the peak containment pressure following a steamline break inside con-tainment. This transient is performed at four power levels for several break sizes. Emergency feedwater is assumed to be initiated at the time of the break, independent of system actuation signals. The maximum flow is used for this analysis, considering pump runout. Table 2-1 summar-izes the assumptions used in this analysis. At 30 minutes af ter the break, it is assumed that the operator has isolated the EFWS from the faulted steam generator which subsequently blows down to ambient pres-sure. The criteria stated in Table 13-1 are met. This transient establishes the maximum allowable emergency feedwater flow rate to a single f aulted steam generator assuming all pumps operat-ing, establishes the basis for runout protection, if needed, and estab-lishes layout requirements so that the flow requirements may be met considering the worst single f ailure. O
n v Plant Cooldown Maximum and minimum flow requirements from the previously discussed transients meet the flow requirements of plant cooldown. This opera-tion, however, defines the basis for tankage size, based on the required cooldown du' ation, maximum decay heat input and maximum stored heat in the system. As previously discussed in response 1A, the emergency feed-water system partially cools the system to the point where the RHRS may complete the cooldown, i.e., 350cF in the RCS. Table 2-1 shows the assumptions used to determine the cooldcwn heat capacity of the emergency feedwater system. The cooldown is assumed to ccmmence at 102". of engineered safeguards design power, and maximum trip delays and decay heat source terms are assumed when the reactor is tripped. Primary metal, primarv nater, secondary system metal and secondary system water are all included in the stored heat to be removed by the EFWS. See Table 2-2 for the items constituting the sensible heat stored in the NSSS. This operation is analyzed to establish minimum tank size requirements for emergency feedwater fluid source which are normally aligned. O l l n v 1
1 - m f, T 5 m = =
=
e. 6.- s-
=
6 - s 6 Y
- a*
S W 9 > 2 < l la =s -. - - e = s w m =_ a ..
-s - 73 a t -
es aw3
.a s
3
.q2-
--{
t
*' == --
s -g. -e s 3
=
g -,
= e- . p! # g. C
.3 *3 w w .e _p
. - < , .s -- ,.
e- . . -6 . 2
=
,a3 - 1
=.
> CE
.l s
E e g
.e s
E s E s E 4 1 -
=g E-
- _ .i *iE =< <
3 g % s s Z g:. a< 24w E O-
'e m -
as 4
-~9 9' y- e -
E -- *g 4 .. 3 -* - em N . I St -E o e d - 9 w q - e I - E et we - e % S #g .m
- E. -
% e -
-e 6 g 3
-9 = - ' Se AN O A
- J E
P{ e 9 a
. e I. 4 g .g.I-w 1 w .- %
- e = - , - -
ss .' .: 3. 2 .w &
- h 3 - e f.
e
- m. 3
*S --
=
4 2 4
=
. p -
a. w O p. e- w N # 6 gt &7 d N 4 sw - 4 N a -
- DA. N E*
-8 2 ;
s J
-pgw N d 9 C- . = 0 -2E m - A 4 e A 5 I .- *.
S E' -w A -- -- = d
-9 d 1 - %
+ -
5 4 +3 g - w r 3 I ,! ~. _g . _3 s {; a
-r - - -
s
- ~
9 e T a C ~. m & y m .y 4 % 3 g w SC g - w - 4 e 3
.- eJ S'
e me ed C d N 4
=&
w g g C Oe e* 2 Oe J b e 3 e ( C e % N 3 -e E - N > N E 3 de 3 = - 5
- w t' h E. %
- N, -&
@ w g h. ~ -
. O @ w c
M b-E- g - . a 4
- . s
< -t g. . - -f - - e #
-# p v
*~ 9 m- - 9 .
4
=
3 .O- w t > Q* e y y * .f .-2
- 1. I >> > t .,
-6 . . . 3
-=,
s = s-
~ .os-- -. s 4
_e
- = = a ,
= .s a-56* b* 4 & =
1 -0 s e s . - -e
+ E.
6 I m' g
.a
- w. a $t S e
g m
-+
& M 4
- 4 I G-e J G
. .. w 3
ee-- c .g
.5 m==&. .e . -
=&
& y s v -
, -I ~, ~~
#-- N # .L --
ee e --* 3
-y 0 & N
~
G
- ~-
w G* E 3 I E <* ~ g ~a c-
-- m-, -w ew o- 3 . - m -
t
=
g w w
=
9 s> -F. g w P. ew 9
- =
3 g3- #- N b* # ! h IT- s
!.$ g% -se I I. (I -h
,-t
-p e .s . -: - -
5 . - -g= - ms
-3 s1
-. s. 2 43
- 4. --
T 3-4
- 3s
- 9
*g 4
3
# 4 I .
[6g g i .g- { 3=2-w
- - T 2 *' g
- y . l
== g - -
3
- j. 6 - . .
g - s ; . -
- 46 a6 s- - i <. .i s. . - 4.
6 4 ,s , e J. - . -
- . 4- - = ,
-s. -
n - j -. e 9
=, Is n . ~ . -
2.3 s-4- J ~. 9 3
. 3s 2-3 El-m a
-,={-.
E-
," _3
- - E
.F, -- -
3
= E -6 $-- - ad
?
4
-- m - 3. 3. :.
9 J. T. s. =
\
TABLE 2-2 Summary of Sensible Heat Sources I Primary Water Sources (initially at engineered safeguards design power temperature and inventory)
- RCS fluid
- Pressurizer fluid (liquid and vapor)
Primary Metal Sources (initially at engineered safeguards design power temperature)
- Reactor coolant piping, pumps and reactor vessel
- Pressurizer
- Steam generator tube metal and tube sheet
- Stera generator metal below tube sheet
- Reactor vessel internals Secondary Water Sources (initially at engineered safeguards design power temperature and inventory)
- Steam generator fluid (liquid and vapor)
- Emergency feedwater piping purge fluid.
Secondary Metal Sources (initially at engineered safeguards design power temperature)
- All steam generator metal above tube sheet, excluding tubes.
O I O
Question 3 Verify that the AFW pumps in your plant will supply the necessary flow to the steam generator (s) as determined by items 1 and 2 above consider-ing a single failure. Identify the margin in sizing the pump flow to allow for pump recirculation flow, seal leakage and pump wear. Restonse to 3 FSAR Figure 10.4-16 schematically shows the major features and components nf the Emergency Feedwater System for Virgil C. Sumer . Flow rates for all of the design transients described in Response 2 have been met by the system for the worst single failure. The flows for those single f ailures considered are tabulated for the various transients in Table 3-1, including the following: A. A/C Train Failure B. Turoine Driven Pump Failure C. Motor Driven Pump Failure O O
TABLE 3-1 Emergency Feedwater Flow (1) to Steam Generators Follcwing an Accident / Transient with Selected Single Failure - GPM Single Failure TO Pump MD Pump Elec. Train Accident / Transient Failure Failure Failure A 8 C 872 gpm 704 gpm 872 gpm
- 1. Loss of Main FW Feedline Rupture 471 gpm 704 gpm 872 gpm 2.
- 3. 958 gpm 796 gpm 958 gpm Cooldown
- 4. 979 gpm 0 gpm 0 gpm Main steamline rupture (max.
requirement) > O "ot >: (1) Items 1 thru 3 are minimum expected ficws to intact loops; item 4 is maximum possible ficw to the faulted loop. l O}}