ML19339C461

Forwards Response to NRC/Sandia Questions on Reliability Analysis of Auxiliary Feedwater Sys for Facility
Person / Time
Site: McGuire
Issue date: 11/10/1980
From: Parker W, DUKE POWER CO.
To: Harold Denton, Youngblood B, Office of Nuclear Reactor Regulation
References: NUDOCS 8011180418


Text

DUKE POWER COMPANY
Power Building, 422 South Church Street, Charlotte, N. C. 28242

William O. Parker, Jr.
Vice President, Steam Production
Telephone: Area 704, 373 4033

November 10, 1980

Mr. Harold R. Denton, Director
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Attention: Mr. B. J. Youngblood, Chief, Licensing Projects Branch 1

Re: McGuire Nuclear Station, Docket No. 50-369

Dear Mr. Denton:

Attached is Duke Power Company's response to the questions that the NRC Staff/Sandia Laboratories had concerning the reliability evaluation of the McGuire Unit 1 auxiliary feedwater system. These questions were discussed in detail during the October 28-29, 1980 meeting in Charlotte with the Staff and Sandia representatives.

If there are any further questions regarding this matter, please advise.

Very truly yours,


William O. Parker, Jr.

GAC:vr

Attachment

cc: Mr. George H. Bradley, Sandia National Laboratories, Albuquerque, New Mexico 87185

Response to NRC/Sandia Questions on Reliability Analysis of the Auxiliary Feedwater System for the McGuire Nuclear Station - Unit 1, WCAP 9751

(Page and Paragraph Numbers Refer to WCAP 9751)

1. Page - all

The short and long term recommendations of NUREG-0611 were not addressed. What action is being taken on each?

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

2. Page - all

There were no recommendations made for McGuire even though the results of the analysis showed that McGuire's reliability was less relative to most of the newer plants on line. Are there any specific recommendations to be made as a result of the study?

Response

An evaluation of the cut sets which contribute to the McGuire auxiliary feedwater system unavailability indicates that requiring two motor driven pumps to deliver flow to the steam generators (as opposed to one out of three pumps) is the dominant factor which places McGuire lower than some of the operating plants analyzed in NUREG-0611.

The original McGuire AFWS design which dictated pump capacity and emergency diesel generator capacity allowed the flow requirements for the loss of feedwater with loss of offsite AC power to be met assuming only the smallest capacity pump was available. At that time no special provisions were made for automatic initiation of auxiliary feedwater flow for feedline rupture since plants were being licensed assuming operator action to initiate auxiliary feedwater at 10 minutes. Later in the design stage when it became apparent that automatic establishment of auxiliary feedwater flow at one minute following a feedwater line rupture was advisable, Duke Power modified the auxiliary feedwater system design. Utilizing the existing pumps, motors and diesel load availability, a design which met the single failure criterion and flow requirements for the loss of feedwater (with and without loss of offsite power) and feedline break transients was established.

This modified design, which includes a passive means (pre-set throttle valve stops) to limit the amount of water spilling to a postulated feedline rupture, required the use of both motor driven auxiliary feedwater pumps to supply the required flow to the steam generators to meet the assumptions of the FSAR. The decision to make the modification described is felt, by Duke Power Company and Westinghouse, to be appropriate for the following reasons.

1. The required flow (per the FSAR) can be delivered for the following transients considering the worst single failure:

   a. Loss of main feedwater (offsite power available)

   b. Loss of main feedwater (offsite power lost)

   c. Spectrum of main feedwater pipe ruptures.

2. Assuming the turbine pump is available, the flow required for the loss of main feedwater with total loss of AC power can be supplied by the turbine driven pump.

3. The shorter time response requirement for auxiliary feedwater flow delivery for the feedline rupture transient (*10 minutes) relative to the loss of feedwater transients (>20 minutes) justifies some priority being given to automating assured flow delivery for the feedwater line break.

Other modifications which could be proposed which fall short of eliminating the need for two auxiliary feedwater pumps provide a negligible benefit on the McGuire AFWS availability as evidenced in sensitivity studies performed for this purpose. No further modifications are felt to be necessary to improve the availability of the AFWS for the reasons stated above.

3. Page - all

The study was not adequate with respect to the following areas listed in the schedule 189.

1. Test and Maintenance Procedure and Unavailability

2. Potential Common Mode Failures

3. Adequacy of Emergency Procedures

4. Adequacy of Power Sources and Separation of Power Sources

5. Demonstrated Use of Data Presented in NUREG-0611

Response

This comment was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

4. Page 1-2, Paragraph 1-4

What are the assumptions listed in NUREG-0611?

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

5. Page 1-3, Paragraph 1.4(1)

Is there a secondary criterion for mission success which would allow release of coolant through pressurizer relief valves to adequately cool the core?

Response

The mission success criteria stated in the report was established as the time interval of interest for all the transients to be considered to determine the unavailability of the McGuire AFW system. The criteria is commensurate with that used to evaluate other AFW systems of Westinghouse plants as reported in NUREG-0611 (Paragraph 4.3).

Steam generator dryout itself may not cause serious safety consequences. A more appropriate safety criteria is the maintenance of adequate core cooling. A secondary criterion for mission success could be established considering adequate core cooling. Failure to obtain auxiliary feedwater flow following a transient will eventually result in the reactor coolant pressure reaching the pressurizer relief or safety valve set pressure. Normal valve operation would maintain system pressure at the valve set pressure, and would require operator intervention to depressurize the system by manually holding the relief valve(s) open and allow sufficient safety injection flow to maintain coolant inventory. Westinghouse has conducted analyses described in WCAP-9600 and WCAP-9744 submitted to the NRC staff that indicates the operator has time to open all power operated pressurizer relief valves to prevent core uncovery. With the subsequent depressurization, the reactor coolant system eventually stabilizes at a pressure at which safety injection flow matches coolant lost through the relief valves.

6. Page 1-3, 4th Paragraph

Does the 25 minutes boil dry time apply to all three cases?

Response

The steam generator boil dry time stated in the report applies to all three cases. The boil dry time was calculated using the methodology previously employed to supply steam generator dryout times requested by the NRC on April 26, 1979. The dryout times and method used to calculate such times for Westinghouse plants is presented in the attached form to letter addressed to D. F. Ross from T. M. Anderson, dated May 1, 1979, and June 1, 1979 (Reference: W document numbers NS-TMA-2078 and NS-TMA-2095).

7. Page 1-4, Paragraph 1.4(4b.)

Why is the value from Wash 1400 used? The value is different in NUREG-0611.

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

8. Page 1-4, Paragraph 1.4(5)

Why were the sample and test lines not considered?

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

9. Page 1-5, Paragraph 1.4(7)

If all AC power is lost do we lose the 120 VAC instrumentation power? Were battery failures considered for case 2 and 3?

Response

A loss of all AC power would not result in a loss of 120 VAC instrumentation. This instrumentation is supplied by inverters backed by batteries as described in Section 8.3.2.1.4.

With regard to whether battery failures were considered, the NRC supplied data for use in conducting the study was assumed to be of an analysis depth whereby further modeling of power sources and control circuits for valves was deemed not necessary. This assumption was also made in connection with DC power sources.

10. Page 2-1, Paragraph 2.1

What are the Technical Specification capacities for the water sources? How long will the first three sources listed last before operator action is required to valve in alternate water supplies assuming Technical Specification capabilities and maximum flow from the AFW pumps?

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

11. Page 2-2, 5th Paragraph

A full flow pump test loop implies a large test line. Shouldn't flow diversion through these lines be considered? Does the technical specification call for a 72 hour endurance test of the AFW pumps?

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written request was not required.

12. Page 2-2, 7th Paragraph

Is there any common piping in the MFWS and the AFWS?

Response

The MFWS connects to the AFWS through a check valve and an automatic isolation valve. This arrangement allows main feedwater to be supplied to the AFWS nozzle at power levels up to 30%. Other than this connection, there is no common piping in the MFWS and AFWS.

13. Page 2-3, 2nd Paragraph

Is there an automatic shut off on each pump for low NPSH?

Response

There is no automatic shutoff on any of the AFW pumps on low NPSH. In the event of low suction pressure, an automatic switchover to the assured source of water would occur, thus protecting against inadequate NPSH.

14. Page 2-3, 4th Paragraph

Are there any common components in the AFWS including supply of water for McGuire 1 and 2? The condensate storage tank is designated as the normal source of water; however, on page 2-1, the upper surge tanks are designated the first priority. Explain?

Response

The auxiliary feedwater condensate storage tank and the nuclear service water pond are shared between units (nuclear service water is the assured source of water). The AFW condensate storage tank (42,500 gal capacity) is vented to atmosphere and maintained by a continuous bleed of deaerated condensate quality water. The upper surge tanks (85,000 gal capacity total) are vented to the condenser at 0.7 psia and serve as a source of deaerated condensate quality water for the condensate-feedwater system.

The AFW condensate and upper surge tanks are all normally aligned to supply flow to the AFW pumps. Since the AFW condensate storage tank is the higher pressure source, it will be depleted first with the upper surge tanks supplying flow after level drops sufficiently in the condensate storage tank. The upper surge tanks will normally be used for the remainder of the cooldown with makeup from the station demineralized water system or from the condenser hotwell through one of the three condenser hotwell pumps.

15. Page 2-4, 3rd Paragraph

Is the water from the NSWS and SSF steam generator grade? The 5th paragraph indicates that the NSWS water may be.

Response

Water from the nuclear service water system and from the condenser cooling water system (SSF source) is pond water and lake water, respectively, and is not steam generator grade.

16. Page 2-4, 4th Paragraph

Are the NSWS and SSF pumps considered in the Fault Tree?

Response

The NSWS and SSF pumps were not considered in the analysis. As stated in item eleven for assumptions under Paragraph 1.4 of the WCAP, the availability of water from these systems was assumed available with a probability of 1. The analysis of systems that interface with the AFW system was considered beyond bounds set for the study. Excluded from this assumption was the treatment given the condensate storage tank (CST) and that portion of the NSWS supplying cooling water to the motor driven pumps. These were considered in the early development of fault trees for the system and were not removed when a decision was made on how to treat systems that interface with the AFW system.

17. Page 2-4, 5th Paragraph

How can NSWS be water of steam generator grade if pond water is used?

Can the SSF automatic open signal be by-passed by the operator before auto initiation is expected to occur? The possibility exists to lock out NSWS and SSF sources. Has this human error event been considered?

For case 3 what operator actions would be required to activate alternate water sources?

Response

As stated in the response to question 15, NSWS water is not steam generator grade. NSWS and SSF sources open automatically on low pump suction pressure. An indicator light is provided in the control room to indicate that automatic switchover is bypassed.

Should the SSF source fail in case 3, water would be available from the AFW condensate storage tank, the upper surge tank and the condenser hotwell.

18. Page 2-6, Paragraph 2.3

How long will the air supply to the pneumatic operated valves last if there is no AC power (Case 3)?

Response

The design of the system is such that upon receipt of any automatic actuation of the AFWS, the air is vented from the pneumatic valves to assure the valves are positioned properly. No air supply is required for proper system operation under these conditions.

19. Page 2-7, Paragraph 2.4.1

How do the safety solenoids work? Do these valves "fail-safe open" on loss of solenoid power, loss of air or both?

Response

The valves will go to their pre-set "fail" position on loss of solenoid power or loss of air.

20. Page 2-8 through 2-13, Paragraph 2.4.2

Is this instrumentation available for all three cases?

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

21. Page 2-13, Paragraph 2.4.3

What is the probability that the auto start defeat switch is left or fails in the "defeat" position?

Response

The circuitry associated with this function has been modified to provide for automatic removal of the auto-start defeat. Thus leaving the switch in the "defeat" position would not prevent automatic start of the motor driven AFWS pumps if plant conditions necessitate.

22. Page 2-14, 1st Paragraph

If the steam generator blowdown system is not isolated, will this adversely affect the steam supply to the steam turbine pump?

Response

Steam generator blowdown isolation is provided by closure of double isolation valves after any auxiliary feedwater pump automatic start signal. Failure of 3 of the 4 blowdown lines to isolate will not affect criterion for mission success with two motor-driven pumps available or with the turbine driven pump only available.

23. Page 2-14, Paragraph 2.5

Describe the test procedure. Are the tests done on a staggered basis?

Response

Each pump is run at least once every 31 days using the minimum flow line. Measurements are made on various pump parameters to verify pump performance. The testing is done on one pump at a time. Each pump is restored to service prior to testing another pump. However, with the design of the system the pump would be automatically aligned to supply water to the steam generators if an event occurred during the testing which required the auxiliary feedwater system to function.

24. Page 2-15, 2nd Paragraph

The requirements for T&M procedures are stated in the TS. Do the T&M procedures include and adequately check all parts of the AFWS?

Response

The periodic test procedures include tests of the AFWS pumps and active valves as well as tests of the instrumentation required to activate the AFWS. Thus the important components are adequately checked to assure proper operation of the system.

25. Page 2-17

What are valves 1CA86A, 1CA116B, and 1CA18B used for? Why are two different symbols for air operated normally closed valves used?

Response

This question was discussed during the October 28-29 site visit and it was agreed that a written response was not required.

26. Appendix A

There is no association of values assigned and the basic events. Therefore, there is no way to check the values presented in Figure 3 by a solution of the fault tree.

Is there a table of events and allocated reliability values? Is there a list of minimum cut sets?

Response

The fault trees presented in Appendix A of the WCAP are reduced and simplified. For each event shown as an undeveloped event there exists one or more lower level basic events. As an example consider the event "1CA59, 1CA62A, 1CA60, or 1CA61 Valve Fault Causes Flow Blockage" of tree transfer number one shown by sheet two of Figure A-1. The event consists of ten lower level faults that include:

Fault / Unavailability (q)

1. Operator Inadvertently Closes AOV 1CA60: 1 x 10^-4

2. Control Circuit Fault Causes AOV 1CA60 to Close Once Open: c

3. AOV 1CA60 Plugged: 1 x 10^-4

4. Control Circuit Fault Causes MOV 1CA62A to be Inadvertently Closed: c

5. MOV 1CA62A Plugged: 1 x 10^-4

6. Operator Inadvertently Closes MOV 1CA62A: 1 x 10^-4

7. MOV 1CA62A Inadvertently Closed Due to Maintenance Error: 1 x 10^-4

8. Manual Valve 1CA59 Plugged: 1 x 10^-4

9. Manual Valve 1CA59 Inadvertently Closed Due to Maintenance Error: 1 x 10^-4

10. Check Valve 1CA61 Fails Closed: 1 x 10

Each of the events shown on Figure A-1 and Figure A-2 were coded with a unique alphanumeric name for computer analysis of the fault tree logic presented. The trees were analyzed using the PREP computer code to obtain minimum cut sets (third order or less) for use as input to the "KITT-1" computer code to obtain a quantitative estimate of AFW system unavailability for the three transient cases studied. The cut sets were screened in accordance with assumption number eleven as presented in Paragraph 1.4 of the WCAP prior to use as input to the KITT-1 code. A list of the cut sets as analyzed by the "KITT" code is available for review. A table of lower level events and the allocated unavailability value assigned to each for the higher level events shown by Figure A-1 and Figure A-2 is also available for review.
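As an added illustration (not part of the Duke Power response, and not the PREP or KITT-1 codes), the Python sketch below expands a small fault tree into minimal cut sets of third order or less and sums them with the rare-event approximation. It compares a one-of-three pump success criterion with the "both motor driven pumps or the turbine driven pump" criterion discussed in the responses to Questions 2 and 22; the tree structure, event names and unavailability values are constructed assumptions, not data from WCAP 9751.

```python
from itertools import product
from math import prod

# Constructed per-demand unavailabilities for illustration only;
# they are not values from WCAP 9751 or NUREG-0611.
Q = {
    "MDP_A_FAILS": 5e-3, "MDP_B_FAILS": 5e-3, "TDP_FAILS": 2e-2,
    "VALVE_A_BLOCKED": 1e-4, "VALVE_B_BLOCKED": 1e-4, "VALVE_T_BLOCKED": 1e-4,
}

# Each pump train fails if the pump fails OR a valve fault blocks its flow path.
TRAINS = {
    "TRAIN_A": ("OR", ["MDP_A_FAILS", "VALVE_A_BLOCKED"]),
    "TRAIN_B": ("OR", ["MDP_B_FAILS", "VALVE_B_BLOCKED"]),
    "TRAIN_T": ("OR", ["TDP_FAILS", "VALVE_T_BLOCKED"]),
}

# Success needs any one of three trains: the system fails only if all three fail.
ONE_OF_THREE = {**TRAINS, "TOP": ("AND", ["TRAIN_A", "TRAIN_B", "TRAIN_T"])}

# Success needs both motor driven trains or the turbine driven train:
# the system fails if either motor train fails AND the turbine train fails.
BOTH_MOTOR_OR_TURBINE = {
    **TRAINS,
    "ANY_MOTOR_TRAIN": ("OR", ["TRAIN_A", "TRAIN_B"]),
    "TOP": ("AND", ["ANY_MOTOR_TRAIN", "TRAIN_T"]),
}


def minimal_cut_sets(tree, node="TOP", max_order=3):
    """Top-down expansion of a fault tree into minimal cut sets of bounded order."""
    if node not in tree:                      # basic event
        return {frozenset([node])}
    kind, children = tree[node]
    expanded = [minimal_cut_sets(tree, c, max_order) for c in children]
    if kind == "OR":                          # any child's cut set fails the gate
        sets = set().union(*expanded)
    else:                                     # AND: one cut set from every child
        sets = {frozenset().union(*combo) for combo in product(*expanded)}
    sets = {s for s in sets if len(s) <= max_order}
    # Drop any set that strictly contains another (non-minimal).
    return {s for s in sets if not any(other < s for other in sets)}


def unavailability(cut_sets, q=Q):
    """Rare-event approximation: sum over cut sets of the product of event q's."""
    return sum(prod(q[e] for e in cs) for cs in cut_sets)


def compare():
    """Return (one-of-three, both-motor-or-turbine) system unavailability."""
    a = unavailability(minimal_cut_sets(ONE_OF_THREE))
    b = unavailability(minimal_cut_sets(BOTH_MOTOR_OR_TURBINE))
    return a, b


if __name__ == "__main__":
    one_of_three, both_or_turbine = compare()
    print(f"1-of-3 pumps:            {one_of_three:.3e}")
    print(f"2 motor or turbine pump: {both_or_turbine:.3e}")
```

With these constructed numbers the two-pump requirement turns every third-order cut set into a second-order one, which is why the success criterion dominates the result.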

27. Appendix A

Figures A1 sheets 2, 3, and 4 and A2 Sheet 2 have been reduced to such an extent that a magnifying glass had to be used to read them. This made Fault Tree checking very difficult. This also applies to Figure 2 page 2-17.

Response

Larger figures were provided to the participants in the October 28-29 site visit.

28. Appendix A

Why are both letters and numbers used in transfer symbols e.g. A and 1, B and 2, etc.?

Response

A number is used in conjunction with a transfer symbol to indicate the transfer is the continuation in logic development of a higher level event. Events and logic development that are indeed true transfer are indicated by a letter. This technique serves as an aid when one inputs the tree data to a computer fault tree analysis code such as PREP.

29. Appendix A

For valves where is the power source, control circuits, common mode, and human error events modeled? Also where are the control circuits for the pumps modeled?

Response

The NRC supplied data for use in conducting the study is assumed to be of an analysis depth whereby further development and modeling of power sources and control circuits for valves is deemed not necessary. A similar assumption is also made in concern of control circuit for pumps.

As stated in a previous response to a question, the fault trees presented in Appendix A are reduced and simplified. For each event shown as being undeveloped there exists one or more lower level basic events. Human error, control circuit and power source events are modeled as basic events and input to higher level events shown in the fault tree development of Figures A-1 and A-2.

No common mode failure associated with the pumps and valves were discovered as a result of the analysis conducted and information reviewed.

30. Appendix A, Figure A-1 Sheet 2 of 5

1CA152 is a normally closed manual valve. How can this be relied upon for an alternate flow of condensate to the pumps? How much water is available from the dome of the upper surge tank? Is the dome of the upper surge tank another source of water?

Response

This valve can be opened manually by the operator to increase pump suction pressure thereby decreasing the probability of automatic switchover to the NSW source of water. Valve 1CA52 and associated piping parallel the normal supply line from the upper surge tank.

The dome of the upper surge tank is not another source of water.

31. Appendix A, Figure A-1

Test and unscheduled maintenance events involve only a few valves in the system. Are these the only ones tested and needing unscheduled or other routine maintenance while the system is on line?

Response

See response to Question 33.

32. Appendix A, Figure A-1

Where in the fault tree are the following components considered? 1CA70, 1CA69, 1CA111, 1CA112, 1CA71, 1CA72, 1CA68, 1CA67?

Response

Valves 1CA67, 1CA68, 1CA69, 1CA70, 1CA71, and 1CA72 function as isolation valves in miniflow lines of the AFW pumps. These are not included in the development of the fault tree presented as the normal position of the valves is open. The valves failing "closed" will not prevent the minimum feedwater flow requirements to the steam generator from the AFW pumps from being met.

Valves 1CA111 and 1CA112 function as isolation valves to isolate flow between piping headers supplied feedwater from the AFW motor driven pumps. The normal position of the valves is "locked-closed". For the transient cases studied and in the unlikely event that both valves failed open, such a fault would not prevent the required minimum feedwater flow from being delivered to the steam generators from the motor driven AFW pumps. For this reason they are not included in the development of the fault tree presented.

33. Appendix A, Figure A-1

What unscheduled maintenance is required on check valves? (Why is unscheduled maintenance limited to selected components in the study?)

Response

The only components for which unscheduled maintenance was considered were those components which could be taken out of service and isolated with the unit at power. Thus (looking at the "C" steam generator flow path), valves 1CA44, 1CA45, 1CA48 and 1CA49 could be isolated and worked on without affecting the availability of the AFWS. To work on either valve 1CA47 or 1CA43 would require isolation of the turbine driven pump or the "B" motor driven pump, respectively. Valves 1CA46B and 1CA50B could not be worked on at power since there is no means to isolate them from steam generator pressure.