ML19345H385
| ML19345H385 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 05/11/1981 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19345H382 | List: |
| References | |
| TASK-05-10.B, TASK-05-11.A, TASK-05-11.B, TASK-07-03, TASK-09-03, TASK-5-10.B, TASK-5-11.A, TASK-5-11.B, TASK-7-3, TASK-RR NUDOCS 8105200227 | |
| Download: ML19345H385 (68) | |
Text
o oV i
SEP REVIEW 0F SAFE SHUTDOWN SYSTEMS FOR THE l
l MILLSTONE NUCLEAR POWER PLANT UNIT NO. 1 L
i REVISION 2 i
I
\\
'i i
1 Cata-May 1981 l
l
'8105200 N t
t--
e TABLE OF CONTENTS l
Page t
j
1.0 INTRODUCTION
1 i
2.0 DISCUSSION...............................................
7 2.1 Normal Plant Shutdown and Cooldown.............
7 2.2 Shutccwn and Cooldown with Loss of offsite Pcwer........
8 3.0 ShuTDChN AND C00LD0hN FUNCTIONS AND METHODS..................
10 a.0 COMPARISON OF SAFE SHUTC0hN SYSTEMS WITH CURRENT NRC CRITERIA....................................................
28.
4.1 Functional Requirements..................
34 4.2 Resicual Meat Removal System Isolation Requirements.........................................
35 4.3 Pressure Relief Requirements............................
37 4.4 Pumo Protaction Requirements............................
38 4.5 Test Requirements......................................
39 4.5 Ocerational Procedures...................
40 A' xi l i a ry Feedwa te r Supply............................. '
41 4.7 u
Table 4.1 Classi'7 cation of Safe Shutdcwn System............
42 Table 4.2 List of Safe Shutdown Instru~ents.................
45 Table 4.3 Safe Shutdown Systems Power Supply and Lccation..........'....................................
47 5.0 RESOLUTION OF SYSTE.MATIC EVALUATION PROGRAM TOPICS...........
50 5.1 Topic V-10.3 RHR System Reliability....................
50 5.2 Tccic V-11.A Recuirements for Isolation of High and Lcw Pressure Systems..........
51
- 5. 3 Topic V-ll.B RHR Intericek Re quirements...............
52 5.4 Tecic VII-3 Systems Require far Safe Shutdown.........
52
- 5. 0 REFERENCES...............
56 APPENDIX A. Safe Shutdown Water Requirements..............
A-1 1
l
1.0 INTRODUCTION
I f
The Systema +.ic Evaluation Program (SEP) review of the " safe shutdown" subject encompassed all or parts of the 'ollowing SEP topics, which are j
among those identified in the Novemoer 25, 1977 NRC Office of Nuclear -
Reactor Regulation accument entitled " Report on tne Systematic Evaluation of Operating Facilities":
1.
Residual Heat Removal System Reliability (Topic V-10.8) <
~
2.
Requirements for Isolation of High and Low Pressure Systems (Topic V-11.A) #
3.
RHR Interlock Requirements (Topic V-ll.3) 4.
Systems Required for Safe Shutdown (Topic VII-3) v 5.
StationServiceandCoolingWaterSystems(Top {IX-3)
The review was primarily performed during an onsite visit by a team of j
SdP personnel. This onsite effort, which was performed during the period August 17 and 18, 1978, afforded the team the opportunity to obtain current information and to examine the applicable equipment and proce-dures, and it also gave the licensee (Northeast Nuclear Energy Company) the ocportunity to provide input into the review.
The review included specific system and equipment requirements for remaining in a hot shutdown condition (defined in the Millstone lJnit No. 1 Technical Specifications as all operable control rods fully inserted, reactor mode switch in shutcown, no core alterations being
o o
2 performed and reactor coolant temperature greater than 212 F) and for proceeding to a cold shutdown candition (defined as all operable control rods fully inserted, reactor mode switch in the shutdown position, no core alterations being performed, reactor coolant temperature equal to or less than 212 F and the reactor vessel vented).
The review for transi-tion from operating to hot shutdown considerec the requirement that the capability exists to perform this operation frem outside the control room. The review was augmented as necessary to assure resolution of the applicable topics, except as noted below:
Tcpic V-11. A (Requirements for Isolation of riigh and Low Pressure Systems) was examined only for application to the Shutdown Cooling System. Other high pressure / low pressure interiaces were not investi-gated. The shutdown cooling system is the Millstone Unit No. 1 equivalent of an RHR system.
Topic VII-3 (Systems Required for Safe Shutdown) was completed except for I
determination of design adequacy of the systems.
l i
Topic IX-3 (Station Service and Cooling Water Systems) was only reviewed to consider redundcacy and seismic and quality classification of cooling water systems that are vital to the performance of safe shutdown system j
comconents.
(No discussion of Topic IX-3 is includeo in the report.
The information jathered during the safe snutdown review will be used to resolve this topic later in the SE?.)
I
w 3
The criteria against which the safe shutdown systems and components were comp red in this review are taken from the:
Standard Review Plan (SRP) 5.4.7, " Residual Heat Removal (RHR) System"; Branch Technical Position RSB 5-1, Rev. 1, " Design Requirements of the Residual Heat Removal System"; and Regulatory Guide 1.139, " Guidance for Residual. Heat Removal." These documents represent current staff criteria and are used in the review of facilities being processed for operatir.g licenses.
This comparison of the existing systems against the current licensing criteria led natur:lly to at least a partial comparison of design criteria, which will be input to SEP Topic III-1, " Classification of Structures, Components and Systems (Seismic and Quality)." This report will also be reviewed for its application to the resolution of other-topics.
As noted above, the five topics were examined while neglecting possible intuactions with other topics and other systems and ccmponents not directly related to safe shutdown.
For example, Topics II-3.8 (Flooding Potential and Protection Requirements), II-3.C (Safety-Related Water Sucply), III-4.C (Internally Generated Missiles), III-5.A (Effects of l
Pipe Break on Structures, Systems and Components Inside Containment),
III-6 (Seismic Design Considerations), III-10.A (Thermal-Overload Protection for Motors of Motor-0perated Valves), III-11 (Component jl Integrity), III-12 (Environmental Qualification of Safety-Related ll Equipment), and V-1 (Compliance with Codes and Standards) are among i'
I several topics which could be affected by the results of the safe i
lw.
- ..I i
4 shutdown review or could have a safety impact upon.the systems which were reviewed.
These effects will be determined by later review.
- Further,
.g I
![
this review did not cover in any significant detail the reactor protec-i
'g tion system ror the electrical power distribution, both of which will t.
also be reviewed later.
i The staff considers that the ultimate decision concerning the safety of any of the SE? facilities depends upon the ability to withstand the SEP Design Basis Events (CBEs).
The SEP topics provide a major input to the CBE review, both from the standpoint of assessing the probability of the-event and that of determining the consequences of the event. As examples, the safe snutdown tcpics pertain to tne listed DBEs (the extent of applicacility will be determined during plant-specific review):
Impact Upon Probabii!ty Taoic OBE Grouc or Consecuences of DBE V-10.3 VII (Spectrum of Loss of Coolant Consequences Accidents) rebability o
V-ll.A VII (Cefined acove) i V-ll.3 VII (Defined above)
Probabi i y t
VIII-3 All (Defined as a generic topic)
Consequences IX-3 III (Steam Line 3reak Insida Consequences Containment)
(Steam Line Break Outsice Containment)
IV (Loss of AC Pcwer to Station Cor.secuences Auxiliary)
(Loss of all AC Power) 4
^
3 5
-Impact Upon Probability Tooic DBE Grouo or Consecuences of DBE V (Loss of Forced Coolant Flow)
Probability (Primary Pump Rotor Seizure)
(Primary Pump Shaft Break)
VII (Defined above)
Consequences Completion of the safe shutdown topic review (limited in scope only as noted above), as documented in this report, provides significant input in assessing the existing safety margins at Millstone Unit No. 1.
Picing System Passive Failures The NRC staff normally postulates piping system passive failures as
- 1) accident initiating events in accordance with staff positions on piping failures inside and outside containment, 2) system leaks during long term coolant recirculation following a LOCA, and 3) failures resulting from hazards such as earthquakes, tornadoes, missiles, etc.
In this evaluation, certain piping system passive failures have been assumed
^
beyond those normally postulated by the staff, e.g., the catastrophic failure of moderate energy systems.
These assumptions ware made to demonstrated safe snutdown system redundancy given the complete failure of these systems and to facilitate future SEP revi,.. of CBEs and other types wnich will use the safe shutdown evaluatio-as a source of-data for the SEP facilities.
SRP 5.4.7 an. BTP RSB 5. do not require the assumption of piping system cassive failures.
6 Credit For Ocerating Procedures For the safe shutdown evaluation, the staff may give credit for facility operating procedures as alternate means of meeting regulatory guidelines.
Those procedural requirements identified as essential'for acceptance of in SEP topic or CBE will be carried through the review process and consicered in the integrated assessment of the facility. At that time, we will decide which procedures are so important to acceptance of a topic that an administrative method must be established to ensure that in the future, operating procedures are.70t changed without appropriate i
[
consideration of their importance to the SEP topic evaluation.
t b
o a
I l
l l
1 w
we..
= = -
9 7
i l
2.0 OISCUSSION 4
2.1 Normal Plant Shutdown and Ccoicawn i
Recirculation pump flow is reduced by means of the individual loop normal flow controller which in turn lowers core power. As core power is l
reduced, the reactor pressure control system repositions the turoine control vahes to maintain system pressure at approximately 1000 psig.
This flow reduction continues in a manner to produce the desired rate of 6
{
power reduction until 65 x 10 lbs/hr is achieved. Control rods are inserted until reactor power is reduced to 55%.
One of the three i
condensate and condensate booster pumps are then stopped, and power reouction is continued by recirculation speed control until core ficw is at a minimum.
F g
A feedwater pump and a second condensate pump and booster pump are shut off.
Feedwater control is maintained in automatic at this point.
Sefere f
reaching 10% power, tne station loads are transferred from the main generator by switching from the station service transformer to the
'i reserve station transformer.
Power reduction to 10% continues with I
control rod insertion, and ther the speed load changer is used for continued load reduction.
Before load is reduced to Zero, the turoine-generator is taken out of service and steam is bypassed to the main condenser to remove core heat.
j The reactor coolant system (RCS) recirculation pumes are running at minimum speed, one feedwater train is in service, the turbine is on l
8 turning gear, and RCS pressure is controlled by cooldown rate. Control rod insertion continues while subcritical until all rods are in.
l The RCS is cooled at a rate of less than 100 F per hour by bypassing steam to the main condenser.
Shutdown cooling can be placed in service
,j at RCS pressure of < 150 psig and reactor tamperature < 350 F (inter-locked).
This step is usually delayed until the bypass valvas are
,i closed, main steam line isolation valves are closed, the reactor vessel level is increased via the feedwater system, and the vessel head cooling system is in service to achieve more uniform vessel head cooling.
The shutdown cooling system (SCS) is now placed in service, with reactor building :losed cooling water system (RBCCW) providing cooling water on the secondary side of the ICS heat exchanger.
The RSCCW heat exchangers
~
are in turn cooled by the service water system which takes and returns cooling water from Long Island Sound. This system is normally used to bring the RCS below 212 F cold shutdown. Generally, the RCS is brought to approximately 125 F and maintained at this value by adjusting flow l
through RSCCW or SCS heat exchangers.
l l
- 2. 2 Shutdown and Cooldown with loss of Offsite Power A loss of offsite power would not automatically result in the loss of tne It
'I main concenser and a reactor trio because the plant is designed to withstand this transient while dumping steam to the :cndenser. However, if the condenser were unavailable for heat removal, the reactor could stay in the hot condition briefly while pressure is controlled with l
l i
l
9 relief valves. The isolation condenser would activate automatically if pressure increases to 1C85 psig for 15 sencends or if reactor low-law water level is reached.
It can also be manually initiated. The single closed valve in the return condensate line is opened, and reactor steam passes through the isolation condenser tubes boiling off water in the secondary side of the condenser. Makeup water to the secondary side of-the condenser is provided by taking suction frcm the fire water tanks or the concensate storage tank. Thus, the reactor is cooled by boiling un-til the SCS initiation temperature limit is reached. The SCS may then be out in service as above since the RBCCW and service water systems are pcwered by ensite electrical sources. Cooldown is accomplished as in 2.1.
ll With the isolation condenser unavailable, a full feedwater string could be t
pcwered by the onsite gas turbine drive'n generator and cooling could be t
provided by controlled venting via relief valves and the feedwater system.
An alternative method of depressurization is through the relief valves with makeup from the low pressure coolant injection or core spray system, with power from onsite power.
l l{'
!t i
i i
l i'
1 I
i ki
- I l'
+.
10 3.0 SHUTDOWN AND C00LDOWN FUNCTIONS AND METHODS i
I This section will describe the systems available at Millstone Unit No, 1 i
{
(Millstone 1) to accomplish the necessary~ functions for the safe shutdown t
of the reactor following either the Ir.ss of of' site power or the loss of I
onsite AC power.
Seismic and quality group classifications of the pertinent equipment (based upon USNRC Regulatory Guides 1.25 and 1.29) will be addressed in Section 4.0.
The losses of offsite and onsite AC power are not considered to be concurrent or sequntial events, but rather, for the purposes of this evaluation, are taken as wholly independent occurrences.
The loss of normal AC power is a situation which presents little difficulty for Millstone 1.
Upon loss of the unit auxiliary transformer, which is supplied from the station main generator, power is automatically pre d ed by the station startup transformer (Reserve Station Service l1 Transformer), which is in turn supplied frcm the 345 k'l switchyard. The
'f 345 kV switchyard is connected to three 345 kV lines, any of which can suoply power to the startup transformer, keeping all auxiliary loacs operating.
This transformer can suoply all auxiliary loads for Millstone 1 with the unit's main generator operating at full power.
l In-depth consideration has been given to recovery frcm the unlikely loss i
of all offsite power.
Millstone 1 has the capability for cypass to the condenser of 100% of the steam generated 'oy the reactor at full pcwer.
l
!l
11 Since Millstone Unit 2 (a pressurized water reactor) does not have this bypass capability, Millstone 1 may be automatically separated from the power grid upon loss of two (out of three) 345 kV transmission lines, thus maintaining an outlet for Unit 2's generated power.
Upon loss of the two (or three) 345 kV lines such that only the Millstone /Southington (348 line) line remain in service, and if station generation is greater than 1200 MW, an automatic trip of Millstone Unit 1 will occur. Automatic Millstone 1 actions requiring no operator response except verification include a trip of generation output breakers, select rod insert and APRM high flux setdown to 90%. When this decrease b power occurs, and the bypass valves automatically open, the feedwater heaters will no longer be effective since the automatic throttling dcwn of the turbine control valves and intercept valves will decrease the amount of extraction steam being supplied to the feedwater heaters. This results in a decrease in feedwater temperature and a subsequent increase in power.
The operator, as part of his procedural immediate action, will decrease reactor power to the minimum atteir.able using the recirculation pump manual controller and will adjust generator speed and excitation as l
required to maintain houst loads. As part of subsequent action, the operator will start the diesel generator and gas turbine generator, further assuring maintenance of in-housa ' cads.
An autcmatic reactor scram is included in the generator loac rejection (loss of offsite ::ower) protactive circuitry.
This scram will occur only if the bypass valves fail to start opening within 250 milliseconds l
n.---
12 following load rejection.
Reliance would then be placed upon the emergency power sources.
Millstone 1 has experienced two full load rejection incidents, both attributable to lightning strikes.
During the first such incident all systems functioned as intended. During the second, a turbine trip and scram occurred due to a s'econdary system malfunction.
Mcwever, at the time of the scram the diesel generator was running, as required by procedure, and it picked up essential loads immediately, assuring safe shutdown and actually demonstrating the Millstone 1 safe shutdown capability.
Even if a diesel were not running, the generator lockout signal on turbine trip would automatically start the diesel and gas turbine if offsite pcwer were not available.
It is obvious, from the aoove discussion, that under " normal" loss of offsite power conditicns, the plant's capability to run back to house loads will assure the ability to stay hot with the core cooled, and the l
requirement to start bcth emergency power sources will assure power to systems, including feedwater (powered by the gas turbine generator) i utilized for shutdcwn and cooldown.
l.
l Should a loss of offsite pcwer be folicwed by a reactor scram, the isolation condenser would automatically initiate at reactor vessel pressure greater than or equal to 1085 psig for 15 seconds.
The isolation condenser consists of:
a snell designed to American Society of l
Mechanical Engineers (ASME) Boiler and Pressure Vessel Code Section VIII l,
j _.
4 13
[
for 15 psig at 300*F; two tube bundles designed to ASME Section III and designed for 1250 psig (full reactor coolant system pressure) at 575*F, and associated connections for draining, filling, venting, and level measurement.
The isolation condenser capacity will be equal to the decay heat five minutes after isolation.
Although the isolation condenser sill assist in j
removing decay heat after the 1085 psig 15 second timer comp;etes its sequence and initiates condenser flow, initial pressure relief is provided by the six electro pneumatic relief valves.
The valves, whose setpoints range from 1095 to 1125 psig, will then lift as necessary to prevent excessive pressures until the decay heat ratio has decreased to isolation condenser capacity.
I i
.I Three of the electro pneumatic relief valves have 800,000 lb/hr capacity each, with the others each having 840,000 lb/hr relief capacity. All are DC powered, but require air for opening and remaining open.
The accumu-lators (one per valve) are sized for three openings of their valve and with their connections to the valves are Class I.
The remainder of the air suoply system to these valves and accumulators is not Class I.
However, even in the highly unlikely dual loss of the isolation :andenser and the air supoly te the accumulators, the combination of valve opening i
and the feedwater coolant injection system (?dCIS-to be discussed later) j will be satisfactory to depressurize the reactor coolant system.
!! I i
r i
i l.,.-.....
14 The isolation condenser system contains four motor-operated valves, two on the steam line from the dedicated reactor vessel nozzle to the isolation condenser, and two on the condensate return line to reactor coolant system recirculation loop 'B'.
One valve on each line (steam and ccndensate) is inside cor.taincent and is powered by " emergency" AC from ctor control center (MCC) F-3, which is supplied by the diesel generator upon loss of offsite and main generator power. The valves are not shed from the bus upon loss of normal power and are automatically reenergized i
wnen bus power is restored.
The gas turbine generator does not supply power to these valves.
The two valves outside containment, one on the steam line, the other on I
condensate, are powered by DC from 125 volt DC MCC DC-llA-2, The l
OC powered valve on the condensate return line to the reactor vessel is
{
the only one of the four motor-operated valves which is normally shut and f
which must open to initiate flow.
(The condenser tubes are thus normally e
pressur Qed to reactor coolant system pressure.) This valve is located
-l outside containme' and can be manually actuated in case of motor i
failure.
l l
1 The isolation condenser system includes excess ficw sensors on both steam l
and condensate lines, wnich would close all Mur valves upon sensing a break in either line.
This isolation system has in the past been adjusted to be too sensitive, which could possibly cause system isolation as the condenser was initiating.
If this were combined with the highly unlikely s'nultaneous loss of MCC F-3, it would result in condenser l
l I'
I
15 isolation with no means of re-initiating flow becausa of the inaccessibility of the two AC powered valves. However, NNECO has adjusted the sensitivity of the excess flow sensors, and is considering the addition of a redundant power supply for the two AC valves, although ac action has yet been taken to implement such a change.
i Level in the shell (low pressure) side of the isolation condenser is l
automatically controlled.
Level control switches function to maintain a level between 69 and 72 inches by operating the fire water makeup-to.-
l condenser shell valve 1-IC-10.
This valve is AC powered from MCC 2-1 and will be powered even upon loss of normal AC power sources.
The alve is t
readily accessible in the reactor building and can be manually operated sh ald the need arise.
It is also operable from the control room, in a remote-manual mode, if the automatic level control system should fail.
Makeup water to the isolation condenser is normally supplied by the fire water system from the fire water storage tanks (400,000 gallons minimum).
However, the condensate storage tank (225,000 gallons minimum), can also be used to supply water tc the isolation condenser through the condensate I
system via a normally locked-closed valve which is easily acce.esible. The fire water system is a shared system with Millstone Unit.'io. 2 includes two electric pumps and a diesel-driven pump, which is highly reliable ac-l l
cording to plant sources. The diesel engine is provided a 250 gallon fuel supply, normally kept at least half full. A:: proximately eight hours of running time can be obtained frcm 125 gallons of fuel.
l l
I i'
L
16 The fire water is supplied from two tanks, each of which contain 250,000 gallons. Makeup to the tanks is from a 12-inch city water supply line, thus providing substantial makeup capability.
There are only manual valves in the fire water system line providing isolation condenser makeup.
In the unlikely event that the fire water system should fail, the condensate transfer system can be used to supply makeup to the tsolation condenser.
There are two condensate transfer pumps in the system, both of whic.5 can be provided power from the gas turbine generator upon loss of all other AC sources. There is an air-operated flow control valve on the discharge of each transfer pump. The valve, which prevents flow surges on pump start, wfil fail open upon loss of instrument air, and it can be ~ anually overridden, thus as-m suring a supply of water to the condenser.
After the reactor has been sufficiently depressurizsd by the isolation condenser system, the shutdown cooling system is utilized to maintain the reactor coolant systea in J cold shutdown condition.
The shutdown cool.ng system (SCS) takes its suction frcm the "A" recirculation loop and exits the dryweil througn a normally-closed AC powered motor-cperated i
valve. Outside the drywell, the line divides into two separate branches, J
each containing (as major equipment) a DC powered motor-operated isolation valve, a pump, a heat exchanger, and a second DC powered I
motor-coersted isolation valve.
The twc branches rejoin prior to l
l l
ll!
17 s
reentering the drywell, and outside the drywell is an AC powered motor operated isolation valve prior to the system's discharge into the low pressure coolant injection system (LPCIS) and hence into the reactor coolant system.
i i
The shutdown cooling system was designed for full reactor coolant system pressure (1250 psig) at 350*F.
It incorporates interlocks to assure the j
system will not operate until temperature requirements are met.
The SCS I
pumos may not be started until the suction pressure exceeds 4 psig and the reactor coolant temperature is below 350 F as measured by sensors on each reactor coolant recirculation loop.
The AC-and DC powered valves may be opened at any time but.the AC powered valves will automatically close to isolate the SCS upon low reactor water level.
The SCS will also automatically isolate by pump trip on increase of water temperature to greater than 350 F.
Recent plant analysis indicates that the systam would have no adverse effects if the interlocks were over-
'i'.
ridcen and the SCS operated on a one-time basis at greater than 350 F.
1lI l
l Power to the AC inlet valve 1-50-1 is provided by MCC F-3 and pcwer to lI the AC discharge valve 1-50-5 by MCC E-3.
Althougn both MCCs can be l3 supolied by emergency sources, failure of eitner MCC could result in the 1
sus being inoperacle, sinca the valves are inside containment and are therefore inaccessible.
i
'I Ir:
=g,,
w w
18 The four DC-isolation valves are powered from redundant 125 volt power sources (DC MCC OC-11A-1 and DC-11A-2).
Cooling to the SCS heat exchangers and SCS pump bearings and packings is provided by the reactor building' closed caoling water (RBCCW) system.
Each RBCCW pump is 100% capacity, but depending upon time of year and I
temperature, operators must drop other RBCCW loads in order that the SCS functions as intended. Normally only two of the three RBCCW heat excha gers (which are in turn cooled by service water) are required for SCS c;oling within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after shutdown.
Both 8BCCW pumos are tripped upon loss of normal AC power and power must be restored by operator action. The "B" RSCCW pump can be supplied by the diesel generator and the "A" pump by the gas turbine generator, so l
diversity of power supplies exists.
t i
1 There are two AC powered motor-operated i:clation valvas in the RBCCW system /SCS system interface.
One valve is to the RBCCW discharge from l
the SCS heat exchanger, and the other is On the line for RBCCW suction from " nonessential" loads (SCS is a nonessential load during normal operation).
Both va?ves receive emergency AC power from MCC E-2 ana j
access is available for manual operation should tnis SCC fail.
The RBCCW heat exchangers are cooled by the service water (SW) system.
There are four SW pumas, only one of which is necessary for cooling the RBCCW under reactor snutdown conditions.
However, two pumps can be i
1
- ---w r-.
= -
19 dupplied from emergency sources.
One is supplisd from the gas turbine generator, is not shed from the bus upon loss of power, and is therefore automatically reenergized when the gas turbine generator picks ;p load.
The other is supplied by the diesel generator, is shed from the bus, but is picked up automatically when the diesel generator begins to pick up loads.
In addition, a third pump can be. added if enough other loc 's are shed from the emergency power supplies.
i All valves supolying farvice water to the RSCCW heat exchangers are, manually cperated.
The SCS is at a higher pressure than the RSCCW system, and RSCCW system pressure is higher than the SW system.
Although a leakage path from the SCS heat exchangers through the RSCCW heat exchancers to the environment is unlikely, radiation monitors have been added to the cooling medium discharge of the heat exchangers.
These monitors provide warning of any leakage.
[
The discussion above has centered on the primary means utilized at
'i,j Millstone 1 to depressurize the reactor and provide cooling following a loss of offsite (AC) power. turbine trip and a subsequent reacts scram.
Mcwever, even assuming a loss of the isolation concenser, Millstone 1 has suostantial backup capability to attain a hot or cold shutcown condition.
This cacability is in the form of the feecwater coolant injection system (NCIS), combined with the electro pneumatic relief valves and either the low pressure coolant injection (LPCI) system or core spray (CS) system.
i i
20 The FWCI system consists of one condensate pump, one condensate booster pump, and one feedwater pump, all powered by the gas turbine generator.
Two complete '! strings" of pumps (out of three) are available for PWCI operation, with selection of string A or B made from the control room.
The only air-operated valves in the system are the Feed Water Regulating l
Valves, located outsiae the containment and thus accessible if necessary for manual operation for reactor coolant level control in the reactor vessel.
The motor-operated feedwater blocking valves open, if closed, on a P4CI initiation signal.
E i
The pumps in the selected P4CI string will not restart automatically upon restoration of AC power (as provided by the gas turbine generator) unless a low-low reactor water level signal or high drywell pressure signal'(or both) exists. These signals from the reactor protection system are g
i r
indicative of a loss-of-coolant accident and would automatically enable I
the pump starting logic.
In the absence of such automatic initiation, g
the operator will t~ing the P4CI system on manually as provided by
'I procedure.
i:
'i Because the gas turbine generator is not ready to load for 48 seconds after starting, the electro pneumatic relief valves will be required to operate, relieving pressure, antil the P4CI system is operating.
At that I
time, the injection, at rates up to 3000 gpm of cold water, will provide suos'intial depresrurization, resulting in the reclosure of relief l
valves.
If the PnCI should provide such significant inventory that reactor vessel water level becomes too high prior to depressuri:ation and l
L
21 concurrent temperature decrease to SCS initiation limits, t'e operator can utilize the relief valves to continue depressurization or can increase discharge from the reactor vessel through the reactor water cleanup system.
As noted, FWCI system operation depends upon the proper operation of the gas turbine generator.
This turbine has not been as reliable as antici-pated in the FSAR and a later (1973) reliability study.
Problems have included, among others, logic errors, arroneous tripping of speed switches, and failure to meet the design 48-second on-line time. As noted above, NNECO has modified gas turbine starting circuits to preclude starting upon generator lockout when offsite power is available.
The 48-second time delay to gas turbine loading readiness and the 4
64-second time delay to FWCI automatic initiation, as described in FSAR Table VIII-7, are considered satisfactory and would not result in core uncovery in this scenario.
Figure XIV-2.6 of the FSAR notes that j
115,000 lb of coolant would have to be discharged through a main steam line break prior to uncovery of the top of the core. As noted above, l
three of the relief valves have 800,000 lb/hr capacity, and three have l,
i 340,000 lo/hr capacity, providing a total of 4,920,000 lb/hr blowdown, or 1
(
82,000 lb/ min, if all relief valves conservatively remain open.
This l
l
.eans 1.1 minutes (84 seconcs) would s' apse prior to uncovery of the top l4 of the core.
Since the Operator would realize after one or more relief i
Valves had lifted that the isolation Condenser had failed to initiate, he could direct his actions to bring FWCI an the line for depressuri:ation.
l t
t h._.
22 Esen assuming the multiple failure of tne isolation condenser and the gas turbine generator /P4CI combination, Millstone 1 still retains the capability to depressurize and cool down by remote-manual use of the relief valves and either the core spray or low pressure cociant injection (LPCI) engineered safety systems.
According to the SAR (Page VI-2.31), the relief valves, even when used automatically (with a 120 second time delay) under the adverse automatf!.
initiation conditions (small loss-of-coolant accident break and coinci-dent indication of reactor low-low level, drywell high pressure and 'FWCI low finw), can depressurize the vessel in sufficient time to allow core spray or LPCI systems (discussed below) to provide adequate core cooling to. prevent clad melting, even though the core is temporarily and partially ur. covered.
(SAR Figures VI-2.25 and V152.26).
Uncer the circumstances of this analysis we have assumed, in addition to the loss of offsite power, the loss of both the isolation condenser and the PACI system.
In this case, the operator could choose to remain at hot stardby, maintaining level with the control rod drive system while i
relieving pressure through the relief valves.
If plant conditions dictated the need to immediately decrease pressure and cool the system, the use of the relief valves sculd serve this purpose, and would probably accomolish the necessary decressurizatic1 prior to uncovering the top of l
th. core. However, even were the level to decrease to the low-low water level prior te blowdown initiation, tne SAR analysis mentioned above I
concludes tnat no clad melting would occur.
'We find the temocrary and l
l l
~
23 partial uncovery of the core in this sce'1ario to be an acceptable event, given first that we.have assumed an extremely low probability occurrence 1;
and second that no core melting would occur since a large influx of cooling water would be available upon completion of the depressurization.
Note that if the FWCI system were avai?tble to provide makeup to the recirculation system, the blowdown could be conducted in a delfberate
'I manner, unlike the automatic initiation condition postulated in the SAR, and no core uncovery would occur.
)
i The core spray system consists of two independent trains, eacn drawi'ng
'f j
water from tne torus (the condensate storage tank is an alternate supply) i anti delivering it. to the vessal through dedicated spray noz:les.
Each train is rated at 3600 gpm (at 90 psig), which is 100% of that required by loss of-coclant accident analyses.
,I
.l, Even though one core spray pump is powered frem a bus normally supplied by the gas turbine generator during a loss of offsite pcwer, this bus will be supplied by the diesel should the gas turbine fail to start.
However, only one pump can be energized at a time by the diesel generator because of load limitations.
If the first pu:4 signaled tc start does not, the second may be started.
(If the gas turbine were availaole, but the diesel were not, the loads would be supplied by the gas turbine generator in the same manner.)
i i
t There are thret motor-operated valves in each train, each of which is geweredfromemergencybuses. Mcwever, only one valve in each train is y
m 24 required to operate (open) to admit water to the core.
Failure of this valve to open can be readily overcome, since the valve is located outside primary containment.
Another system weich would be available to provide cociing water to the reactor vessel is the low pressure coolant injection (LPCI)/ containment spray cooling system.
This system includes four pumps, in two indepen-dent trains, only three of which are necessary to provide 100*4 design system flow (15000 gpm at 0 psi).
The fourth pump can i;e started if,any of the others fail. Although starting of the pumps is automatic only in a LOCA situation, tney can all receive power from the diesel generator and would thus be available in this scenario.
Like the core spray system, the LPCI system can inject ater into the core once reactor coolant system pressure is decreased to 300 psig. All motor-operated valves in the LPCI system, in addition to being provided power from buses wnich can be supplied from the diesel generator, are outside primary contair. ment and can be manually operated.
Water for the LPCI system is taken from the torus.
Approximately 630,000 gallons of water is available for use. The LPCI discharge piping is directed into both reactor recirculation loops at the discharge of the i
recirculation :: umps.
l i
F
?
25 Excess inventory in the core could be let down through the reactor water l
clean-up system to the radioactive waste treatment system, or alternatively to the main condenser hotwell.
i' Although cool",g of the torus water (after the relief valve blowdown for reactor depressuri:ation) will probably not be necessary during the shetdown and maintenance of core cooling in the short term, the capa-bility exists within the LPCI/ containment cooling system to provide such cooling.
Each train of two pumps includes a heat exchanger, the shell side of which is provided water by the emergency service water (ESW) system.
The ESW system includes fcur pumps, two supplying water to one train's heat exchanger and two to the other. '.hese pumps can be.provided power from the diesel generator, once other loads such as unneeded LPCI pumps have been shed from the bus. One LPCI pump, in the containment spray cooling mode, and one ESW pump can then be utilized to cool the torus water, while core spray provides cooling water to the core.
I I
All motor-operated valves in the containment spray cooling system are on buses capable of supply from the diesel, and are also external to containment and thus accessible for manual actuation.
The two motor-operated ESW valves on the discharge of the heat exchangers are also accessible for manual operation in case of motor or power supply failure.
Only one aspect remains to be addressed - the loss of either RSCCW or SW systems, resulting in loss of shutdown cooling system capability and subsequent reheating of the reactor coolant system.
If the isclation
- i
26
- ondenser were available, the,ituation presents little difficulty in that the isolation condenser will provide necessary cooling and only -
requires makeup watea to the shell side, as discussed above.
In the absence of the isolation condenser (acmittedly an extremely I
unlikely multiple failure, but discussed here only to illustrate the substantial backup capcbility of Millstone 1), tne operators could choose either of two methods for core cooling.
The first method is the use of the relief valves to reiteve pressure and decrease inventory, followed by the judicious use of core spray or LPCI systems to provide cold water and make up inventory losses. Carried to its extreme, this method could result in complete filling of the reactor vessel with discharge through the relief valves to the torus, returtt to the vessel by LPCI, and torus cooling by containment cooling spray. The staff is continuing to assess the ability of the electropneumatic relief valves to remain open for the i
I extended period of time necessary for long term core cooling in the cold j
shutdown condition without the availability of the plant air systems.
i The other method available to the operators if the temperature at initiation is less than 200*F is to let down hot water through the reactor water cleanup (RWCU) system to the main condenser or radioactive waste system,, bypassing the deminerali er resins of the RWCU system and overriding the high temperature interlock which would otaerwise isolate RWCU (the RWCU system nonregenerative neat extaanger is cooled by RSCCW, assumed to he out of service because of its own failure or tnat of the SW
27 system). While discharging water through the RWCU system, cold water could be acced to the vessel from core spray or LPCI.
.he RBCCW and SW systems were operable but shutdown cooling were not, some cooling could still be maintained by increasing tne RSCCW flow to the RWCU system nonregenerative heat exchanger.
Conclusion As can be readily seen from the foregoing discussion, Millstone Unit I has the ability to withstand multiple failures and still retain the capability to depressurize and cool the reactor core.
We are satisfied that Millstone Unit No. 1 can be safely shut down upon loss of onsite or offsite AC power, even consideriag failure of a single majorcomponent.
i I
l
28 4.0 COMPARISON OF SAFE SHUTDOWN SYSTEMS WITH CURRENT NRC CRITERIA The current criteria used in the evaluation of the design of systems required to achieve cold shutdown for a new facility are listed in the Stendard Review Plan (SRP) Section 5.4.7 and Branch Technical Position RSB 5-1 (or proposed Regulatory Guide 1.139).
This section discusses the comparison of these criteria with the safe shutdown systems of the Millstone Unit i nuclear power plant.
l "A.
Functional Requirements The system (s) which can be used to take the reactor from normal operating conditions to cold snutdown" shall satisfy the f'nctional requirements u
listed below.
1.
The design shall be such that the reactor can be taken frcm normal operating conditions to cold shutdown
- using only safety grade systems.
These systees shall satisfy General Design Criteria 1 through 5.
2.
The system (s) shall have suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available) the system fyn; tion can be accomplished assuming a single failure.
3.
The system (s) shall be capable of being operated from the control rocm with either only onsite or only offsite power available with an l
assumed single failure.
In demonstrating that the system can
~Processes involved in cooldown are heat removal, depressuri:stion, ficw circulation, and reactivity control.
The cold shutdown condition, ss cescribed in the Standard Tecnnica Specifications, refers to a succritical reactor with a reactor coolant temperature no greater than 200*F for a PWR snd 212*F for a SWR.
f u
y
29 perform its function assuming a single failure, limitad operator action outside of the control room would be considered acceptable if suitably justified.
4.
The system (s) shall be capable of bringing the reactor to a cold shutdown condition, with only offsite or onsite power available, within a reasonable period of time following shutdown, assuming the most limiting single failure."
Backorcund A " safety grade" system is defined, in the NUREG 0138 (Reference 1) discussion of issue #1, as one which is designed to seismic Category 1 (Regu*atory Guide 1.29), quality group C or better (Regulatory Guide 1.26),
and is operated by electrical instruments and controls that meet Institute of Electrical and Electronics Engineers Criteria for Nuclear Power Plant The Millstone Unit i nuclear power plant 4
l Protection Systems, (IEEE 279).
was constructed prior to the issuance of Regulatory Guides 1.26 and 1.29 (as safety Guides 26 and 29 on 03/23/72 and 06/07/72 respectively).
!jI Also Proposed IEEE 279, dated August 30, 1968, was issued late in the construction chase of the facility.
General Design Criterion 1 requires that these systems be cesigned, 4
fabricated, erected and tested to quality standards, that a quality assurance (QA) program be implemented to assure that these systems perform their safety functions anc that an acpropriate recorc of design, fabrication, erection and testing be kept. At the time that Millstone 1 was licensed, the NRC (then AEC) critaria for QA were under development.
b
- 30 Since that time, various QA related regulations and c iteria have been instituted by the NRC, and the QA program for operation of the plant was approved by the staff on Novemoer 5, 1976.
The plant Technical Specific tions and QA program require appropriate QA racords to be kept.
I i
General Design Criterion 2 requires that structures and equipment important to safety be designed to withstand the effects of natural phenomena without less of capability to perform their safety function.
il The Staff SER (Reference 2) addressed the design of the Millstone Unit 1 ii nuclear power plant with respect to natural phenomena.
In case of -
flooding caused by a hurricane, the Staff stated that "the plant can be shutdown and maintained in a safe condition since the critical equipment i
required for such action is protected to at least 25 ft. mean sea level" and the maximum flood height postulated by the Staff was 20.7 ft. mean sea level.
t l
ll ll The licensee's seismic design bases specify that for ground accelerations 1
of 0.17g, there will be no loss of function of critical structures and I
components necessary to ensure a safe End orderly shutdown.
The Staff, j!
in the SER, agreed that the accelerr.tions were approcriate and these l
conclusions were correct.
I t
t :
'i
'l 9
. e p-
=,
- =,em L
31 The Staff SER also states that "the design of Unit 1 is adequate to assure safe plant shutdo'<n considering the effects of wind loadings and potential missiles."
These conclusions will be reviewed as part of the SEP, General Design Criterion 3 requires that structures, systems a.,d components important to safety be deutgned and located to minimize the i
effects of fires and explosions.
The Staff has comp!eted an evaluation of the fire safety requirements of the Millstone Unit 1 nuclear power plant.
The results of this evaluation are given in Reference 3.
General Design Criterion 4 requires that equipment important to safety be designed to withstand the effects of envirormental corditions for normal operation, maintenance, testing and accidents.
Equipment should also be l
protected against dynamic effects such as internal and external missiles, pipe whip and fluid impingement.
The SEP will evaluate the extent to anich Millstone Unit I conforms to GOC 4 wnen reviewing topics III-12 " Environmental Qualification c/ Safety Related Ecuipment,' III-5. A " Effects of Pipe Breaks Inside Containment,"
III-5.3 " Pipe Breaks Outside Containment," and III-A " Missile Generation and Protection."
g'
.?
l
32 General Design Criterion 5 relates to the sharing of structures, systems and components important to nuclear safety among nuclear units.
Millstone Unit 1 and Millstone Unit 2 (a PWR) are both presently in operation at he same site.
Several systems are common to both Unit I and Unit 2.
Among those systems, the following are important for safe shutdown and cooldown of Unit 1:
(1) As mentioned in Section 3, Millstone Unit ' has 100% bypass capability and is automatically separated from the power grid upon loss of two out of three 345 kv transmission lines if the only line remaining in service is the 348 Millstone /Southington line and station cutout is greater than 1200 %.* This provides an outlet for the generated power of Unit 2.
(2) The fire water system includes two 250,000 gallon tanks. These tanks are common to both Unit 1 and Unit 2.
(
[
(3) One of tne two electrically powered fire cumps is powered from i
Unit 2.
The sharing of systems between the two nuclear units at '.he Millstone site will be reviewec as cart of SEP Tooic VI-10.3 " Shared Engineered Safety Features. On Site Emergency Power anc 5ervice Systems for Multiple Unit Facilities."
i
~
m
33 The BTP RSB S-1 functional requirements focus on the safety grade systems that ca'n be used to take the reactor frcm operating conditions to cold shutdown. The staff and licensee developed a " minimum list" of systems necessary to perforns this task. Although other systems may be used to perform shutdown and cooldown functions, the following list is the minimum number of systems required to fulfill' the BTP RSB 5-1 criteria:
1.
Reactor Control and Protection System 2.
Six Electropneumatic Relief Valves (3 of which constitute the Automatic Pressure Relief System of the ECCS) 3.
FeedwaterCoolantInjectionSystem 4.
Service Water System (for diesel generator cooling) 5.
!.aw Pressure Coolant Injection / Containment Spray System 6.
Emergency Service Water System (fo'r containment cooling) 7.
Instrumentation for shutdown and cooldown*
8.
Emergency Power (AC and DC) and control power for the above systems and ecuipment.
In addition to these systems, other systems may function as backup for the above systems and components. The preceding discussion in Section 3 described botn these systems and the systems wnich may function as backup.
Table 4.1 lists the minimum safe snutdown systems for the Millstone Unit 1 Nuclear Power Plant along with a comparison of present Safe shutdown instruments are identifiec 1 Table 4.2.
J 34 criteria with the criteria to which these. components and subsystems were designed. Table 4.3 provides safe shutdown _ system power supply and f'h location information.
The functional requirement to achieve cold if shutdown conditions within a reasonable period of time is evaluated in
- l li Aopendix A.
4.1 Functional Recuirements The Reactor Control and Protection System (RCPS) is designed on a channelized basis to provide physical and electrical isolation between redundant reactor trip channels.
Each channel is functionally indepen-dent of every other channel and receives power from two independent sources.
The power source for the RCPS is the instrument buses which can receive power from either onsite or offsite sources.
The RCPS fails safe l
(tripped) on loss of pcwer.
The system can be manusily tripped both from i
I the control room and from other locations outside the control room. The l
RCPS is cesigned so that a single failure will not prevent a reactor trip.
Initiation of a reactor trip causes the insertion of sufficient reactor cont ol rods to make the core subcritical from any credible coerating condition assuming the most reactive control rod remains in the fully withdrawn position.
l The design of the RCPS, as well as safe snutdown related electrical control and power systems will be-evaluated later in the SE7.
L i
P
s 35 d
The normal shutdown systems (and backup systems) have been reviewed in Section 3.
The isolation condenser would normally be relied upon for cooling from full power conditions upon loss of the main condenser which is not available upon loss of offsite power.
The isolation condenser is capable of cooling the reactor to near cold shutdown conditions.
If the pressure is reduced to the actuation pressure of the LPCI or core spray systems by the FWCI or Automatic Pressure Relief Systems, either of these systems could be manually initiated and would take the reactor to cold shutdown conditions.
- Thus, even if the shutdown cooling system at Millstone Unit I were inoperable, the reactor can be taken to cold shutdown conditions using the Emergency Core Cooling System (ECCS).*
4.3 RHR System Isolation Recuirements The RHP system shall satisfy the isolation requirements listed below.
i!
l j
1.
The following shall be provided in the suction side of the RHR system to isolate it from the RCS.
l (a)
Isolation shall be provided by at least two power-operated i
valves in series.
The valve positions shall be indicated in the control rocm.
l l
aThe staff is continuing to evaluata the ability of the electrooneumatic relief valves to function without the plant air systems for extended periods of time.
lI l
i 36 i
(b) The valves shall have independent diverse interlocks to prevent the valves from being opened unless the RCS pressure is below the RHR system design pressure.
Failure of a power supply shall not cause any valve to change position.
(c) The valves shall have independent diverse interlocks to protect against one or both valves being open during an RCS increase above the design pressure of the RHR system.
The purpose of these requirements is to provide assurance that a low pressure shutdown cooling system will not be exposed, either through a single operator error or failure of a single valve to a pressure greater than design pressure. Mcwever, the Millstone Unit 1 Shutdown Coolin'g System is designed for reactor coolant system design pressure, 1250 psig.
The design temperature is 350*F, which is lower than the reactor coolant l
system design temperature (57F F).
It is likely that the SCS could.
withstand the design pressure at the higher tempe'rature on a one time basis. As pointed out in Section 3, multiple failures of valves (all of which are normally shut) and interlocks would be necessary in order for this situation to exist.
Section 3 described the interlock on the RHR system which prevents opening of the suction and discharge valves on the SCS if the reactor coolant temoerature in either coolant recirculation loop is greater than 350 F.
The valves are motor operated and would fail in their "as-is" i
condition (wnich would be closed unless the SCS aere in operation).
Additionally, the pumps will trip, stopping flow and exposure to temperature, should coolant temperature increase to 350 F.
l i
\\
37
- l Thus, the Hillstone Unit 1 SCS meets the present criteria for SCS system isolation.
2.
One of the following shall be provided on the discharge side of the RHR system to isolate it from the RCS:
(a)
The valve *, position indicators, and interlocks described in item 1 (a)-(c).
(b) One or more check valves in series with a normally closed power-ccerated valve.
The power-operated valve position shall be inoicated in the control room.
If the RHR system discharge line is used for an ECCS function the power-operated valve is to be opened upon receipt of a safety injection signal once the reactor coolant pressure has decreased below the ECCS design pressure.
(c) Three check valves in series, or (d) Two check valves in series, provided that there are design provisions to permit periodic testing of the check valves for leak tightness and the testing is performed at least annually.
The Millstone Unit 1 SCS has two motor operated valves, one AC (inside containment), one 00 (outside cont;inment on each leg) which meet the requirements of 2.(a).
i 4.3 Pressure Relief Recuirements 1
l The RHR system shall satisfy the presure relief requirements listed beicw.
1.
To protect tne RHP system against accidental overpressuri:ation when it is in operation (not isolated from the RCS), pressure relief in I
38 the RHR system shall be provided with relieving capacity in accordance with the ASME Boiler and Pressure Vessel Code.
The most limiting pressure transient during the plant arating condition m
when the RHR system is not isolated from the RCS shall be considered when selecting the pressure relieving capacity of the RHR system.
For example, during sbetdown cooling in a PWR with no steam bubble in the pressurizer, inadvertent operation of an additional charging i advertent opening of an ECCS accumulator valve should be pump or n
considered in selection of the design bases.
2.
Fluid disenarged through the RHR system pressure relief valves must be collected and contained such that a stuck open relief valve will not:
a.
Result in flooding of any safety-related equipment.
b.
Reduce the capability of the ECCS below that needed tu mitigate the consequences of a postulated LOCA.
e c.
Result in a non-isolatable situation in which the water provided to the RCS to.t,4intain the core in a safe condition is discharged outside of the containment.
3.
If interlocks are provided to autu.natically close the isolation valves when the RCS pressure exceeds the RHR system design pressure, adequate relief capacity shall be provided during the time period while the valves are closing.
The Shutdown Cooling System at Millstone Unit 1 is independent of the r.ca.
iherefore, a failure of the Shutdown Cooling System would not
'I affect the ECCS.
Since the Shutdown Cooling System is designed for ll reactor design pressure, the reactor safety / relief valves could protect s
the Shutdown Cooling System as well as the reactor vessel from a pressure transient.
4.4 Fumo Protection Recuirements l
l l
The design and operating procedures of any RHR system shall have provisions to prevent damage to the RHR system pumps due to overneating, cavitation or loss of acequate pump suction fluid.
l i
r a'
a
--m r
t 39 The SCS pumps are provided with bypass lines which return the pump discharge flow to the pump suction. Thus, even if the downstream valve were closed while the pump was running, the pump would be protected frcm overheating.
t Cavitation protection is provided by the interlock which trips the pump (and prevents its starting) if the suction pressure falls below 4 psig.
A temperature interlock also protects the pump from overheating by tripping the pump if the temperature is greater than or equal to 350 F.
4.5 Test Recuirements The isolation valve operability and interlock circuits must be designed so as to permit' on line testing #.en operating in the RHR mode.
Testa-bility shall meet requirements of IEEE Standard 338 and Regulatory
/
Guide 1.22.
This is discussed in Section 5 of this report.
The preoperational and initial startup test program shall be in conformance with Regulatory Guide 1.68.
The programs for PWRs snali include tests with supporting analysis to (a) confirm that adequate mixing of borated water added prior to or during cooldown can be achieved l
under natural circulation conditions and pernit estimation of the times l
required to achieve such mixing, and (b) confirm that the cooldown under l
natural circulation conditions can be achieved within the limits speci-i fied in the emergency operating procedures.
Comparison with performance li of previously tested plants of similar design may be substituted for l
i these tests.
Regulatory Guide 1.58 was not in effect when Millstone Unit 1 was being designed and constructed; however, tne licensee committed to and per-j formed preoperational tests of the Shutdown Cooling System curing startup I
l of Millstone Unit I to confirm operability, and many uses have shown the system to be reliable for removing decay heat.
!l!
L T l'
a.
40 The licensee performs an annual calibration check of the temperature isolation interlocks of che Shutdown Cooling System.
4.6 Ooerational Procedures The operational procedures for bringing the plant f*cm normal operating power to cold shutdown snall be in conformance with Regulatory Guide 1.33.
For pressurized water reactors, the operational procedures shall fnclude specific procedures and informatica for cooldown under natural circulation conditions.
The licensee has procedures to perform safe shutdown operations incl'uding shutcown to hot standby, operation at hot standby, hot shutdown, opera-tion at hot shutdown and cold shutdown including long-tarm decay heat removal.
The licensee has also provided the operating etaff procedures covering off-normal and emergency conditions for reactor shutdown and decay heat removal under conditions of loss of system or parts of system functions normally needed for shutdown and cooling the core.
Procedures for operation of systems used in safely shutting down the reactor are also included in the piant operating procedures.
These procedures 19clude provisions identified in Regulatory Guide 1.33.
These procedures were reviewed and are in conformance with Regulatory Guide 1.33.
Certain operations were identified to the reviewers wnica constitute alternate ways and paths to achieve cocling water source alignment or heat sink alignment.
Scme of these methods are not included in their procecure system.
7 i
41 4.7 Auxiliary Feedwater Supply The seismic Category I water supply for the auxiliary feedwater system for a PWR shall have sufficient inventory to permit operation at not shutdown for at least 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, followed by cooldown to the conditions permitting operation of the RHR sfitem. The inventory needed for cooldown shall be based on the longest cooldown time needed with either only onsite or only offsite power available with an assumed single failure.
t Soiling Water Reactors such as Millstone 1 do not have an auxiliary feed system.
However, the cooling water inventory requirements for a safe shutdown of the facility, using the systems identified in Section 4.0, are evaluated in Appendix A.
i h
gy i
p =
v
~ ~ -
r vn-
r I Allt i 4.1 CI ASSlIICATION OF SAFE SilulDOWN SYSILMS Mit LSIONE I Quality Group Seismic P'lant ITlant Components /Sulisystems R.G.
1.26 Design R.G.
1.29 Design Remarks _,
Automatic Iressure fiellei $Flism Valves (3)
ASML 111 ASME 111 Category 1 Class 1 Class I Containment lorus ASML 111 ASME 111 Category 1 Class I Contains water supply Class 2 Class B for CS and LPCI systems leedwater Coolant ASML 111
?
Category 1 Class 11 Boundary of system 1
lii]ection System Class 2 provi; led in Reference 4.
N Condensate System ASHL 111
?
Category 1 Class !!
lhe piping in the condensate Class 2 and feed systems is Class 11 but has been sfiown to meet Class 1 equirements.
Main Condenser ASME 111
?
Category 1 Class 11 hotwells Class 2 IWCl Condern. ate ASHL 111
?
Category 1 Class 11 Class I requirements.
Iransfer Payss Class 2 Condensate Storage ASMf.-I l l
?
Category I Class 1 lank Class 2 Service Water System ASME Ill
?
Category 1 Class i Bourndary of system Class 3 provided in Reference 4.
t t
f i
I ABIE 4.1 (Cont.inued)
Quality Group Seismic Plant Plant Components / Subsystems R.G. 1.26 Design R.G. 1.29 Design Remarks low Pressure Coolant IEjec_ti 7Containmeint Sprays @ystem i
Ptaqis (4)
ASME 111 ASME 111 Category 1 Class 1 Class 2 Class C Piping and valves ASME 111 ASME 111 Category 1 Class I Class 2 Class C lleat excliangers (2) ASME 111 ASME 111 Category 1 Class I tube side Class 2 Class C shell siile ASME 111 ASME Vill Category 1 Class I 4
(LSW)
Class 3 lema Class R
fmergency Service Water System Pumps (4)
ASML 111
?
Category 1 Class I Class 3 i
Emergency Power Syste.)
Diesel generators N a.
Category I Class 1 DC Systems NA 4
g.-
I
-l 1 AllLE 4. I f Continueti) t I
Quality Group Seismic 3
Plant Plaint immponents/ Subsystems R.G.
1.26 llesign R.G. 1.29 llesign Remarks Gas turbine generator NA Category 1 Class I Iliesel Henerator mechanical Astu 111
?
Category 1 Class I auxiliaries Class 3 Instrumentation aiul NA Category 1 Class I Controf$ystens N
4 e
4
[
d
. z _.
4 l Alllt 4.2 LISI Of SAFE SilulDOWN INSlRUMENIS Component / System instriunem3 Instrument location References Reactor Recirculation Reactor Vessel level LI Contaisument System (LI and L1 263-112, 263-61)
Ll Control Room Reactor Vessel Wit e Range PI Contaisument i
Pressure (PI and PI 267A, 2675)
Pl Control Room Pressure Suppression lorus temperature IE Reactor Build. Corner DWG. G-187476 System (torus)
Room (-26')
(lL 1546 f.&B, 1R 1540-5)
IR Control Room lmergency Service ESW iIow IT Reactor BuiId. Corner DWG. G-187476 Water System Rooms (-26')
4*
(IT 1542 A&ll, RI 1540-1A&lB) fl Control Room Low Pressure Coolant LPCI flow fl Reactor Build. Corner DWG. G-187476 Injection / Containment Rooms (-26')
Spray System (Il 1549 A&B, IR 1540-7)
IR Control Room I cedwater Coolant IWCl Pressure PI lurbine Build.
DWG. G-187482 injection System (Pl&PH 2-27 & 2-28)
PI Control Room Condenser llotwell Level LI Turtaine Build.
(LI 2-1 & 2-2, IRC 2-1) tRC Control Room Condensate Storage Tank LI DWG. G-187487 tevel (LI & Lt 7-50)
Ll Control Room Diesel Generator Generator output Control I.ow voltage and current Gas lurtaine Generator Generator output Control Room voltage and current
M se 4
c 8
n 4
e 7
r 8
e 1
f e
G R
G W
D n
o i
t m
a o
c u
o S
.m m
m l
o o
o t
nu o
o n
eH R
H e
G m
l l
l u
l o o
o r
er r
r e
t st t
t s
en n
n o
o o
n i
I DC C
C L
)
PP deun i
t no C
/
(
n6 n
2 r
o o
4 o
i,
i t
t5 t
E a
a a) cA L
r c,
e i4) i1 l
lA r
d A
d J
e n
,2 n&
t g
)
i 3 i
n mF 1
e l r5 d
,2 d
m ea-e1 es u
sl 4 z
s ze r
ea i se i s t
i L
ges gu s
dea rsu rB n
rP euB e
ou nB nV I
t s&
e V
e s
V 5
S eS sK0 s2 WrP u48 u1 S p(
B(4 i(
l m
e r
r yt b
y w
w s
e e
s S
o o
y P
P S
r
/
e C
C t
t A
D n
a e
W y
y n
c c
o e
n u
p c
e e
g g
m i
o v
r r
C r
e e
e m
m S
I
(
ii I!
I
.-_._w-..~..----
- - w ----- -
- - ~ ~ -
=~~~~
I Allll 4.3 SAll SiltilDOWN SYSilMs POWl1R_ SUPPLY AND 10CA110N C aponent/ System Power Supply IocaLion Automatic Pressure Air operatcd in drywell (approx. 80')
Reliet valves 125 VOC Air Control solenoids leedwater Coolant lajection j
System t
leed pumps IA, Ill, IC IA, 1B - 4KV Bus #1 (14A) lurbine Build. (14')
i IC - 4KV Bus #2 (143) condensate pumps IA, IB - 4KV Bus #3 (14C)
Turbine lluild. (14')
1A, lil, IC 4"
condensate booster pumps IA, IB - 4KV llus #3 (14C) lurbine lluild. (14')
l A, 111, IC IC - 4KV llus #4 (14D)
IWCl condensate tratister 4KV llus #3 (14C)
Reactor Build. Corner l
pump Room (-8') NW I
i Condensate Storage lank In yard, east of Reactor Build.
f
.]
4 low Pressure Coolarit Injection / Containment Spray System pumps I A, Ill, IC, ID IA & IC 4KV Bus #6'(14F)
IB &lD 4KV Ilus #5 (14E)
Reactor fluild. Corner Room (-26') NE heat ext:liangers Reactor Build. Corr.er Room (-26') SW
ym
)
)
)
)
)
)
e g
'6
'6
'6
'6
'6
'6 d
n 3
3 3
3 3
i i
(
(
(
(
(
3 s
d
(
el n
o dE ni d
d d
d d
d u
l l
l l
l l
e e
lS i
i bB i i i i i i t
s s
i a
u u
u) r u
u u
u u
u o
ur B
B B
B B
l c
o l
B '4 l
o T o l
l l
L e1 t
e e
e e
e e
n n
n(
.a n
n n
n n
n gr e
e i i i i i i i
e e
b re b
b b
b b
b
, r r
r en r
r r
r r
r c
c u
me u
u u
u u
u S
S l
EG l
l T
T l
l r
r e
e 46 w
w
)
o o
8 4
d P
P 3
e ss u
uu e
e s
l l r
t t
s u
n ii i i u
B i
))
e t
fE VV w
s s
B n
44 KK l
t I
f V
o 11 44 e
P f
f V
K C
((
s o
O K
4
(
y re r
e 4
l 65 ei e
t r
r r
i o
o r
o 3
p BD wd w
p II o(
o s
r o
4 u
ss P
)
P f
e ^
^
^
w 7
7 r
r As S
uu f
l 2 e l
O o
o o
E BB 35 o
P t
t L
r o
i a
a e
VV r& r r
r l
w KK ss t
a t
o e
5 6
r r
l A
1 o
44 uu dn2i an t
e e
eo
/ i n
n P
BB eo l
tCsi tC 4
s s
s e
e VV r
ux r
f e
e G
G r
CD KK aCBu aC s
f s
s e
II 44 tD a
tD u
O u
u l
l w
sVV sV B
B B
e e
o s
s p
r50 r5 V
V V
e e
i i e
K K
1I 1I A14 A1 4
4 4
D D
t is I
fo ro ss 0
D o
1 I
l C
C r
g i
m I
o i
I e
t i
a r
t em s
8 r
u 1
m ce 1
y 1
r e
d 1
e it S
o n
t e
e t
vs s
ry A r
A a
G 1
2 3
4 5
6 c
y eS I
e I
r r
S S
t e
e u
/
r s
a s
n n
os t
ye p
W p
e i
n ct m
m G
b i
e na i
e u
r s
s s
s s
s l
n eW p
c p
l u
lu u
u u
u u
am l
l l
l l
e l
l l
l l
i i
o g
i r
p r
v s
m e
r e
s V
V V
V V
V o
a K
K K
K K
K N
o m
e i
C E
D G
4 4
4 4
4 4
4 i{
jj l
n.-
IABLE 4.3 (Continued)
Coinponent/Sys tein Power Supply Location 4KV lius
.#/
Gas furbine Generator or Of fsite Power Turbine Build. (36')
(23KV line) 480V Bus
- 2 4KV Bus #5 (14E) 480V Bus #2A 4KV Bus #6 (14f) 125V Balleries 1 & 1A Battery Reum (36', lurbine Building)
O 4
e
I 50 5.0 RESOLUTION OF SEP TOPICS l
The SEP topics associated with safe shutdown have been identified in the INTRODUCTION to this assessment.
The fallowing is a discussien of how Millstone Unit No.1 (Millstone 1) meets the safety objectives of these topics.
5.1 Tooic V-10.8 RHR System Reliability The safety objective for this topic is to ensure reliable plant cooldown capability using safety grade equipment subject to the guidelines of SRP 5.4.7 and STP RSB 5-1.
The Millstone 1 systems bave been compared with these criteria, and the results of these comparisons are discussed in Section 4.0 of this assessment. Based on these discussions, we have l
concluded that the Millstone I systems fulfill the topic safety objective i
j w':h the following comments:
l i 1.
The Shutdown Cooling System and isolatio.i concenser are not considered to be safety grade systems. However, the ECCS systems, l
including FWCI, ADS, LPCI, and Core Spray, can be utilized to effect l
L reactor cooldown.
2.
Comoonent redundancy and single-failure proof requirements are not l
l met in the case of the shutdoe cooling system, in that failure of the AC powered suction valve inside contair.r.ont would result in loss of the system.
However, the ECCS systems would still be available.
i 1
I'
- 51 3.
Component redundancy (and single-failure proof) requirements are also not met in the case of the isolation condenser.
The single supply (steam) and return (condensate) lines each include an AC powered isolation valve which is inside containment.
Failure of these valves in the closed position would result in system inopera-bility. However, these valves are normally open and fail open on loss of electrical power.
As noted in Section 3, it would take i
simultaneous spurious isolation of the condenser and loss of the I
l power supply to create any problem. Additionally, even if this highly-unlikely scen6rio were to occur, the ECCS systems would still be availaole.
4.
No procedure exists to perform a shutdown and cooldown to cold conditions with the systems identified in Section 4.0.
The licensee will be required to develop such a procedure.
5.2 Tcoic V-11. A Reouirements for Isolation of High and Low Pressure Systems The safety objective of this topic is to assure that adequate measures are taken to protect low pressure systems connected to the primary system from being subjected to excessive pressure wnici could cause failures and in some cases potentially cause a LOCA outside of containment. As noted in Section I, only tha shutdown cooling sys*em was examined.
The shutdown cooling system is designed for full reactor pressure but less than full reactor temperature.
Therefore, interlocks (with the exception
~..
+
e
-52 of the pump suction low pressure interlock) are based upon temperature considerations.
System operation cannot begin until temperature in both reactor coolant recirculation loops and at the pumps' suctions is less than 350 F (and pump suction pressure exceeds 4 psig).
This will enaule pump-start-permissive interlocks and allow the system to be started. Additionally, the pumps will trip, effectively isolating the system (a check valve on the system discharge prevents backflow) if temcerature should increase to 350*F when the system is in operation.
Because of the system's full pressure design and the incorporated interlocks (even though they are temperature-based)., we conside*r the-applicable requirements to have been met. Also, tnere are annual calibration requirements for these interlocks which we consider acceptable.
5.3 Tooic V-11.8 RHR Interlock Reouirements
- 1 The safety objective of this topic is imtical to that of Topic V-ll. A.
The staff conclusion regarding the Mill.. tone 1 interlocks, as discussed i
in Section 5.2, is that adequate interlocks exist.
- 5. 4 Taoic VII-3 Systems Recuired For Safe Shutdown r
The Safety cbjectives of this tooic are:
i
+
-l 53 1.
To assure the design adequacy of the safe shutdown system to (a) initiate automatically the operation of appropriate systems, including the reactivity control systems, such that specified acceptable fuel design limits are not exceeded as a result of anticipated coerational occurrences or postulated accidents, and (b) initiate the operation of systems and components required to bring the plant to a safe shutdown.
2.
To assure that the req'lired systems and equipment, including necessary instrumentation and cintrols to maintain the unit in a safe condition during hot shutdown are located at appropriate locations outside the control room and have a potential capability for subsequent coid shutdown of the reactor through the use of suitable procedures.
3.
To assure that only safety grade equipment is required for a plant to bring the reactor coolant system from a high pressure ccndition to a low pressure cooling condition.
Safety objective 1(a) will be resolved in the SEP Design Basis Event reviews.
These reviews will dstermine the acceptability of the plant response, including automatic' initiation of safe shutdown related systems, to various Design Basis Events, i.e., accidents and transients.
l l
54 Objective 1(c) relates to availability in the control room of the control and instrumentation systems needed to in:tiate the operation
~
of the safe shutdown systems and assures that the control and instrumentation systems in the control room are capable of following the plant shutdown from its initiation to its conclusion at cold shutdown conditions. The ability of Millstone-1 to fulfill objective 1(b) is discussed in the preceding sections of this report. Based on these discussions, we conclude that safety objective 1(b) is met by the safe shutdown system at Millstone 1 subject to the findings of related SEP Electrical, Instrumentation, I
and Control topic reviews.
i Safety objective 2 would require the capability to shutdown to both hot shutdown'anc sold shutdown conditions using systems, instrumen-tation, and controls located outside the control room. The Millstone 1 procedures include four directed at shutdown outside the t
'i control room, two of which assume that initial actions have been
'l taken inside the control room.
Two also assume failure of the isolation condenser.
The procedures provide tne steps to operate the necessary equipment to place the plant in a shutcown condition.
None of these include specific steps to proceed to cold shutdown conditions.
The licensee will be required to provide such procedures.
The adequacy of the safety grade classification of safe shutdown systems at Millstone Unit No. 1, to show conformance with safety j
~
i 55-
~
objective'3, will be' completed in part under-5EP Topic III-1,
[
" Classification of Structures,. Components, and Systems (Seismic and Quality)," and in part under the Design Basis Event reviews.
Table 4.1 of this report will be used as input to Topic.III-1.
i i
i e
i 4
i t
l!
1 i
I
'I
c
~$
56
6.0 REFERENCES
I 1.
Staff Discussion of Fifteen Technical Issues Listed in Attachment to i
{
November 3, 1976 Memorandum from Director, NRR to NRR Staff, NUREG 0138, November 1976.
i i.
I 2.
Letter'to Millstone from AEC Division of Reactor Licensing transmitting Safety Evaluation Report for Millstone Unit 1, March 13, 1976.
3.
Letter to W. G. Counsil, Northeast Nuclear Energy Company frem D. L. Ziemann, USNRC dated September 26, 1978.
4.
Northeast Utilities letter W. Council to 0. Ziemann, dated September 13, 1979 forwarding additional information on Millstone 1 Inservice Inspection and Testing Program.
I 1
l l
r s
i
APPENDIX A r
SAFE SHUTDOWN WATER RE0VIREMENTS Introduction Standard Review Plan (SRP) 5.4.7, " Residual Heat Removal (RHR) System" and Branch Technical Position (BTP) RSE 5-1, Rev. 1, " Design Requirements of the Residual Heat Removal System" are the current criteria used in the Systematic Evaluation Program (SEP) evaluation of systa.iis required for safe shutdown.
STP RSB 5-1 Section A.4 states that the safe shutdown systems shall be capable of oringing the reactor to a cold shutdown condition, with only 0,f fsite or onsite power available, within a reasonable period of time following shutdown, assuming the most limittag single failure.
BTP RSS 5-1 Section G, which applies specifically to the amount of auxiliary feed system (AFS) water of a pressurized water reactor available for steam generator feeding, requires the seismic Category I watar supply for the AFS to have sufficient inventory to permit operation at hot shutdown for at least four hours, followed by cooldown to the conditions permitting operation of the RHR system. The inventory needed for cooldown shall be based on the longest cooldown time needed with I
either only onsite or only offsite power available with an assumed single failure.
A reasonable period of time to acnieve cold shutdown conditions, as stated in SRP 5.4.7 Section III.5, is 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.
For a reactor plant cooldown, the transfer of heat from the plant to the environs is accomplished by using water as the heat transfer medium. Two maces of heat removal are available.
The first mode involves tne use Lf reactor plant heat to boil water with the resulting steam eented to the atmosphere. The water for this process is A-1 F
I typically demineralized, " pure" water stored onsite and, therefore, is available only in limited quantities.
The systems designed to use this type of heat removal process (boiloff) are the steam generator for a pressurized water reactor (PWR) or the emergency (isolation) condenser for a boiling water reactor (BWR).
.he second heat rem m mode involves the use of power operated relief valves to remove heat in the form of steam erergy directly from the reactor ccolant system.
Since it is not acceptr'21e to vent the reactor coolant system directly to the atomosphere following certain acci-l dents, the steam is cypically vented to the containment building from where it is removed by containment heat removal systems.
The containment heat removal systems are in turn cooled by a cooling water system which transfers the heat I
to an ultimate heat sink - usually a river, lake, or ocean. When using the blowdown mode, reactor coolant system makeup water must be continuously supplied to keep the reactor core covered with coolant as blowdown reduces the coolant inventory.
Systems employing the blewdown heat removal mode have been designed into or l
backfitted onto most SWRs.
The efficacy of the blowdown mode for PWRs has received increased staff attention since the Three Mile Island Unit 2 accident i
in March 1979.
Additional studies of the viability of this mode for NRs are in progress or planned.
Thic evaluation of cooling water requirements for safe shutdown (and cooldown) i is based on the use of the systems identified in the SEP Review of Safe Shutdown Systems which has been completed for each SEP facility. The Review of Safe Shutdown Systems used SRP 5.4.7 anc STP RSB 5-1 as a review basis.
It should be noted that the SEP Design Basis Events (DSE) reviews, which are A-2
currently in progress, may require the use of systems other than those which are evaluated in this' report for reactor plant shutcown and cca:down.
In those cases, the water requirements for safe shutdown will have to be evaluated using the assumptions of the DBE review.
DISCUSSION The requirement that a plant achieve cold shutdown conditions within approximately 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />, as profferred in BTP RSB 5-1 and SRP 5.4.7, is based mainly on the fact that the amount of onsite-stored water for the AFS of a PWR is limited, and it is desirable to be able to place the RHR system in opera-tion and transfer the plant heat to an ultimate heat sink prior to the exhaustion of the onsite-stored AFS water supply.
Remaining in a hot shutdown
~
condition, with reactor coolant system temperature and pressure in excess of RHR initiation limits, requires the continued expenditure of pure water via i
the boiloff mode to remove reactor core decay neat. A SWR relying on the emergency condenser system for ccoldown would also be susceptible to the potential exnaustion of onsite-stored pure water.
Should tae onsite-stored water succly at a plant be expended, the capacility
'i-usually exists to use raw water frcm a river, lake or ocean for examole, to I
l supply the boiloff systems.
Hcwever, use of raw water can lead to the degradation, through corrosicn, of the boiloff system materials, i.e., steam generator and emergency condenser tuces.
This degracation can cccur rapidly even if fresh water makeup is usec.
If seawater were used, cnloride stress corrosion cracking of the tubes could occur. ell within one neek.
If raw I
A-3 i
t
.. ~ _.-
fresh water were used, caustic stress corrosion cracking of tube materials could occur in less than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for both stainless steel and inconel tube materials through NaOH concentration.* A plant cooldown and depressurizatica would help reduce the rate of tube cracking by reducing the stresses in the tube materials. Also, the leakage rate of reactor coolant through potential cracks in the tubes would be reduced if the plant were io a cool, depressurized state.
The original design criteria for the SEP facilities did not require the ability to achieve cold shutcown conditions.
For these plants, and for the majority of cperating plants, safe shutdown was defined as hot shutdown.
i Therefore, the design of the systems used to achieve cold shutdown was determined by the reactor plant vendor and was not based on any safety concern. Our safe shutdown reviews have pointed out a difference in the vendor approach to system design for cold shutdown.
This difference is reflected in the Standard.Techn: cal Specification definition of cold shutdown.
For a ;WR, cold shutdown requires reactor coolant temperature to be 1212 degrees Fahrenheit.
For a PWR, cold shutdown requires reactor coolant temperature to be 1 200 degrees Fahrenheit. These differences in cold shutdown temperatures require the use of additional systems to cchieve cold shutdown for a PWR over and above the systems needed for a SWR. For example, a BWR could use an isolation condenser alone to reacn 212 degrees Fahrenheit (although the
<vanRooyen, Daniel and Martin W. Kendig, " Impure Water in Steam Generaters and l
IsclaLion Generators," BNL-NUREG-28147, Informal Report, June 1980.
l A-4 1*
m
approach to 212 degrees Fahrenheit would be asymptctic); but a PWR, in addition to the steam generators, must use an RHR and supper;ing systems to jat below 200 degrees Fahrenheit.
EVALUATION Table 1 provides plant specific data and assumptions used in the staff calculation of safe shutcown water requirements for the Millstone 1 nuclear plant.
Table 2 provides the results of the calculation. The systems used to conduct the cooldown are identified in Section a 0 of the SE? Safe Shutdown Report for Millstone 1.
The cooldown method employed is reactor system depressurization (and cooling) with the safety / relief valves.
Reactor system inventory is maintained by tne feedwater coolant injection (FWCI) system at high pressures until the low pressure cooling injection (LPCI) can supply l
flow.
(The contol rod drive hydraulic system could also be used to maintain reactor system inventory at high pressures, but no credit is taken for this system since it was n'st designed as a safety system.) The LPCI pumps can-inject water to the reactor system at a pressure of approximately 350 psig or less.
No credit is taken in this analysis for the reactor system c001down caused by the injection of cold water by the FWCI.
In this analysis, the F'aCI is assumed to be strictly a makeuo system to maintain reactor system coolant inventory.
l Reactor system temperature as a function of time during the coolcown is shown l
cn Figure 1.
After reactor trip, the plant is heating uo to the safety / relief valve setpoint (558*F) because the main condenser is no icnger available for l
A-5 l
w
9 heat removal (offsite power is lost). One of three relief valves in the-Automatic Pressure Relief System is capable of removing core dect.y heat a few seconds after reactor trip.
After one of the relief valves lift, the reactor system coolant inventory will begin to decrease, and a feedwater coolant injection (FdCI) pump is used to maintain reacP vessel level. The FWCI pump capacity (8000 gpm) is sufficent to maintain vessel level immediately after the reactor trip. The source of water for the F4CI pump is the Condensate Storage Tank (CST) which contains a minimum of 225,000 gal. (1,875,500 lb.) of water for FWCI use alone.
The relief valves discharge to the primary containment torus. The volume of water which is normally stored in the torus provides a heat sink for the energy removed from the reactor system by condensing the steam discharged from tne relief valves.
To cool the torus, the plant operator would use the containment heat removal systems:
LPCI and emergency service water (ESW).
l The ESW system transfers the reactor system heat to the ultimate heat sink.
When reactor system pressure is reduced to below 350 psig, the LPCI,,.. m can I
take over tne coolant injection function of the FWCI.
Since the L?CI system i
}
catdins its water from the torus, consumation of onsite pure w ster ceases, and I
long term reactor cold shutdown conditions would be maintained '2y the relief i
valves, LPCI, E5W and the crimary containment systems.
In the above describec cooldown, the single active failure that was postulated was the failure of one safety / relief valve out of the three availaole. The A-6
LPCI and ESW liave redundant trains and any single active failure would not prevent these systems from performing their functions.
If a failure of the FWCI pump power supply were assumed, the operator would be required to commence the cooldown immediately by opening tne relief valves to depressurize the reactor system sufficiently for LPCI system use. This would be done by manually starting the LPCI system and initiating the Automatic Pressure Relief (APR) system.
Based on our review of safe shutdown water requirements at Millstone 1, we have concluded that sufficient onsite-stored pure water exists to perform a plant cooldown in a reasonable period of time in accordance with BTP RSB 5-1.
However, as noted in Section 5.1 of the SER Review of Safe Shutdown Systems, the licensee must develop a procedure for shutdown and cooldown with the systems identified in Section 4.0 of that report.
i 1
t 1
A-7
I
(
TABLE 1 i i Plant: Millstone 1 Power (MW):
2011 I
l Nermal Operating Temp. ( F): 547
' i' Safety valve lift (psig):
1115 j
Initial secondary inventory (lbm):
NA 4
Secondary makeup sater temp. (*F): NA PJRV flew area (ft 2):
0.098 (one safety / relief valve)
Emerg Condenser total ht. xfer, coeff.:
NA i
Stored sensible heat (BTU / F):
fuel - 29000, metal - 224,000 water - 1,540,000 I
Pure water onsite (ibm):
1,876,500 (technical specification limit in the CST)
I Cooldown assumptions:
3 1.
At t=0 reactor trips.
2.
Cecay is in accordance with proposed ANS 5.1 (1973).
3.
Plant remains at not snutdcwn for four hrs. prior to cocicewn.
4 Relief valve mass ficw rate is in accordance with the Moody critical ficw model.
A-3 l
~,-
n,
i 1
TABLE 2 Plant: Millstone 1 Phase I (reactor trip to safety lift):
Time to safety valve lift (sec):
30 Ptase II (safety valve lift to cooldown start):
Time to boil secondary dry, assume no feedwater (min): NA Decay heat generated prior to cooldown start (BTV):
338E6 Feedwater expended prior to cooldown start (1bm):
257,400 lb (from the CST)
Phase III (cooldown):
(a APR valve)
Time (hrs)
Temcerature ( F)
Pressure (osia)
Decay heat generated (BTV) 4 558 1115 338E6' 4.5 401 249 368E6 l
5 365 162 396E6 6
331 104 45156 8
301 68 553E6 10 283 51 646E6 12 172 43 732E6 22 250 30 1098E6 24 248 29 1180E6 t
l l
l l
i l
A-9
I ct-v l
t i
I l
W l
i I
i e
i I
w C
m i
-e l
c:
I p
=e i
f
=-
nn
~
a-m I
e sea w<w O
C
~
w m
e
=
0 3
C
+
_e u
=
w
=
E W
e
=
c-
' m w
Gu oo a
=
=
C e
C.
4 O
C C
==
i i
e C
u O
m l
C h.
I f
e i
w I
I i
I i.
.c 8
8 8
8 8
e m
e n
~
( :,e %)
.+=
=.,p,,y...
- L s
. C:Ch.,.
w
.