ML19346A363
| ML19346A363 | |
| Person / Time | |
|---|---|
| Site: | Crane  |
| Issue date: | 06/12/1981 |
| From: | Adler R PENNSYLVANIA, COMMONWEALTH OF |
| To: | |
| References | |
| NUDOCS 8106190214 | |
| Download: ML19346A363 (22) | |
Text
i PA 6/12/81 hM' A
/
9 f /.'",. r X,'* /,s UNITED STATES OF RdERICA C
."L u j ]~j,Q g
e IUCLEAR REGL7.ATOIE CQMISSION
- .101937 m h me. THE AITIC SAFErl AND UCENSEU BOARD
,^'
OQ
'b h.
- N s M "*** ; f )
5 gr ;I O 7
}
In thd5 atter of
)
1981 > I ik POIITAN EDISON 00tfANY,
)
Docket Ib. 50-289 (Three Mile Island Nuclear
)
(Restart) y e
Statien, Unit Ib.1)
)
00tNFAL2H OF PESSSh.VANIA'S PEOPOSED FINDINGS T FACT AND 00tcUSIOE OF IAW ON FIANr EESIGN AND FDDIFICATION (SECOND SET)
VII. BOARD OLTSTION 6 171. The reliability and perfor::ance characteristics of the IIE-1 sergency feechater systs tere raised as issues in the August 9,1979 Order and Notice of Hearing. See Slio cp. at 3-5.
172. F.cergency fee &ater rmmhility ms also raised as a hearing issue in Board Question 6:
Is a loss of emergency feedwater follcwing a rain a.
feedwater transient an accident sich ::ust be protected against with safety-grade equipment? Would such an accident be caused or aggravated by a loss of non-nuclear instrumentation, such as occurred at Ocenee?
b.
In that respect is the emerge. icy fee &ater system 1
vulnerable to non-safety-grade syste failures and to opstor l
errers?
What has been the experience in other pcuer plants c.
with failures of safety-grade eergency fee &ater systec:s, if they have such systes in other pcar plants?
Q 8106190 MIc
1 d.
What operator action is required to operate in a l
feed-and-bleed code following a loss of ecergency feedwater?
e.
If the emergency faaA.=ter syscan were to fail, that assurance do we have that the system can be cooled by the feed-and-bleed node? 'Ihis is of parHmlar concern if the PCRV's and saferf valves have not been tested under tw-phase mixeres.
f.
Can the system be taken to cold shutdown with the feed-and-bleed cooling only? Are both high pressure injection OiPI) pucps required to dissipate the decay heat in the feed-and-bleed node? 'Ihe board would like an evaluation of the raliability of the feed-and-bleed system. Has there been any experience usig that systan?
g.
If there is a loss of steam in the secondary systen which results in failure of the turbine-driven feedwater pgs, will both notor-driven pt=:ps be required to sucply the requisite amount of feedwater? Does this meet the usual single-failure dteria sinr_a it appears that a redundant system requires multiple ccxnpanents to operate?
h.
Can the turbine-driven ptuos and valves be operated on Direct Current, or are they dependent upon the Alternating Current safee/ buses?
1.
Will the r=14=h414ty of the emergency fesowater syscan be greatly improved upcx1 conversion to safety-grade, and is it the Licensee's and Staff's position that the i= proven:ent is enough such that the feed-and-bleed back-up is not required?
j.
Will the short-term actions proposed i+ wee the i
reliability of the emergency fee &=ter systan to the point ubere restart can be pen:itted?
l 1
k.
Question 6 should be addressed with reference to Florida Power & Light Co. (St. Incie, Unit 2), AIAB-603 (July 30, 1980); i.e. whether loss of emergency fa=*.=cer is a design basis event rotwithstanding whether design criteria are met.
- 2. 2394-96.
173. Be emergency fem- (E W) syst e serves to provide a maans of primary reactor coolant syste heat reaval via the steam generators.
Capodanno, et al., ff. 2. 5642, at 3.
Keaten, et al., ff. 2. 16, 552, at 6.
174. Operation of a steam generator and the EN syste is necessary to bring the plant to cold shutdown. Keaten, et al., ff. 2. 16, 552, at 12. Licensee argues that the plant can r-in in a hot shutdown condition for " extended periods" without ccmprcatsing plant safety.
Keaten, et al., ff. E. 16, 552, at 8.
See also Wer=iel, et al., ff.
Te. 6035, at 6-7.
Yet the Staff also testifies that "it may be necessary to rely on the EEW system to remove decay heat for extended periods of time. " Wermiel and Currf, if. W. 16, 718, at 6.
175. D e preferred method of removing heat frce the primary system is througit the steam generators bar==e it is not necessary to open another reifaf path in the system. Tr. 4700 (Jones).
176. Maintenance of feedwater is necessary to maintain natural circulation. Otherwise, for small break IDCAs (smaller than.005 feet),
the systen will repressurize and acFvate the safety valves in order to provide heat reaval.
E. 4693-94 (Jones). According to Licensee's witness frcm 36W, "the steam generators or the relief valves, depending on whether or not you have feedwater, play the role of taking the energy aMai to the fluid by the core decay heat and getting it out of the t
I
Primary systs in order to keeo the syste pressure in scoe sort of balance." Tr. 4694 (Jones).
177. Se 'DE-1 amargescy fee &ater systs will not be fully safety grade prior to restart. B erefore, Licensee's witnesses testified that a postulated loss of emergency feedwater event must be protected against by the use of safety grade eqdpmant, so that plant safety limits are not exceeded. Capodanno, et al., ff. h. 5642, at 1-2.
Exanples of aspects of the 'IMI-l EEW systs that will not be safety grade at restart follow.
178. In order for the EEW systs to perferm its safety function, proper control of the regulator valves is necessary to control flow to the steam generators.
E. 5710 (Lanese). The regulator valves are currently controlled either nrually or by the IG, which is not safety grade.
Id_. at 5710-11.
179. The EFW systen may be disabled by operator errors.
W. 5738 (Capodanno). This can occur by canual valves being closed by the operator, controls in the control roan incorrectly being in a closed position, or circuit breakers for the motor-driven pumps incorrectly being racked out by an operator.
Id.
180. The instr ment air supply is not safety grade. t. 5734 (Capodarro).
181. Only power operated valves in the EFW systen have position indication in the control room.
- h. 5739 (cap ~1-mn).
182. The 'DfI-1 EFW system probaly will not be upgraded to fully safety grade until the first refcaling outage after restart.
W. 21, 1
161-62 (Silver, Jacobs).
183. Licensee's witnesses testified, however, that:
'Ihe 'IME-1 EEW system at restart will have redundancy, diversief and sufficient capacity to act as a water supply for reactor coolant system cooling under the normal single-failure assumptions applied to safety-grade systes.
Keaten, et al., ff. E. 16, 552, at 7.
184. 'Ihe Licensee originally took the position dat, at restart, the 'IME-1 EFW system would be safety grade for small-break loss of coolant =er h s and for loss of main feedwater events. Tr. 5780 t
(Ianese). 'Ihe Staff agreed with this assessment. Tr. 6200-01 (Wermiel).
185. Licensee's witness judged dat the likelihcod of a small break loss of ecolant accident ms higher than for a high erergy line break involving a guillotire rupture. Tr. 5781 (Iarase). For this reason, it is not as essential for the EP4 system to be envirorcentally qualified for high energy line breaks at restart as it is for the systen to be safety grade for s=all break IOCAs. M.
186. It is also i=portant for the EF4 system to be safety grade with respect to loss of main feedwater events. According to Licensee's testimony, the plant transient resulting in the "::est severa plant heatup" is loss of main feedwater. Capodanno, et al., ff. t. 5642, at 7.
187. Licensee's witness testified that the 'IMI-l emergency feedwater systen at the time of restart will meat "those applicable general design criteria for the loss of feeduater events and for the small break IDCA events in drich the systems m uld por * =117 be required." Tr. 5706-07 (Lanese). Wreover, even as designed at the time of the accident, the witness clafmad that the system was suitably ralinhle that a total loss of feedwater was not a design basis event. M.at5707.
188. Licensee's witness testified that, as a result of conventing the EIN system to safety grade for SBIDCAs and loss of main feedwater transiants, the reliability of the system would be " ope 4=4='."
'Iherafore, the ralinhility of the system will be improved sufficiently that it will not be necessary to rely on the feed-and-bleed mode of primary systes heat renoval.
- 2. 5786 (lanese).
189. 'Ihe Board finds acceptable this general approach of makir.g certain EIM improvemmes prior to restart, with a full safety grade upgrade scxnetime subsequent to restart. However, the Board also directs that the following M4c4 andes be r== died in order to provide reasonable assurance that 'IMI-l can be operated without endangering the health and safety of the public.
a.
Condensate Storage Tark Alarms 190. 'Ibe condensate storage tanks provide the water supply for the a::ergency feedwater system. Keaten, et al., ff. Tr. 16, 532, at 4.
'IMI-l technical specifications require 150,000 gallons of water in each condensata storage tank during reactor operation.
Id. at 10.
191. 'Ihm power supply to the existing condensate storage tank level W4a= tion is part of the non-nuclear instnznantation. 'Ibe Staff's witness did not know the prcbability of failure of that power supply.
W. 21,165 (Jacobs).
192. 'Ihe aucLstung 1sval (wHeators are also not poWared from redundant power supplies.
W. 21, 356 (Jacobs);* t. 17, 002-03 (Wermiel).
193. Based on raliability studies performed on various emergercy feedwater system designs, it was determined by the Staff that rad"ndant
'Ihe Restart SER (NUREG-0680) is incorrect in this respect.
W.
21, 356-57 (Jacobs,' ; see Staff Ex.1, at Cl-8.
i l f 1
level indication and control room alarm to wrn that there r%s a 20-minute supply of meer in the condensate storage tank should be provided price co restart. h Staff concluded that each tank should have its own level indication powered from separate redundant powr supplies and that the Licensee muld install the alam prior to restart.
Staff Ex. 1, at Cl-8.
See also, Wermiel and Curry, ff. Tr.16, 718, at 6.
194. Accordingly, the Licensee originally agreed to couply with a
this requirement prior to restart. Licensee Ex. 15, at 7.
195. In IUREG-0680 Supplanent 3, the Staff indicated that the Licensee had reported that these alar:ns will not be from independent power supplies prior to restart. h Staff reported that it will require independent power supplies for the alam in accordance with the schedule for implementation of Item II.E.1.1 in NUREG-0737, currently January 1, 1982. In the meantime, the Staff indicated that de instrument will alarm a loss of power and local level readings can be taken.
Staff Ex.
14, at 13.
196. In testimony, the Staff indicated that the condensate storage tank unter level alarm upgrade is long-tem primarily because of equipment delivery time. Tr.16, 833 (Wemiel).
197. h Board notes that Licensee's coumitment is not to install the alarms by January 1,1982, but to install the alams in accordance with tiin 10 REG-0737 schedule, which currently calls for a January 1, 1982 implemstation date. Since the I;UREG-0737 date is flexible, there is no assurance that the alams will be installed by January 1,1982.
Tr. 21,147 (Jacobs).
In fact, there is no firm delivery date for the
- L
necessary level transmitters.
_I_d_.at 21, 158. Raa14stically, the d
Staff's DE-1 project managers indicated that it is likely that the alamm will not be installad tmtil the first ran=14M outage after restart.
W. 21,161-62 (Silver, Jacobs).
198 H e Staff based the acceptability of deferring this item on the low probability of occurrence of loss of power to the existing almma prior to the IUREG-0737 implementation daad14ne.
Staff Ex. 14, at 13. Yet the Staff did not detemine a precise probabilief for this event.
- 2. 21, 159 (Jacobs).
He probabilief was judged only "in the subjective sense or relative sense."
- 2. 21, 160 (Jacobs).
- 199. 'Ihe Staff's second reason for permitting deferral of the new alarms is the amount of time available to take manual action. Staff Ex.
14, at 13. Yet the Staff's witness did not knew hcw much time would be needed to take the required local readings. Nor had the Staff analyzed the nature or reliabilief of the local level indicators.
- 2. 21, 353-59 (Silver).
200. Be Staff's original determination that 20 minutes is an acceptable time for operator action to transfer to alternate supplies if the primarf supply (condensate storage tanks) is depleted also was not based on firm criteria. Rather, this decision was based on "past experience and past kraaledge that most operator actices can be taken within time time period, so long as they are clearly defined.
I do not know that there is anything magic about the 20-minute number." Tr. 16, 768 (Wermiel).
201. Re condensate storage tank level indication is iqmumit to ensure the ralf abili y and proper functioning of the emergency feedwater t
l system for various transients. At the b@ ming of the transient it is
- l
important to know that sufficient water is available in tb4 condensate storage tank. Tr. 17, 002 (Curry). %e operator would also use the ccW=ta storage tank water level indication to hida den to switch to an alternate source for the emergency feedwater system. %e Staff witness stated that if a power supply failed, the operator has two '
indications, one on each tank, and since the tanks are rm=11_y connected through a ccamon suction, he should get divergent indication and check which is proper. Tr.16, 848, 850 Ge= del). However, as stated previously, since the condensate storage tank level transmitters are powered frcm the same bus, the operator would not be alerted of low tank level.
202. %e same Staff witness stated that at the time of restart, because there will not redundant level instrunencation, the operabilief of the e:cisting instru: station (no change) should be the subject of a limiting condition for operation. Bis is due to the fact that wi.th this instrtemt unavailable the operator cculd not verify that he was meeting his technical specification requiranent for water level nor could he determine when he needed to switch to an alternative water source. Tr. 16, 851-852 Germiel). %e Staff also testified that making the power supply for the condensate storage tank level instrunent frtm redundant vital buses would certainly dwwve the ra14ahility of the syste, although the witness did not believe that this would be a n.ajor contributor to the ra14=h414ty of the anergency feedwater systan.
Tr.17, 005-06 (Curry).
203. The Staff testified that, as an interim measure, it would be possible te power the existing alaans frca redundant power supplies.
He Staff has not, however, investigated the feasibility of this interim measure. Tr. 21, 357-58 (Jacobs).
l 204. The Board finds that the current configuration of a single power supply for both condensate storage tank level transmitters and 21mma is adequate for restart in tN short-tem. Iiowever, um require that the Staff certify to the Countssion that the loss of power alarm exists and win cnable de operator to decemine level locally in a sufficient period of time to re-m4r=te adequately with the control room and enable the agn siate corrective measures to be taken. The o-Staff shan verify that this contingency is adequitely covered by procedure. 'Ihe Staff's review shan include a deter =ination of the reliability of $e local level indicators proposed for use in this procedure.
205. Da existing configuration is acceptable for restart because of the short time period currently anticipated between projected restart and January 1,1982, and the fact that the Licensee is currently.
required to instan the safety grade system by January 1,1982. Fcaver, due to the uncertainties in the Staff's reascning for pemitting deferral of this requirement, it is not acceptable for compliance with this itan to extend beyond January 1,1982.
206. If the Licensee reports that the safety grade alam and level indication win not be installed by January 1,1982, thm the Board finds that the Staff shculd require that the existing level transmitter and associated indication and alam fmetions should be pc;
.d fmn iet, vital power supplies until the safety grade =44f4r=Hm can be made.
b.
Simultaneous Steam Generator Isolation 207. On loss of pressure in a steen generator to below 600 pomds,
for exacple due to a leak, the EN is designed to taminate flow to that steam generator autxatically. Tr. 5730 (Lmese). 'Ihis accident is within the design basis fo the plant. M.at5731.
208. There is reason to believe that such occurrences are of greater concern for BW reactors than for other manufacturers. According to the Staff's witness:
Because of the eller inventory of BW steam generators, dryout would occur cuch sooner if all feedwater wre lost than would occur under similar circi3Istances for a Westinghouse steam generator. This results in a more strdg ent response requirement for an aw414a7 feedwater system associated with a B W NSSS than one associated with a Westinghouse NSSS because significantly less ra14ance on cperator intervention to rectify syst e faults can be credited for the B W response than~the Westinghc:use response.
Wermiel and Curry, ff. Tr. 16, 718, at 41.
209. In fact, there is evidence that the steam generators at IMI-l muld dry out e:ctra::ely rapidly en a loss of feedwater. Acccrding to the Staff's witness, "the significance of the five minute reliability estimate is due to the unstable system condition induced by the dryout of the steam generators in BW plants if no feedwater is providad in this period." Wermiel and Curry, ff. Tr. 16, 718, at 33. 'Ihare is no assurance that manual initiation of EN could be accmplished in sufficient tie to prevent this occurrence.
210. Autzxnatic iniH=Hm of Em on low stasm generator level and on low differential pressure will not be installed prior to restart.
Tr. 5825 Ganese). At restart, the EN system will have cc auto-initiation signals: loss of main feedwater and loss of all 4 reactor coolant ptags. Tr. 582$ Ganese). Therefore, m==1 iniH= Hon of l
energen g feedwater may be required for certain transients. See Tr.
5709-10, 5723-24 (Ianese).
211. In cross-examination on Board Question 6 concecning emergency feedwater system reliability, the Licensee's witness testified that, if a transient occurs which requires manual initiation of emergeng fat = after both steam generators have steamed d:f, the stem generator ruptura detection system could isolate all feedwater flow to both steam generators. Tr. 5924 (Ianese).
212. A Staff witness testified that a similar problan occurred during an overcooling event at Crystal River which caused a depressurization of both steam generators. 'Ihis depressurization caused i both steam generators to be isolated from all feedwater by the stema generator rupture logic. On further cross-examiration, this witness believed that there are plans to address this problan at 'IMI-l' by the first refueling after restart. Tr.16, 922 (Powsome).
213. Re Licensee stated that the n:pture detection isolation signal can be bypassed in the control room to allow unisolation of the steam generator but that this contirgency needs to be ircluded in an energen g procedure. Tr. 5926 (Lanese).
214. The Board finds that, prior to restart, the NRC Staff should verify and certify to the Occmission that the 'IMI-l energeng procedures are adequate to msure that the operators can bypass the steam generator npture detection logic if the steam generators are 1.h ently Isolated due to depressurization. 2 e Staff should also certify that this procedure has been covered adequately in Licensee's operator training progran.
l 1 !
215. In addition, the Board finds that this short-term remedy alone is not sufficient to provide reasonable assurance the TMI-l can be operated in the long-term wittout endangering the health and safety of the public. Licensee is directed to develop a permanent solution to the steam generator bypass logic problan as soon as practicable. Ite Staff shall verify that the Licensee.has initiated this program prior to restart.
9 e
l 1
VIII. UCS 14 - (Pressurizer Ievel Instruments)
IX:S Contention 14 states:
The accident deconstrated that there are systems and ccx:ponents presently classified as non-safety-related which can have an adverse effect on the integrief of the core because they can directly or indirectly affect tecperature, pressure, flow and/or reactivief. This issue is discussed at length in Section 3.2, "Syste Design Requiraaents,"
or NUREG-0578, the TMI-2 Iassons Iearned Task Force Report (Short Term). The following quote frcxn page 18 of the report describes, the problem:
There is another perspective on tMs question provided by the IMI-2 accident.
At IMI-2, operational proble::s with the condensate purification system led to a loss of feedwater and initiated the sequence of events the eventually resulted in damage to the core. Several nonsafeef systems were used at various times in the mf.tigation of the accident in ways not considered in the safety analysis; for example, long-tenn maintenance of core flow and cooling with the steam generators and the reactor coolant pu::ps. The present classification system does not adequately recognize either of these kinds of effects that nonsafety system can have on the safeef of the plant. Thus, requirements for nonsafety systems may be needed to reduce the frecuency of occurrence of events that initiate or adversely affect transients and - W es, and other requirements tay be t=adad to inprove tM current capability for use of nonsaferf systems during transient or accident situations.
In its wcrrk in this area, the Task Force will include a more raalistic assessment of the interaction between operators and systems.
1he Staff proposes to study the problem further.
This is not a sufficiant answer. All systems and ccx:ponents which can either cause or aggravate an accident or can be called upon to mf.tigied as ate an accident I:ust be identified and classi.
cocpcoents important to saferf and required to meet all safety-grade design criteria.
Direct tastinony en this contention was presented by UCS,
~
Licensee, and the Staff.
218. h witness for UCS testi.fied that:
Other exacples of systems classified as non-safety tinich affected tha course of the
'IMI-2 accident are the pressurizer level instruments.. 2e failure of the pressuriner level instrunents required termi. nation of reactor coolant pucp operation. However, at M -1 the classificaticn remains unchanged.
As a result, although provisions have been made to supply onsite power to the pressurizer level instrunents, the design is such that a 3
single failure will result in loss of power to all three pressurizer level instrunents.
Pollard, ff. Tr. 8091, at 14-5.
D e Board is concerned with the fact that a single failure will result in loss of power to all three pressurizer level instnrunts.
~
219. Emergency power supply requirements for pressurizer 1evel instrumentation are contained in RammwndaHnn 2.1.1 of NCREG-0578:
Provide redundant emergency power for the i
minimm nuioer of pressurizer baaters required to =4nn4n natural circulation mndi ions in t
the event of loss of offsite power. Also provide emergency power to the control and motive pwer systems for the aower-operated relief valves and associated'alock valves and to the pressurizer level indication instrument channels.
NURED-0578, at 7.
Since F=mm=ndation 2.1.1 of WREG-0578 is a Category A requirement (Table B-1), couplimv
- with this item is anveeed by short-term order item 8 of the August 9,19,79 Order and Notice of Hearing.
220. h basis for requiring upgrading of the power supply for pressurizar level instrununtacion is set forth in EREG-0578, at 6:
Proper functioning of tiin pressurizer level instrunent is necessary to ~4nnin satisfactory pressure control for natural circulation using the pressurizer heater.
Bis position is anplified in the appendix to WREG-0578, at A-4:
2 ere is a need to have pressurizer level information when offsite power is not l
1. _ _.
avnf l able. De pressurizer level indication will be used in conjunction with the pressurizer heater to = 4nhin pressure control for the reactor coolant systan dL2 ring da natural circulation mode of operation.
221. Position 3.1.1 of NUREG-0578, at A-4, states:
1he pressurizar heater power supply shall provide the capability to supply, fr m ei &er the offsite power source or tm eergency power source (when offsite power is not available),
a predetermined nmber of pressurizer heaters and== w f= tad controls necessary to establish and maintain natural circulation at hot stardby condition. Da required heater and their controls shall be connected to de arargency buses in a runner that will or#de redundant power sucoly cacacility. (et:phasis acded) 222. Accordingly, Licensee agreed to provide a redundant onsite power supply to the pressurizer heaters:
Le design provides the capability to realign one of the heater banks to de RRD onsite emergency power systan and another bank to the-redundant and indeoendent GRER onsite energency power supply." 21s would accccedate the single failure of an ansite er.ergency power supply"and maintain system functicual capability.
Staff Ex.1, at CS-7.
223. Despite the stated linkage between tM requirenent for upgrading power supplies to the pressurizer heater and to the pressurizer level iMireim, the Staff appears to be treating these two requirements differently. Position 3.2.4 of NUREG-0578, at A-5, states:
"24 pressurizer level indication instrument channels shall be powered frcxn the vital inetrument buses. Esse buses shall have the capability of being supplied from either the offsite power source or the emergency power source when offsite power is not available." Here is no requiranent for redundant onsite power supplies as there is for the pressurizar heater even thous;h the level instrtxnents are required in conjunction with the heater to =4nt =4n pressure control during natural circulation.
224. In contrast to the pressurizer heats, therefore, the pressurizer level instrumentation will not be powered from radundant onsite power sources. Licensee's Restart Report states: "The present plant design is such that emergency diesel generator power will be suppli-1 to the pressurizer level instrument pcwer supplier upon loss of offsite power. The pressurizer level insertroent power supolies are part of the ICS/tNI Systen and are powered from the 120 volt ICS/INI Power Distribution Panel ATA. That paral is, in turn, powered from the 120 volt Vital Distribution Panel VBA." Licensee Ex.1, at 2.1.7.C (Am 22).
Licensee's witness added that a total failm e of power to that system would result in the failure of all three pressurizer level instruments.
Tr. 7810 (Keaten).
225. Based on the fact tbt NUREG-0578 states that both pressurizer level and heaters are necesnc; to c:aintain pressure control during natural circulation, t% k.d res not understand the Staff position that the pressurizer her_ers ted to be puwered frcm redundant ensite power supplies but the pressurizer level instruments do not.
226. The PCRV and the PORV block valve are also includad in Reconnendation 2.1.1 of NUPEG-0578. Positions 3.21 and 2 of NUREG-0578, at A-5, state that notive and control components of the PCRV and block valve shall be capable of being supplied from either the offsite power source as the energency power source when offsite power is not available. This appears consistent with the requirement for pressurizer level instrtunents. However, clarification 2 states that, "the motive and control power for the block valve should be supplied frcxn an
1 energency bus different from that dich supplies the PORV." Staff Ex.
1, at C8-9. H e Staff's SER states the Licensee position as follows:
"the PGW is powered from the RED /YEUDR battery. 'Iha motor operated 1
block valve CRC-V3) is powered from Valve Control Center 1C which may be connected to either of the two onsite AC power sources.----If, however.
the PORV sticks open and the RED AC power source is disabled, Valve Control Center 1C c:n be transferred to the GREEN bus by means of a switch in the control room, allowing the block valve to be closed." M.
'Ihus, the function performed by the PORV and block valve can be powered from rad'
- c onsite power supplies. He IRC Staff agrees that this design is acceptable for meeting the requirement of clarification 2 for providing Nedant power to the PORV and block valve. M.atCS-10.
227. Re clarification and the method of meeting the Staff position for the PORV and block valve, $erefore, also appears to the Board to emeed the requirements for the pressurizer level instruaentation, although the original position appears to be based on similar concerns.
The Board believes that the pressurd2.er level instruments require equally stringent treacaant with respect to power supplies as da pressurizer heaters, and the PORV and PORV block valve.
228. Licensee's emergency procedure 1202-6B, states that high pressure injection should only be throttled if the saturation margin crie=dem is met and the action is necessary to prevent the pressurizer level from sping offscale high. UCS Ex. 6, at 8 (r=nHm Item B).
229. The Licensee's procedures were changed from the ord W position contained in IE Bulletin 79-05A, which allowed termination of i
high pressure injection if the HPI system was in operation for 20 ednutes and if the system is 50 degrees subcooled. Staff Ex. 1, at C2-10.
- l l
'Ihe current Staff position involves use of the pressurizer level insertxnent. 'Ihe Staff witmess stated that the pressurizer level instrm=nr is adequate to detWna whetkr the high pressure injection should be termirated, but not adequate by itself to determine whetMr the core is covered. However, the witness was not aware of whetbr the pressurizer level instrumentation at 'IMI-l was safety grade.
W. 6701-02 sJensen).
230. Licensee's witness stated that the B W operator g"4dal % es which have been developed to deter =ine whether the reactor vessel is full during venting operations rac-d using the pressurizer level instrument for this purpose.
E.10, 777-78 (Jones).
231. Furthermore, there does not appear to be any ralf ahle, unambiguous method for rapidly deternining pressurizer level if the pressurizer level instnzrantation fails. Licensee's witness stated that the operatoi could add makeup water to the systen so that eventually the pressuriner would go solid, ard that this condition muld be irdicated by a raoid rise in oressure on the safety grade reactor coolant pressure instrunent. Tr. 7857 (Keaten). 'Ihis method is neither rapid nor unambiguous. The Board found earlier in this opinion, with respect to methods of obtaining incore thermocouple readings, that iapertant safety parameters should be measured by raliable, redurdant, aixi unambiguous means. See findings 102-123, suora. (see escardally 1120).
232. In cross-examination by IIS, Licensee's witness conceded that the present arrangenent of a single power supply for all three pressurizer level instrunents is not desirable. 'Ihis determination was made in response to an incident at Crystal River 3, where the ICS/tNI bus was lost. In response to this incidant, Licensee is "mak1ng provisions for t
j,
alternate power supplies for some of the instnments which are presently powered from the ICS/?UI power supply systs, and the pressurizer level is on that list." Tr. 7649 (Kaaten). 'Ihe Licensee witness fu*
stated that the intent of the new modifications vill be that "if power from the ICS/tEI system is lost, that there will be nevertheless a pressurizer level signal which will be avnflable to the operator. Tr.
7810 (Keaten). He Licensee's witness further stated that the design was currently under development, but that he was not aware of the details.
Nor did he know what the schedule was for upgrading these power supplies.
Tr. 7650 (Kaaten).
In response to UCS cross-examiration, the Licensee's witness did agree that in order for the pressurizer level instn=entation systs to be single-failure proof, there would have to be an alterrative power supply for at least ene of the level instruments that is independent from power supplv ATA. Tr. 7857 0' eaten).
233. We Board finds that the pressurizer level instrucents need to be highly reliable. 'Ihis is due to the fact that they are necessary to maintain pressure centrol during natural circulation when using the pressurizer heater, and for certain emergency procedures. Rese instnamt: are of particular cencern because there is no readily available, unambiguous backup instrument to give the operator the necessary information.
I 234. He Board therefore directs that, prior to escalation above 5".
l power, the presM-level instrumentation shall be upgraded such that 1
power can be supplied frco redundant vital power supplies. He design should also assure that failure of the ICS/NNI power supply would not l
cause a loss of all pressurizer level instruments.
l l
~
l 't
i f...
235. 'Ihis requirement is necessary to provide reasonable assurance
'that 'IME-1 can be operated without endangering the health and safety of the :=alie.
Respectfully subnitted, r
t. ),: Qw-- t,3 1t l
, ~,
! L., ;&.
g
.'- [, : V. L.L w l, ;i ROBERT W. ADIZR
/
Attorney for tF4 C W th
4 UNTIED STRIES T AMERICA NUCEAR REGUIATORY 02MSSICN BEFORE THE AINIC SAFETI AND LICENSItU BCE In the Matter of
)
)
MEIROPOLITAN EDISON C0fANY,
)
)
Docket No. 50-289 CIhree Mlle Island tbclear
)
(Bestart)
Station, thit No.1)
)
utaal.CAIE & SERVICE I hereby certify that copies of the attacFad "Cocurxrmalth of Pennsylvania's Proposed Findings of Fact and Conclusions of Law on Plant Design and Modification (Second Set)" were served on the parties on the at*h service list, by deposit in the U.S. mail, first class postage prepaid, this 12th day of June, 1981.
m 1
/ -
(,/-
.Ei )d4v% e.6 V, Lic.tOQ l
ROBERT W. ADIZR
(
Attorney for the Ccm:cmealth i
l
..