ML20009A610
| ML20009A610 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 06/30/1981 |
| From: | Crutchfield D Office of Nuclear Reactor Regulation |
| To: | Counsil W NORTHEAST NUCLEAR ENERGY CO. |
| References | |
| TASK-07-02, TASK-7-2, TASK-RR LSO5-81-06-133, LSO5-81-6-133, NUDOCS 8107130370 | |
| Download: ML20009A610 (16) | |
Text
m
~
- ~. - r p.
g.
M Me '
<gpf e
'a h w
M June 30, 1981 Docket No. 50-245 LS05 06-133 yp 9
Jdj j) f "JUL ;o1931., g Mr. W. G. Counsil, Vice President Nuclear Engineering and Operations
M T m j Northeast Nuclear Energy Company Post Office Box 270 9
Hartford, Connecticut 06101 co y
Dear Mr. Counsil:
SUBJECT:
SEP TOPIC VII-2, ESF SYSTEM CONTROL LOGIC AND DESIGN MILLSTONE NUCLEAR POWER STATION UNIT 1 A copy of our contractor's draft evaluation of Systematic Evaluation Program Topic VII-2 is enclosed. This assessment compares your facility, as described in Docket No. 50-245, with the criteria currently used by the regulatory staff for licensing new facilities.
Please infom us if your as-built facility differs from the licensing basis assumed in our assessment within 30 days of receipt of this letter.
In addition to correcting any errors that may e: dst in our evaluation you are requested to provide responses to the enclosed request for additional information within this same 30 day period.
This evaluation will be a basic input to the staff's safety evaluation report for this topic for your facility unless you identify changes needed to reflect the as-built conditions at your facility. This topic assessment may be revised in the future if your facility design is changed or if NRC criteria relating to this topic are modified before the integrated assessment is completed.
Sincerely, a
l Dennis M. Crutchfield, Chie' Operating Reactors Branch 5
Division of Licensing i
Enclosure:
l As stated g'
i-8107130370 810630 cc w/ enclosure:
gDRADOCK 05000245 6
i gg gyh7)
See next page PDR n
SEP -
ORB #5:DL:PM OR D SA:DL SEPB:DLp omer) SEPB:DL iuma=> RSc k
RHermann WRussell JShea DCrotchfieli 'Gla nas b/y, 1,,
6h,h81 6g/8[
6/f[,/81f, 6/h81 6/hf81 om>
!suc rosu m no e nscu eno OFFCCIAL RECORD CDPV
- "" ' *8
- 3"
4 -
Mr. W. G. Counsil cc William H. Cuddy, Esquire Connecticut Energy Agency Day, Berry A. howard ATTN: Assistant Director Couns.elors at Law Research and Policy One Constitution Plaza Development Hartford, Connecticut 06103 Department of Planning and Energy Policy Natural Resources Defense Council 20 Grand Street 917 15th Street, N. W.
Hartford, Connecticut 06106 Washington, D. C.
20005 Director, Criteria and Standards Division Northeast Nuclear Energy Coapany Office of Radiation Programs ATTN: Superintendent (ANR-460)
Millstone Plant U. S. Environmental Protection P. O. Box '128 Agency Waterford, Connecticut 06385 Washington, D. C.
20460 Mr. James R. Himmelwright U. S. Environmental Protection Northeast Utilities Service Conpany Agency P. O. Box 270 Region I Office Hartford, Connecticut 06101 ATTN: EIS C0ORDINATOR JFK Federal Building Resident Inspector
' Boston, Massachusetts 02203 c/o V. S. NRC P. O. Box Drawer KK Niantic, Conne:ticut 06357 Waterford Public Library Rcpe Ferry Road, Route 156 Waterford, Connecticut 06385 First Selectman of the Town of ' Wat erf ord Hall of Records 200 Boston Post Road Waterford, Connecticut 06385 John F. Opeka Systets-Superintendent Northeast Utilities Service Corpany P. O. Box 270 Hartford, Connecticut 06101 6
m he o
0419J
.s
./
SEP TECHNICAL EVALUATION
'. TOPIC VII-2.
ESF SYSTEM CONTROL LOGIC AND DESIGN MILLSTONE I Docket No. 50-245 June 1981 D. J. Marken 6-18-81
e
. 1
~ CONTENTS 1.0. INTRODUCTION.......
1 2.0 CRITERIA........................................................
1 3.0 DISCUSSION AND EVALUATION.......................................
2
. 3.1 Gene-al...................................................
2.
3.2 Emergency. Core Cooling System.............................
3
-3.2.1
' Core Spray System.................................
3 3. 2. 2 -- Feedwater Coolant Injection System................
4 73.2.3
- Autcmatic Depressurization System.................
5 3.2.4 Low Pressure Coolant Injection System.............
6 3.3 Isolation Can' denser System................................
.7 3.4
- S tandby Liquid Control System.............................
8 3.5-Primary Containment Isolation System......................
9 4.0 SUMNARY.........................................................
9
5.0 REFERENCES
10 4
e a
w 4 e r.-
+,y
,..g
SEP TECHNICAL 'EVALVATI N TOPIC Vll-2 ESF SYSTEM CONTROL LOGIC Aku DESIGN MILLSTONE I
-i
./
.y
1.0 INTRODUCTION
ofs The objective of this review is to' determine if non-safety systems w1ich are electrically connected to the Engineered Safety Features (ESF)
~
~
are properly ieolated from the ESF and if the isolation devices or tech-niques osed meet current licensing criteria. The qualificaticn of safety-related equipment is not within the scope of this review.
Non-safety systems generally receive control signals frem ESF sensor c urrent loops. The non-safety circuits are required to have isolation devices to ensure electrical independence of the ESF channels. Operating experience has shown that some of the earlier isolation devices or arrange-ments at operating plants may not meet current licensing criteria.
2.0 CRITERIA General Design Criterion 22 (GDC 22), entitiec, " Protective System Independence," requires that:
The protection system shall be designed to assure that the effects of natural pheromena and of normal operating, main-tenance, testing, and postulated accident conoitions on redundant channels do not result in loss of the protectio'n function, or that they shall be demonstrated to be accep-table on some other defined bases. Design techniques, such as functional diversity or diversity in component design and principlesofoperation,shallbeusedtotheex}entpract-ical to pr event loss of the protection function.
General Design Criterion 24 (GDC 24), entitled, " Separation of Protection and Controi Systems," requires that:
1
~. -
The protection system shall bf. separated from control systems to the extent that failure of'any single control system component or channal,,or failure or removal from service of
- any single protection system component or channel which i common to the_ control and protection sys; ems, leaves intact a system-that satisfies all reliability, redund3ncy,.and independence requirements of the protection system.
Inter-
' connection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.2 lIEEE-Standard 279-1971, entitled, " Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2, states:
~ The transmission of signals from protection system equipment for control system use shall be through isolation devices which shall be classified as part of the protection system and.shall meet all the requirements of this document. No
' credible failure at the output of an isolation device shall s
prevent the associated protection systen channel from meeting the minimum performance requirements specified in the design 3
bases.
Examples of credible failures incluce short circuits, open circuits, grounds, and the application of the maximum cre-dible AC or DC. potential. A failure il an isolatien device ment in the protection system.5 as a f silure is evalaated in the same manne f ther equip-3.0 DISCUSSION AND EVALUATION
)
3.1 General. The Standard Review Plan, Section 7.1-III defines Engineered Safety Feature (ESF) systems as those functions which are required to function to mitigate the consequences of a postulated acci-l3 dent. Millstone 1 Provisional Operating License identifies the following as ESF systems:
i-l'.
Emergency Core Cooling System a.
b.
Feed Water Coolant Injection (FWCI) System c.
Automatit Pressure Relief (APR) System d.
Low Press ire Coolant Injection (LPCI) System e.
Containment Cooling System.
2 4
i j
1 --
s 2.
Isolation Condenser Systam '
3.
Standby Liquid Control System (SLCS) 4.
Primary Containment Isolation System f
3.2 Emergency Core Cooling y, -
- ,2.1 Core Spray System;.~.5 Discussion.
The core spray system 'provides coolant to the reactor core in the event of a loss of coolant accident. The system is composed of two, redundant coolant loops each with one core spray pump, piping and 'associ-ated valves.
Initiation of the core spray is from high dry well pressure relay signals from the LPCI bistable sensors PS 1501-90 A, B, C and D or by low-low reactor water level sensors LIS 263-72 A, B, C, and D and low reactor pressure monitored by bistable pressure sensors PS 263-52A, 54A, 52B and 54B. The sensors each drive relays the contacts of which are arranged in two logic channels with two subchannels per channel in a one-out-of-two-twice logic. Redundant relay contacts from these sensors will initiate startup of the diesel generator, the gas turbine generator and the core spray pumps in each loop. Valves for coolant flow are opened automatically when reactor pressure decreases to a preset level.
The pumps and thei-associated valves can be operated individually from manual control switches in the cgntrol room for override or testing purposes.
Use of relay logic in separate channels provides electrical isolation between channels of the core spray system and from other control and non-safety systems.
Valve position indication and annunciation is from position switches on the valves. Bypasses and test circuity are by contacts of manual switches inserted in cnd around the relay logic circuitry.
3
r Flow and pressure instrucentation for monitoring the' core spray is by transmitters and recorders independ nt of the control logic.
. Power for the system logic is 125 V DC. Channel 1 is fed from dis-tribution switchboard DC-llA-2 and Channel 2 from distribution switchboard DC-11A-1. Pumps and valves from loop 1 are powered by the diesel gener-ator bus 6 and for loop 2 by the gas turbine generator bus 5.
Isolation of power circuit from other systems on the same buses is by air circuit breaker. ' Each logic channel is separately fused for further protection and isolation.
Evaluation. The core soray system uses redundant channels with relay / switch logic which provides adequate isolation between channels and f rom other control and non-safety function. Power to the loops is from separate buses and isolated from other systems by circuit breaker and fuses.
3.2.2 Feed Water Coolant Injection System.6 Discussion. The FWCI system utilizes the existing feedwater pump system. Upon receipt of a low-low water level signal and loss of off site power one pumo string, manually selected, will start automatically receiv-ing power from the gas turbine generator.
Initiatior of FWCI is by elay contact frcm the core spray low-low water level or from high dry well pressure sensors.
Two bistable sensors LS-2-23 and 34, monitoring condenser low water level, and two contacts f rom the 4160 volt switch gear buses No. I and 3 are connected in series with
. the system initiation logic relays.
Power for the logic circuitry is from the 125 V DC distribution switchboard DC-II A-1 ckt No. 22. The logic is protected by circuit breaker and fuses.
Evaluation. Although the FWCI initiation logic is redundant, the series arrangment_of the condenser level switches and the breaker contacts as well as the single loop Select switch make i.t vulnerable to single 4
9
failures.
Isolation from other safety, control and non-safety systems is by relay and switch contacts, circuit breakers and f".es.
donitoring of systemsperformanceisbyinstrumentationseparStefromthalogic circuitry.
The logic system is isolated from control and non-safety systems.
P
.4 3.2.3 Automatic Depressurization System, Discussion.
The APR system pr.ovides automatic blowdown of reactor pressure upon sensing high drywell pressure or low-low reactor water level and discharge pressure from either'the core spray pumps or the LPCI pumps.
High drywell bistable pressure sensors PS 1620 A, B, C and D and low-low reactor water level relay contacts from the core spray system senso-Lis 263-72A, B, C and D ready the APR system.
Pump discharge pressure sensors PS 1462 A, B, C and D and 1501-72 A, B, C and D monitor the core spray and LPCI discharge pressures; contacts of relays actuated by thes'e sensors complete the APR initiation requirements.
i Contact from relays actuated by the above sensors are arranged into two channels in a one-out-of-two-twice logic to actuate the three relief valves. Manual override switches with contacts in the logic circuitry permit actuation of individual relief valves for testing.
Status indica-tion and annunciation is from relay contacts and isolated pres 5ure switches.
Primary power for the APR logic is from the 125 V DC distribution switchboard DC-ll A-2 ckt #21 with back-up power f rom distribution switch-board DC-IIA-1 ckt #25.
Energized relay logic transfers power to the backup bus on loss of primary power.
Circuit breakers isolate the power systems from other systems on the same buses.
The two logic circuits and the three relief valves are further protected by individualy fused circuits.
Evaluation.
Isolation of the APR systems from other safety, control und non-safety systems is by relay and switch contact.
The system's two channels are redundant and independent. Both channels and the three relief valves are fed from a common power source.
However, automatic transfer to 5
)
3 6
f an alternate power source and individual logic circuit fusing arovide adequate electrical-isolation in the system.
3.2.4 Low Pressure Coolant Injection Systems.8 Discussion. The LPCI system acts as a backup to the core spray system.
It can also be manually diverted to containment spray or suppression pool cooling.
Initiation of the LPCI system is from low-low reactor water level sensors LIS 263-72 A, B, C and D or high drywell pressure sensors 1501-90 A, B, C and D in conjunction with reactor low pressure monitored by pres-sure sensors PS 263-52A, 54A and PS 263-52B, 548. The sensors activate relays whose contacts are arranged into two channels operating in a one-out-
-of-two-twice logic. System initiation will start the diesel generator, gas turbine ~ generator, LPCI pumps 1502-A, B, and C in a timed start sequence, ready the valves for coolant injection and shut down the emergency service water pumps. Low LPCI pump discharge pressure from any pump will cause it to be automatically shut down and pump 1502-0 to start.
Delta pressure monitors DPIS 261-36A, 36B, 37A and 37B will sense a break in a coolant loop automatically closing the recirculation valves in
.the unbroken loop and open the LPCI injection valves to provide a path for
]
LPCI flow into the bottom of the reactor plenum, Two of the three operating pumps may be shut down when the water level in the reactor covers 2/3 of the core. Two emergency service water pumps are then manually started and the valves on the heat exchanger for the operating *DCI pump manually opened to extract heat from recirculating LPCI water. Reactor water level switches LIS 263-73 A and B measure water level in the core shroud and provide the permissive for manual valve realignment for containment cooling spray or suppression pool cooling.
Status irdiration and aununciation of the LPCI is by valve position switches and relay contacts. Separate flow and differential pressure transmitters provide input to the emergency service water valve modulator 6
.y- -.
9-
circuit as well as to recorders. Reluy, contacts from the valve modulator control system provide controller isolation from_the LPCI logic circuitry.
T Power for the LPCI control logic and the solenoid vaho, for Channel 1 is from distribution switchboard DC-llA2 ckt No. 23 and for Channel 2 is f rom DC-ll Al ekt. No. 25.
Each channel is isolated f rom other systems on thesamebusbyaircircuitbreakerandindividualline) fuses.
The 4 kV bus #6 feeds LPCI pumps 1502A and C and+eSergency service water pumps c
1501-65A and C.
4 kV bus #5 feeds,.LPCI-pumps 1502 8 and 0 and emergency service water pumps 1501-65 6 and"d.
Loop 1 valves are fed from MCC 2A-3 and loop 2 valves from MCC 2-3.
Evaluation.
LPCI control' logic consists of dedicated sensors, relays and switches.
Individual switches provide manual control for test'ing and override action. Separate relay contacts, manual switch contacts and valve position switches provide status indication and annunciation.
Separate pressure switenes 1501-74 A and B, 1501-76 A and B, and 1501-78 A and 8 monitor the status of head pressure, core flood flow and differential pres-sure of the service water tube outlet to shell inlet of the heat exchanger.
Each channel receives power from separate power buses with individual breakers. Logic channels and solenoid valves are further isolated by line fuses.
o 3.3 Isolation Condenser System.'
Discussion.
The isolation condenser operates to cool the reactor by natural circulation.
Two valves in series in the steam line are normally open.
Two valves in the condensate line to the reactor operate with the inboard valve normally open and the outboard valve normally closed.
Initiation of the isolation condenser is from high reactor pressure monitored by pressure switches PS 263-53 A, B, C and D or low-low reactor water level from relay contact 1530-103, 104, 203 and 204 from the LPCI system.
Flow in the steam and condensate lines is monitored for possible line breaks by delta pressure switches 1349 A, B and 1350 A, S.
Any one of i
7 l
a
these monitors will initiate closing of all valves in the isolation condenser loop upon detecting high flow.
The initiating sensors, with the exception of the delta pressure sen-
- sors, are' arranged into two logic channels in a one-out-of-two twice systems. The delta pressure sensors eperate in a one-out-of-two logic to
~
f initate isolation. Manual switches provide contact in the valve circuits to permit individual control of each valve for testing or override purposes.
System status indication and annunciation is from separate contacts of the actuating relays and valve position switches.
Separate c
instruments monitor the radiation levels at the isolation condenser vent ~
gg and the water level in the condenser.
Detection of high radiation will initiate closing the loop valves isolating the isolation condenser from the reactor.
Power for logic channel 1 is from the 125 V DC bus "A" and for Chan-nel 2 is from 125 V DC Sus "B".
Each is isolated from other systems by line' fuses. The outboard valves are DC actuated and the inboard valves are AC operated.
Each is isolated from other systems on the power buses by circuit breake. Available drawings and docket information'were not adequate ~te identify the specific power buses supplying these valves.
Evaluation. The isolation condenser logic is arranged in two redun-dant logic channels using relay and switch contact.
Separate switch con-tacts on the' valves supply valve status indication.
Isolation of logic channels frcm each other.and from control and non-safety functions is ade-quate.
Isolation of power sources to the valves could not be determined.
- 3.4 Standby Liquid Control System.10 1
Discussion.
The standby' liquid control system-is a manually operated backup system for reactor shutdown.
It consists of two, dual squib act-uated valves, two positive displacement pumps, a liquid storage tank and l
associat iping.
Initiation of the system is by manual switch 1130-301 employing separate contacts for each pump and squib circuit. Motor control contacts are installed to permit only one motor to start at a time; however, these have been jumpered out.
The pump and explosive valve circuit is s
8 4
m'.-.
, -... _ ~,,
... _,., ~
selected by switch position.
Local manual pushb'utton switches permit-test-ing each pump. LowcurrentelectricalmonitoriigcircuitOrovidespilot i
l light indication of squib circuit continuity.
Status indicators and annun-ciation are activated from separate relay-contacts in_ the: logic circuits.
Valve position is indicated by valve position switches'.
The liquid tank ~
level is monitored by a separate level transmitter. ' Ci i
,s
+-
Powe'r for the pumps and associated ' logic circuit is' f rom MCC 2A-1 for -
1-pump 1102A and from'MCC 2-1 for p4sp 11028.
Isolation of the pump circuits
~
from other' systems on the same buses is by air circuit breaker.
,~
Evaluation.
The actuation logic is~ arranged in two independent chan-nelspoweredbystep-downtraniformersfromthepumpmotorbuses.
Use of j
relay logic provides adequate isolation from c'ontrol and non-safety sys-tems.
Separate innrumen1.ation monitors liquid tank level and pump dis-4 charge pressure.
3.5 Primary Containment Isolation System.
II-I2 Discussion. Docket information describes the primary contain-ment isolation system in considerable detail.
It indicates the logic is a I-dual logic channel system, similar to the RPS system (ref. 11, par. 2.4),
that the sensors, circuitry and logic channels are no*; used in the control of any process system (ref.11, par. 5.7) and is tolerant of a* single f ail-i ure of any component in the system (ref.12, par. 3.2).
However, drawings I
of the containment isolation system were not providec as requested, making
_it impossible to perform a detailed evaluation of the circuit isolation as required in Section 2 of this report.
Evaluation. No evaluation was made for this system.
i.
4.0.
SUMMARY
l Based on current licensing criteria and review guidelines, the ESF
~
' systems comply with all current licensing criteria listed in Section 2'of this report except for the following:
9
_ _-.~.._._ _ _-_. _ -. - _,,
s l.
Isolation of the power sources to the isolation condenser valves
.could not be determined.
2.
Lack of drawings of the primary containment isolation system prevented detailed evaluation of this system.
i
5.0 REFERENCES
1.
General Design Criterion 22, " Protection System Independence," of Appendix A, " General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, " Domestic Licensing of Production and Utilization Facilities."
2.
General Design Criterion 24, " Separation of Protection and Control Systems," of Appendix A, " General Design Criteria of Nuclear Power Plants,"'10 CFR Part 50, " Domestic Licensing of Production and Utili-z ati,on Facilities."
3.
IEEE Standard 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations."
4.
Millstone Point Nuclear Power Station Unit 1.
Final Safety Analysis Report, Amendment 5, Vol. 1, 2 and 3.
March 14, 1968.
5.
Drawing 25202-31001 sheets 740-Rev. 1.7, 741-Rev. 11, 742-Rev. 6, 743-Rev. 5, 744-Rev. 10, 745-Rev. 6, 746-Rev. 8, 749-Rev. 5, 7 51-Rev.14, 752-Rev. 9, ' 753-Rev. 6, 754-Rev. 6, 755-Rev. 9, 756-Rev. 6 and 757-Rev 8.
6.
Drawing 25201-31001, sheet 325-Rev. 6.
7.
Drawing 25201-31001, sheets 488-Rev. 7, 488A-Rev. I and 489-Rev. 9.
8.
- Drawing' 25201-31001, sheets 759-Rev. 10, 760-Rev. 7, 761-Rev. 13, 762-Rev.'12, 763-Rev. 11, 764-Rev. 9, 765-Rev. 5, 766-Rev. 5, 767-Rev. 5, 768-Rev. 5, 769-Rev. 6, 770-Rev. 4, 771-Rev. 5, 772-Rev. 5,.773-Rev. 7, 774-Rev. 7, 776-Rev. 6, 777-Rev. 5, 778-Rev. 3, 779-Rev. 3, 780-Rev. 10, 781-Rev.13, 781 A-Rev. 2, 782-Rev. 5, 783-Rev. 5, 784-Rev. 9, 785-Rev. 7, 786-Rev. 12, 787-Rev. 9, 787-Rev. 9, 788-Rev. 9, 789-Rev. 8, 790-Rev. 5, L
791-Rev. 5, 792-Rev. 5, 793-Rev. 5, 794-Rev. 5, 796-Rev. 5, 797-Rev. 3, I
798-Rev.-7, 799-Rev. 7, 800-Rev. 5, 801-Rev. 5, 802-Rev. 3 and 803-Rev. 4.
9.
Drawing 25201-31001, sheets 612-Rev. 9, 881-Rev. 7, 882-Rev.
5,-
883-Rev. 6, and 884-Rev. 7.
10.
Drawing 25201-31001, sheets 665-Rev. 7, 666-Rev. 6, 667-Rev. 3, and-668-Rev. 9.
- 11. Millstone Nuclear Power Station Unit 1, Final Safety Analysis Report Amendment 16.
September 4, 1969.
i I
10 L
- 12. Letter, Peter A. Morris to the Milistone Point Company. " Provisional Operating License No. OPR-21 with Technical Specificatinns," October 7, 1970.
T
- 13. Amenament 67, Provisional Operating License DPR-21, dated May 8, 1980.
8 9
9
.y-
~
,b e
9 11
. ~
REQUEST FOR ADDITIONAL INFORMATION ON SEP TOPIC VII-2, ESF-SYSTEM C0llTROL LOGIC AND DESIGN
-1.
Provide electrical one line diagrams showing the power sources for the 2
ac powered isolation condenser vali:es.
^
2.
-Provide electrical schematics, one line diagrams, and functional logic drawings for the primary containment isolation system.
E I
J 4
J e
1 f
a i
.