ML20010G085

From kanterella
Jump to navigation Jump to search
Forwards Addl Info Re SER Open Items,Per NRC Request
ML20010G085
Person / Time
Site: Wolf Creek, Callaway  Wolf Creek Nuclear Operating Corporation icon.png
Issue date: 09/11/1981
From: Petrick N
STANDARDIZED NUCLEAR UNIT POWER PLANT SYSTEM
To: Harold Denton
Office of Nuclear Reactor Regulation
References
RTR-NUREG-0666, RTR-NUREG-666 SLNRC-81-100, NUDOCS 8109150310
Download: ML20010G085 (7)


Text

.

03 t'  %

SNUPPS Standardized Nuclear Unit f.

Power Plant System *Q. 4h '

j ,

Nicholas A. Petrick 5 Choke Cherry Road Rockville, Maryland 20850 v.es gym Executive Director (301)8694010 9 M 7m September 11, 1981 SLNRC 81 100 FILE: 0278 SUBJ: PSB Review

. Harold R. Denton, Director Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Confission Washington, D. C. 20555 Docket Nos. STN 50-482, STN 50-483, and STN 50-486

Dear Mr. Denton:

In discussions with Dr. Gordon Edison, NRC project manager for the SNUPPS applications, it was determined that additional information was required by the Power Systems Branch in order to close SER open items. The attached information addresses the following:

a. Justiftsation for not bypassing the failure-to-start diesel trip.
b. Justification for no battery high discharge alarm,
c. Additional information on electrical separation in-side panels,
d. Response to NUREG-0666.

Very truly yours,

\

-Q kbO(~

Nicholas A. Petrick RLS/jdk Attachment cc: J. K. Bryan UE G. L. Koester KGE D. T. McPhee KCPL /

D. F. Schnell W. A. Hansen UE AO l' S I NRC/ CAL T. E. Vandel NRC/WC 6'l 8109150310 810911 PDR ADOCK 03000482 E PDR

Start Failure Relay ,

l The start failure relay is provided to interrupt the starting of the diesel generator if a predetermined speed is not attained within a predetermined time l period frem receipt of a start signal. This design fencure is intended to preserve '

the starting air so that not all of the air is exhausted on an unsuccessful start attempt. .

If the diesel generator fails to reach a given speed within a given time interval,,

it is generally indicative of a more serious problem, auch as a lack of fuel t

reaching the engine cylinders. By removing the starting air at the appropriate time and providing an alarm in the control room, an operator can be dispatched to correct the fundamental problem and restart the diesel with the remaining air.

Once running, spurious operation of the start failure relay will not shutdown its diesel generator.

Like the diesel generator protective relays, the start failure relays are environ-mentally and seismically qualified. Separate relays are applied to the redundant diesel generators. They are mounted in a remote, free standing control panel that is not subject to engine-induced vibration. The relays are therefore virtually immune to vibration-induced contact bounce.

For additional reliability, the AC speed source is derived from tachometer generator.

This device is inherently simple and, due to its electromagnetic nature, immune from interference caused by engine vibration. It is pinion driven off the governor drive and is wired to the control circuit where its signal is processed to drive logic relays.

The intent of ICSB BTP 17 is to remove from the diesel generator trip circuit those protective functions that are susceptible to false operation due to engine vibration. It is not the intent of this BTP to necessarily remove all protective trips and leave the emergency diesel generators in a free-running state. Such a course of action would not be judicious if the protective function permits the diesel to be quickly restored by preventing serious damage to it.

Based on the above considerations, we feel that retaining the start failure relay during accident operation la justified.

. -- - _ . . = .

j Battery High Discharge Alarm A high discharge rate alarm is not provided. During normal operation, the batteries are float-charged by their battery charger. Periodic observation of the control room DC indicators and interpretation of them will provide the operator with a total i

indication of the DC system availability. During float operation, any additional a load (either normal or abnormal) will be picked up by the battery charger. The output current will increase until, in the event of a fault, it enters a current limiting mode. Near that point, the battery charger voltage will decrease below that of the battery and only then will the battery begin to discharge. Before this point is reached however, distribution fuses will blow to clear the fault because the battery chargers are sized to supply all steady state loads and charge the battery simultaneously. There is not enough steady state DC load to constme all of

. the battery charger output.

Upon loss of AC to the battery chargers, the DC loads are fed from their associated battery. The battery will continue to discharge at a rate determined by the load until either AC is restored or until the minimum battery terminal voltage is reached at which time the battery channel is considered unavailable. Before the minimum voltage is reached however, an undervoltage alarm is sounded in the control room to alert the operators of impending battery trouble. Any high discharge of the batteries (above that determined by the loads) will be cleared by distribution fuser, since any such discharge can only be produced by a fault.

At all times, battery discharge to ground through a ground fault is protected by a ground alarm in both positive and negative legs.

The B0P computer provides continous monitoring of each class IE battery current and can be programmed to alarm if the operators feel it is required.

Based on the above system design, a battery high discharge alarm is not provided becaust the exirting instrumentation is adequate for the system availability to be evaluated. A high discharge alarm cannot provide any additional information

or protection not already provided.

It should also be noted the SNUPPS class IE DC system is composed of four inde-pendent DC subsystems. There are no interconnections, load transfers, or shared loads between any of these subsystems. If any subsystem is lost for any reason, the remaining DC subsystems are capable of safely shutting down the reactor.

l 4

h

. _ . = _ - . -_. _-_ . - . - - - . - , . -

4 Barriers In Control Ptnels The barriers employed for the purpose of separatica between Class IE and non-class IE wiring, as well as the barriers employed for the purpose of separation between redundant Class IE wiring, are installed with the intention of preventing the propagation of a failure in one separation group of wiring into the other separation group. In ghneral, six inches of free air space is deemed adequate and is dictated by IEEE-384-1977. Where six inches is not practical, a barrier such as a conduit, steel plate,' fire resistant material or other material that provides an equivalent'

, _ 6 inches of free space separation is used.

When such barriers are employed, no additional separation between the barrier and one or both separation groups of wiring is necessary. The basis for this allowance is that the barrier itself provides the necessary isolation and is so designed to inhibit the propagation of any fault through its bcundaries.

The design of the barrier is conservative with respect to the hazards that exist in its vicinity. All wiring, non-class IE as well as Class IE, is required to pass the flame resistance test of ICEA S-19-81, part 6.19.6. The thernal conductivity of the insulation is low. The thermal conductivity of the barrier, if it is metal, is high and it will rapidly conduct heat away from the fault, while simultaneously shielding the unfaulted wiring from flame impingement. The thermal conductivity of a fire resistant barrier is close to zero and it will not conduct the faulted wiring energy to the other separation group wiring. Ity too will shield the other wiring from flame impingement.

Thus the event that a fault in one separation group wiring will be of sufficient magnitude to ignite the insulation, burn sufficiently long to drive sufficient thermal energy through the intervening barrier, ignite and cause failure of the other separation group wiring is not a credible event. The use of barriers

) constitutes acceptable protection and no further separation between the barrier and wiring is necessary.

l r

l l

.o Response to the Recommendations of NUREG-0666 General The SNUPPS DC power system as described in Section 8.3.2 of the FSAR con-sists of 4 independent Class IE DC power subsystems, DC Subsystems 1, 2, 3, and

4. DC power Subsystems 1 and 4 provide control and instrumentation power associated with AC power Load Groups i and 2. DC Subsystem 2 provides control and instrumentation power for 1) the turbine driven auxiliary feedwater pump and
2) other separation group 2 components including one steam line power operated relief valve. DC Subsystem 3 provides spearation group 3 control and instrument-ation power including one steam line power operated relief valve.

The 4 independent DC po.,er systems are separated and contain no inter connec-tions to one another.

NUREG-0666 Recommendation 1 Assure that design and operational features of the DC power supplies used for shutdown cooling do not compromise division independence. This includes eliminating use of a bus tie breaker, if provided, and revising test and maintenance activities with the potential for human error causing more than one DC division to be unavailable. Specific administrative controls proce-dures should be provided where the human factor is involved.

Response

The SNUPPS design assures divisional independence between all subsystems of the DC power system. There are no provisions in the design (such as bus tie breakers) which would compromise this independence. Therefore, the relia-bility assessment of the SNUPPS design would-show a considerable decrease in the probabilities of the dominant failure sequences identified in Table 7 of NUREG-0666.

A Page Two NUREG-0666 Recommendation 2 Assure that test and maintenance activities required for battery operability also include preventive maintenance on DC buses, procedures to demon-strate DC power availability from the battery to the bus, and administra-tive controls to reduce the likelihood of battery damage during testing, maintenance, and charging.

Response

Preventive maintenance procedures on safety related batteries will include steps to verify the integrity of the bus connections. Loss of DC power to DC bus will initiate an undervoltage alarm that triggers an annunciator in the Control Room. This alarm serves to monitor DC power availability from the battery to the bus. To reduce the likelihood of battery damage; test-ing, maintenance, and charging will be performed in accordance with approved procedures or administrative controls.

NUREG-0566 Recommendation 3 Stagger test and maintenance activities and crews to the extent practi-cable. This should include weekly pilot cell observations, preventive maintenance on batteries and bus connections, battery discharge and load tests, battery charger maintenance, and off line battery charging.

Response

Battery test and maintenance activities will be performed by qualified personnel in accordance with approved procedures. These activities will be staggered so that no more than one battery subsystem is out or service at any one time. Adequate maintenance and testing will be assured without any special efforts to stagger the crews.

NUREG-0666 Recommendation 4 Assure that plant design and operational features are such that following the loss of one DC power supply or bus: (a) redundant capability is main-tained for providing shutdown cooling in the hot standby condition; (b) RCS J

i

Page Three integrity and isolation capability are maintained; and (c) operating proce-dures, instrumentation, and control functions are adequate to initiate and maintain shutdown cooling in the hot standby condition. In essence, reactor core cooling capability should be maintained following the loss of any one DC power supply or bus and a single independent failure in any other system required for shutdown cooling.

Response

The SNUPPS auxiliary feedwater system design and secondary side heat removal capability via the steam generators and the power operated relief valves is such that no two failures, either DC or AC, will result in loss of reactor core cooling capability. Consequently, the SNUPPS design provides for maintaining RCS integrity and isolation capability with the loss of any two power supplies. Plant operating procedures will be developed with con-tingencies for such power supply losses. Redundant instrumentation and controls are powered from redundant power supplies so that actions necessary to initiate and maintain shutdown cooling in the hot standby condition can be accomplished assuming such f ailures. Thus shutdown heat removal from the core via the steam generators is assured for all accident sequences. Therefore SNUPPS design features reduce the probabilities of core damage from those reported in the NUREG.

- - - , - - - - , - - -- .--,e,, --r--r - . , , . , e- - , , , - -- 4 . , , , , , - - , , -