ML20038C616

Safety Evaluation Re ECCS for Single Failure. Licensee Has Adequately Addressed NRC Concerns Re Possible Single Failure Criterion

Site: Prairie Island
Issue date: 12/01/1981
From: Office of Nuclear Reactor Regulation
Shared Package: ML20038C615
References: NUDOCS 8112110280

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO THE EMERGENCY CORE COOLING SYSTEM FOR SINGLE FAILURE FOR THE PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-282 AND 50-306

Introduction

By letter dated April 12, 1976 we requested information supporting the single failure analysis of the Emergency Core Cooling System (ECCS) and its supporting subsystems for the Prairie Island Nuclear Generating Plant Unit Nos. 1 and 2.

The Northern States Power Company (NSP) issued by letter dated December 22, 1976 a report titled "ECCS Actuation System". The licensee provided additional information by letters dated July 17, August 5 and September 10, 1981 and held discussions with the staff regarding this subject matter. A detailed review of the licensee's response was performed by EG&G Idaho, our consultant, who issued a final report of their review titled "Emergency Core Cooling System Review, Prairie Island Nuclear Generating Plant, Units Nos. 1 and 2, Docket 50-282 and 50-306", EGG-EA-5571. A copy of this final report is attached.

Discussion and Evaluation

By the submittals described above the licensee provided the necessary information to (1) verify that the analysis demonstrates that the ECCS and supporting subsystems meet the single failure criterion as defined in IEEE Std 279-1971 and (2) determine the acceptability of any proposed design modifications required as a result of the single failure analysis. The review of the licensee's submittal by our consultant showed that certain safety related electrical equipment may not meet our current qualifications criteria for radiation exposure during accident conditions.

In cases where equipment is not adequately qualified for radiation exposure the licensee proposed to either:

a. replace unqualified equipment with equipment that meets the requirement of IEEE Std 323-1971,

b. test existing equipment to a higher radiation limit than is required, or

c. relocate the questionable equipment to an environment for which the equipment is qualified.

We have reviewed the licensee's proposal and find it acceptable. However, we will require the licensee to include this questionable equipment under the equipment qualification program for safety related equipment currently under review. This requirement was discussed with and agreed to by the licensee.

We agree with our consultant that the safety injection pump discharge cross connection valves should be controlled by Appendix "A" TS of the license rather than operating procedures alone. This matter was discussed with and agreed to by the licensee.

Based on our review of the licensee's submittal and the enclosed report by our consultant, we find that the licensee has adequately responded to our concerns regarding the possible single failure criterion for the Prairie Island Nuclear Generating Plant, Unit Nos. 1 and 2.

We further conclude that the design of ECCS does meet our criterion for single failure and therefore, these systems are acceptable. Based on the above, we consider the single failure criterion concern for ECCS at Prairie Island Generating Plant, Unit Nos. 1 and 2 is resolved and the review of this issue is complete.

Date: nIO C11931

EGG-EA-5571
NOVEMBER 1981

EMERGENCY CORE COOLING SYSTEM REVIEW, PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT NUMBERS 1 AND 2, DOCKET NUMBERS 50-282 AND 50-306, TAC NUMBER 6853

A. C. Udy

U.S. Department of Energy
Idaho Operations Office
Idaho National Engineering Laboratory

This is an informal report intended for use as a preliminary or working document.

Prepared for the U.S. Nuclear Regulatory Commission
Under DOE Contract No. DE-AC07-76ID01570

INTERIM REPORT

Accession No.
Report No. EGG-EA-5571

Contract Program or Project Title: Selected Operating Reactor Issues Program (III)

Subject of this Document: Emergency Core Cooling System Review, Prairie Island Nuclear Generating Plant, Unit Numbers 1 and 2, Docket Numbers 50-282 and 50-306, TAC Number 6853

Type of Document: Informal Report

Author(s): A. C. Udy

Date of Document: November 1981

Responsible NRC Individual and NRC Office or Division: J. N. Donohew, Division of Licensing

This document was prepared primarily for preliminary or internal use. It has not received full review and approval. Since there may be substantive changes, this document should not be considered final.

EG&G Idaho, Inc.
Idaho Falls, Idaho 83415

Prepared for the U.S. Nuclear Regulatory Commission
Washington, D.C.
Under DOE Contract No. DE-AC07-76ID01570
NRC FIN No. A6429

INTERIM REPORT

0535J

EMERGENCY CORE COOLING SYSTEM REVIEW
PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT NUMBERS 1 AND 2
Docket Numbers 50-282 and 50-306

A. C. Udy
Reliability and Statistics Branch
Engineering Analysis Division
EG&G Idaho, Inc.

November 1981
TAC Number 6853

ABSTRACT

This Safety Evaluation Report discusses the review of the Prairie Island Emergency Core Cooling System (ECCS), and confirms that the ECCS and supporting subsystems meet the single failure criterion as defined in IEEE Std. 279-1971.

FOREWORD

This report is supplied as part of the "Selected Operating Reactor Issues Program (III)" being conducted for the U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, Division of Licensing, by EG&G Idaho, Inc., Reliability and Statistics Branch.

The U.S. Nuclear Regulatory Commission funded the work under the authorization B&R 20 19 01 06, FIN A6429.

CONTENTS

1. INTRODUCTION

2. EVALUATION

2.1 Emergency Core Cooling Actuation System

2.2 Onsite Emergency Power System

2.3 Electrical Equipment Qualification

2.4 Submerged Electrical Equipment

2.4.1 Submerged Motor-Operated Valves Required for ECCS

2.4.2 Submerged Motor-Operated Valves Required for Containment Isolation

2.4.3 Protection of the Electrical Distribution System from the Effects of Submergence

2.5 Electrically Operated Fluid System Components

2.6 Electrical Interlocks

2.6.1 4160 VAC Interlocks

2.6.2 480 VAC Interlocks

2.6.3 120 VAC Interlocks

2.6.4 125 VDC Interlocks

2.7 Electrical and Physical Separation Criteria

3. CONCLUSIONS

4. REFERENCES

EMERGENCY CORE COOLING SYSTEM REVIEW
PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT NUMBERS 1 AND 2

1.0 INTRODUCTION

The NRC required¹ documentation of an analysis of possible failure modes of emergency core cooling system (ECCS) equipment and the effect of such failure on the ECCS performance. The documentation was to show that the ECCS and supporting subsystems meet the single failure criteria defined in IEEE Std 279-1971 and to show that any modification needed as a result of the analysis was acceptable and implemented.

Northern States Power Company (NSP), pursuant to this request, issued a report entitled "ECCS Actuation--Compliance with the Acceptance Criteria for ECCS for Light Water Nuclear Power Reactors."³ This report was sent to the NRC on December 22, 1976.⁴

This report discusses the review of this NSP documentation and further information provided by NSP by letters dated July 17, 1981, August 5, 1981 and September 10, 1981 and by telephone on July 27, 1981 and August 14, 1981.

2.0 EVALUATION

The Prairie Island ECCS consists of high-head injection, low-head injection, accumulator injection and boric acid injection. These functions are automatically initiated by the ECCS actuation system to cool the core following a loss-of-coolant accident (LOCA). These four functions are supported by the following systems: diesel-generator systems, fuel and diesel oil systems, diesel generator room cooling systems, instrument power distribution system, 4 kV Class 1E distribution system, DC power sources and distribution system, component cooling system, cooling water system, equipment heat removal system, chilled water safeguards system, screen house heating and vent system, battery room special ventilation system and the control, relay and computer room heating, ventilation and air conditioning system.

The operation of these systems is discussed in Reference 3.

2.1 Emergency Core Cooling Actuation System. The ECCS actuation system is part of the engineered safety features actuation system (ESFAS), which is a protection system that initiates operation of various engineered safety features equipment to mitigate the consequences of a LOCA. Each ECCS safety injection train is automatically actuated by two-out-of-three containment pressure high, or by two-out-of-three pressurizer pressure low or by either loop A or loop B steam generator steam line pressure low (each loop is two-out-of-three logic).

Independent manual actuation by the operator is also possible. Each ECCS train is designed to be capable of mitigating a LOCA assuming that the other train does not activate.

Each train has a block signal that allows reactor depressurization.

Two-out-of-three pressurizer pressure block permissive low signals will allow the block to be engaged. The block negates the pressurizer pressure low (the bistables and setpoints affected are independent from the block-permissive signals) and the two steam line pressure low signals for that train. There is also a safety injection block switch for each train that stops an ECCS actuation after a predetermined time period.
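The actuation and block logic described above can be checked against the single failure criterion by enumerating every single bistable failure. The following is an added illustration, not code from the NRC or EG&G report: all names are hypothetical, bistables are modelled as booleans with two assumed failure modes (stuck untripped, stuck tripped), and the voting is generalised to k-out-of-n so that two-out-of-three can be compared with two-channel alternatives.

```python
# Added illustration; parameter and function names are hypothetical.
PARAMS = (
    "containment_pressure_high",
    "pressurizer_pressure_low",
    "steamline_a_pressure_low",
    "steamline_b_pressure_low",
)
# The block negates pressurizer-low and both steam-line-low signals only.
BLOCKABLE = frozenset(PARAMS[1:])


def k_of_n(channels, k=2):
    """True when at least k bistable channels are tripped."""
    return sum(bool(c) for c in channels) >= k


def block_permitted(permissive_channels):
    """The block may be engaged only on two-out-of-three permissive signals."""
    return k_of_n(permissive_channels, 2)


def train_actuates(bistables, k=2, block_engaged=False, manual=False):
    """Safety injection signal for one train.

    Manual actuation is assumed here to be independent of the bistable logic.
    """
    if manual:
        return True
    return any(
        k_of_n(bistables[p], k)
        for p in PARAMS
        if not (block_engaged and p in BLOCKABLE)
    )


def with_failure(bistables, failure):
    """Copy of the bistable states with one channel forced to a stuck state."""
    param, index, stuck_state = failure
    out = {p: list(ch) for p, ch in bistables.items()}
    out[param][index] = stuck_state
    return out


def single_failure_violations(n=3, k=2):
    """Enumerate every single stuck channel and report logic failures.

    'missed'   : a real demand (all n channels of one parameter tripped)
                 does not actuate the train.
    'spurious' : with no demand, one stuck-tripped channel actuates it.
    """
    violations = []
    failures = [(p, i, s) for p in PARAMS for i in range(n) for s in (False, True)]
    quiet = {p: [False] * n for p in PARAMS}
    for failure in failures:
        if train_actuates(with_failure(quiet, failure), k):
            violations.append(("spurious", failure))
        for demand in PARAMS:
            plant = {p: [p == demand] * n for p in PARAMS}
            if not train_actuates(with_failure(plant, failure), k):
                violations.append(("missed", demand, failure))
    return violations


if __name__ == "__main__":
    for n, k in ((3, 2), (2, 2), (2, 1)):
        kinds = sorted({v[0] for v in single_failure_violations(n, k)})
        print(f"{k}-out-of-{n}: {kinds or 'no single-failure violations'}")
```

Two-out-of-three voting tolerates either failure mode on any one channel, whereas two-out-of-two can miss a demand and one-out-of-two can actuate spuriously.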

ECCS support equipment is started by the use of auxiliary contacts on the electric starter or circuit breaker of the ECCS equipment. Train A components actuate only Train A support equipment and Train B components actuate only Train B support equipment.

The cooling water system normally operates in a loop configuration with one pump out of five capable of supplying sufficient cooling water for a LOCA in one unit concurrent with safely shutting down the other unit. This cooling water loop is isolated into two components on a safety injection signal. Additionally, a safety injection signal starts two diesel driven cooling water pumps. One pump supplies each half of the isolated loop in addition to any operating electric pumps. Both diesel-generators (separate from the diesel cooling water pumps) can receive cooling water from either half of the isolated loop via check valves.

A review of the information provided by the licensee shows that the present design of the ECCS support equipment and cooling water system actuation circuits, in conjunction with administrative controls, meet the single failure criterion. The administrative controls consist of technical specification requirements except for the safety-injection pump discharge crossover valves. These are blocked open and tagged per Integrated Operations Checklist C1.1.18-1.

2.2 Onsite Emergency Power System. The onsite emergency power system for each unit supplies electrical power to the Engineered Safety Features (ESF) equipment when there is a partial or a total loss of offsite power.

Each unit has two redundant and independent Class 1E distribution systems that have some interunit ties. Each distribution system consists of 4160 V, 480 V and 120 V AC load centers and a 125 V DC load center. The Prairie Island station has multiple, redundant interconnected (see Section 2.7.1) offsite power sources that supply 4160 V power when the unit generator is not accessible through either unit auxiliary transformer at the station and when offsite power is available. Redundant 4160 V buses in a unit cannot be tied together.

When no offsite or unit generator derived power is available, the Prairie Island station has two diesel-generators (DG) each automatically tied to a single 4160 V Class 1E distribution system in each unit. Each DG has the capacity to supply the ESF (including the ECCS) loads for a design basis accident in one unit concurrent with a false SIS (no accident) in the other unit.

The unit ESF loads are divided between the two Class 1E 4160 V buses of that unit. Each of these buses supplies a 480 V bus and associated loads via a separate 4160/480 V transformer. The 480 V buses can be tied together through two series connected circuit breakers. Each 480 V bus in turn supplies 208/120 V AC via separate transformers and a 125 V DC bus via a battery charger. Redundant 120 V AC buses cannot be interconnected.

Each unit has two 125 V DC batteries and dedicated battery chargers (powered by the redundant 480 V AC buses). The battery chargers are the normal source of power, while the batteries are a redundant power source for the DC distribution systems. There are no built-in interconnection capabilities between the station's four DC batteries or DC buses.

Four inverters in each unit supply normal power for ESF instrumentation. These are normally powered by 480 V AC, auctioneered to 125 V DC power if the AC source is inadequate. If an inverter is not available, a maintenance connection to 208/120 V AC bus 117 (217 in Unit 2) is available (this power is derived from a Class 1E 480 V bus). These instrumentation buses cannot be interconnected; however, non-Class 1E 117 (217) could be powered (back-fed) by the maintenance connection (see Section 2.6.3).

The diesel generators are started by stored air pressure. Two parallel solenoid valves deliver starting air to the twelve cylinder air start valves of each diesel. Each diesel has its own air starting system, including a 480 V air compressor and two accumulators. Redundant series connected manual valves normally block the interconnection of the two diesel air starting systems.

Engine coolant and lube oil are continuously heated and circulated while a diesel is not running. This is to aid in the starting ability of the diesels. These auxiliaries are powered by the 480 V Class 1E bus in Unit 1 that is associated with that diesel. No provision is made for an alternate power source; however, a failure of this system would only affect one diesel, and it would not prevent the diesel from starting.

Fuel oil for each diesel is stored in a day tank that supplies that diesel. This supply can be sufficient for two hours of operation, and is replenished automatically by independent fuel oil transfer systems, which are verified operable monthly.⁸ Interconnected storage tanks supply fuel oil to the day tanks. Technical specification 3.7.A.5 requires a minimum of 70,000 gallons of fuel oil to be stored on site. The day tank level alarms are calibrated, as is the instrumentation associated with the day tank fill circuit, on a regular basis.

NSP indicates that a failure of the clean fuel return pump (Diesel 2) could have prevented that diesel from operating. This pump was powered by a 120 V AC source associated with DG1.³ NSP stated that they have changed, in May 1976, the power source for this pump to eliminate this potential non-conformance with the single failure criterion.

Each distribution system is capable of furnishing power to the equipment load groups that meet the minimum requirements to safely shut down one reactor and to mitigate the consequence of a design basis accident in the other unit.

2.3 Electrical Equipment Qualifications. The qualification requirements for safety-related equipment are a measure of the equipment's ability to withstand the design basis environmental and seismic conditions.

NSP has documented that all safety related motors, cables, instruments and other equipment located inside the containment which must operate during and subsequent to an accident, will be capable of functioning under the following post-accident conditions for the time periods required:

1. Temperature: 286°F

2. Pressure: 60 psig

3. Humidity: 100%

4. Radiation: 1x rads/hr, gamma

5. Seismic: .12g

An environmental and seismic qualification program was implemented by Westinghouse, the Nuclear Steam Supply System (NSSS) manufacturer. The program confirmed that all safety related instrumentation located in the containment would satisfy the above listed LOCA conditions for the required time period. This qualification program has demonstrated, by testing and by analysis, the operability of the instrumentation and of the electrical equipment under LOCA conditions inside containment. The temperature, pressure and seismic conditions tested to are in excess of the design basis event. The level of radiation to which the equipment was exposed in this program was 1 x 10^6 rads/hour gamma. This level of radiation exposure satisfied the then current criteria for the period of construction of this plant. Section 3.8 of the Nuclear Regulatory Commission "Equipment Evaluation Report" recommends a minimum total integrated Beta-Gamma dose of 4 x 10 roentgens.

NSP has shown that the majority of the safety related motors, cables, instrumentation and other equipment, both inside and outside of the containment, which must operate during and subsequent to an accident, have been tested to minimum of 4x10^7 roentgens (inside of containment) or 2.7x10 roentgens (outside of containment). NSP, for those pieces of equipment not presently shown to be qualified for this radiation dose, proposed to a) replace with equipment qualified to IEEE Std 323-1974, b) test existing equipment to the higher radiation limit or c) relocate the equipment to an environment for which the equipment is qualified.

With the satisfactory completion of the above program, NSP will have shown that the safety-related motors, cables, instrumentation and other equipment located inside the containment, which must operate during and subsequent to an accident, will be capable of functioning for the required period of time.

2.4 Submerged Electrical Equipment. The licensee's analysis shows that the maximum depth of water that can accumulate in the primary containment building following a LOCA will be 8 ft 3 in. This yields an upper elevation of water in the containment of 705 ft 9 in. (the base slab of the containment building is elevation 697 ft 6 in.).

The licensee has surveyed the primary containment building, and all the electrical equipment that is located below the LOCA flood level (705 ft 9 in.) has been identified. Some of this electrical equipment that can become submerged is safety related. This equipment is discussed below.

2.4.1 Submerged Motor-Operated Valves Required for ECCS. The licensee has listed in a submittal dated October 21, 19/d, those motor-operated valves associated with short or long term cooling that are located inside of containment that could become submerged following a LOCA. Valve numbers in parentheses are for Unit 2.

Hi Head Safety Injection (SI) Loop A and B MV-32070 MV-32068 Cold Leg Isolation Valves (MV-32173)

(MV-32171)

(MV-32172)

Hi Head Safety Injection Reactor Vessel Injection Isolation Valve MV-32071 Loop A and B Accumulator Isolation Valves MV-32072 (MV-32174)

(MV-32175)

MV-32164 Loop A and B Hot Leg Residual Heat Removal MV-32230 Suction Isolation Valves (MV-32192)

(MV-32232)

None of these valves are required to function following a LOCA. Flooding of these valves following a LOCA will not prevent proper operation of the ECCS, and is, therefore, acceptable.

2.4.2 Submerged Motor-Operated Valves Required for Containment Isolation. NSP has indicated that no containment isolation valves will be submerged following a LOCA. However, terminal boxes are identified as being below the 705 ft 9 in. flood level which are associated with the following containment isolation valves. NSP states that these valves are the only safety related equipment associated with these terminal boxes. The first 4 valves listed are for Unit 1, the last 3 valves listed are for Unit 2.

CV-31300  11 Reactor Coolant Loop B Hot Leg Sample
CV-31325  11 Regn Heat Exchanger Letdown Line
CV-31326  Isolation Valves A, B, and C
CV-31327

These valves are normally locked open.¹³

CV-31347  2 Letdown Orifice Isolation Valves A and B
CV-31348
CV-31349  1 Letdown Orifice Isolation Valve

These valves are air operated, fail closed valves. Loss of power due to a flooded terminal box would cause the valves to isolate the containment penetration. Loss of air, isolated on a containment isolation signal, would also cause the valves to close. These valves are not required to open following a LOCA. Proper operation of the ECCS will occur regardless of the flooding of these terminal boxes. Therefore, the design is acceptable for this review.

2.4.3 Protection of the Electrical Distribution System from the Effects of Submergence. NSP has stated that terminal boxes inside of containment, if immersed, could become flooded. Protective measures ensure that these terminal boxes and the above valves will not cause the loss of vital motor control centers (MCCs) because of electrical faults at these locations following submergence. The 480 V combination motor starters are provided with air circuit breakers and with overload relays. This provides penetration, cable and motor protection, and the isolation of individual motor circuit faults so as not to affect other MCC loads. The control circuits associated with 480 V MCCs are protected by individual control circuit fuses that isolate electrical faults and limit the effects of such electrical short circuits to the circuits involved. The protection of the 120 Vac and 125 Vdc instrument power circuits is similar. Selective tripping is assured by using protective devices in these circuits that will clear a fault quicker than the bus or MCC supply circuit breaker can react. Circuit breakers are periodically tested against calculated manufacturer curves to assure operability.

These designs for preventing the malfunctioning of the Class 1E electrical power systems as a result of submerged equipment inside of containment are adequate.

2.5 Electrically Operated Fluid System Components. The following systems were analyzed in accordance with EICS Branch Technical Position BTP-18, "Application of the Single Failure Criterion to Manually-Controlled Electrically-Operated Valves" to determine if a single failure could result in loss of capability to perform a safety function:

1. Auxiliary Feedwater System

2. Component Cooling System

3. Cooling Water System

4. Fuel and Diesel Oil

5. Residual Heat Removal (low head safety injection)

6. Safety Injection.

Additionally, NSP has determined that the failure of the following manually-operated single fluid system component could result in a loss of the ECCS capability to perform its safety function:

11 Accumulator Loop A isolation valve--Unit 1 8800 A
12 Accumulator Loop B isolation valve--Unit 1 8800 B
21 Accumulator Loop A isolation valve--Unit 2 8800 A
22 Accumulator Loop B isolation valve--Unit 2 8800 B

Technical specifications allow these valves to be closed for up to one hour. Other valves were identified by NSP; however, they are locked in the position required for ECCS operation.

Each accumulator has one vent valve that, if one failed open, could cause the ECCS action of both accumulators to not supply water to the core. This is because the final safety analysis report assumes that the contents of one accumulator goes directly through the postulated pipe break and onto the containment floor. If the vent valve of the other accumulator were to fail, it would have no nitrogen pressure to inject this coolant into the core. Prairie Island technical specification 3.3.A.1.b requires both accumulators to be operable. With pressure and level annunciators on loss of pressure or loss of level from either of two redundant instrument sets per accumulator, the operator would know of an accumulator vent valve failure.

The discharge of the two safety injection pumps has a cross connection that has two series connected manually operated valves. Both of these valves must be open to meet the single failure criterion. While not controlled by technical specification, these cross-connection valves are administratively controlled by Integrated Operations Checklist C1.1.18.1, and are blocked and tagged open by this procedure. This procedure then ensures that either safety injection pump, by itself, has the ability to mitigate the consequences of an accident.

Based on the above analysis, it is concluded that a single failure will not result in adverse consequences to the ECCS performance, and therefore the ECCS performance is acceptable. However, should an operator inadvertently leave a safety injection pump discharge cross connection valve closed, only one safety injection pump would be immediately available to pump borated water into the core. Should this one pump fail on demand, the operation of the ECCS system would be compromised. Therefore, the NRC should require that these valves be controlled by technical specification to minimize this possibility.

2.6 Electrical Interlocks. Electrical interlocks are used as a means of preventing redundant divisions of the Class 1E distribution system from being tied together. Electrical independence of redundant portions of the Class 1E electrical distribution system is assured by these interlocks.

There are several points in the distribution system which allow for energizing equipment from the redundant power sources. They exist at various voltage levels, and are addressed in the following paragraphs.

Interlocks provided at each voltage level satisfy the single failure criteria and the intent of Regulatory Guide 1.6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems."

2.6.1 4160 Vac Interlocks. There are no bus ties between redundant 4160 V Class 1E buses in either unit at the Prairie Island station. Further, there are no 4160 V loads that can be selectively powered by either bus. At the 4160 V level, the Prairie Island station meets the single failure criteria and the intent of Regulatory Guide 1.6.

There are bus ties between non-redundant buses 15 and 26 and 16 and 25. The buses that can be connected are in different units, and are, therefore, non-redundant. Cooling tower buses 11 and 12 also have an automatic bus tie. The bus tie breaker is interlocked with the source breakers so that redundant load groups within a unit are not connected together automatically upon the failure of a single electrical distribution system element. These bus ties also satisfy the single failure criteria and the intent of Regulatory Guide 1.6.

2.6.2 480 Vac Interlocks. Two normally open, manually closed bus tie breakers separate redundant 480 V Class 1E buses 110 and 120 in Unit 1. Buses 210 and 220 in Unit 2 are similarly separated. Since they are not automatic, and there are two independent circuit breakers between redundant buses, this satisfies the single failure criteria. Additionally, protective relaying exists so that the two redundant power sources cannot be connected in parallel. This satisfies the requirements of Regulatory Guide 1.6.

No other bus ties at this voltage level were evident in the NSP submittals reviewed for this report.

2.6.3 120 Vac Interlocks. The four 120 Vac Class 1E buses in each unit are normally supplied power by four independent 480 Vac powered (with auctioneered DC backup) inverters. No interconnections exist such that the failure of one inverter or circuit breaker would cause the failure of another inverter. Should an inverter fail, there is a common 208/120 Vac interruptible power source, Panel 117 (217 in Unit 2), for a third source of power to the bus. Technical Specification 3.7.A.7 prevents connecting more than one 120 Vac Class 1E bus to this source. Each connection to these alternate sources has two disconnecting devices. Thus, the single failure criteria and Regulatory Guide 1.6 are satisfied.

2.6.4 125 Vdc Interlocks. Each unit has two 125 Vdc buses. There are no interconnections between redundant buses, batteries or battery chargers. The load groups are arranged so that failure of one 125 Vdc bus will not affect the ECCS capability supplied by the other bus. The single failure criteria and Regulatory Guide 1.6 are satisfied for this voltage level.

The switching capability and the interlocks provided at the Prairie Island station adequately prevent the propagation of faults between redundant Class lE buses. Therefore, it is concluded that the interlock system designed to prevent compromising electrical independence is acceptable.

2.7 Electrical and Physical Separation Criteria. Engineered safety feature circuit separation includes separation of power sources, control and power devices, protective device sensors and interconnecting cables.

8

1 NSP indicates that the engineered safety feature (ESF) 4160 V switch-gear and 480 V load centers are located in areas that minimize their expo-j sure to mechanical, fire and water damage. The 480 V motor control centers are located near areas of electrical load concentration.

The application and routing of control, instrumentation and power cables minimizes their vulnerability to damage from any source.

Cables related to engineered safety features are color coded for identification and have been routed and installed to maintain the integrity of their respective redundant channels.

j.

Cable is carried by rigid and flexible conduit, cable tray, junction and terminal boxes, containment penetrations and raceways within equipment cabinets.

The separation of redundant cables of the engineered safety features system circuits is accomplished through the use of separate, redundant cable carrying components.

l The separation distances for trays containing redundant cables are as j

follows:

a.

Horizontal Separation: A minimum separation of 36 inches between adjacent tray side rails. Approved protective barriers are provided in missile areas so that no credible missile will cause damage simultaneously to both redundant ESF circuits.

Barriers are also provided where space does not allow normal separation, where a non-safeguard tray infringes on the air space of an ESF tray or where two redundant ESF trays cross, b.

Vertical Separation: A minimum separation of 36 inches between redundant ESF trays or between reactor protection channel trays is provided. A minimum separation of 15 inches between ESF and reactor protection channel trays is provided. This dimension is from tray bottom to tray bottom. The minimum clear air space between the bottom of any upper tray and the top of any adjacent bottom tray is 9 inches.

Barriers are provided for the same conditions as in horizontal separation.

The ESF and Reactor Protection System (RPS) relay racks are located in the relay room.

Train A and Train B groups are separated by a five foot aisle.

Redundant ESF instruments and control stations are separated by a minimum three foot air space, have an appropriate barrier placed between them or are mounted on independent racks that are a minimum of three feet apart.

ESF and Class 1E electrical system components mounted on control boards, panels and relay racks are designed with physical separation so that at least 4-1/2 inches exists between redundant cables.

An exception to this is the manual safety injection switches, where actuation of either switch actuates both safety injection trains.

In this case, separation is maintained at 3-1/4 inches between switches. Teflon insulated wire and cable is used for intra panel wiring.

It is concluded that the physical independence of the electrical systems is adequate and acceptable.

3.0 CONCLUSION

The NSP analysis for the Prairie Island station ECCS actuation has been evaluated in Section 2 of this report. The changes mentioned have been completed. This review has determined that:

1. The design of the emergency core cooling system actuation system meets the single failure criterion and present NRC requirements.

2. The onsite emergency power system meets the single failure criterion.

3. The safety-related electrical equipment is environmentally and seismically qualified except for the issue of level of radiation exposure. The NRC is investigating this separately as IE Bulletin 79-01B.

4. The submergence of equipment inside of containment will not prevent the proper operation of the emergency core cooling system or containment isolation system nor will it cause malfunctions of the emergency power system.

5. The redundancy of systems and valves satisfies the requirements of EICS Branch Technical Position 18, and precludes the malfunctioning of the emergency core cooling system due to operator error or the single failure of electrically operated fluid system components.

However, the safety injection pump discharge cross connection valves (hand operated manual valves) should be controlled by technical specification, rather than by existing operating procedure only. This will minimize the potential for operating the reactor with an ECCS lineup that is prone to a single failure.

6. The interlocks provided to prevent the propagation of electrical faults between redundant safety buses satisfy the requirements of NRC Regulatory Guide 1.6.

7. The electrical and physical separation between redundant divisions satisfies the separation criteria in effect during the construction of these units, and will not cause functional loss of redundant emergency core cooling system equipment.

In summary, the emergency core cooling system at the Prairie Island station satisfies the single failure criterion, is seismically qualified and is environmentally qualified (except for potential insufficient radiation testing. This is being addressed separately under the review titled "Environmental Qualification of Safety-related Systems," TAC No. 42500.)

Therefore, the emergency core cooling system at the Prairie Island station is acceptable.

4.0 REFERENCES

1. NRC letter, D. L. Ziemann to Northern States Power Company (NSP), April 12, 1976.

2. "Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Std 279-1971, The Institute of Electrical and Electronic Engineers, Inc., New York, NY, 1971.

3. NSP report "ECCS ACTUATION--Compliance with the Acceptance Criteria for ECCS for Light Water Nuclear Power Reactors."

4. NSP letter, L. O. Mayer to D. L. Ziemann, NRC, "ECCS Actuation Systems," December 22, 1976.

5. NSP letter, D. Musolf to R. E. Martin, NRC and A. Udy, EG&G Idaho, Inc. (EG&G), July 17, 1981.

6. NSP letter, D. Musolf to A. Udy, EG&G, August 5, 1981.

7. NSP letter, D. Musolf to A. Udy, EG&G, September 10, 1981.

8. Telecon, D. Musolf, NSP and A. Udy, EG&G, July 27, 1981.

9. Telecon, D. Musolf, NSP and A. Udy, EG&G, August 14, 1981.

10. Topical Report, WCAP 7744 Volume 1 (August 1971), and Volume 2 (January 1972), "Environmental Testing of ESF Related Equipment," J. Locante and E. G. Igne.

11. "Safety Evaluation of the Prairie Island Nuclear Generating Plant Units 1 and 2," Atomic Energy Commission, September 28, 1972.

12. "Equipment Evaluation Report for the Prairie Island Nuclear Generating Plant Units 1 and 2," NRC, 79-01B.

13. NSP letter, L. O. Mayer to Director of Nuclear Reactor Regulation, NRC, "Response to IE Bulletin 79-01B Safety Evaluation Report," August 26, 1981.

14. NSP letter, L. O. Mayer to D. L. Ziemann, NRC, "Submerged Valves Following a LOCA," October 21, 1975.
