Text

. -. -. -..

}

f

%,'{

UNITED STATES I

' g-NUCLEAR REGULATORY COMMisslON j

WASHINGTON, D. C. 20658 I

k*****j e

.]

APR 121977 DOCKET N0. STN 50-561 VEND 0R:

BABC0CK & WILC0X COMPANY (B&W)

SUBJECT:

SUMMARY

OF MEETING TO DISCUSS SYSTEM OPERATING SEQUENCE DIAGRAMS AND FAILURE MODES AND EFFECT5 ANALYSES, BSAR-205 On March 24, 1977 representatives of B&W met with the NRC staff to discuss concerns identified in a report to the NRC by EG&G Idaho, Inc.

An Attendance List is enclosed.

EG&G wa's engaged by the NRC (Reactor Systems Branch) to review the subject portions of the BSAR-205 standard plant Safety Analysis Report..

EG&G completed their task with the transml~ttal 6f i' litter ~~

~

report to the NRC on February 22, 1977. This letter report was made available to B&W on March 17, 1977, and was the basis for this meeting. The. meeting was intended to clarify bot.h the staff and B&W p-understanding of the coments made by EG&G, prior to the staff's taking any position on any of the matters identified in the report.

R. E. Lyon of EG&G attended the meeting to facilitate this understanding.

The 21 comments listed in the Di.scussion section 'of the report (Enclosure 2).were discussed in order. Following are sumary ren. arks on each item. Actions to be taken as a result of,the discussion are described.

(1) B&W stated that their design philosophy, to co.nsider pressure relief and check valves as passive devices which are not subject ho to single " active" failure assumptions, is consistent with 'the ASME Code _and with the General Design Criteria. G.Mazetis(NRC) stated that the staff held similar views regarding spring loaded A

or other non-powered check valves, but considered power-operated devices (such as an electrically operated pressurizer relief valve) to be subject to single activt failure. The staff will give further consideration to B&W's analyses with respect to the identification of single active failures.

i l

v 9201210413 810403 i

PDR FOIA MADDEN 80-515 PDR f

. APR 1 2 1977 i O

j (2) B&W stated that BSAR-205 system design is such that taeir W

inclusion of the " worst case" single failure in a failure

.y'

~

l mode and effects analysis effectively bounds the expected effects from all initiating events while meeting the Comissions', >~~

j criteria i.e., to assume single rather than multiple active

1. [

I failures. They used as an example the fact that equipment v

i in containment is designed to withstand the effects of the LOCA 1

(initiating event) while acting to mitigate the consequences of

=. !

the event: The staff will initiate further dialog with EG&G on the specific nature of EG&G's general comment. Additional single failure analyses may be required in the BSAR-205.

j (3) The staff has been aware of, and in agreement with, the B&W g

format for the System Operating Sequence Diagrams. The diagrams -

were not intended to document the details of the single failure analyses but rather to show in an abbreviated fonn what systems are required to be single failure proof.

(4) B&W stated that their design is predicted on the Regulatory Guide.l.47 " Bypassed and Inoperable Status Indication for Nuclear Power Plant Systems". They feel that the recommendations of this guide are applicable to manual valves within a system intended to provide a safety action. This guide essentially 8

i recomends the provision of control room indication of safety 5g.g C-system unavailability when any required element of the system, is bypassed or otherwise set in a way that would cause system inoperability. The responsibility for implementation of the recommendations of the regulatory guide will lie with the applicant referencing the BSAR-205 design.

G. Mazetis (NRC) stated that current staff policy in this area and its application to BSAR-205 will be reviewed prior to a detennination on this comment.

(5) B&W referred the staff to Table 6.3.7 and their response to request number 212.112.

G. Mazetis (NRC) recommended that the response to f 212.112 be incorporated into the table, which will put this type of information in one location. B&W agreed to do this.

(6) B&W stated that where makeup is an essential part of the single failure analysis, it is included. The EG&G report does not identify f specific deficiencies in this regard; a re-check for specific p,

W)g deficiencies will be made by EG&G and the staff.

g W

(7) B&W stated that turbine trip was sometimes assumed even though not 55 necessary to the safety sequence. Where turbine trip is a requiremeny,f f it is shown on the diagrams and is actuated by the ESFAS.

R. Lyon, L7 (EG&G), stated that there was no further concern in this area.

['

v

=.

m

. ;;R i n 577 1

I (8) B&W stated that the alternate source of demineralized water is I

(m) to be used only during relatively rapid reactor power changes during power operation. They will add such a description to the BSAR-205 Chapter 15 analyses and discuss the potential for O gEIL inadvertant operation. A description of the alternate source design will be included in Chapter 9. The alternate source.

f

.}

will be accounted for in the systems operating sequence diagram e

i on the Chemical and Volune Control System in Appendix 15 C.

d, (9) This comment by EG&G'is related to item 8 above. B&W will I

indicate, in the new descriptive-material to be added to BSAR-205, that deboration is not terminated automatically.

5 (10) This item concerns a drawing error which has been corrected.

(11) B&W stated that their analysis for the large LOCA does not take j

credit for tha reactor trip or startup of the auxiliary feedwater e

system, therefore those actions are not included on the system operating sequence diagrams 15 C.13-1.

f (12) B&W stated that the operator has 20 minutes to accomplish the necessary manual action. They will add a detailed descriptien p of the actions required, with justification that the time available to complete the action is sufficient.

,l d

13 & 14)B&W stated that the diagrams do not contain a sequence for main

(_(:

steam system isolation because that action is not required, even g though assumed in analyses. B&W will clarify their assumption-in the text. B&W agrees with the coment on the LPI sequence, and will revise the diagram.

oY,M, t/'pp/$pi (15) The NRC staff wished to consider the overpressurization potential of the BSAR-205 design further. This subject will be the topic of separate discussions with B&W.

(16) B&W stated that this topic was outside the BSAR-205, design scope.

They stated that NSSS safety was not dependent on turbine trip since secondary side cooling would be accomplished through atmospheric dump and relief valves if'necessary. NRC staff will deliberate further on the EG&G concern.

(17 & 20)

B&W stated that the EG&G coments are important if shutdown to unpressurized conditions (" cold shutdown) is required. B&W 0V reiterated that their design philosphy is that safety grade systems are required only to take plant to a safe " hot" shutdown state.

G. Mazetis noted that the staff is continuing to move toward the requirement to go to " cold" shutdown with only jJ safety grade equipment.

(18) B&W stated agreement with this comcat by EG&G and comitted to a correction of a figure reference to maintain consistency.

1. bei yt C8tk N.

MR 12 M7 N

[o ]I (19)

B&W acknowledged that they do not describe a make-up line break J)

]

accident in Chapter 15. They will revise system operating sequence diagran 15 C.38 to incorporate the response to request i

number 212.227, and will include a reference to a sequence of events discussion elsewhere in the BSAR-205 text.

t (21)

B&W stated that the systen operating sequence diagram 15 C.40

/

is based on their position as expressed in responses to request UTn /

numbers 212.222 and 212.229, which responses also reference the BSAR-205 text at sections 15.1.24 and 7.6.1.1 G.Mazetis(NRC)

Si felt that the staff may already have the infonnation necessary from B&W in order to arrive at a staff position in this matter.

The staff will evaluate B&W's responses and may ask for more discussion with B&W.-

Thomas H. Cox, Project Manager Light Water Reactors Branch No. 3

. Division of-Prbject Management

Enclosure:

w I

l.

Attendance List 2.

Part II, Discussion, from EG&G Idaho, Inc. Report To NRC dated February 22, 1977

.. ~. -. -...... _.. -.... _

J APR 12 1977 l

(')

ENCLOSURE 1 ATTENDANCE LIST MEETING - B&W & STAFF - 03/24/77 Name O_rganization T. Cox NRC i

R. Lyon EG&G 2

G. Brazill B&W J. Happell B&W R. Schomaker B&W L. Cartin B&W R. Brockman B&W i

S. Newberry NRC G. Ma'zetis NRC l

J. Hamilton B&W i

I f

k l

f r

e J

t

+

i I

.e*

l e

i iG' m...

r7-

- ~ - -......

At'.achmen?. to %ir-6' -:'

c Pa-e 4 C

II. DISCUSSION i

A review of the System Operating Sequence Diaarams revealed several areas of potential concern regardino the adeauacy of the diaarams. These items are discussed below. Althouch not specifically included in the scope of this task, the review of supportinn analyses and other docunentation in conjunction with the diagrams, generated several additional connents related to the supporting information. These items are also listed in the followine discussion. Some of the items discussed below are ceneral in nature ard are so identified. Others are appitcable to a specific trans'ient and are identified with the figure number of the associated System Operating Sequence Diagram.

(1)' General (3

AJ B&W considers pressure relief valves and check valves as beira passive devices and thus not considered durfag the active failure analysis. The Rtactor Safety' Study, WASH-1400(2), classes them as active components with failure rates comparable to those of pumps, valves, etc.

If a failure of this type is considered, it could have an effect on system availability, in particular pressurizer and secondary safety relief valves and the core flood and low pressure injection systems.

(2) General The failure modes and effects analyses (FMEA's) presented by B&W in Table 5.3-7 to establish the effect of sinole active failures appear not to have considered the effect of the initiatina event on the availability of the system. Many of the results

(;

listed under the coments headina of the Table will vary widtly l

l dependinn on the initiating event.

It would seem that in oreir to

At achment to itic.-62 ' 5 Pa"e 5 O

be meaningfui, that the different initiatino events should be considered in the FMEA's and that the Section 15 analyses she ild show that these configurations, or at least the limiting confInuratic :.

have been analyzed and found acceptable.

(3) General The System Operating Sequence Diagrams show the systems which must be single failure proof, but in general, it is untlear from rist of the analyses what single failures have been consi<tered,* what iffect they have on the systen, and if they are the wors'. case sinal e failure.

(4) General As a single failure, perhaps. it might be appropriate to consiier the possibility that manual valves might be left in the wrong position, undetected, until the accident occurs (e.g. the system

(

test valves in the LPIS). The Reactor Safety Sturiy shows thai this event has a high probability of occurrence.

(5) General In order to meet the single active failure requirement, it is necessary for ti:e breakers on several valves to be racked out to minimite the possibility of inadvertent actuation. At the present tine, it appears that all the necessary valves have been ccvered, but the requirements are contained in several locations, i.e., the FPIA, Section 6. Section 7, etc. These requirements will eventual 1 < be tr.cluded in the Technical Specifications, but it would great 1s j

l facilitate review of this and later documents if they were co lected l

in a single location at this time.

i (6) General Many of the diagrams show actuation of the pressurizer and/or j

g secondary safety valves.

Is it necessary, or do t,e analyser ass:ime, i

_._.1__._.

Attachment to. tin 6 Par e 6 c-I that makeup is provided? If so, this should be included in t te diagrams, with the appropriate sinale failure designations.

(7) General Many diagrams contain the note that it is assumed in the anal esis tri-

~

the turbine generator is tripped via the Control ".od Drive Coitrol Is this a wo-st System (CRDS) after a reactor trip is actuated.

case condition or is it a necessary condition to achieve the esuh5 of the analysis? If it is a necessary condition *. hen the appropria e component blocks and r, ingle failure destanations !.hould be arHed to the diagrams.

Chemical and Volume Control Syste.n (CVCS) Malfunction (15C.4)

(P.)

A recent revision to Fiaure 9.1-1 has added an alternate sour:e cf demineralized water which bypasses the makeup tank.

It is pr) ham e that this line is used in a shutdown or refueline mode, with the Engineered' Safeguards Actuation Signal (ESFAS) bypassed; thue,

the extent of the transient is no longer limited,'y the capacity of the makeup tank.

In this case the operator must he relied on to teminats deboration and prevent criticality from occurring.E (9) Chemical and Volume Control System Malfunction (15C.4)

The analysis during power operation assumes that e.he reactor tric closes-the makeup tank outlet block valves and teminates the deborttior.

The diagram should reflect this action with appronriate ESFAS syrtem entries and single failure designations.

(10) Loss of Coolant Accident (LOCA) (15C.13) e V410.

Figure 9.3-1 shows and ESFAS-A input to valves ValA V438 ant The input to V43D is probably a dr,awine errsr, but jf not, a failure IL

.. _. ___ _.,_i.,._,____.

Attachment to Stin-62-77 Pace 7 in the ESFAS-A systern could prevent opening the three lines ollowing,

a break in the fourth line, resulting in a complete loss of I PI flow.

(11) Large LOCA (15C.13-1)

The diagram does not contain a sequence for reactor trip or 'or startup of the auxiliary feedwater systen.

(12) Small LOCA (15C.13-3)

The diagram assumes that the operator manually isolates Hioh Pressure Injection (HDI) supply lines which are affected if the break 7

is in an HPI line. Does the operator have sufficient time ard

.y can he be relied on to accomplish this? Several items will iend.to h

hinder completion of this action; (a) The break location will not be apparent until HPI is p

.pW initiated and flow is established in the supoly lines.

2,,

(b) Because of th; cross-connect lines inside containment i' will be necessary to isolate two supply lines.

If the subser vent J

nMih,.

single failure is loss of a vital power sou'rce, one of these lines must be isolated by closino the valve with the hardwheel Z

~ ' - - ~ ~

located at the valve. The discussion in Chapter 6 and the analysis in Chapter 15 do not adriress this particular accident.

(13) Small LOCA (15C.13-3)

-h, O

i The diagram does not contain a sequence for main steam syster isolation.

In addition, since piggyback operation is assumer, the Low Pressure Injection (LPI) system is not used for initial core l

cooling as shown on the diagram. The LPI sequence would mors appropriately enter the diagram at the point at which the opt rator realigns the system for piggyback operation.

Att *chment to ' tio-62-77 Pa# > 8

! O (14) Core Flooi Tank Line Break (15C.13-4) 9 The diagran does not contain a sequence for main steam system

~

isolation.

Overpressurization of Decay Heat Removal System (15C.24) l (15)

As noted in a previous report (3), the system design may be surh that it is not imune to this event as stated on the diaoram.

(16) Loss of Condenser Vacuum The analysis assumes that the turbine trips on hiah condenser pressure.

If the turbine Is this inherent.or is some control action required?

If les:

did not trip would.this be more or less conservative?

conservative, then any control ~ actions required to trip the turbine should be single failure proof.

In this esse it wouli be m(,

appropriate to have the systems necessary to cause the turbint trip, with the applicable single failure designations, shown rn the diagram, and then reference Figure 15C.7 for the ' remainder of the r

I systems.

t (17) Loss of Instrument Air (15C.31)

The diagram states that no actions are required to support thr Nuclear Asnotedinapreviousreport(3), failure of the SteamSystem(NSS).

f instrument air may prevent nomal cooldown of the reactor coo' ant system; Inadvertent Closure of Main Steam Isolation Valve (15C.35)

(18)

There is a disagreement between the diagram and the Chapter l';

The diagram analysis as to the limiting event for this traasient.

refers to Figure 15C.7, the turbine trip, while the analysis refers to Section 15.1.8, the loss of nomal feedwater system.

(19) Makeup 1.ine Break (15C.38)

There is no corresponding description of the accic'ent in Sect ton 15.1,

=%,s

(

Attachment to itia-62-77 Tace 9

~

212.147 that but it would appear fram the B&W resconse to NRC nuestion 4

The operator relies on certain ala rms and the diagram is incomplete.

These should be hown indications to inform him of the condition.

on the diagram along with the appropriate single failure desicnations.

(This may be inferred in the balance of plant safety related ontrol and instrumentation (BOP SRCI) controls boxes, but this is no : clear).

This sequen :e Also the reactor trips on low pressurizer level.

should also be shown on the diagram. -

(20) Cold Shutdown Systems (15C.39)

()

As noted in a previous report (3), some of the systems may not be single failure proof.

(21)' Overpressure Transient There is no corresponding description of the accident conside ed in Section 15.1, but it would appear that the diagram may not be adequate, especially in the mode where the decay heat remov.a1 system is not-in operation.

0 I

L

.