Text

.-

Enclosura 2 0058j SYSTEMATIC EVALUATION PROGRAM TOPIC VII-3 ELECTRICAL, INSTRUMENTATION AND CONTROL FEATURES OF SYSTEMS REQUIRED FOR SAFE SHUTDOWN LA CROSSE BOILING WATER REACTOR Docket No. 50-409 February 1982 R. O. Haroldsen EG&G Idaho, Inc.

l Draft 2-2-81 8203170341 820309 DRADOCK05000g

CONTENTS

1.0 INTRODUCTION

1 2.0 R EV I E W ' C R I TE R I A.................................................

2 3.0 RELATE D SAFETY TOPICS AND INTERFACES............................

2 4.0 REVIEW GUIDELINES...............................................

3 5.0 D I S CU SS ION AND E VAL U AT IO N.......................................

5 5.1 Instrumentation...........................................

5 i

5.1.1 Evaluation........................................

6 5.2 Safe Shutdown Systems.................

6 5.2.1 Onsite Power Unavailable..........................

7 5.2.1.1 E v al ua t io n..............................

7 5.2.2 Offsite Power Unavailable.........................

7 5.2.2.1 Evaluation..............................

8 i

5.3 Shutdown and Cooldown Capability Outside the Control Room..............................................

8 5.3.1 E v al u at i o n........................................

8 5.4 RHR System Reliabil ity and Interlocks.....................

8 l

l 6.0

SUMMARY

9 7.0 SAFE ' SHUTDOWN EI&C FEATURES FOR CONSIDERATION BY SEP TOPIC III-1.................................................

9

8.0 REFERENCES

10 l

i 11

SYSTEMATIC EVALUATION PROGRAM TOPIC VII-3 ELECTRICAL, INSTRUMENTATION AND CONTROL FEATURES OF SYSTEMS REQUIRED FOR SAFE SHUTDOWN LA L:ROSSE BOILING WATER REACTOR

1.0 INTRODUCTION

This report is part of the Systematic Evaluation Program (SEP) review of Topic VII-3, " Systems Required for Safe Shutdown. The objective of this review is to determine whether the electrical, instrumentation, and control (EI&C) features of the systems required for safe shutdown, including support systems, meet current licensing criteria.

The systems required for safe shutdown have been identified by the NRC SEP. The systems were reviewed to ensure the following safety objectives I

are met:

(1) Assure the design adequacy of the safe shutdown system to automatically initiate operation of appropriate systems, including reactivity control l

systems, such that fuel design limits are not i

exceeded as a result of operational occurrences and postulated accidents, and to automatically initiate systems required to bring the plant to a safe shutdown l

(2) Assure that required systems, equipment, and con-i trols to maintain the unit in a safe condition dur-ing hot shutdown are appropriately located outside l

the control room and have the capability for subse-quent cold shutdown of the reactor using suitable procedures (3) Assure only safety grade equipment is required to bring primary coolant systems from a high pressure to low pressure cooling cir 11 tion.

The scope of this review specifically includes an evaluation of the electrical, instrumentation, and control features necessary for operation of the identified safe shutdown systens.

1

The review evaluates the systems for operability with and without off-site power and the ability to operate with any single failure. The EI6C review of safe shutdown systems only includes those features not covered under other SEP Topics. Specific items which will be covered under other SEP reports are identified in Section 3.0, Related Safety Topics and Interfaces.

2.0 REVIEW CRITERIA Current licensing criteria for safe shutdown are contained in the following:

(1)

IEEE Standard 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations" (2) GDC-5, " Sharing of Structures, Systems, and Components" (3) GDC-13, " Instrumentation and Centrol" (4) GDC-17, " Electric Power Systems" (5) GDC-19, " Control Room" (6) GDC-26, " Reactivity Control System Redundancy and Capability" (7) GDC-34, " Residual Heat Removal" (8) GDC-35, " Emergency Core Cooling" (9) GDC-44, " Cooling Water."

3.0 RELATED SAFETY TOPICS AND INTERFACES l

The following list of SEP topics are related to the safe shutdown topic with respect to EI&C features, but are not being specifically reviewed under this topic:

l (1) SEP III-10.A, " Thermal Overload Protection for Motors of Motor-Operated Valves" (2) SEP VI-7.A.3, "ECCS Actuation System" 2

l

~

(3) SEP VI-7.C.1, " Independence of Onsite Power" (4) SEP VI-10.A, " Testing of RTS and ESF Including Response Time Testing" (5) SEP VII-1, " Reactor Trip System" (6) SEP VII-2, "ESF Control Logic and Design" (7) SEP VIII-2, "Onsite Emergency Power Systems--Diesel Generators" (8) SEP VIII-3, " Emergency DC Power Systems" (9)

SEP IX-3, " Station Service and Cooling Water Systems" (10) SEP IX-6, " Fire Protection."

4 Where safe shutdown system EI&C response is affected by the above-mentioned topics, that particular SEP review has been consulted for determination of overall safe shutdown system performance. Where the SEP topic review is not available, the effect on safe shutdown system performance is based on an assumed operating condition of the effecting

~

system. The safe shutdown review will be considered preliminary until resolution of the effecting topic is completed and found to be in accordance with assumptions made in this review.

The completion of this review impacts upon the following SEP topics, since capabilities relating to safe shutdown are required in the topic:

(1) SEP VIII-1.A, " Potential Equipment Failures Asso-ciated with a Degraded Grid Voltage" (2) SEP VIII-2, "0nsite Emergency Power Systems--Diesel Generators."

4.0 REVIEW GUIDELINES The capability to attain a safe shutdown has been reviewed by evaluat-ing the systems used for normal shutdown (onsite power not available) and 3

l emergency shutdown (offsite power not available).

SRP 7.4 was applied to each system to ensure the following guidelines were meet:

(1)

They have the required redundancy (SRP 7)

(2) They meet the single failure criterion (RG 1.53, ICS8 BTP 18)

(3) They have the required capacity and reliability to perform intended safety functions on demand (SRP 7).

Additionally, SRP 5.4 recuirements contained in BTP RSB 5-1 were reviewed to determine if the systems required for residual heat removal meet the following criteria:

(1)

The systems are capable of being cperated from the control room with only offsite or only onsite power available (2)

The systems are capable of bringing the reactor to cold shutdown with only offsite or only onsite power available within a reasonable period, assuming the most limiting single failure (3)

The RHR system has the required isolation features to prevent overpressurization when RCS pressure is above RHR design pressure (4) Protection from RHR pump overheating, cavitation, or loss of suction is provided (5)

Isolation and interlock circuitry is testable during RHR operation and is tested in preoperational and initial startup test programs.

The electrical equipment environmental qualification and physical separation are being reviewed under other topics, as is the seismic equipment qualifi-cation, and are not reviewed in this report. Section 7.0 consists of a list of safety related EI&C equipment necessary for safe shutdown to be used in resolving SEP Topic III-1, " Classification of Structures, Components, and Systems."

4

. - - =

5.0 DISCUSSION AND EVALUATION 5.1 Instrumentation The NRC SEP Review of Safe Shutdown Systems identified the instrumen-tation available in the control room necessary to bring the reactor from the hot shutdown to cold shutdown condition. Various system parameters, sucn as pump running or valve position indications, are not included in the list of safe shutdown instruments of the SEP Review as indication is provided by the control / operate circuitry. Availability of control / operate circuitry to run the system also means availability of the required indication.

Similarly, if the control / operate circuitry is unavailable such that system operation is not possible, then system indication is not mandatory.

The source range nuclear instrumentation has redundant channels but all are powered from the same vital non-interruptible bus. Failure of this bus would result in the loss of shutdown indication from the nuclear instruments.

The control rod positions are indicated by two independent display systems. An indication that all rods are inserted is a reasonable indica-tion that the nuclear reaction in the reactor has been shutdown. However, loss of offsite power and one of the non-interruptible power buses would disable both rod position indicating systems.

Reactor coolant level is indicated in the Control Room on redundant independent indicators powered from independent non-interruptible power buses. There are no single electrical f ailures that would result in the loss of this critical reactor parameter indication. Reactor coolant temper-ature and pressure are indicated redundantly in the control room but are all powered from the coninon vital non-interruptible bus 18.

Other control room indicating instruments used to monitor supporting safe shutdown systems are generally non-redundant. There are, therefore, single electrical f ailures that would render the monitors on these systems inoperable. For example, the water level on the shell side of the shutdown condenser is monitored in the control room by the single LG-62-42-803 level 5

Indicator operating from the non-interruptible bus 1B.

Valve position indi-cators for this system are all powered from the 125 volt DC distribution bus. Make-up water for the shutdown condenser is controlled by a single controller. The condensate make-up water tank has both level indication and an independent level alarm in the control room but both are powered from the same power source.

The feedwater pumps have supply interlocks.

5.1.1 Evaluation. The instrumentation necessary for reaching and maintaining cold shutdown at La Crosse does not meet current licensing cri-teria since single failures may result in loss of instrumentation required to shutdown the reactor and/or maintain the reactor in shutdown condition.

Suitable direct reading local indicators and manual override could be used

'c.~ operators were stationed at local indicators and controls. Such action may be justified by the licensee under the topic of limited operator action outside the control room.

5.2 Safe Shutdown Systems The SEP review of Safe Shutdown Systems identified the systems required for safe snutdown for conditions when only onsite power is available or only offsite power is available. The systems identified do not include the Tur-bine Bypass or Decay Heat Removal Systems, which are the systems used for normal shutdown.

Normal shutdown utilizes short-term cooling provided by bypassing steam to the main condenser via the turbine bypass valve or steam jet air ejectors and gland seal.

The feedwater system then returns the condensate water to the reactor. When the reactor coolant temperature drops below 470*F, the decay heat cooling system may be placed in service. On loss of offsite power, the main condenser is unavailable for cooldown and the feedwater pumps cannot be used for reactor coolant make-up because onsite power has insufficient capacity.

The systems identified for safe shutdown in the SEP review are systems that are operational either with onsite power unavailable or offsite power unavailable.

6 L

5.2.1 Onsite Power Unavailable.

During normal operations all power for the reactor systems is supplied from the unit auxiliary transformer con-nected to the generator. Loss of the main generator power during operation will result in automatic transfer to the reserve auxiliary transformer connected to the 69 KV bus of the external grid.

There are no single f ailures of EI&C features that can disable the normal short-term cooldown methods. The Decay Heat Removal System normally used for long-term cooldown is subject to single EI&C failure but this system is not required for shutdown. The Shutdown Condenser System provides backup for both short and long-term cooling.

5.2.1.1 Evaluation. The systems required for short-term and t

l l

long-term cooling at La Crosse are capable of providing the required cooling I

assuming no onsite power is available and a single EI&C failure. However, loss of either the non-interruptible bus lA or 1B will result in loss of some non-redundant parameter indications in the control room for these systems.

5.2.2 Offsite Power Unavailable.

During normal operation a loss of offsite power would probably result in the loss of the main condenser and a I

reactor trip. The feedwater pumps require more power than could be supplied from the emergency diesel powered generators. Shutdown with offsite power unavailable would utilize the Shutdown Condenser System (SCS) l which is capable of providing both the short and long-tenn cooling requirements of the reactor.

The SCS operates on convection on the reactor side at the condenser and has redundant parallel control valves on the inlet and outlet to the conden-ser. These pneumatically operated valves fail open on loss of air or elec-trical power. The condenser shell side water level is controlled from a' single controller that provides make-up water from the demineralized water storage tank.

If the demineralized water is insufficient, water is taken from the High Pressure Service Water Systems (HPSW). The two demineralized water transfer ptsnps are powered from separate diesel generator supplied essential buses. The HPSW automatically provides make-up water using 7

either of two diesel powered pumps which takes suction directly from the river.

Another method of cooling is available but is to be used only if other methods f ail. This method requires activation of the manual deprc:suriza-l tion system (MDS) and subsequent use of the alternate core spray (ACS) sys tem. This is not included as a means for removal of decay heat in plant procedures since venting to containment requires significant plant downtime for cleanup and restoration to normal conditions. The primary purpose of the ACS system is responding to loss of coolant events.

I

{

5.2.2.1 Evaluation. The systems required for short-term and long-term cooling at La Crosse are capable of providing the required cooli,ng assuming offsite power is not available and a single failure (other than the I

diesel powered generators), loss of the SCS level controller will result in the requirement for manual local control (inside containment), and loss of either the non-interruptible bus lA or 1B will result in loss of parameter i

indications in the control room for these systems.

5.3 Shutdown and Cooldown Capability Outside the Control Room The capability to shut down and maintain the plant in hot shutdown from outside the control room exists at La Crosse. Reactor parameters can be nonitored at locations outside the control room. Local control stations exist for pumps and valves of the systems required for safe shutdown.

Critical control valves are capable of being manually operated. Procedures l

exist and have been demonstrated for reactor shutdown from outside the control room.

5.3.1 Evaluation. Adequate capability exists to shut down, to main-tain the reactor in hot shutdown and to take the reactor from hot to cold shutdown from outside the control room.

5.4 RHR Systen Reliability and Interlocks The RHR system was evaluated with respect to BTP RSB 5-1 (SEP Topic V-II.B) and reported as a part of Topic V-II.A.

8

6.0 SUMARY With the exceptica of instrumentation, the systems required to take the reactor from hot shutdown to cold shutdown, assuming only offsite power is available or only onsite power is available and a single failure, are cap-able of automatic initiation to bring the plant to a safe shutdown and are in compiiance with current licensing criteria, and the safety objectives of SEP Topic VII-3.

The instrumentation available in the control room to monitor the shut-down systems parameters does not meet current licensing criteria since a loss of one of the non-interruptible power buses would result in the loss of critical parameter indication. The level controller for the shutdown condenser has no backup and is similarly subject to power supply failure.

The capability to maintain the reactor in hot shutdown from outside the control room exists and is in compliance with the safety objectives of SEP Topic VII-3. Procedures exist to take the plant from hot to cold shutdown from outside the control room which satisfies the safety ob~jective of SEP Topic VII-3. The SDC system safety criteria of SEP Topic V-II.B for RIE System Reliability and Interlocks are satisfied.

7.0 SAFE SiUTDOWN EI&C FEATURES-FOR-CONSIDERATION BY SEP TOPIC III-1 ELECTRICAL DISTRIBUTION (including support structure, but not individual loads)

~

1.

2400 volt buses 1A and 18, 480 volt buses 1A and 18, 120 volt non-interruptible buses, reactor protection buses; including all feeders, incoming and outgoing, control circuits, indicating circuits bus work and support structures 2.

ALL DC BUSES--including 125 Y batteries, chargers, inverters, breakers, bus work, and support structures 3.

DIESEL GENERATORS--including control and indicating circuitry, and control and indication of vital DG auxiliaries such as lube oil, fuel, and cooling 9

INSTRUMENTATION (including support structures) 1.

REACTOR LEVEL 2.

REACTOR PRESSURE 3.

REACTOR TEMPERATURE 4.

REACTOR PROTECTION SYSTEM 5.

NEUTRON MONITORING (including in-core monitoring) 6.

AREA AND SYSTEM RADIATION MONITORING 7.

SIUTDOWN CONDENSER LEVEL CONTROLLER AND LEVEL INDICATION SYSTEMS (includes pumps, valves, control, indication, and support structures) 1.

CONTROL R0D DRIVE SYSTEM 2.

SHUTDOWN C0lOENSER SYS1EM 3.

DEMINERALIZED WATER TRANSFER SYSTEM 4.

HIGH PRESSURE SERVICE WATER SYSTEM 5.

ALTERNATE CORE SPRAY SYSTEM 6.

EMERGENCY CORE SPRAY SYSTEM 7.

OVERHEAD STORAGE TANK 8.

CONTROL AIR SYSTEM 9.

INSTRUMENTATION 10.

EMERGENCY POWER 1

8.0 REFERENCES

1.

Technical Evaluation Report- " Systems Needed for Safe Shutdown--

La Crosse Boiling Water Reactor" Franklin Research Center, October 9, 1981.

2.

Dairyland Power Cooperative letter, Frank Linder to Director of Nuclear Reactor Regulation, dated February 2, 1981.

10

3.

Dairyland Power Cooperative letter, Frank Linder to Director of Nuclear Reactor Regulation, dated March 13, 1980.

4 Dairyland Power Cooperative letter, Frank Linder to Director of Nuclear Reactor Regulation, dated November 26, 1980.

5.

Code of Federal Regulations,10 CFR 50, Appendix A, " General Design Criteria for Nuclear Power Plants."

6.

IEEE Standard 279-1971, " Criteria for Protection Systens for Nuclear Power Generating Stations."

7.

NUREG 0800, Nuclear Regulatory Commission Standard Review Plan 7.4,

" Systems Required for Safe Shutdown" and 5.4.7, " Residual Heat i

Removal "

1 I

l 11

?

__