ML20044G706
| ML20044G706 | |
| Person / Time | |
|---|---|
| Site: | 05200002 |
| Issue date: | 05/19/1993 |
| From: | ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY |
| To: | |
| Shared Package | |
| ML20044G705 | List: |
| References | |
| NUDOCS 9306040126 | |
| Download: ML20044G706 (100) | |
Text
{{#Wiki_filter:_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . . CKF EVALUATION FOR LIMITING FAULT EVENTS
- 1. INTRODUCTION The draft NRC policy on common mode failure (CMF) of protective system software (Reference 1) specifies the need to perform an evaluation of the capability of the plant design to cope with the event initiators in Chapter 15 with a postulated pre-existing common mode failure of the protection system software. As a bounding analysis of the capability of the diverse equipment to cope with such a condition, the evaluation in Reference 2 assumed that all automatic responses of systems using the protective software and the capability for manual actuation using these systems would be precluded. The evaluation assumed nominal plant conditions at the initiation of each event and best estimate responses for the diverse reactor trip and emergency feedwater actuation equipment, and for the normal control systems and operator action.
A review of the evaluation was performed in Reference 3. Subsequent discussion of the evaluation with the reviewer and the NRC staff (Reference 4) determined that the capability of the diverse equipment to provide adequate protection had been demonstrated for 19 of the 28 event initiators in Chapter 15. Discussion of the evaluation with NRC management (Reference 5) determined that a revised evaluation would be appropriate for the remaining 9 events while applying more relaxed criteria than those applied in Chapter 15, and crediting use of manual controls implemented in the design to comply with position 4 of the Reference 1 draft policy statement. The evaluation presented here presents the results of the revised evaluation of the 9 events which demonstrate the capability of the diverse equipment and reasonable operator response to provide adequate protection. The manual controls credited for actuation of Engineered Safety Feature 9306040126 930519 PDR ADDCK 05200002 A PDR l
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 2 of 100 i systems equipment are those presented in Reference 6 and shown in Figure 1-1. These comply with position 4 of the Reference 1 policy statement with the addition of a switch to manually actuate closure of the containment air purge valves and a letdown line isolation valve. m
,,,__ _ mmmmmmea mmmmm - imes ... - - - - - - - - - - - - - - - - - - -
i! !! M<Uc$gz *gOW rw5eHE .,#@ s . Mh,9m 6 v e y Oet MOO I s c fv Ct
, l
< Ss a
. I t
s-e i t,. e 1 r
. tm t I %t N - c tvPy O TS I . v s
- e. -
= GrMta S
tUPv TN . l I AE e ,,.. ] 1 UN T,. . l , C TO ;.
" 1.. , u c
=
I CrL vV CP ;, t c a
- S tA W
AM t. 1 O "'I .. ._ , . n o <, c. i
- FC t
- ... r..
I lS *. . e. C c t
.'.c.
p EF 8 ,
= S v E S v'c t'
. l O
t , Cn v RLE e'.au i v I UA f
# l I GUO 5
, i a(
I NT c V FA C C f
- + c t
= fe t
sM s eW ME f E I C EA SF RR EE z '" VTN I DI -- 1 n c l cal I l
" l 1
s,
= '
i 1 o, t r, u c Iv
=.
I t
;
- Gi Ss a
oc c s w c 1 1
- e. l I (
' c tvV te t - -
l l
- ort tta V
N1a
*a D ie e @ eO e tapt v f
,m e ;
1 c n 1
.*U c T u s i
r e r U's , 4 l t
; t 2- ,
v
%g tC sA t t c e t
t c I G r@y t e a = S tL Pa tr i iOeO~oGo lvS v e s a e p l w c 1 Pv D t e 1 l t i , v 2 c l i D . t** tt s, r. , e a e.
'r .
s t t r i r a l i l i
< s st c,
t, E w t1r u c e V e ,- t. a l c
- < s*.u M pV I
~ - l
- - 9 1
8 9t 1 9 i:
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 4 of 100
- 2.
SUMMARY
The evaluation consisted of analyses of the 9 events to estimate the outcome of each event applying the initial conditions, equipment operability, operator actions and acceptance criteria described herein. The emphasis of the evaluation was to ensure a reasonable ability to cope with the events in a manner which preserves core coolability, prevents excessive RCS or containment overpressure, prevents excessive offsite doses and relies on reasonable operstor response times. The criteria for core coolability, RCS pressure, containment pressure, offsite doses and operator action time are chosen to be appropriate for the beyond design basis categorization of each event when a concurrent low probability CMF of the protection system software is also assumed. 2.1 Evaluation Approach The evaluations of nine events in conjunction with a hypothetical CMF in the NUPLEX 80+ software are enclosed. The nine events are: l i
- 1. Total Loss of Reactor Coolant Flow l
- 2. Single RCP Shaft Seizure i l
- 3. Single RCP Shaft Break l l
- 4. CEA Ejection
- 5. Letdown Line Break
- 6. Steam Generator Tube Rupture
- 7. Main Steam Line Break
- 8. Feedwater Pipe Break
- 9. Loss of Coolant Accident (LOCA)
1 l l i l 1 CMF EVALUATION FOR LIMITING FAULT EVENTS Page 5 of 100 ] i The evaluations use best estimate assumptions regarding initial operating-conditions and assume continued operability of the RCPs (except in the . case of the loss of offsite power event), the main. steam and feedwater 1 systems, and the NSSS control systems since they are not affected by the CMF. The Alternate Protection System (APS) provides an automatic high l ! pressurizer pressure reactor trip and an automatic actuation of . the > 1 emergency feedwater equipment on low steam generator level. .
?
2.2 Instrumentation Available to the Operator 7 operator response is necessary to help mitigate the short term effects and f to accomplish subsequent recovery actions following each event. Diversity in the NUPLEX 80+ equipment and software assures that adequate instrumentation and controls will remain available for timely diagnosis - and mitigation of the event initiators with the postulated software CMF. The NUPLEX 80+ safety related display instrumentation is implemented in 3 segments: DIAS-N (Discrete Indication and Alarm System - Channel N), DIAS- 1 P (Channel P) and DPS (Data Processing System). Since the DIAS-N equipment may be affected by the postulated CMF,- this evaluation conservatively assumes that the alarms and displays generated by this system will be disabled. Reference 6 presents the implementation of hardwired communication for the DIAS-P display of key indicators of critical safety functions, as shown in Figure 2-1. These displays comply with Position 4 in the Reference 1 policy statement. They provide a dedicated display of the Category 1 parameters specified in Regulatory Guide 1.97 and would remain unaffected by the postulated common mode failure in the NUPLEX 80+ protection system software. The parameters i displayed are listed in Table 2-1. !
CKF EVALUATION FOR LIMITING FAULT EVENTS Page 6 of 100 The DPS, which provides a redundant and diverse display of the indications and alarms presented by DIAS-N, would not be affected by the postulated failure. The DPS receives information used for display and alarm from the Process-Component Control System (P-CCS), the Power Control System (PCS) and the Engineered Safety Feature-CCS (ESF-CCS). The P-CCS and the PCS would not be affected by the postulated failure. Information provided to the DPS by the EST-CCS is assumed to become unavailable due to the postulated failure. The P-CCS and PCS obtain key plant parameters either from isolated safety channel signals at the Auxiliary Process Cabinets or via control channel sensors which are separate from the safety equipment. .The P-CCS and PCS obtain the sensed parameters in Table 2-1 via the former method. The DPS performs signal validation of this information and then compares the validated value for each parameter to the validated value determined by DIAS-N and generates an alarm if they are inconsistent. As a result, the operator will be alerted if a failure occurs in DIAS-N, and can compare DPS and DIAS-N indications to the DIAS-P display to determine if either ! system is providing an unreliable indication for the key parameters. Each DIAS-N and DPS display screen incorporates a rotating icon in the lower right corner to indicate that the dieplay device is receiving data updates from its network. If the display device stops receiving data updates, the icon stops rotating. If a common mode failure were to lock up DIAS-N such that the displays remained on but the data provided to the display devices was not being updated, the icon would stop rotating on every affected display screen. The PCS implements independent control channel sensors for excore neutron flux data and detection of dropped control rods. Therefore, the DPS
+ CMT EVALUATION FOR LIMITING FAULT EVENTS Page 7 of 100 display of core power, and the core mimic representation of a successful-reactor trip are not affected by the postulated failure. The DPS provides alarms for conditions associated with reactor trip, pre-trip and ESF actuation which would not be af fected by the postulated failure. The IPSO display of critical function status and key plant parameters is supported by the DPS and would not be affected by the postulated failure. Detection of high radiation levels in the secondary system, such as in the SG blowdown or the condenser, is performed by a radiation monitoring system which is diverse from the protection system and would not' be affected by the postulated failure. Monitored information from this system is data linked to both the DPS and the DIAS. Therefore, the DPS displays of high radiation alarms in these areas would remain operable with the postulated failure.
--_---_x- - - - - - - - -
CMT EVALUATION FOR LIMITING FAULT EVENTS Page 8 of 100 } 2.3 Basis for Operator Response Time Estimates As discussed in Reference 2, the evaluation of the capability of the l System 80+ design te provide adequate protection for a common mode f ailure of protection system sof tware coincident with a Chapter 15 event initiator credits reasonable operator action. The operator response times for the manual actuations presented in the following discussion are estimated by reviewing the sequence of steps called for in the Emergency Procedure Guidelines (EPGs). The time i required for each step is based on information provided . in the draft ~ 1 revision to the ANS/ ANSI-58.8 Standard, ' Time Response Design Criteria for Safety-Related Operator Actions," and its Appendix (Reference 7) and in the Accident Prevention Group Report, ' Application of the EPRI Operator Reliability Experiments Data to Update the ANS-58.8 Standard" (Reference 8). The ANS-58.8 Standard provides analysts with a methodology to evaluate the ; i acceptability of response time intervals afforded to operators by the plant design. The . assessment verifies that the design, including it s automatic protective features, will provide operators with a sufficient
]
margin for safety-related manual actione. The applicability of ANS-58.8 extends to Design Basis Events (DBEs) that result in (automatic) reactor trip. For such scenarios, the model and criteria of ANS-58.8 have been empirically tested and shown to produce estimates that bound the actual cperator response data with 95% confidence. L'hu c , ANS-58.8 provides conservative estimates for the operator response times to be credited in a safety analysis. j
I CMF EVALUATION FOR LIMITING FAULT EVENTS Page 9 of 100 To provide a reasonable estimate of the operator response for the beyond design basis analysis presented here, the ANS-58.8 model is adapted based on information provided in its Appendix and in Reference 8 which discuss - the empirical operator response data used to verify the conservatism of the values presented in ANS-58.8. In the general ANS-58.8 model, the 1 earliest time for operator action is preceded by a~ diagnostic time interval. It permits the operator to observe plant parameters, verify-automatic system responses, ard plan subsequent actions. A longer diagnostic time interval is allocated for less frequent events for which the operator responses are less familiar. This is applicable for circumstances in which the protective system functions normally .and the operator's role is to observe those responses and diagnose the plant condition to determine appropriate subsequent actions. For this evaluation, in which the protective systems are assumed to fail to act, it is appropriate to credit operator action to initiate a reactor trip consistent with response time data determined for ATWS scenarios. The data discussed in the ANS-58.8 Appendix and in Reference 8 indicate that the earliest time for operator action-in this scenario is typically less than 1 minute. The DPS will provide alarms indicating conditions corresponding to reactor trip setpoints on displays which the operator normally uses, including the indication of an alarmed condition for key indicators of critical function status displayed on the IPSO. The display of rod bottom lights on the PCS core mimic, which is a normal indicator of a successful reactor trip for the operator, would indicate that a trip had not occurred. This would be confirmed by the nomal DPS display of core power and by the IPSO display of cora power and reactor trip status. The true core power can readily be verified by comparison to the hardwired DIAS-P display. Based on the
CMF EVALUATION FOR LIMITING FAULT EVENTS .Page 10 of 100 availability of f amiliar indications and alarms indicating the need for a reactor trip, the availability of familiar indications that one h.ed not occurred, and the empirical response data discussed above, operator action ' to initiate a manual reactor trip within two minutes of reaching an alarmed trip condition is ' considered a. reasonable estimate for the purposes of this beyond design basis analysis. The operator actions called for in this evaluation would be performed by; the control room staff as part of the Standard Post-Trip Actions which-would be initiated immediately after a' reactor trip and ~ would precede event diagnosis. Since it is common for operators to memorise_ the standard post trip actions during their training, this procedure is considered to be highly familiar. The DPS provides a f amiliar display of all parameters called for in this procedure to verify critical functions. Most of these are also provided on the dedicated DIAS-P display. Four minutes are allocated during the first nine minutes of the response sequence, for the supervisor and two operators to identify that a global problem has occurred in the DIAS-N-displays and to determine that the DPS - displays should be used instead. This decision is supported by the' DPS alarm indicating inconsistency between DPS and DIAS-N validated parameter values, as well as the DIAS-P display which uses hardwired input of sensed parameters. Subsequent to this decision, if a step in the EPG involves simple verification of parameters which are readily available on a normal DPS display and can be verified on DIAS-P, and the value can be expected to be within the acceptable range, then that step in the EPG is estimated to take 1 minute per manipulation. This is consistent with the ANS-58.8 model for performing familiar actions. The evaluation assumes that the normal full staff are available, as follows: initially 2 operators and one supervisor are available in the
- - - --_ -__--,---___.__s----.------.----- - . _ - - - _ - - , -
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 11 of 100 main control room (NCR), and all 3 are in the control work space within one minute after reaching en alarm condition calling for a reactor trip. A 3rd operator and a 2nd supervisor are assumed to arrive in the MCR i within 5 minutes of the alarm calling for reactor trip and a STA is assumed to arrive within 10 minutes of that alarm. To determine an estimate for the total time involved in performing each of the manual actuations credited in the evaluation, a time line is constructed which sums the time involved for operator responses performed in series. Credit is taken for activities which the operators would perform in parallel. Specific estimates of reasonable response times are provided in the following event evaluations. 2.4 Specific Response Time Estimates For the main steam line break outside containment, the DPS would display alarms indicating high power, low steam generator pressure and low pressurizer pressure within 15 seconds. All of these are normally associated with a reactor trip condition. The DPS core mimic display would indicate that the rod bottom lights ordinarily associated with a successful reactor trip had not come on. The DPS display of core power would also indicate that a reactor trip had not occurred. The IPSO would also indicate that a reactor trip had not occurred and that the reactor remained at 100% power. It is probable that the effect of the CMF on the DIAS-N displays would be a lack of indication or en indication of no change, rather than a false indication of a reactor trip. With these familiar indications of the need for a reactor trip, a reasonable best estimate is that the operator would manually actuate the reactor trip within 2 minutes of event initiation. i j I
s CMF EVALUATION FOR LIMITING FAULT EVENTS Page.12 of 100 The DPS's validated display of pressurizer pressure (confirmed by the DIAS-P display) and associated low pressure alarm, would indicate the need to manually actuate safety injection. The DPS's validated display of SG pressure and RCS temperature (confirmed by the DIAS-P display) and associated alarms, would provide indication of the need to close the main feed valves and the MSIVs. A reasonable estimate of the responses of the control room operators in proceeding through the standard ' post-trip actions indicates that safety injection would be manually actuated in 15 minutes, the main feed valves closed in 17 minutes, and the main steam isolation valves would be closed in 20 minutes. For the feedwater line break at the economizer nozzle, the. reactor trip would be initiated automatically by the Alternate Protection System on f high pressurizer pressure. The DPS's validated. display of SG pressure, RCS temperatute and containment pressure (confirmed by the DIAS-P display) and associated alarms, would provide indication of the need to close the main feed valves and the MSIVs and actuate containment spray. A reasonable estimate of the responses of the control room operators in confirming the automatic trip and proceeding through the -emergency procedures indicates that manual closure of the main feed valves would j occur at 16 minutes, manual closure of the MSIVs within 18 minutes and l 1 manual actuation of containment sprays at 17 minutes. i For a loss of coolant accident, the DPS's validated display of pressurizer pressure and level (confirmed by the DIAS-P display) and associated alarms would provide indication of the need to manually initiate reactor trip and safety injection. A reasonable estimate of this response indicates that manual actuation of the reactor trip would occur within 2 minutes after the low pressurizer pressure alarm is generated at 1825 psia. Safety injection would be actuated within 14 minutes after the low pressure
l 4 i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 13 of 100 alarm. Also, two RCPs would be tripped at 15 and 21 minutes following this alarm. For the limiting LOCA addressed in this evaluation, these times correspond to manual actuat!?n of a reactor trip within 3 minutes, safety injection within 15 minutes, and RCP trip within 16 and 22 minutes of event initiation. For a CEA ejection, the DPS would provide an immediate indication and alarm of the power excursion, which would be followed by indications associated with a LOCA. A reasonable estimate of the response tinie s indicates manual actuation of a reactor trip at 2 minutes and safety injection at 15 minutes after the CEA ejection. For the letdown line break the following alarm, provided by the DPS, would ' alert the operator immediately of the event: Letdown line low pressure alarm (downstream of the break). A few seconds later, the nuclear annex high radiation, high temperature and high humidity alarms would be triggered. Within a few minutes, alarms indicating pressurizer low level, high sump level in the nuclear annex, and a low level in the volume control tank would occur. Based on these alarms and indication of a continued letdown flow with a continued ! I decrease in pressurizer level, the operator should be able to determine the need to isolate the leak within 10 minutes. The operator is estimated to attempt isolation via the ESF-CCS, determine that this has failed and initiate isolation via the hardwired controls within 15 minutes of event initiation. . For the steam generator tube rupture, as discussed in the Reference 2 evaluation, isolation of the affected steam generator is normally
J l l i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 14 of 100 initiated by operator action, per the emergency procedures. - The DPS provides high' radiation alarms . and indications appropriate for . these - i actions. The delays involved in determining a lack of response to the ESF-CCS MSIS signal.and initiation of manual closure of the main steam e isolation valves via the hardwired controls and termination of normal feedwater flow via the P-CCS would not cause radiological releases to exceed 10 CFR 100 guidelines. l i 2.5 Non-LOCA Coolability Criterion ; i The coolability criterion used for non-LOCA events is the.10 CFR 50.46 limit of cladding temperatures less than 2200'F. DNBR, although not used , as a coolability criterion, was used as an indicator that the 2200'T limit , was not violated in cases where the DNBR remained above the specified acceptable fuel design limit of 1.24. l 2.6 Event Definitions e For breaks in small lines (e.g., the 6" pressurizer safety valve line) the capability of the diverse equipment and -operator action to provide , protection are evaluated. The core coolability acceptance criteria used l are the 10 CFR 50.46 criteria. Operator action is credited to mitigate ] the event and realistic assumptions are made regarding initial operating conditions and equipment operability. The event was also evaluated with respect to offsite doses. Steam line breaks outside containment are considered, including . the double-ended break of a main pipe. The steam line break is considered for its impact on core overpower, core coolability, offsite doses and peak RCS
4 't CMF EVALUATION FOR LIMITING FAULT EVENTS Page 15 of 100. pressure. Operator action is assumed at 30 minutes to perform steam and . i feedwater line isolation, and safety injection actuation using available, ; diverse equipment. , Double-ended feedwater line breaks are considered inside containment. , check valves inside the containment prevent steam generator blowdown for.- breaks outside containment. Hence, the feedwater ' line break 'inside , containment and downstream of the check valves is evaluated for-its impact I on containment pressure. The: evaluation assumes the-lack of automatic steam /feedline isolation and the continued addition of main feedwater to the steam generators. The acceptance criterion is the ASME Service Level C stress limit which corresponds to approximately 145 psia. L The letdown line break outside containment and the steam generator tube rupture events are slow depressurization events for which the control i systems have more significant benefit. These events allow'at least 30 minutes for operator intervention without fuel damage. f The loss of flow, RCP shaft seizure, RCP shaft break and CEA eje'c tion (without primary system rupture) events were evaluated crediting the best- I estimate overpower margin of about 135% in the system 80+ design. This allows these events to result in minimum DNBRs above the specified acceptable fuel design limit. In addition to DNBR, the CEA ejection event was evaluated with respect to core coolability and fuel enthalpy. ~ For the CEA ejection event with primary system rupture, the event-was evaluated with respect to 10 CFR 50.46 criteria and offsite dose consequences. I I l
-. . ~ . . . _ _ . . . . _ . . . . _ . . _ _ . _
CKF EVALUATION FOR LIMITING FAULT EVENTS Page 16:of 100 ! TABLE 2-1 KEY INDICATORS OF CRITICAL FUNCTION STATUS t ! DISPLAYED CONTINUOUSLY VIA DIAS-P 1 i Sr.nsed Parameters: j RCS Pressure j Coolant Temperature (Hot) l Coolant Temperature (Cold) Containment Pressure (Wide Range) Containment Pressure (Narrow Range) Steam Generator Pressure Steam Generator Level (Wide Range) Pressurizer Level Neutron Flux Power Level (Safety Channels) Reactor Cavity Level RCS Rad'intion Level Containment Area Radiation Containment Hydrogen Concentration Containment Isolation Valve Status Emergency Feedwater Storage Tank Level Calculated by PAMI computer: Core Exit Temperatures Reactor Vessel Coolant Level RCS Subcooling
3- . f -t
- i
+
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 17 of 100 t
+
r
?
8 A- , 8 l - - ~m-s, .
- I %-
-r i _ _x .!
&.J .$ $
3 i
- r. ~
e " 5
-- wS5 "I Wi-(*'25 zu Q D.:
eta I h. EIg: (d oz-.:I' e5 I" x- ry, *s. 3re-n.< , a
.c -
a W1 c- . t .;Y E ex -
.---__p_-____,_____-_J------ T------ 1---- WY" !
I i a ji- , I I l -1 E'= - I i I i y{ ,._2 u e ~8 i .i I *
,n ,
I i sc ?8 .I l-Sr - -
' .05' l, I 'l , '3 i o I am i i ts:- i q .- _ .- - _ _ . 1. 7 _ - - - - - _ _ q - SQ i e'
u I
.I l il il I l' Ng"o i il 31 - l' i =
E I I 11 st ~ l l 1 i I i 18 ii si. 3 I =y O. 1 I 31 5 8 '- . l I ji
- i I
~
g I .gi I -I .!
>- --, se 3 l- si i .. I ,
Of I Il 1 l j O e e i 11 ' i t C 1 I i ll l
=
u i
- I '
;w I I ! , I ll 1 j ru < 1 3 s e r- - - -
l ll .g g l u A t- l l
. , tI 1 ai a ..t 20 L. $ 0 v
l e ll i t i I II i n a e v r o 4-g= t= H 11 i i 11 4. h. .
~>- * .11 l l[ A tl' - !
k< .E' E 11 ! g ll Y E I i m p m-
- l. i. !. -- i,- i, l 1
>= "
..; e e p-. i -
I'-*j *~ [@fi . . i f@!. =E ? .- r :-- z
- E
~
q( . 3 i
,E. ( y EI, .
o i ao
.s..
g M M 1 0 g I
.. : I m ll1 -e 'y ..-
Of 111 I ~ " 1 1 y *~ . m . ,666, E
. ; 4... . . . .
ca 1
- 1 O -
gE af * "
- T
~ 6 W'% c ,
=Wy Y 25 .C, g.. -
y:
.". Ao -
M 00C , E= a> W M 0 % o
,y. ,.- --.-,tr- - - t , w wyv i wv y -g--g -- *y g -
y rw-y--,-vg1 y ew'-* *T--tw= W- '-w'*wt-p ---e'rer-y
l .I I i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 18 of 100
- 3. INDIVIDUAL EVENT EVALUATIONS ,
I 3.1 Total Loss of Forced Reactor Coolant Flow -i i 3.1.1 Identification of Events , This ev. _,t.aused by the simultaneous loss of power to the 13.8 KV , electrical buses supplying the Reactor Coolant Pumps (RCPs).' The only credible failure that can result in the simultaneous loss of power to these buses is a complete loss of of fsite power- to the unit main and l auxiliary transformers that would also result in a turbine-generator (T/G) trip and loss of normal electrical power to station equipment. ' The postulated common mode software-failure is assumed to preclude PPS initiation of a reactor trip on low RCP speed. However, upon the T/G trip, a rapid reduction in reactor power would be initiated by the Reactor Power Cutback System (RPCS). A full react.or trip would occur soon thereafter, as follows. The loss of normal electric power to station equipment would include the j 4.16 KV non-safety buses that power the motor-generator sets that provide power to the Control Element Drive Mechanisms. As discussed in the Reference 2 evaluation, on loss of power, the Control Element Drive Mechanisms (CEDM) motor-generator sets would begin to coast down and an under voltage relay would open an output breaker. This would cut power to the CEDMs, allowing the control rods to drop into the core by gravity. Even quicker action would be taken by an output contactor on each motor-generator set, that will open at four seconds after power is lost on the bus, cutting power to the CEDMs and causing the CEAs to drop into the core at that point. I 1 1 1
f l l CMT EVALUATION FOR LIMITING FAULT EVENTS Page 19 of 100 , .l ~ 3.1.2 Analysis of Effects and Consequences ; e i A. Mathematical Models I The NSSS response to a total loss of reactor coolant flow was simulated using the CESEC-III computer program. The minimum DNBR was calculated f using the CETOP computer code which uses the CE-1 CHF correlation. These codes are described in Section 15.0 of CESSAR-DC. l r B. Input Parameters and Initial Conditions i The input parameters and initial conditions used to analyze the NSSS i response to a total loss of flow are presented in Table 3.1-1. i s C. Results
- +
l The dynamic behavior of important NSSS parameters following a total loss of reactor coolant flow is provided in Figures 3.1-1 through 3.1-5. The loss of offsite power (assumed to occur at 1.0 second) causes the plant to ! experience a simultaneous turbine trip, loss of main feedwater, condenser inoperability, and a coast down of all four reactor coolant pumps. At 5. 0 l seconds power is interrupted to the CEA holding coils. Shortly thereafter, the CEAs begin to drop resulting in a rapid reduction in core power. The reduction in reactor coolant flow together with the core being maintained at full power preceding CEA drop results in a degradation in DNBR. The minimum DNBR of 1.74 occurs at 6.9 seconds. Subsequent to this minimum, the DNBR continuously increases until 30 minutes at which time the operator is assumed to take control of the plant. ~ Figures 3.1-1 through 3.1-5 demonstrate that the plant remains in a steble condition I for at least 30 minutes. l i l 1
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 20 of 100 3.1.3 Conclusions The minimum DNBR was 65own to remain well above the specified acceptable' fuel design limit of 1.24 ensuring that no fuel f ailures occur. Also, the plant was shown to remain in a stable condition for at least 30 minutes ensuring that the operator has sufficient time to take control of the-plant in order to execute a controlled cooldown. l l l l i l' l 1
i I 1 i 1
-1 Page 21 of 100-CMF EVALUATION FOR LIMITING FAULT EVENTS d
TARI.E 3.1-1 ~ , LOSS OF RCS FLOWRATE } t INPUT PARAMETERS AND INITIAL CONDITIONS i
?
I
' PRESSURIZER PRESSURE 2250 PSIA COLD LEC TEMP 5567 VESSEL FLOW RATE 461,200 GPM .
I CORE POWER- 3914 MWt t ASI - 0.07 I FR 1.50 I i 4
~
6 5 h l-t f b k i t l t
- .4, - , .--r.w-+me,,. e ---e- - . . --.w--, ve< wn
i i r
)
I l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 22 of 100 3.0 - l 2.8 - 2.8 - 2.4 - ! i a: l
@ 2.2 - >
ca 1 2.0 - I 1.8 - 1.6 - , i 1.4 - i i i 1 1.2 - 1.0 i , , , , , , , , , , , , , 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 TIME. SECONDS 4
- LOSS OF OFFSITE POWER Figure h& /b U WITH NO RPS ACTUATION MINIMUM DNBR vs TIME 3.1-1 !
I
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 23 of 100 I d 1.2 _ 1.1 2 1.0 _ 3: : o - g 0.9 - _ w - o 0.8 - - O ~ I O w 0.7 _ N - 3 _
< 0.6 -
2 - E o : z 0.5 - 0.4 -
~
0.3 _ _
~
0.2 . i,,,,,,,,,,,,i,,,,,,,,,,,,,, 0 3 5 8 10 13 15 TIME, SECONDS l l l l
= LOSS OF OFFSITE POWER Figure I
WITH NO RPS ACTUATION
! NORMALIZED CORE FLOW VS. TIME
^
s i 2 CMF EVALUATION FOR LIMITING FAULT EVENTS Page 24 of 100 ; 120.0 _ l
- +
ii 100.0 h '
- b t
80.0 i H z m o w i S 60.0
,t C
W i 3 t O i D-40.0 - i t
- 1 20.0 f i
~
0.0 O.0 200.0 400.0 600.0 800.0 1000.0 1200.0 1400.0 1600.0 t TIME, SECONDS : t w LOSS OF OFFSITE POWER Figure ; E mFJ" dg8 / WITH NO RPS ACTUATION P0k'ER, PERCENT 3.1- 3
'l 1
I
's CMF EVALUATION FOR LIMITING FAULT EVENTS Page 25 of 100 2800.0 _
I i i 2600.0 2400.0 I' I 5 m 1 t c , cf ! m t-w 2200.0 ~ [ i n i en o C . 2000.0 - t l
- g i 1800.0- r- !
l
' ' ^" " '" ' " ' ' "' '"
1600.0 0.0 200.0 400.0 600.0 800.0 1000.0 1200.0 1400.0 1600.0 TIME, SECONDS l
= LOSS OF OFFSITE POWER Figure WITH NO RPS ACTUATION
/
EUE 3.1 ! JM RCS PRESS PSI.A
l l
-l l
i i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 26 of 100 640.0 _ ! l t 620.0 i u. 6 o 600.0 . o ($ 1 ~---- -- g w ] i-in -
@ 580.0 t
560.0
' ^' ' * " " ' " ' " " ' " " " ' " ' " ' ' ' " ^" "" " ' "
540.0 0.0 200.0 400.0 600.0 800.0 1000.0 1200.0 1400.0 1600.0 , TIME, SECONDS I
~ LOSS OF OFFSITE POWER Figure ;
3M /h u WITH NO RPS ACTUATION RCS TEMPS, DEG. F 3.1 -5 1 l l i l l I u _ - _
1 CMF EVALUATION FOR LIMITING FAULT EVENTS Page 27 of 100 3.2 Single RCP Shaft Seizure / Shaft Break ) 3.2.1 Identification of Events l i A single reactor coolant pump shaft seizure can be caused by seizure of the upper or lower thrust-journal bearings. A single reactor coolant pump i shaft break could be caused by mechanical. failure of the pump shaft. 3.2.2 Analysis of Effects and Consequences , i. A. Mathematical Models The NSSS response to a reactor coolant . pump shaft seizure / break was , simulated using the CESEC-III computer program. .The minimum DNBR was calculated using the CETOP computer code which uses the CE-1 CHF i . l correlation. These codes are described in Sect. ion 15.0 of CESSAR-DC. ; l l B. Input Parameters and Initial Conditions c s The input parameters and initial conditions used to analyze the NSSS response to a reactor coolant pump shaft seizure / break are presented in Table 3.2-1. j l o t \ l I i l l l l l
4 . i P t CMF EVALUATION FOR LIMITING FAULT EVENTS Page 28'of'100 i C. Results [ r , The dynamic behavior of important NSSS ' parameters following a reactor 7 coolant pump shaft seizure / break are provided in Figures ' 3.2-1 through > 3.2-7. The reactor coolant pump shaft seizure / break results in a rapid decrease in reactor coolant flow. The flow reduction terminates within a few seconds and stabilizes at a flow of approximately 75% of the initial ; flow. The reactor is assumed not to trip due to the CMF. ~ The flow reduction results in a degradation in DNBR. The minimum DNBR of 1.59 occurs at 4.2 seconds. Subsequent to this minimum, the DNBR slowly increases until an essentially constant value is reached. At 30 minuces the operator is assumed to trip the reactor at which time the DNBR will again increase. The operator will.then perform a controlled cooldown of the plant. Alarms and indications would be provided via equipment not' f affected by ' the CMF to support operator action to trip the reactor. Figures 3.2-1 through 3.2-7 demonstrate that the plant remains in a stable condition for at least 30 minutes. 3.2. 3 - Conclusions j The minimum DNBR was shown to remain well above the specified acceptable 7 fuel design limit of 1.24 ensuring that no fuel f ailures occur. Also, the plant was shown to remain in a stable condition for at least 30 minutes ensuring that the operator has suf ficient time to trip the reactor and , take control of the plant in order to execute a controlled cooldown. i I i i
I \ CMF EVALUATION FOR LIMITING FAULT EVENTS .Page 29 of 100 l t b emar.m 3.2 1 a t. SINGLE RCP SEAFT SEISURE /many , INPUT PARAMETERS AND INITIAL CONDITIONS-l PRESSURIZER PRESSURE 2250 PSIA i l 1 COLD LEG TEMP 5 5 6*F i , l VESSEL FLOW RATE 461,200 GPM l CORE POWER '3914'MWt i [ ASI - 0.07 - I I FR 1.50' l l -i ' t I
?
l b r i f
?
I , t i i I
+
* =.e ..r-.-s .m _. , , . , _ , . , , . , . , , , , , , , , . , , , , , , , , ,m.,,. ,.
.- . - . - _~ ..
I f l 1 CMF EVALUATION FOR LIMITING FAULT EVENTS Page-30 of 100 l 3.00. _ ! 2.50 ;
!- i 2.00- , )
L ! i i C - b a - z 1.50- r i O - 1
- l
- I l
1.00 ; 0.50
-~
e
, , , , ,,, ,,,,i , ,,,a ,, ,, ', ,,, ,,
0.00 60 0 12 24 36- 48 TIME, seconds
~
SHAPT SEIZURE / BREAK
/ WITH NO RPS ACTUATION DNBR 3.2-1.
I CMF EVALUATION FOR LIMITING FAULT EVENTS Page 31 of 100 I l 3.00 _ 5
. i l
2.50 7 l 1
- I
~
I 2.00 7 1 a-m z 1.50 7 51 l 0 - i l
- j 1.00 7 l
O.50 7 0.00 0 360 720 1080 1440 .1800 TIME, seconds l l i
Figure !
SHAFT SEIZURE / BREAK [ l WITH NO RPS ACTUATION 3. 2- 2, ' JF4 < oN8R i l L
CMT EVALUATION FOR LIMITING FAULT EVENTS Page 32 of 100 4 'l i 1.10 _ o
.i
- -i 1.00 h -
I 0.90 . i 8 E .; o
._ 0.80 - -
u_ , 1 0.70 0.60
.l 0.50 O 12 24 36 48 60 .!
TIME, seconds 1 SHAFT SE1ZURE/ BREAK 3Ya / WITH NO RPS ACTUATION RCS FLOW, FRACTION 3.2-3 , i
r CMF EVALUATION FOR LIMITING FAULT EVENTS Page 33 of 100 ; 1.10 _ , 1.00 f 0.90- h i f
- i c
.e _
13 - m -
. 0.80- b 3: :
o - d ' 0.70 h
~
- i 0.60 l
0.50 O 360 720 1080 1440 1800 TIME, seconds - SHAFT SEIZURE / BREAK
/ WITH NO RPS ACTUATION RCS FLOW, FRACTION 3.2-4 ilt N:-. .- .- . .. _ . . - .
CMT EVALUATION FOR LIMITING FAULT EVENTS Page 34 of 100 1 2500 _ m l- 2400 h - I l i 2300 l- es i !i g
- a. -
m - E - D 2200 - m : m . m _ C -
~
2100 r e um 2000 h 1 1 1900 O 360 720 1080 1440' 1800 l TIME, seconds ; I i l l e v
-d.
T Figure SHAFT SEIZURE / BREAK WITH NO RPS ACTUATION 3,2.'y I jfd w RCS PRESSURE,. PSIA. -+
?
l l l
'1 I
i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 35 of 100 ; J l 110 -
)
- - i i _
i _ i
- j
- I l
100 F u r
~
\
1
, i
~
l l 90 7 i E -
.g :
l B : \ o.- _
)
d 80 7 i 3 o n.
~
f 1 70 - 60 r l -
~
50 0 360 720 1080 1440 -1800 TIME, seconds 1 t l 1 l l l 1es Figure SHAFT SEIZURE / BREAK Jg / WITH NO RPS ACTUATION' POWER, PERCENT 3* M 1 l
I i i i
)
r t CMF EVALUATION FOR LIMITING FAULT EVENTS Page 36 of 100 l
. i, 700 _
- L
-650 -
t
- y. .,
600 - 1 en N-
)
c) - V - ui : 1 3< 550 K w
- n. -
2 - w - l ~ l i 500 _
- \
t l : 1 450 7 ! b
, , ,i,,,,,,,,,i ,,,,,,,,1 .. ,,,i, 4 , . - -
0 360 720 1080 1440 -- 1800 i TIME, seconds l SHAFT SEIZURE / BREAK WITH NO RPS ACTUATION 3;;_7 RCS. TDiPERATURE, DEC. F
-l l
l
-l l
l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 37 of 100 I i i 3.3 CEA Ejection I
-\
3.3.1 Identification of Events j l I l l A CEA ejection results from a circumferential rupture of the control ! element drive mechanism (CEDM) housing of the CEDM nozzle. However, the case presented in this section does not assume rupture in the primary system. The consequences of a CEA ejection event resulting in primary system rupture are discussed in Section 3.8. 3.3.2 Analysis of Effects and Consequences A. Mathematical Models The NSSS response to a CEA ejection event was simulated using a method of , l analysis based on that referenced in Section 25.0.3 of CESSAR-DC. i B. Input Parameters and Initial Conditions l The input parameters and initial conditions used to analyze - the NSSS ! ! I l response to a CEA ejection event are presented in Table 3.3-1. )
-I l
I w
I l l l !' CMF EVALUATION FOR LIMITING FAULT EVENTS Page 38 of 100 i l
.i l'
C. Results The dynamic behavior of important NSSS parameters following a CEA ejection event is provided in Figures 3.3-1 through 3.3-4. The ejection of the CEA l causes the core power to spike to approximstely 117% in less than 100 ms. The reactor coolant system pressure increases due to the increase in RCS temperatures caused by this power spike. The pressurizer pressure peaks at approximately 2280 psia within a few seconds of event initiation and is then reduced to nominal operating values by the pressurizer sprays due to the-action of the pressurizer pressure control. system. 'The Doppler and l moderator reactivity feedback due to the heatup caused by the pow &r spike, l coupled with the constant turbine power demand, . result in core power f alling back to re-stabilize at 100% power within approximately 90 seconds ] i i l following event initiation. The DNBR decreases rapidly following the )' i power spike caused by the ejected CEA. The minimum DNBR is greater than 1.5, thus no fuel failures would be expected to occur. Subsequent to the minimum, the DNBR increases due the reduction in core power. The peak 1 clad temperature obtained during the transient was less than 700'F, well l below the 2200'F limit. Also the peak centerline temperature was less than 2 800*F , which is approximately half of that at which fuel melting could occur. The peak radially averaged fuel enthalpy was. less than 40% of the 280 cal /gm value normally used for event acceptance. The . resulting radiological consequences of the CEA ejection event are bounded by the doses presented in Section 3.8, since no fuel failure was predicted to occur. At 30 minutes the operator is assumed to take control of the plant ! in order to trip the reactor and execute a controlled cooldown.
)
i I I
- . ~ . - - _ - . -- .. -
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 39 of 100 1 l 3.3.3 Conclusions I The minimum DNBR was shown to remain well'above the specified acceptable . fuel design limit of _1.24 ensuring that no fuel failures occur. Also, the . peak cladding temperature was shown to be well below the 2200*F limit. No I fuel melting occurred . and the peak radially averaged fuel enthalpy I remained less than 280 cal /gm. The radiological consequences for this j event meet'10 CFR 100 guidelines. The maximum RCS pressure was well below ; i i the Service Limit C value as defined in the ASME Code. 1 i ! l l I f 9 '
---y -
7 - ~ , ,3 n 7 n - - w ar. s , ,e y,
i i i 1 l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 40 of 100. i. l TABLE.3.3-1 CEA EJECTION INPUT PARAMETERS AND INITIAL CONDITIONS I i PRESSURIZER PRESSURE .2250 PSIA ' COLD LEG TEMP ' 5567 VESSEL FLOW RATE 461,200 GPM-CORE POWER 3914 MWt ASI - 0.07
'i FR PRE-EJECTED = 1.0 l l
POST-EJECTED.= 1.75 i I 1 l d I ( l l l- 'l 1.. l 1 y am- + -m- ---r4%- -- wr y ., -. y. p y y- .e .-- y. -p +-epr--- -ey >-mp .m y
l l r i ! i F. : I I -' CMF EVALUATION FOR LIMITING FAULT EVENTS Page 41 of'100-
- 2.0 4!
'i
. i
.i t
9 1.5 - , a: w i
- s O .
w- .
.c w '
W m 1.0 -
\ -!
o U z c U '. i 5 m I l 0.5 - 0.0 3 i aii . 4 iiiiiiiiiiiiiiiiii i: iiiiiiiii.i iiiaii 0 400 800 1200 -1600 2000 l TIME, SECONDS , l 'l i. I I Figure i CEA EJECTION WITH NO RPS/ESTAS' ACTUATION 3 3-I JM core AVERAGE POWER VS. TIME u. l
~l
I : L i t { l CMF EVALUATION FOR LIMITING FAULT EVENTS ~ Page'42 of 100 5-
-1 I
4-3- a: m z - m 2-t l 1-
~
l j l- '1 L 0 . -,,i. .i .. ... . . ... -.. ,i. .. ..i.... .... j O' 400 800 1200 1600 2000' TIME, SECONDS 1 i I g l Figure
'CEA EJECTION WITH NO RPS/ESFAS-ACTUATION-jyj 'MININUM DNBR VS. TIME 3.3-2 l
l
=
l. j l
, . .. , , .. . ~ . . - - _ _ . . , .- _ . ..
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 43 of 100: 664 - 662 - I 660 - L - en d 656 - Ec
. 656 -
w E - s 654 -
-ha 6
~
P
- g. 652 -
z,
-c ,
t c 5 j 650 - v
~
a - w
@ 640 - ,
646 - 'f
. .i 644 - l t
~
f 642 - t 640 i,,,,,,,,,,,,,,i,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, 0 400 800 1200 1600 2000 . TIME, SECONDS 1 i
- n. . Figure '
JM / CEA EJECTION WITH NO RPS/ESFAS ACTUATION' MAXIMUM CLADDING SURFACE TEMPERATURE VS. TIME
.. . -. . ~. . .
CMF EVALUATION FOR LIMITING TAULT EVENTS Page 44 of 100 2600 , 2700 - I 2600 -
~
t w
- l <
un 2500 - w - w ! w
~
! 2400 - ! I g E'! i:- N w 2300 - b - l H l ig 2200 - , ! a . I e i w w 2100 - a , w 5 2000 - r i-1900 - , 1800 - I 1700 ..ii,,,,,3i,iiii iiiiiiii .ii;iiiiiiiiiiiiiiiiiii 0 400 600 1200 1600 2000 l TIME, SECONDS i i
= . .
Figure CEA EJECTION WITH NO RPS/ESFAS ACTUATION 3M MAXIMUM' FUEL CENTERLINE TEMPERATURE VS, TIME I
CMF EVALUATION FOR LIMITING FAULT EVENTS.' Page 45 of 100 l I 3.4 Letdown Line Break outside Containment , t 3.4.1 Identification ot. Events Direct release of reactor coolant may result from a break or leak outside containment of a letdown line, instrument line, or sample line. The double-ended break of the letdown line outside containment, upstream'of the letdown control valve was selected for this analysis because it is the - largest line and, thus, results in the largest release of reactor coolant outside the containment. A letdown line break can range from a small crack in the piping to a complete double-ended break. 1 The cause of the event may be attributed to corrosion which forms etch pits, or to f atigue cracks resulting from vibration or inadequate welds. 3.4.2 Analysis of Effects and Consequences I A. Mathematical Models i The NSSS response to a letdown line break event was simulated using the CESEC-III computer program. The minimum DNBR was based on the results of the steam generator tube rupture event results (see Section 3.5 of this I i report). The DNBR for the steam generator tube rupture was calculated using the CETOP computer code which uses the CE-1 CHF correlation. These codes are described in Section 15.0 of CESSAR-DC. l I l B. Input Parameters and Initial Conditions I l The input parameters and initial conditions used to analyze- the NSSS-response to a letdown line break event are presented in Table 3.4-1.
l I CMF EVALUATION FOR LIMITING FAULT EVENTS Page 46 of 100
- c. Results i
The dynamic behavior of important-NSSS parameters following a letdown line { break is provided in Figures 3.4-1 through 3.4-3. The letdown line break l causes the RCS pressure to decrease due to the loss of primary coolant f inventory out the break. The pressure decrease is arrested due to the i action of the pressurizer heaters. However, the pressuriaer liquid level . l continues to decrease. The, small pressure decrease' does cause a { i degradation in DNBR. This degradation is bounded by the-results of the j steam generator tube rupture event presented in Section 3.5lof this report' , since both events are loss of reactor coolant inventory events and the , tube rupture results in a much more significant reduction in pressure and-thus DNBR than does the letdown line break ' event (see Figure 3.5-1). Since no fuel failures were experienced in the tube rupture analysis,.and , in the Chapter 15 analysis event termination was assumed to be initiated ., manually at thirty minutes via isolation of the letdown line; the radiological consequences of this event will be bounded by those presented in S.ction 15.6.2 of CESSAR-DC. The capability to perform this isolation ; will be available with a CMF since the hardwired manual controls prohsed , in Reference 6 will be augmented to include a switch for closing a letdown isolation valve and containment purge valves. 3.4.3 Conclusions The minimum DNBR was shown to remain well above the specified acceptable fuel design limit of 1.24 ensuring that no fuel failures occur. Also, the plant was shown to remain-in a stable condition for at least 30-minutes ensuring that ttie operator has sufficient time to take control of the 1 plant in order to execute a controlled cooldown. The radiological i r:ensequences meet 10 CFR 100 guidelines. e --- e ei- -- -- --a w w-- , s'w i<-y e w- ,,,9,,ig
i J I Page 47 of 100 ) CMP EVALUATION FOR LIMITING FAULT EVENTS-l s Y 5 ematz 3,4-1 , LETDOWN LINE RREAK , INPUT PARANETERS AND INITIAL CONDITICIIS - j l CASE FOR , l ' MINIMUM DNBR l PRESSURIZER PRESSURE 2250 PSIA COLD LEG TEMPERATURE 5 5 6*F - i VESSEL FLOW RATE 461,200 GPM ;
- i CORE POWER 3914 MWt ASI - 0.07 I
FR 1.50 J i i J l l l l l l l l l I . l 1 i j 1
~
i I l I l i
+ e -- -. ,n -
. -- .~
r --nw.,--., ..+ma ---~ en-,- y-,- y-
,.-a s n a ~ . . , .- -. n+
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 48 of 100 2500 - 2400' r i
)
i a a. 2300 r ui : c p. m e : E- 2200 r
- n. ..
e - w - . N : a - D ' th - ! m 2100 r w c- :
- c. _
l : l- : l 2000 r i k 1900 r l '' 1800 ''''''''''''''''' ' ' ' ' O 300 600 900 1200 1500 1800 TIME, SECONDS -
- LETDOWN LINE BRE AK, OUTSIDE CONTAINMENT, Figure UPSTREAM OF LETDOWN LINE CONTROL VALVE 3.4-1 PRESSURIZER PRESSURE vs TIME'
i
)
f i i i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 49 of 100 i t ! r l 30 _ _ i
- i
~
25 i i - i i W -
% 20 :
d 1 t g - 3 e _ w _. i Q _ l 3 15 i e y U - m - o w t m - , w _ E 10 a 5 , i _ l we 0 0 300 600 900 1200 1500 1800 TIME, SECONDS
~
LETDOWN LINE BREAK, OUISIDE CONTAINMENT, 9#* UPSTREAM OF LETDOWN LINE CONTROL VALVE 3.4-2 PRESSURIZER WATER LEVEL vs TIME ! l
~ - .
l
)
CMF EVALUATION FOR LINITING FAULT EVENTS Page 50 of 100 , i 1 I 60000 _ j ( : (
- i
- l 50000 E :
r 3 : , l or : I O _
\
c . I 40000 7 l l O - 1 i E - o - 4 j 1
.J ~
o 30000 r O . N< E - E2 : !
- a. _
i g 20000 - W - c - 0 - w
~
10000 r i i 1 l 0 V '1' ' 't f' t 'f 0 300 600 900 1200 1500 1800 TIME, SECONDS I
- LETDOWN LINE BREAK, OUTSIDE CONTAINMENT, - Figure f UPSTREAM OF LETDOWN LINE CONTROL VALVE INTEGRATED PRIMARY COOLANT OtSCHARGE vs TIME 3.4-3
- _ _ _ _ _ _ _ _ . _ - _ _ _ . . m y- g
1 i I i ! 1 l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 51 of 100 > 3.5 Steam Generator Tube Rupture 9 5 3.5.1 Identification of Events - 1 0
- The Steam Generator Tube Rupture (SGTR) accident is a penetration of the
- barrier between the RCS and the main steam system and results from the
- a f ailure of a steam generator U-tube. The most likely failures involve the 1
formation of etch pits or small cracks in the U-tubes or cracks in the i i welds joining the tubes to the tube sheet. However, for this evaluation 'l 4 a double-ended rupture is assumed as this is most limiting. i 3.5.2 Analysis of Effects.and Consequences. A. Mathematical Models. The NSSS response to a steam generator tube rupture was si.mulated using the CESEC-III computer program. The minimum DNBR was calculated using the !
)
CETOP computer code which uses the CE-1 CHF correlation. These codes are ; d described in Section 15.0 of CESSAR-DC. B. Input Parameters and Initial Conditions The input parameters and initial conditions used to analyze the NSSS-i response to a steam generator tube rupture are presented in Table 3.5-1. i l C. Results i i The dynamic behavior of important NSSS parameters following a steam generator tube rupture is provided in Figures 3.5-1 and 3.5-2. This evaluation focuses on the determination of the minimus DNBR since the
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 52 of 100 radiological consequences of this event will be bounded by the CESSAR-DC , Section 15.6.3.1 event if no fuel failure occurs. The Chapter 15 event l assumed an early reactor trip as this was determined to be limiting with respect to radiological releases. Thus a trip at 30 minutes due to a CMF would result in less adverse consequences provided the affected steam , generator can be isolated. Stwam generator isolation can be assumed to occur at 30 minutes with a CMF due the addition of the hardwired manual l [ controls proposed in Reference 6. Upon rupture of a steam generator tube, the RCS pressure decreases due to the decrease in RCS inventory. This reduction in pressure results in a degradation of DNBR. This degradation continues until 30 minutes at which time the operator is assumed to trip the reactor and isolate the affected steam generator. The minimum DNBR of 1.35 occurs at 30 minutes. Since the DNBR remains above the specified acceptable fuel design limit of 1.24 no fuel failures occur. Thus, the consequences of a steam generator tube l rupture event with a CMF are bounded by the Chapter 15 event. Steam generator overfilling for this event prior to operator action will be prevented by the feedwater control system. ' Subsequent to operator action, utilizing the methods recommended in the Chapter 15 analysis will prevent overfilling. ; 3.5.3 Conclusions l The minimum DNBR was shown to remain well above the specified acceptable fuel design limit of 1.24 ensuring that'no fuel failures occur. Also, overfilling of the affected steam generator will be prevented. Since the radiological consequences are bounded by the Chapter 15 analysis, the offsite doses meet 10 CFR 100 guidelines.
+ $ wc -, _m. y + m--+--$mya w,--s--3 ve w g- p- w -;
i l l t I i i l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 53 of 100 l i 1 i I ! TABLE 3.5-1 STEAM. GENERATOR TURE RUPTURE INPUT PARAMETERS AND INITIAL CONDITIONS , l s CASE FOR MINIMUM DNBR , 4 PRESSURIZER PRESSURE 2250 PSIA' COLD LEG TEMPERATURE 5 56'F l' . VESSEL FLOW RATE' 461,200 GPM r l- ' CORE POWER- 3914 MWt l !' ASI - 0.07 FR 1.50 t l f 4 t- *w- e w -M vp t y F ^ WT
, . ~ - . . _ _
1 l i CHF EVALUATION FOR LIMITING FAULT EVENTS Page 54 of~100 l 2600.0 2400.0 - i 1 L , 2200.0 - 'l en . en ! w i E l
- cL 2000.0 i 4 I en 1 g
[ 1800.0 1600.0 t 1400.0 O.0 360.0 720.0 1080.0 1440.0 1800.0 TIME STEAM GENERATOR TUBE RUPTURE Figure f WITH NO RPS ACTUATION RCS PRESSURE VS. TIME
- m. .
4 l l l i ! i l
- f. CMF. EVALUATION FOR LIMITING FAULT EVENTS ' Page 55 of 100.- ,j
.t,j
.a I
2.5 . - _- s
,- , ~!
g : m 2.0 - Z - ! O -
'~
2 - 3 - ' j 2 ! g
- f. 2 :_
1.5 - l N l , _~ 4 i l- _ l
.l 1.0 ....... . . ....... ... ...i.i.... .
0- 500 1000 . 1500 TIME, SECONDS- ' i l l I:
- Figure STEAM GENERATOR TUBE RUPTURE f WITH NO RPS ACTUATION :
MINIMUM DNBR VS. TIME 3.5-2 i I
. . , , . e -
=m- -- ,e + r-, ,, I
- - . - - - ~.
r i CKF EVALUATION FOR LIMITING FAULT EVENTS Page 56 of 100 3.6 Main Steam Line Break 3.6.1 Identification of Events This evaluation considers double-ended steam line breaks outside I l containment. The assumed absence of a reactor prott Nion system automatic reactor trip and automatic main steam and feedwater isolation challenges-the ability to maintain core coolability. However, the nominal overpower ! margin in the core and doppler reactivity feedback which limits the power increase help to mitigate the effect of the assumed failures. 1 1 3.6.2 Analysis of Effects and Consequences i l A. Mathematical Models , l 1 The NSSS response to a main steam line break with a postulated common mode , failure of the plant protective system software was simulated using the CESEC-III computer program- (CESSAR-DC, Section 15.0.3.1.3). The CESEC results were input to the STRIKIN-II computer program (CESSAR-DC, Section 15.0.3.1.5) to calculate fuel pin centerline and cladding temperatures and into the TORC computer program (CESSAR-DC, Section 15.0.3.1.6) to calculate the minimum transient DNBR. j B. Input Parameters and Initial Conditions Table 3.6-1 presents the input parameters and initia1' conditions used to analyze the NSSS response, and the assumptions used in the calculation of ! the resultant of f site radiological doses for a double-ended break of a main . steam line outside of containment with a postulated common mode failure of the plant protective system software. I i
l l t
'l f
CKF EVALUATION FOR LIMITING FAULT EVENTS Page 57 of 100: .l i h C. Resulte : The dynamic behavior of important NSSS parameters following a double-ended .
]
break of a main steam line outside of containment with a postulated comanon l i mode failure of the plant' protective . system software is provided in Figures 3.6-1 through 3.6-6. The large energy extraction caused by the l 1 break reduces steam pressure dramatically and the turbine-generator shuts i down, terminating'. the resupply of water - to . the .. feedwater system ' via . j condensation of the turbine steam. The feedwater control' system will tend s to increase flow to the' steam generators based on the low level and high , steam. flow measured in the steam generator integral nozale/ venturis. It ! is conservatively assumed that initiation of the steam line break results in an immediate loss.cf all- feedwater heating, causing ' the feedwater. enthalpy to drop to that of.'the condenser hotwells. It - also is conservatively assumed that the feedwater system and feedwater control system are able ' to maintain the mass _ of liquid in the.-- steam generators i-essentially constant until the - entire T supply of main _ feedwater is
~
exhausted. The resulting cooldown causes a rapid increase in core power which is calculated to peak at approximately 180% power within 50 seconds of event initiation, and thereafter, reaches a plateau near that value. The transient minimum DNBR of 1.00 occurs at approximately 50 seconds. Although this DNBR value is indicative of.localiaed boiling, no credit was taken in the analysis for void reactivity feedback to reduce core power. The maximum cladding and fuel centerline temperatures follow the same trend as the power, reaching' peak. values of less than 1150*F and 4550'F, respectively, at about one minute into the transient. The mass' of feedwater in the system at the beginning of the event is sufficient'to ! supply feed to the steam generators-at a rate equal to the steam flow through the break for about 6 minutes. Thereaf ter, it is assumed that the
- . ,._ _ 2. 2. . , _ . . _ .,_ , , ,m._ _ ~. . . .
l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 58 of 100 feedwater flow is drawn from the deaerator storage tank, which is at a ; somewhat higher enthaply, until that source is also exhausted within a l little more than two minutes. Since the feedwater enthalpy is higher j during this interval, the rate of energy extraction and the resulting core power are calculated to be lower during this time period. As the feedwater in the deaerator storage tank is completely expended, the source ; of feedwater becomes the condensate storage tank, which is assumed to be j l at the same enthalpy as that of the original condenser hotwell liquid. . The core power increases again, therefore, to its original level, i remaining there until the feedwater supply is totally exhausted at 16 , minutes into the transient. The core power then drops off quickly due to the heatup that occurs with the loss of feedwater flow. The steam i generators begin to dry out. The emergency feedwater actuation setpoint is reached at 16.5 minutes. The drying out of the steam generators causes , i a large primary pressure spike, which results in a reactor trip on high pressurizer pressure by the Alternate Protection System at 17.1 minutes after event initiation. The RCS pressure peaks at less than 2950 psia within approximately 3 seconds of generation of - the high pressurizer pressure trip signal. The steam generators' are calculated to be completely dried out at 17.4 minutes into the event. Emergency feedwater delivery begins to reach the steam generators at 17.5 minutes. The reactor operator manually closes the main steam isolation valves 30 l minutes after event initiation and initiates a controlled plant-cooldown. 1 e The calculated maximum cladding and fuel centerline temperatures demonstrate that the core would remain coolable for this event. All pins with DNBRs below the specified acceptable fuel design limit of 1.24 were assumed to experience DNB. The value of minimum DNBR results in less than 6% of the fuel to be computed to be in DNB. All fuel pins in DNB are assumed to fail. To obtain bounding values for offsite radiological t I .-_
j CKF EVALUATION FOR LIMITING FAULT EVENTS Page 59 of 100 1 1 doses, however, calculations were performed using the assumption that, in j the limit, 100% of the fuel pins fail.. The resulting two hour inhalation ; thyroid dose and whole body dose. at the EAB . are 92 and 3' REN, respectively. The eight hour doses for the LPZ are 41 REM for inhalation l thyroid and 0.3 REM for whole body. These values are well within 10 CFR . 100 guidelines. 3.6.3 Conclusions The calculated maximum cladding and fuel centerline temperatures demonstrate that the core ' would remain coolable for' a main steam line j t i i break with a postulated common mode f ailure of the plant protective system i l software. Less than 6% of the fuel is computed to f ail.. Using a bounding l value of 100% fuel - f ailures, however, _results in calculated offsite ; radiological doses which are well within 10 CFR 100 guidelines. The peak
- RCS pressure remains below the Level C limit of 3200 psia.
I ! l l l 1 l l 1 I I l l ,-
. . . . . .~
i ! i CMF EVALUATION FOR LIMITING FAULT EVENTS Page E0 of 100 TABLE 3.5-1 STEAM LING marmr INPUT PARAMETERS, INITIAL CONDITIONS AND ASSUMPTIONS INPUT PARAMETERS AND INITIAL CONDITIONS . I l 1 PRESSURIZER PRESSURE 2250 PSIA l 1 COLD LEG TEMP 5567 ) VESSEL FLOW RATE 461,200 GPM CORE POWER 3914 MWt i J ASI - 0.07 FR 1.50 i
)
l l ASSUMPTIONS USED IN OFFSITE DOSE EVALUATION l MAIN STEAM LINE ISOLATION MANUALLY AT 30 MINUTES l 2004 GAP FISSION PRODUCTS RELEASED NO SG SECONDARY SIDE DECONTAMINATION FOR THE AFTECTED SG NO SG SECONDARY SIDE DECONTAMINATION FOR 30 MINUTES FOR THE INTACT SG PRIMARY-TO-SECONDARY LEAKAGE PER NUREG-0017 (REV 01): 0.00625 GPM l l EPRI URD Chi /Qs NUREG-1465 SOURCE TERM I I i { l. I I l l l r .nsu = r y
- W
i
?
e CMT EVALUATION FOR LIMITING FAULT EVENTS Page 61 of 100 , Y P 200 180 i
\ [ [
160 t i 140 l l l s i j 5 120 ) ! O cr w L - i i 100 F < w : 5 : O : a : w cc 80 r
- 2 o
- l o : -
60 f_
- i i
40 r
)
20 !-
' '1' ''i''''t''''f**''t' ''1 '' '
0 O 200 400 600 800 1000 1200 1400 1600 1800 TIME, SECONDS RJLL POWER STEAM UNE BREAK OUTSIDE CONTA!NUENT, Figure UPSTREAM OF WSNs WITH NO RPS/ESFAS ACTUATION 3.6-1 CORE POWER vs TIME i t o
1 l
.1 CMT EVALUATION FOR LIMITING FAULT EVENTS'- Page 62 of 100- -.
i 1 J i i j 400000 r _ t m 6
\
300000' { i E '
- l
>. 3
= _
}
C ; r - z t w i 3 - l
$200000 r 2 -
l
= -
O _ I
$ - I et - .}
am i z _ ; W ! o - 2 -
-7 g100000 -
!. 9 y ! 03 - I
~
f t 0 0 200 400 600 800 1000 1200 1400 1600 1800 TIME, SECONDS FULL POWER STEAM UNE BREAK OUTS!DE CONTAfNLiENT. 9#' d / u UPSTREAM OF WSNs WITH NO RPS/ESFAS ACTUATION . STE AM GENERATOR MASS INVENTORIES vs TIME 3*6~2 l' l
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 63 of 100 3000 _ :
, 1
- i 2750 7 i 2500 h 4 : ,
-m _
cL - 1 tu- _ tt _ l 5 m 2250 - uJ , CI* CL u) O cc 2000 f 1750 f 1 f I i 1 1 1 I f f f f f f 9 9 9 1 1 ! I ( ) 1 0 9 f f I I ff 1 9 I t9i ft y f f 9 1 f y 9 l f f g yj g gg g 9y g y 9 9 p g 9 0 200 400 600 800 1000 1200 1400 1600 1800 TIME, SECONDS
~
FULL POWER STEAM UNE BREAK OUTSIDE CONTAINMDJT, 9# 3M / u UPSTREAU OF WSNe WITH NO RPS/ESFAS ACTUATION RE ACTOR COOT. ANT SYSTEM PRESSURE vs TIME 3.6-3
l l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 64 of.100 l l l 650 _ 630;r CORE OUTLET 610 r [ u. p_ h590 o i \ D , i i a ; CORE AVERAGE
- n' 570 r 2 -
I
/ X 9
z< 550 - - s O : O
$530 ';
, O i H O 4 - su 510 ! hh [ \ q 490 f ' i CORE INLET l 470 r i 450 0 200 400 600 800 - 1000 1200 1400 1600 1800-TIME., SECONDS
~
FUt1 POWER STEAM UNE BREAK OUTSIDE CONTAINMDJT, Figure
/ u UPSTREAM OF MSNs W.TH NO RPS/ESFAS ACTUATION REACTOR COOLANT TEMPER ATURES(A) vs TIME
' 3'6- 4 l
l [. ., l CMF EVALUATION FOR LIMITING FAULT EVENTS Page.65 of 100.~ il. fi i 3 1 l 1 5000_ : g : HOT ROD ci w : ( \ f 1 l o - :
-4000 -
w : '
.m _ ;
o E-
-1 4 _
m - w : . . i Q-
- E 3000 -
AVG ROD-w -
't w : x , !
w z
- .i -
i
$2000 s-I:1 i Z 'i r w -
o -
- a. - !
w : - D u_ 1000_ _ i i t _- 0~ ...,iiiii........iiiiiiiiiiiiiti i>>> 1 0 400 800 1200- 1600-TIME, SECONDS l l ~ Figure FULL POWER STEAW UNE BREAK OUTSIDE CONTA!NWENT. Yb / UPSTREAM OF WSNs ETH NO RPS/ESTAS ACTUATION FUEL CENTERUNE TDAPERATURE vs. T1WE 3.6- 5 l i i.'t.
i r 9 i l CMF EVAL'0ATION FOR LIMITING FAULT EVENTS: Page 66'of 100-l t. l' ? i 1
~i
, i-1 i : i- . 1500 g .i t u_ _ 1 o w - O - HOT ROD- 1 w - i- x - i ct - 3 g 1000.- l cr w - a (L _ .: 2 - i
-w 4
' AVG. ROD' l 0
E ~' O - . O _ i
$o 500- _
I _J - W _ i D i u - l
~
l 0 .. i. ...i.. ..... ....._..._,,.......i.
- 0 400 800 1200 1600 TIME, SECONDS
~
FVU. POWER STEAM UNE BREAK dUTSIDE CONTAINuENT, F9m-UPSTREAM OF MSNs WITH NO RPS/ESFAS ACilJATION ,
.4Ya / rua cu=No TrueERATuaE w. TiuE.
u-s
l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 67 of 100 3.7 Feedwater Pipe Break 3.7.1 Identification of Events l l The feedwater line break event is initiated by a break. in ' the main feedwater system piping. The break is assumed to occur downstream of the feedwater line reverse flow check valves which are . located ~ inside containment. This location allows-a continuous. blowdown through the broken feedwater line. This analysis focuses on the containment response as the primary system response will be bounded by the results of the Section 3.6 steam line break event. 3.7.2 Analysis of Effects and Consequences i A. Mathematical Models The containment response to the feedwater line break event was simulated using the SGN-III computer program. The reference for this computer program can be found in Section 6.2 of CESSAR-DC. l i B. Input Parameters and Initial Conditions The input parameters and initial conditions used to analyze the containment response to a feedwater line break event are presented in Table 3.7-1.
-ww
CMF EVALUATION FOR LIMITING TAULT EVENTS Page 68 of 100 C. Results The containment pressure response is presented in Figure 3.7-1. Upon rupture of the feedwater line, the steam generator mass and energy released to the containment results in a rapid increase in containment pressure. In this analysis a reactor trip on high pressurizer pressure via the Alternate Protection System occurs at 23 seconds. At 120 seconds the supply of high energy main feedwater is assumed to be exhausted, thus the rate of pressure increase decreases. Steam generator dryout occurs at 490 seconds further reducing the rate of containment pressure increase. At 30 minutes two containment spray trains and main steam isolation of the af fected steam generator are assumed to be manually actuated. Containment pressure, steam generator pressure and level alarms would provide indication of the need for operator action. The actuation of containment l sprays serves to terminate the pressure increase and causes the pressure to begin decreasing. Emergency feedwater was assumed to be continuously added to both steam generators. The peak containment pressure obtained was 94 psig. This is less than the Level C limit of 130 poig. Subsequent to containment spray actuation and main steam isolation, the operator can begin a controlled cooldown using the MSIV bypass valves of the intact steam generator and the steam bypass system or the atmospheric dump valves using the hand wheels if necessary. With respect to the primary system response, the consequences of the feedwater line break are bounded by those of the Section 3.6 steam line break. The steam line break resulted in high reactor power together with the nearly simultaneous dry out of both steam generators. The resulting primary to secondary power mismatch near the time of trip is greater than could be experienced for a feedwster line break event; thus peak RCS l pressures will be lower for the feedwater line break event. With respect l i I
l l 1 I CMF EVALUATION FOR LIMITING FAULT EVENTS Page 69 of 100 i to offsite doses, since the steam line break dose calculation assumed 1004 l fuel failures - and the blowdown of both steam generators along with an l outside containment break, the offsite doses following the feedwater line ) break will be bounded by the steam line break event. l 1 i 3.7.3 Conclusions ; 1 l j i Tne peak containment pressure following a feedwater line break event 1 remains less than the containment Level C limit of 130 psig. The peak RCS - l l pressure remains less than the RCS Level C stress-limit of 3200 psia. I j Also, the offsite doses meet 10 CFR 200 guidelines. i ( l i l l l l l l l l l l l 1 i
, =vw - -, v: -- r e m,
! I i CMF EVALUATION FOR LIMITING FAULT EVENTS-- Page~70 of 100 i l I l TABLE 3.7-1 l FEEDWATER LINE BREAK > INPUT PARAMETERS AND INITIAL CONDITIONS CONTAINMENT ANALYSIS E ! Core Power 3914 MWt ; Pressurizer Pressure 2250 PSIA Cold Leg Temperature 5567 STEAM GENERATOR I I Pressure 1000 PSIA i CONTAINMENT
- Pressure 15.1 PSIA ,
Temperature 1107 Relative Humidity 10% 9 l i p,=-- I
i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 71 of 100 100 i CONTAINMENT DESIGN PRESSURE = 53 PSIG
- CONTAINMENT LEVEL C LIMIT = 130 PSIC 80 r
52 - i m - C -
\ STEAM GENERATOR
] -
_DRYOUT , m w C _ W _
\ HIGH ENERGY 40 MAIN FEEDk'ATER [
q _ EXHAUSTED l- - i z O - O - p 20 :- 1 0 O 400 800 1200 1600 2000 TIME, SECONDS . FEEDWATER LINE BREAK AT FULL POWER p WITH NO RPS/ESFAS ACTUATION' 3. 7 2 u CONTAINMENT PRESSURE VS. TIME
-- . . . ~. . , , m-- . -
CMF EVALUATION FOR LIMITING FAULT EVENTS 'Page 72 of 100 3.8 Loss of Coolant Accident . 3.8.1 Identification of Events i t For pipes which are 12 inches or larger'in diameter, a detectable. leak l would - occur significantly in advance of a major rupture. Thus, the j j operator would have sufficient time to shut down and depressurize the l plant prior to a large break occurrence. This evaluation credits this j characteristic of large pipes and the System 80+ leak. detection equipment to cope with large breaks. A failure of pipes smaller than 12 inches may not allow sufficient' time for leak detection prior-to break. .Therefore, these small break loss of coolant accidents (SBLOCAs) require additional evaluation crediting the capability of diverse equipment and operator action for mitigation. The evaluation of these small pipe breaks 7 1 conservatively envelopes the results of assumed . f ailures of piping i J flanges, valve packings'and gaskets or pump seals in pipes which are 12 i i inches or larger in diameter since'their effective-break areas are much I 1 smaller. The evaluation assumes the RCPs operate during the event until l they are manually tripped by the operator. l
~
l j 3.8.2 Analysis of Effects and Consequences A. Mathematical Models The NSSS response to SBLOCAs with a postulated common mode failure of the I plant protective system software was simulated using the CEFLASH-4AS/ REM computer program (Reference 9). CEFLASH-4AS/ REM is specifically. designed l for application to realistic analysis of SBLoCA transients. l l l t l-
I CMP EVALUATION FOR LIMITING FAULT EVENTS Page 73 of 100 B. Input Parameters and Initial Conditions I Table 3.8-1. presents the input parameters and initial conditions used to analyze the NSSS response for SBLOCAs with a postulated common mode - i failure of the plant protective system software. j C. Results I l I A realistic evaluation was performed of the response to breaks in branch lines connected to the RCS which are smaller than 12 inches in diameter. None of the breaks analyzed resulted in core uncovery for the events described in Section 3.8.1. The results of a break of the largest branch line smaller than 12 in diameter, the 6 inch pressurizer safety valve nozzle, and a break in a 3 inch cold leg nozzle are presented in this J section. The dynamic behavior of important NSSS paramaters following these SBLOCAs with a -postulated common mode failure of the plant protective system software is provided in Figures 3.8-1 through 3.8-7 for l the 6 inch break, and in Figures 3.8-15 through 3.8-21 for the 3 ' inch break. ! In addition, a 0.041 ft2 SBLOCA at the top of the upper head was analyzed in order to evaluate the potential radiological consequences of a CEA ejection with a postulated common mode failure of the plant protective i system software. The dynamic behavior of the significant NSSS parameters l for this SBLOCA is provided in Figures 3.8-8 through 3.8-14. [m l [ An assumed double-ended guillotine break of a 6 inch pressurizer safety valve nozzle results in a rapid depressurization of the RCS. The consequent moderator voiding reduces core power. As discussed in Section t l
. . . _ _ . ._ . ~ _ _ _ -
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 74 of 100 1 2.4 above, a reasonable estimate of reactor operator response would indicate that manual actuation.of the reactor trip would occur within 3 l 1 minutes of event initiation. No ' credit 'for this 'tr'ip was taken, however, I for the analysis presented here. The results presented-rely entirely on' l the moderator reactivity to shut the core down. j The most bnportant operator action for these events was found to be the , 1 manual actuation of the high pressure safety injection (HPSI) pumps. The i initiation of HPSI flow adds liquid inventory to the RCS. Also, injection of the HPSI fluid into the steam space of the partially voided reactor vessel annulus contributes to a second RCS depressur.ization. This, in turn, results in safety injection tank (SIT) discharge. The flow from the SITS adds substantial inventory to the RCS and' essentially terminates the event. A reasonable estimate of reactor operator response, as discussed in Section 2.4, would indicate that manual actuation of HPSI would take place within 15 minutes of initiation of this event. In this analysis the HPSIs were conservatively assumed to be activated 16 minutes after event initiation. Based upon the emergency procedures, no action would be taken to trip l reactor coolant pumps (RCPs) prior to reactor trip and HPSI actuation. It l . . ! l was found to be conservative for this event to delay RCP trip, once HPSI 1. l actuation had occurred. Therefore, even though the operators could be reasonably expected to trip two RCPs within 16 minutes and two more within I l l 22 minutes (section 2.4), it was assumed that all four RCPs were tripped 23 minutes after event initiation. At no time during this event is there core uncovery. Therefore no cladding ballooning or consequential cladding l rupture or high temperature oxidation are predicted. The reactor operator would initiate a controlled plant cooldown 30 minutes after event initiation. l l
,+-
l _ _
i CMF EVALUATION POR LIMITING FAULT EVENTS Page 75 of 100 i l A 3 inch break in a cold leg nozzle results in a rapid depressurization.of l the RCS. The consegaent moderator voiding also reduces core power for this event. As discussed in Section 2.4 above, a reasonable estimate of reactor operator ' response would indicate' that manual ' actuation of the- j reactor trip would. occur within 3 minutes of event initiation'. No credit for this' trip was taken, however, for the-analysis presented here. The results presented rely entirely on the moderator. reactivity.to shut the- .j
\
core down, i i
)
Considering the assumed absence of a reactor trip, the most.important i operator action for this event was found to be the manual actuation of the high pressure safety injection (HPSI) pumps . The initiation of HPSI flow . adds liquid inventory to the RCS. Also, injection of the HPSI fluid into the steam space of the partially voided reactor vessel-annulus.later in the transient contributes to a second RCS depressurization. However, this second depressurization does not result in safety injection tank discharge 1 for this event. A reasonable estimate of reactor operator response. as indicated in Section 2.4, would indicate that manual actuation of HPSI would take place within 15 minutes of initiation of this event. In Ihis
~
I l analysis the HPSIs were conservatively assumed to be activated 16 minutes i after event initiation. Based upon the emergency procedures, no action would be taken to trip I reactor coolant pumps (RCPs) prior to reactor trip and HPSI actuation. It- j was found to be conservative for this event to trip the RCPs early once HPSI actuation had occurred. Therefore, it was assumed that all four RCPs , were tripped 17 minutes after event initiation. At no time during this 1 event is there core uncovery. Therefore, no cladding ballooning or ; consequential cladding rupture or high temperature oxidation are 1 i
?
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 76 of 100 g I predicted. The reactor operator would initiate a controlled plant , i 2 . cooldown 30 minutes after event initiation. l' A 0.041 ft2 SBLOCA at the top of the upper head due to a postulated CEA ejection naturally results in a somewhat less rapid depressurization of. j the RCS than that which is calculated to occur for the break of a 6 inch > pressurizer safety valve nozzle. The general features of the event are, however, mainly the same, but more benign. The moderator _ voiding reduces I core power from the peak it reaches consequent to the CEA ejection. As , discussed in Section 2.4 above, a reasonable estimate of reactor operator response would indicate that manual actuation of the reactor trip would ; occur within 3 minutes of event initiation. However no credit was taken 3 for this trip, thus, the results presented rely entirely __on the moderator { reactivity to shut the core down. A reasonable estimate of roactor j operator response, as discussed in Section 2.4, would indicate that manual actuation of HPSI would take place within 15 minutes of initiation of this event. In this analysis the HPSIs were conservatively assumed to be activated 16 minutes after event initiation. The initiation of HPSI flow adds liquid inventory to the RCS at a rate suffielent to keep the core covered. (Since the mixture level in the reactor vessel downcomer is above the HPSI nozzles at the time of HPSI initiation, a further rapid RCS , depressurization does not occur for this event. There is, therefore, no discharge of the SITS.) Based upon the emergency procedures, no action I would be taken to trip reactor coolant pumps (RCPs) prior to HPSI I actuation. It was assumed that all four RCPs were tripped one minute after HPSI initiation. At no time during this event is there core uncovery. Therefore no cladding ballooning or consequential cladding rupture or high temperature oxidation are predicted. The reactor operator would initiate a controlled plant cooldown 30 minutes after event initiation. l
l 1 ! 1 CMF EVALUATION FOR LIMITING FAULT EVENTS Page 77 of 100 i ! t
)
An offsite dose evaluation was performed. The aasumptions utilized ~in l this evaluation are provided in' Table 3.8-1.and result in doses which ; i
?
bound the cases presented in this section. The resultant two-hour EAB. ! l thyroid and whole body doses are less than 297 rem and 3 ram, I respectively. The resultant 30 day LPZ thyroid and whole body doses are l l less than 46 rem and 0.7 ram, respectively. l l ; ! i l ! 3.8.3 conclusions j I A realistic evaluation of the response to breaks in branch lines connected ! f to the RCS which are smaller than 12 inches in diameter shows that core i uncovery is not calculated to occur for SBLOCAs with reactor coolant pump i t i operation and postulated common mode failure of the plant protective ! l l system software. Consequently no' cladding rupture or high temperature ; oxidation are predicted. Also, the SBLOCAs were shown to result in dose j l consequences which meet 10 CFR 100 guidelines. The ' hardwired manual controls proposed in Reference 6 will be augmented to include a switch' for ! closing the containment air purge valves to further reduce any potential
]
for offsite radiological releases. i l l l i 4 I r i :'
I l' i r CMF EVALUATION FOR LIMITING TAULT EVENTS Page 78 of 100 i l TARI2 3.5-1 1488 OF COOLANT ACCIDENT INPUT PARAMETERS, INITIAL CONDITIONS AND ASSUMPTIONS' i I- I I ! INPUT PARAMETERS AND INITIAL CONDITIONS j i l l l i i PRESSURIZER PRESSURE 2250 PSIA COLD LEG TEMP 5 5 6*F CORE POWER 3914 MWt . ( ! MODERATOR TEMPERATURE COETFICIENT -0.7 x 10d Ap/*F I . SITS 4 TANKS e 600 PSIA CHARGING / LETDOWN. PLCS IN AUTOMATIC ; l ASSUMPTIONS USED IN OFFSITE DOSE EVALUATION CONTAINMENT ISOLATION AND SPRAY MANUALLY AT 30 MINUTES' ANNULUS VENTILATION SYSTEM OPERATION MANUALLY IN 60 MINUTES 1 100% GAP TISSON PRODUCT RELEASE INITIATED AT 30 MINUTES PRIMARY-TO-SECONDARY LEAKAGE PER NUREG-0017 (REV01): 0.00625 GPM MAXIMUM CONTAINMENT LEAKAGE 0.5% PER DAY l l INITIAL PRIMARY COOLANT IODINE CONCENTRATION: I MICRO-CURIE / GRAM EPRI URD CHI /Qs NUREG-1465 SOURCE TERM l s i i f I
i + CMF EVALUATION FOR LIMITING FAULT EVENTS i 1.2 4 t
- t i
1.0 , i i 1
~
0.8 7 \ C - LU - 3: : 2 0.6 _ i
- : +
O _ : V 0.4 : i v 0.2 T
, ,,,,,1 1, , , l' ' ,,,,,, ,,i,, l O.0 i 0 600 1200 1800 2400 3000 i
[ TIME IN SEC l t l l l i-SBIDCA OF 6 INCH PRESSURIZER SAFETY VALVE NOZZLE j m 2 / WITH NO RPS/ESFAS ACTUATION CORE POWER VS. TIME 3,g 1 l'
T . CMF EVALUATION FOR LIMITING FAULT EVENTS Page 80 of 100 2400 _ 2000 7 1600 7 . ih -
~
II. W - C - D 1200 U) _ V) _ i W _ i C - l 1 - i i - 800 h
~
400 r l ~_ l
~
0 O 600 1200 1800 2400 3000
-TIME IN SEC l
l l 1 l- $= Figure SBLOCA OT 6 INCH PRESSURIZER SATETY VALVE NOZZLE Egfg d a sur, / WITH NO RPS/ESTAS ACTUATION RCS PRESSURE VS. TIME-3.8-2 , i ! i i l -- ,-
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 81 of 100' 47500 . 39500 31500 : O : Lu - D - l b
-J
- }
Lij - l Q 23500 e : o - d : 15500 I 7 i i - 7500 r
-500
, , , ,,t,,,, , ,,i 1 IN .P J - -
I ' I O 600 1200 1800 2400 3000 ' TIME IN SEC l l l-l SBIDCA OF 6 INCH PRESSURIZER SAFETY VALVE NOZZLE
/ WITH NO RPS/ESTAS ACTUATION CORE FIDW RATE VS. TIME 3,g 3
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 82 of 100 1200 _ 1000 7 1
~
800 O W to
-J >
W 600
~~
C ' 3 o J _ LL l 400
- _ i
. i
~
l 200 r j i i :
, , I,,,, ,,i1i ,,,,, ,! ,,, , iI i,.,, ,,
0 600 1200 1800 2400 3000 TIME IN SEC SBLOCA OF 6 INCH PRESSURIZER SAFETY VALVE N0ZZLE J p
/ WITH NO RPS/ESFAS ACTUATION BREAK FIDW RATE VS. TIME 3.8-4 ,
_.~ _
I I J l i l I CMF EVALUATION FOR LIMITING FAULT EVENTS Page '83 cf 50 ! 300 _ l l J l l .250 7 . i i _ i . t l _ 200 7 l : O : i l w - l 52 . m a : : m - Q 150 7 cc : o J l 1 _ 100 50 L t l -
- , ,,,,,t ,,,,,,,,t,,,,,,, ,I i,,, ,,I ,, ,,,,i ,
'O O 600 1200 1800 2400 3000 i
l TIME IN SEC
~ '
SBLOCA 0F 6 INCH PRESSURIZER SAFETY VALVE N0ZZLE y 2 / WITH NO RPS/ESTAS ACTUATION SAFETY INJECTION' TANKS DISCHARGE RATE VS. TIME 3.B-5 1 i
~ - . , - , . . - . . . , . . . . , - . . - , _ . - . - , . . , , , , , -
i CMT EVALUATION FOR LIMITING FAULT EVENTS Page 84 of 100 1 1
'l 48 _ '
I l 1 40 1 \ l , t 1 _1 ' t 32 ,
~
m
- u. : M~
,m,,, , [
p - I q q - ri - I" I - 0 24 i w i I X
- TOP OF FUEL [ !
5 1 16 _ . l j
- i 8 : :
\ -
,,, , ! ,, ,,t ,, ,,,,,t ,,, ,,,,1,, ,i1 ,,,
l 0 600 1200 1800 2400 3000 TIME IN SEC l
.. . Figure SBLOCA 0F 6 INCH PRESSURIZER SAFETY VALVE N0ZZLE d
E / WITH NO RPS/ESTAS' ACTUATION MIXTURE LEVEL IN CORE VS. TIME 3.8-6 l l 1 I l
i l l l l I i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 85 of 100
)
48
~
i i l 40 l l
- i
- I i
32 r-{ ! l l :f. l F- - , ! w - i 24
%J y :
l O I"T{ ;
- TOP OF FUEL 16 7 '
8 f f 1 % 1 1 I 9 9 ? I F t P 1 1 i f f f 9 f 1 f f f iF f f i 1 0 600 1200 1800 2400 3000 1 1 TIME IN SEC 1
~
SBIDCA OF 6 INCH PRESSURIZER SAFETY VALVE NOZZLE
/ WITH NO RPS/ESTAS ACTUATION COLLAPSED LIQUID LEVEL IN CORE VS. TIME 3.8-7 t-
1 CMF EVALUATION FOR LIMITING FAULT EVENTS Page 86 of 100 i 1.2 __ 1.0 P_ 0.8 : [ : w _ l 3 - l 2 0.6 h ? O : F- _ l 0.4 : l : l 0.2
- i
_ 4
~
i i
~
! 0.0 O ' '' ' ' '''. 600 1200- 1800- 2400 3000 TIME IN SEC l l
- 2 0.041 rT SBLOCA AT TOP .'Or ' UFFER HEAD 0#'
J s
/ ICEA EJECTIONI wITH NO RPS/ESFAS ACTUATION CORE POWER VS. TIME 3,8 --
I i, t' l
4 . ( l i I i l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 87,of 100 i i 2400 _
) -
i I . 2000 : 5 1 1600 7 i
<c '
55 : ,
- c. _ _ - = :_ ~ := .
w - [ - 3 1200 7 : m _ i i W - t w _ 6 C - g - i
- i i
800 ! _ L l : ! l r
- p 400 7 0
O 600 1200 1000 2400 3000 : TIME IN SEC i l l l 0.041'FT SBLOCA 2 AT TOP' OF UPPER HEAD Figure pgEye JTaiiFIE / {CEA EJECTION 1 WITH NO RPS/ESTAS ACTUATION RCS PRESSURE VS. TIME 3.B-9
l f CMT EVALUATION FOR LIMITING TAULT EVENTS Page 88 of 100 47500 _ _ \
- i 39500 <
l : I _ i 31500 7 o : W _ W m : w Q 23500 _ C g o : c' : 15500 :
~
7 7500 7 I
=
___f, b
~
-500 0 600 1200 1800 2400 3000 TIME IN SEC l
~
0.041 TTr SBLOCA AT TOP OF UPPER HEAD Figure [CEA EJECTION]
/ uh WITH NO RPS/ESTAS ACTUATION CORE FLOW RATE VS. TIME 3.8-10 w -y e..,.e .g e.e y--w-- gwy- g y re-,e-a
i
~
l . I CHF EVALUATION FOR LIMITING FAULT EVENTS Page 89.of 100
- l. 1200 _ ,
i
~
1000 - l - l: : 800 7
~
O l w _ (D - I d5 [ a W Q .600 J z i 5 o'
- {
i d - 400 7 I l 200 7 ( ; I 1 0 O 600 1200 1800 2400 3000 TIME IN SEC 0.041 rTr SBLOCA AT TCP OF UPPER HEAD- Figure pur 2 faf / U (CEA EJECTION) WITH NO RPS/ESFAS ACTUATION BREAK FLOW RATE VS. TIME
'3*O~11 l
1
)'
t 1 4 i CMT EVALUATION FOR LIMITING FAULT EVENTS Page 90 of 100 l
* ?
300 _ l
- i
~
250 r 1 t I ]
- I i
l 200 _ o w m 1 i a : w -
> 150 :
t. i E g : . l O : LL - 100 l pp. l t 50 - l l i 0 O 600 1200 1800 2400 .3000 i TIME IN SEC ! l l
~
0.041 rT2 SBLOCA AT top OF UPPER HEAD Figure i 1 (CEA EJECTION) d WITH NO RPS/ESFAS ACTUATION l SAFETY INJECTION TANKS DISCHARGE RATE VS. TIME l
, , . _ ._. _ - _ . . _ . _ - . . ~ . . . _ __. . ~ . -
i . l k i-l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 91 of 100 i 48 . l l ~ u
- i l : i 1
40 - l
- 1
~
l i 32 r b - E : V
- W -
! I - J 24 0 w : TOP OF FUEL f 1 I M
- /
2 l 16 : l - 8 - 1 i i
- i 0
L 0 600 -1200 1800 2400 3000 l TIME IN SEC i l l 0.041 rTr SBLOCA AT . TOP OF UPPER HEAD figure NF JTaiN / [CEA EJECTION) WITH NO RPS/ESTAS ACTUATION MIXTURE LEVEL IN CORE VS. TIME ' 3.8-13 l
l 1 CMT EVALUATION FOR LIMITING FAULT EVENTS Page 92 of 100 l 48 _ 40 - 32 : i l l- - w - w -
- u. -
l "i 24 :
' ^
~ TOP OF FUEL
- d /
o _ i l 16 : 8 : 1 i !- : 1
~
( 0 O 600. 1200 1800 2400 3000 i TIME IN SEC I . i
~ 0.041 rT 2 SBLOCA AT Top or UPPER HEAD- Figure
/
i [CEA EJECTION) dfd / WITH NO RPS/ESTAS ACTUATION COLLAPSED LIQUID LEVEL IN CORE VS. TIME
l l I .l L , i t l l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 93 of 100' l l l
.1.2 _
I _ 4
}
l- .1.0 _V
- l
-1
- 1 0.8 7 i
- i cc : !
Lu _ , 3 - o
- n. 0.6 I
w - 1 h ! W y~ 0.4
- /
i : l : 1 - 0.2 0.0' 0 600' 1200 1800 2400 3000- -l TIME IN SEC . j i
'l i I
- Figure SB LOCA OF 3 INCH COLD LEC N0ZZLE F
min / WITH NO RPS/ESTAS ACTUATION CORE POWER VS. TIME 3
- 8- 15 '~ I
I i i CMF EVALUATION FOR LIMITING FAULT EVENTS Page 94 of 100 2400 - f l i
)
2000 l t
~
1600 r
~
g _ c. w - T - a 1200 7 m - (n w _ T -
- n. _
~
800 - N l
~
l
~
_ l i 400
~
0 0 600 1200 1800 2400 3000 TIME IN SEC Figure
/ SB LOCA 0F 3 INCH COLD LEC N0ZZLE WITH NO RPS/ESTAS ACTUATION 3.8-16
/ RCS PRESSURE VS. TIME
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 95 of 100 47500 _ l 39500 i
~
j 31500 r l 0 : h' w _ E - O b w - Q 23500 7 m : 5 - o : d :
~
! 15500 r i 7500 l
-500
, ,, ,I , M A O$ 144 , f c h AV <
O 600 1200 1800 2400 3000 TIME IN SEC ( i SB LOCA 0F 3 INCH COLD LEG N0ZZLE ((d / LJ WITH NO RPS/ESTAS AC"TUATION CORE TLOW RATE VS. TIME 3.8-17 l l i h I-
I l l l l l I j l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 96 of 100 l l
.i 1200 _ )
> i
.i l : l l :
l : ! 1000 i i 1 : . 1 ! t l t t l 800 l 0 w l i CD 3J \ 'l 1 l W - l Q 600 : l a : y _ o J LL - l l _ l 400 : 200 : f
\h5 ~
~
l l - i 0 O 600 1200 1800 2400 '3000 TIME IN SEC SB LOCA OF 3 INCH COLD LEC N0ZZLE
-p 2 / WITH NO RPS/ESFAS ACTUATION BREAX FIDW RATE VS. TIME 3,8-18 i
l-l l-
1 1 i t l CMF EVALUATION FOR LIMITING FAULT EVENTS Page 97 of 100 1 L 300 _
-l
- l
- I l : :
1 250 : ( t i i 200 _ : o : w _ 1 Q m
- i J :
w _ Q 150 CC S - l 1 oJ : u. _ i l - l- 100 7 l -
~
50 r '
)
~
O O 600 1200- 1800 2400 3000 TIME IN SEC
~
SB LOCA 0F 3' INCH COLD LEG N0ZZLE
/ u WITH NO RPS/ESTAS ACTUATION SAFETY INJECTION TANKS DISCHARGE RATE VS. TIME 3, g.3 9 l
l 1 i
- 1. ;
CMF EVALUATION FOR LIMITING FAULT EVENTS Page 98 of 100 I 48 _ i l t 40 h l _ 32 7 !
~
[ u! LL i
% \ , . . . . _ -
& -i I
H l y _ e 24
)
TOP OF TUEL M 5 f 1 2 : 16 7 l 1 ~ l 8 1 l .
, ! ,, ,,I ,, ,, , 1,,,,,,, ,I i i i !
0 i 0 600 1200: 1800 2400 3000 : l TIME IN SEC l Figure F4EE M FmW / SB LOCA 0F 3 INCH COLD LEG N0ZZLE WITH NO RPS/ESTAS ACTUATION MIXTURE LEVEL IN CORE VS. TIME 3.9-20
r 4 1 l CMT EVALUATION FOR LIMITING FAULT EVENTS Page 99 of 100 l I l
-1 48 _
]
I l q 40 7 i 1 l j j - i 32 7 l
~
> - 1 W -
W - I U
$ 24 7 d l g
j i T]j
; I i
s : j ' ! _ TOP OF FUEL , l 16 7
. .I i
8 r
,,, ,,t,, ,,,,,,t,,,,,,i,t,,,,,,,,1^ ,,, ' ' ' ,
0 600 1200 1800.~ 2400- 3000. TIME IN SEC - i l Figure. SB LOCA 0F 3 INCH COLD LEG N0ZZLE s A / b" LJ WITH NO RPS/ESTAS ACTUATION COLIAPSED LIQUID LEVEL IN. CORE VS. TIME 3, g_2 } ' i l l ' i
-..n ,-, . . . , ,- . . - , ~ ,,,r.. .,_ - ne
_. - - - . _ _ ~ . _ _ 1 I CMF EVALUATION FOR LIMITING FAULT EVENTS Page 100 of 100 I
- 4. REFERENCES -
(1) SECY-93-087, " Policy, Technical, and Licensing Issues. Pertaining to Evolutionary and Advanced Light-Water Reactor.-(ALWR) Designs,"
~
April 2, 1992. (2) ALWR-IC-DCTR-31, " Evaluation of Defense-In-Depth and Diversity in the ABB-CE NUPLEX 80+ Advanced Control Complex for the System-80+ Standard Design," ABB-CE, September 1992. (3) J. V. Palomer, R. H. Wyman'(LLNLL), "A Review of the CE 80+ FMEA and'
'D&DID Analysis," December 8, 1992.
(4) January 6, 1993 Meeting of ABB-CE IGC staff and NRC IEC staff with Lawrence Livermore reviewers to discuss their review results for the , ABB-CE D&DID Evaluation. ! i (5) January 11, 1993 Meeting,in Windsor, CT..of ABB-CE Management with. l NRC Management on the Status of the Design Certification Review of ! System 80+. ; (6) LD-93-011, "DSER (Open Item 7.2.2.2-1) Response Submittal," { February 2, 1993. (7) ANS/ ANSI-58.8-1992, draf t dated November 5,1992, "American National l Standard Time Response Design Criteria for Safety-Related Operator Actions." (8) Accident Prevention Group Report # 12, Rev. 2, ' December, 1990,
" Interim Report, Application of the EPRI . Operator. Reliability Experiments Data to Update'.the ANS-58.8 Standard."
1 (9) CEN-420-P, "Small Break LOCA Realistic Evaluation Model, Volume 1, l Part 1: Calculational Models", February 1993. l 1 i l'
..}}