ML20052D825

Testimony of GC Minor & DG Bridenbaugh on Suffolk County Contention 28(a)(i) & Shoreham Opponents Coalition Contention 7(a)(i) Re Restart of Core Spray & LPCI Sys on Low Level
ML20052D825
Person / Time
Site: Shoreham
Issue date: 05/04/1982
From: Bridenbaugh D, George Minor
SUFFOLK COUNTY, NY
To:
References
ISSUANCES-OL, NUDOCS 8205070247


Text

UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION

BEFORE THE ATOMIC SAFETY AND LICENSING BOARD

In the Matter of

LONG ISLAND LIGHTING COMPANY (Shoreham Nuclear Power Station, Unit 1)

Docket No. 50-322 (O.L.)

PREPARED DIRECT TESTIMONY OF GREGORY C. MINOR AND DALE G. BRIDENBAUGH ON BEHALF OF SUFFOLK COUNTY REGARDING SUFFOLK COUNTY CONTENTION 28(a)(i) AND SOC CONTENTION 7.A(1)

RESTART OF CORE SPRAY AND LPCI SYSTEMS ON LOW LEVEL

May 4, 1982

8205070247 820504 PDR ADOCK 05000322 PDR

SUMMARY OF TESTIMONY

Following the TMI-2 experience in which an operator turned off the coolant injection and the low water level subsequently resulted in core damage, BWRs were required to make changes to their ECCS logic to override a similar erroneous operation by the operators. This requirement is set forth in NUREG-0737, Item II.K.3.21.

LILCO has decided not to implement the NUREG-0737 change, and the NRC Staff has endorsed that position. The main reasons cited are trust in the operator and the complexity of the change. However, LILCO has provided no analyses to demonstrate that these "reasons" justify an exemption from NUREG-0737 or that Shoreham, without the Item II.K.3.21 fix, will meet the safety goals mandated by the Commission's Action Plan. There is no assurance LILCO has met the regulatory requirements of 10 CFR 50 Appendix K.

Exhibits

1. BWR Owners' Group Evaluation of NUREG-0737 Item II.K.3.21 "Core Spray and Low Pressure Coolant Injection Systems Low Level Initiation" (Attachment 1 to SNPS-1 FSAR Section II.K.3.21)
2. Memo, Speis (NRC) to Lainas et al. (NRC), "Evaluation of BWR Owners' Group Generic Response to Item II.K.3.21 of NUREG-0737, "Core Spray and Low Pressure Coolant Injection Systems Low Water Initiation", April 14, 1982.

UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION

BEFORE THE ATOMIC SAFETY AND LICENSING BOARD

In the Matter of

LONG ISLAND LIGHTING COMPANY (Shoreham Nuclear Power Station, Unit 1)

Docket No. 50-322 O.L.

PREPARED DIRECT TESTIMONY OF DALE G. BRIDENBAUGH AND GREGORY C. MINOR REGARDING SUFFOLK COUNTY CONTENTION 28(a)(i) AND SOC CONTENTION 7.A(1)

RESTART OF CORE SPRAY AND LPCI SYSTEMS ON LOW LEVEL

I. INTRODUCTION

This testimony was prepared by Dale G. Bridenbaugh and Gregory C. Minor.1/ A statement of our qualifications and experience has been separately provided to the Board. The testimony addresses the concerns expressed in NUREG-0737, Item II.K.3.21, which states (in part):

"The core-spray and low pressure, coolant-injection (LPCI) system flow may be stopped by the operator. These systems will not restart automatically on loss of water level if an initiation signal is still present. The core spray and LPCI system logic should be modified so that these systems will restart, if required, to assure adequate core cooling."

LILCO has decided not to modify the systems at Shoreham to protect against this condition.

1/ The Contention was discussed jointly between the two authors. The first draft was prepared by G. C. Minor and subsequent revisions and editing were contributed by both authors. Accordingly, it is not possible to specify responsibility for particular portions.


that improper operator action does not cause core uncovery or otherwise exacerbate an accident situation.

There is persuasive basis for the NUREG-0737 requirement that an automatic restart capability for LPCS or LPCI should be provided. In the TMI-2 accident, under the extreme pressures of coping with the events which occurred, reactor operators made serious errors in manually shutting off ECCS systems, thus permitting water level to decrease to an unsafe level. The NUREG-0737 requirement responds to this problem of operators making mistakes in the midst of coping with severe accident conditions by ensuring that key ECCS systems will restart automatically if conditions warrant such action. Indeed, the BWR Owners' Group has noted that unsafe conditions could occur if improper operator actions occurred. The Group noted three such circumstances:

1. Deliberate operator termination of multiple ECCS during the earlier phases of an incident when the systems have been automatically initiated. . . .
2. A second general circumstance during which errors and omissions could potentially lead to degraded core cooling conditions would be failure of the operator to adequately consider core cooling requirements during the long term period. . . .
3. During upset transients and small breaks, . . . it is highly desirable for the plant operators to intervene in this automatic process and assume manual reactor water level control. The key incentive is to prevent the water level from reaching Level 8 since in addition to the HPCS, both the feedwater system (if operating) and the RCIC will be tripped on high level. Consequently, it is probable that for the types of events described in Tables 2 and 4, the plant operators will intervene fairly early and assume manual HPCS control.3/

Notwithstanding the benefits of ensuring automatic ECCS restart, LILCO has not proceeded to implement NUREG-0737, Item II.K.3.21. Instead, as part of the BWR Owners' Group, LILCO had GE prepare a generic response to the NUREG-0737 concern about manual shutoff of a needed ECCS function. The Owners' Group/LILCO conclusion was in two main parts:

1. General Electric and the BWR Owners' Group have reviewed the current CS and LPCI system and have concluded that overall BWR safety would not be enhanced by the type of control system modification suggested by the NRC.4/
2. Our evaluation of Item II.K.3.21 has considered the potential benefits of modifying the HPCS logic to extend automatic restart on Level 2 following manual termination. . . . It has been concluded that such HPCS changes are not required by plant safety considerations. However, the changes that would provide this capability appear to be relatively straightforward and may provide additional safety margin.5/

3/ BWR Owners' Group Evaluation of NUREG-0737, Item II.K.3.21 "Core Spray and Low Pressure Coolant Injection Systems Low Level Initiation," pp. 22-24.

4/ Ibid. 3, p. 2.

5/ Ibid. 3, p. 24.

The NRC Staff evaluated the Owners' Group position and concluded that the position was acceptable, basically adopting the Owners' Group's words:

We agree with the Owners' Group position that logic modifications for LPCI and core spray (except for HPCS) are unwarranted. The Owners' Group did propose a modification to the HPCS logic (applicable to BWR/5s and BWR/6s only; LaSalle will be the first operating BWR/5) which is simple and improves the safety function. The Owners' Group felt that the HPCS modification was beneficial but not required for safety. We agree with the Owners' Group assessment that the HPCS logic modification is beneficial and is a simple modification; therefore, it should be implemented. This position on the HPCS logic is consistent with the positions included in the SERs for near-term OLs.6/

However, the Staff review did not highlight the applicability of its conclusion to Shoreham, nor did the Staff mention other ECCS modifications being considered for older BWRs. The Staff's SER for Shoreham similarly reflects no Shoreham-specific analyses to determine whether the NUREG-0737 changes would be appropriate for Shoreham.7/

6/ Memo: Speis (NRC) to Lainas (NRC), "Evaluation of BWR Owners' Group Generic Response to Item II.K.3.21 of NUREG-0737, "Core Spray and Low Pressure Coolant Injection Systems Low Level Initiation," April 14, 1982.

7/ NUREG-0420, Supp. 1, Sept. 1981, pp. 22-84 and 22-85.

III.B. NO ADEQUATE JUSTIFICATION HAS BEEN PROVIDED TO JUSTIFY FAILURE TO IMPLEMENT THE NUREG-0737 REQUIREMENT AT SHOREHAM

The justifications for failing to institute the NUREG-0737 changes at Shoreham are not persuasive and provide no basis for exempting LILCO from compliance with the NUREG's requirements.

First, the Owners' Group recommendation concerning HPCS is completely inapplicable to Shoreham. Shoreham, a BWR-4, does not have an HPCS. Shoreham relies on a HPCI system with an RCIC as back-up for the high pressure/small LOCAs. Unfortunately, the Owners' Group position was silent on these systems, merely stating that:

There are some plant to plant variations in these systems but these variations are not important to the overall technical conclusions presented in this memorandum. Neither the High Pressure Coolant Injection system (HPCI) provided on some pre-BWR/5 reactors nor the Reactor Core Isolation Cooling system (RCIC) is discussed.8/

8/ Ibid. 3, p. 2. In addition, the technical specifications for Shoreham provide conditions for system unavailability which cannot be exceeded without jeopardizing the safety of the reactor. For example, it is permissible to have the HPCI out of operation for up to 14 days, based on the demonstrated operability of redundant and diversified low pressure core cooling systems. The low pressure ECCS at Shoreham are the LPCI and LPCS. LILCO Resp. to SC First Doc. Request, Request #3, Pre. Tech. Spec. GE STS (BWR 4), pp. B 3/4, 5-1, 5-2 (Doc. submitted to NRC Feb. 1, 1982).

However, these are the same systems which II.K.3.21 is requiring to be automated, and the same systems that LILCO would like to be able to divert or shut off if the operator should decide to do so. The operability of the LPCS is assumed to be verified by surveillance testing during operation. However, operability cannot be assured unless operator action to shut off these systems can be overridden under the necessary circumstances. Many of these ECCS systems can be turned off by the operator if he perceives an improvement of the conditions which originally caused the system to actuate. If done improperly, this could lead to serious problems and even core damage. This is the issue brought up in NUREG-0737, Item II.K.3.21.

Second, there is no evaluation of Shoreham-specific modifications to achieve the NUREG-0737 goals. Rather, the general discussion in the Owners' Group evaluation focuses on the multiple use of the RHR (in LPCI mode, Suppression Pool Cooling mode, etc.) and the complexity of the alterations necessary to change its mode of operation from one mode to another (e.g., from Suppression Pool Cooling to LPCI). It is on the basis of this complexity of logic modification that the fundamental decision was made to not modify the plant. The Owners' Group suggests that there would be new failure modes introduced and this would potentially result in a net reduction in safety. This is not substantiated in the Group's discussion.

In the Shoreham FSAR, LILCO cites the alleged complexity of necessary changes in addition to several other points, as justification for not modifying the ECCS logic.

The current system design is adequate and no design changes are required. This adequacy is based on several factors including the following:

1. Comprehensive nature of BWR operator training.
2. Emphasis on reactor water level control during training.
3. Emergency Procedure Guidelines.
4. Relatively long time available for operator action.

Any further automation would unnecessarily increase system complexity, reduce system reliability and restrict operator flexibility.9/

However, there are no analyses to support LILCO's statements on operator training, nor any indication that LILCO considered the questionable reliability of the vessel water level instruments under certain accident conditions (see Suffolk County testimony on Contention 73). Similarly, there is no indication that LILCO has analyzed the Shoreham ECCS to verify that the reduced system reliability argument and length of time available for operator action are actually applicable to the Shoreham design.

9/ FSAR, p. II.K.3.21-1 and -2.

Finally, it also appears that alternatives to modification of RHR and LPCS logic were not considered. For example, the possibility of adding auto restart for only LPCS on low water level was not specifically addressed, despite the facts that (a) comparable HPCS logic modifications were described as simple to implement for BWRs 5 and 6; and (b) despite the fact that other BWRs are considering whether modifications of LPCS are desirable.

IV. CONCLUSIONS

TMI-2 showed the danger of over-reliance on operators to make the correct decisions regarding manual operation of ECCS. NUREG-0737 included a requirement to analyze and implement an auto restart of LPCS/LPCI [illegible]. In evaluating the desirability of automating a restart of LPCS and LPCI, Shoreham has adopted a BWR Owners' Group position which is mainly focused on BWR 5s and 6s and is silent regarding modifications being considered for older BWRs (pre BWR 5). Thus, plants without HPCS should be considered separately and evaluated for various modifications including LPCS auto restart. Further, the reasons cited for rejecting the auto restart have not been justified for the Shoreham design. LILCO has, in effect, asked for a waiver from the requirements of II.K.3.21 but has not demonstrated adequate justification for deviation from the requirements. Until a plant-unique analysis is conducted for the present ECCS, operator training, and equipment at Shoreham, there is no assurance that Shoreham will meet the requirements of 10 CFR 50, Appendix K and 10 CFR 50.46 under the worst case conditions of mis-operation of ECCS.

ATTACHMENT 1

BWR OWNERS' GROUP EVALUATION OF NUREG-0737 ITEM II.K.3.21 CORE SPRAY AND LOW PRESSURE COOLANT INJECTION SYSTEMS LOW LEVEL INITIATION

Revision 22 - July 1981

CONTENTS

SUMMARY

1. INTRODUCTION
2. GENERAL ELECTRIC ECCS DESIGN PHILOSOPHY
   2.1 LOCA Signals
   2.2 Automatic System Initiation
   2.3 Automatic System Termination
   2.4 System Termination on High Level
   2.5 Operator Termination
   2.6 Long Term Control
   2.7 BWR Geometry Considerations
3. TYPICAL EVENTS INVOLVING ECCS INITIATION
   3.1 Event Description
   3.2 Assessment
4. CONCLUSIONS

APPENDIX A: HPCS DESIGN CHANGES
APPENDIX B: CORE COOLING CONSIDERATIONS
APPENDIX C: PARTICIPATING UTILITIES

NUREG-0737 ITEM II.K.3.21

CORE SPRAY AND LOW PRESSURE COOLANT INJECTION SYSTEMS LOW LEVEL INITIATION

SUMMARY

The NRC has suggested certain modifications to the BWR Core Spray (CS) and Low Pressure Coolant Injection (LPCI) systems provided as part of the BWR ECCS network. These NRC suggestions center on control system logic modifications that would provide greater automatic system restart capability following manual termination of system operation. General Electric and the BWR Owners' Group have reviewed this issue on a generic basis and do not believe the NRC suggestions are required for plant safety considerations. This conclusion is based on the adequacy of the current ECCS logic design coupled with the potentially negative impact on overall safety of the proposed changes. For the low pressure ECCS these negative impacts include a significant escalation of control system complexity and restricted operator flexibility when dealing with anticipated events. Therefore, we conclude that no modifications be made to the low pressure ECCS with respect to automatic restart.

GE and the BWR Owners' Group have evaluated a modification to the HPCS system which would automate its restart on low level following its trip by the operator. This change would make the HPCS restart logic similar to the HPCI logic which already permits an auto restart on low level. We have concluded that this change, although not required for safety reasons, would lead to a net safety improvement which could be implemented without adverse impact on system performance.

This memorandum provides an overview discussion of GE's BWR ECCS design philosophy and presents the technical rationale for the GE/Owners' Group position on this issue.

1. INTRODUCTION

This memorandum has been prepared in response to Item II.K.3.21 of NUREG-0737. In this Item, the NRC suggested certain modifications to the Core Spray (CS) and the Low Pressure Coolant Injection (LPCI) Emergency Core Cooling Systems (ECCS) that are provided as part of the BWR ECCS network. The NRC suggestions center on incorporating additional control system logic to provide automatic system restart from a low reactor water level signal following actions by the operators to terminate system operation. The NRC concern is that the reactor operators may terminate ECCS operation when a high reactor water level condition exists but may neglect to reinitiate the systems if a low level condition recurs.

General Electric and the BWR Owners' Group have reviewed the current CS and LPCI system for the plants identified in Appendix C and have concluded that overall BWR safety would not be enhanced by the type of control system modification suggested by the NRC. This memorandum describes the current CS and LPCI logic design and provides the technical rationale for the GE/Owners' Group position. This discussion is generic and includes the LPCI and both the low and high pressure core spray systems (LPCS/HPCS). There are some plant to plant variations in these systems but these variations are not important to the overall technical conclusions presented in this memorandum. Neither the High Pressure Coolant Injection system (HPCI) provided on some pre-BWR/5 reactors nor the Reactor Core Isolation Cooling (RCIC) system is discussed.

Section 2 of the memorandum describes the major elements of the GE ECCS design philosophy that are relevant to any discussion of providing expanded system automatic restart capability. A full understanding of the significance of CS and LPCI logic changes must be based on a recognition that these systems are part of the interdependent BWR ECCS network; any changes in one system must consider the possible interactive effects amongst the other systems making up the overall ECCS network. This must also include the potential impact on supporting systems such as the standby power supplies and the emergency service water system.

[illegible] the Residual Heat Removal (RHR) system which has other safety related functions such as suppression pool (containment) cooling and containment spray. Clearly, these other safety functions must not be compromised by any changes in the LPCI mode of operation.

Section 3.1 describes the sequence of events that would occur during several key reactor system transients. This information is for typical BWR transients and identifies system actions which occur automatically and also what operator actions are required. The intent of these generic event descriptions is to illustrate the adequacy of the current BWR ECCS design and to support the position that no modifications are required on the basis of any safety considerations.

Section 3.2 identifies the points in the transient events where inappropriate operator intervention and errors have the potential for leading to inadequate core cooling. These conditions are reviewed and it is concluded that in no case does the probability for error warrant any ECCS control logic change.

Furthermore, the safety margins incorporated in the BWR design provide considerable time between the point at which the operator should (but does not) take action and the time at which core cooling would be jeopardized.

Typical BWR data is provided in Appendix B.

An important point of design philosophy is involved in the discussions presented in this memorandum. Control of [illegible] safety systems will always involve a combination of automatic and manual actions; the issue raised by this NUREG-0737 Item is simply where and how to define the boundary between these two control methods. The current GE ECCS designs are based on the approach that automatic system initiation is required during the short term phase of any incident but that longer term system control can and should depend upon the manual actions of the plant operating staff.

Intuitively, it might appear that additional ECCS automation would be purely beneficial since this would supposedly provide added protection against operator errors and omissions. However, these perceived benefits of extended system automation must be measured against the very real penalties of increased system complexity, reduced system reliability and restricted operator flexibility for dealing with unanticipated events.

These considerations are not amenable to precise quantification and control system design decisions must of necessity involve judgements as to relative importance of these competing influences. GE and the BWR Owners' Group believe the current BWR low pressure ECCS logic design has considered all of these factors and represents a balanced solution.

GE and the BWR Owners' Group believe that the current BWR 5/6 High Pressure Core Spray (HPCS) system is fully adequate and no design changes are required on a basis of any safety considerations. However, there are relatively straightforward HPCS design modifications that would automate the restart of HPCS on low level following its trip by the operator similar to the HPCI logic. This change which would enhance overall plant safety is described in Appendix A of this memorandum.

2. GENERAL ELECTRIC ECCS DESIGN PHILOSOPHY

This section provides an overview discussion of the generic GE ECCS design philosophy and design practices as they govern ECCS initiation and operator control of these systems. ECCS control systems must satisfy multiple system design requirements and the information presented in this Section and Section 3 is intended to demonstrate that the current ECCS controls are based on a balanced consideration of these multiple requirements.

2.1 LOCA Signals

High drywell pressure* and low reactor water level** are the key accident related parameters that govern operation of the BWR ECC systems. The occurrence of either or both of these signals is taken as an indication that a Loss of Coolant Accident (LOCA) has occurred.

This combination provides diversity of initiating signals but it is important to note that the control system hardware does not discriminate between signals generated by the drywell pressure sensors and those produced by the reactor water level instruments. Either or both of these sensed variables can produce a LOCA signal input to the control circuitry.*** The latter does not treat the signals separately and there is currently no way for the control hardware to recognize which parameter is indicating a LOCA condition exists.

This is a significant design feature because it means system logic reset cannot be accomplished until both of these LOCA signals have cleared; and an ECC system cannot be returned to its true standby mode until the logic circuits have been reset. With the current design, automatic restart of any ECC system will occur once it has been placed in the standby condition and an initiation signal recurs.

As discussed below, there are in practice many BWR accident sequences where one or both of the ECCS initiation signals will persist for long periods of time. This characteristic complicates any scheme to provide the type of system restart proposed by the NRC.

\* Typically 2 psig.

\*\* Actual setpoints are plant and system dependent. All setpoints are above the top of the active core.

\*\*\* Common LOCA logic is developed within each redundant ECCS division, so the core spray and LPCS controls receive the same signal at the same time.

The long term post-LOCA transient is a good example of the significance of the combined drywell pressure and reactor water level LOCA signal input to the BWR ECCS. For all but the largest breaks, reflooding of the core will occur relatively soon after the ECCS have been automatically started by the high drywell pressure and/or low reactor water level signals. However, the high drywell pressure condition may persist for extended periods following the accident and the continued presence of this LOCA signal will prevent ECCS logic reset and thus prevent return of these systems to their standby mode.

Control system modifications to provide automatic restart on low reactor water level would have to be based on logic that recognizes the possibility of a continuously present drywell pressure signal.

The possibility for the drywell pressure signal not being present would also have to be included in the logic; longer term post-LOCA containment pressure conditions are sensitive to factors as break size, break location, type of ECCS equipment operating, etc. and pressures both above and below the 2 psig value could occur depending upon plant conditions.

In summary, the diversity of initiation signals is an important design philosophy that has had a major influence on the current BWR ECCS control system design. However, the BWR LOCA performance is such that one or more ECCS initiation signals can persist for extended periods of time. Any scheme to provide ECCS automatic restart capabilities would have to be complex in order to deal with this possibility. The added safety benefits of an automatic restart design must be balanced against the decreased reliability of the system brought about by the additional control system complexities required to implement the change.

Sections 2.3, 2.6 and 2.7 provide further discussion of this point.

2.2 Automatic System Initiation

Immediately following a LOCA that produces either high drywell pressure or low reactor water level, all BWR ECCS will automatically start. Injection of emergency cooling water into the reactor will occur when reactor pressure is within the design range of each particular system. This design feature would not be influenced by any plant modification to provide ECCS automatic restart capability.

Annunciators are set off by the initiating condition and are subsequently acknowledged by the plant operators. The audible alarm is silenced by the operator after he has acknowledged the conditions and determined his required action but the panel light persists until the originating condition disappears. Reoccurrence of the originating condition would cause a new audible alarm and alert the plant operators to the need to reactivate any secured pumps and restore reactor water level. These important control room annunciation/alarm features of the typical BWR together with the BWR reactor water level indicators will provide information that will ensure that the control room staff is continuously aware of the reactor water level condition and will undertake all the necessary safety actions in a timely manner.

2.3 Automatic System Termination

The low pressure emergency systems do not stop automatically in the event either the drywell pressure or the reactor water level signals return to non-LOCA conditions. See Paragraph 2.4 for high water level trip of the HPCS system.

In some plants, high-high containment system pressures will cause a portion of the LPCI system to automatically realign to the containment spray or wetwell spray mode of operation. (Some time delay is provided to allow reactor water level recovery). This design feature is intended to enhance the ability of the pressure suppression containment system to accommodate steam bypass of the drywell/wetwell vent system. Reoccurrence of the LPCI autostart signal would create conflicting simultaneous automatic signals which would have to be resolved by a priority logic and its attendant complications.

2.4 System Termination on High Level

In general, flow from the High Pressure Core Spray (HPCS) system is terminated when a high reactor water level condition occurs (typically referred to as Level 8). The intent of this control feature is to prevent unnecessary flooding of the reactor vessel and steamlines. Termination of HPCS injection can occur either automatically or by operator action. In the event of the former, the HPCS system will restart automatically if and when reactor water level decreases from the high level trip point to the low level initiation setpoint.

Depending upon the circumstances involved, automatic restart may or may not occur following operator termination of the HPCS system. (See Section 2.5 for additional discussion.) It should be noted that the Reactor Core Isolation Cooling (RCIC) system is also available for high pressure reactor water makeup duty and can be considered a diverse backup for the HPCS. (See Note 1)

2.5 Operator Termination

The reactor operators can, at any time, stop any BWR ECCS system even if a LOCA signal is present. This manual override option is deliberate and is considered by General Electric to be an important safety feature of the BWR ECCS network. This feature provides the plant operators with flexibility for dealing with unforeseen but credible conditions requiring a particular system to be shut down.

Examples would be equipment difficulties involving gross seal leakage, breaks in ECCS piping, failed ECCS pump motors, load shedding for other post-LOCA operations etc. General Electric strongly believes that any design changes which restrict this operator flexibility would not be beneficial and would not lead to improved plant safety. Because the reactor water level is directly measured in the BWR and the water level is a primary parameter in the operator guidelines, operator action is a highly reliable means of reinitiating low pressure ECCS if needed to assure adequate core cooling. It is believed the overall system reliability is higher if flexibility is included for operator action as compared to a system which cannot be overridden if a LOCA signal is present.

(NOTE 1: The BWR/6 HPCS control logic currently includes a high drywell pressure override of the high level flow termination signal, i.e., if a high drywell pressure signal is present, the HPCS system will not terminate on high level and will flood the reactor and main steamlines. General Electric believes overall plant safety would be improved if this override feature were removed and is currently reviewing such a change with the NRC staff.)

Depending upon the reactor condition, operator termination of a BWR ECCS can be achieved in several ways. Figure 1 is a schematic diagram which illustrates these options for typical low pressure systems. The schematic in Figure 2 illustrates the logic for the BWR/5 HPCS system. The key points to note are:

1. If properly secured and returned to the standby mode, all ECCS will automatically reinitiate if a LOCA signal re-occurs. Standby status can be achieved when all previous LOCA signals have cleared and the system logic has been reset. Correct operating procedure would be for the operator to attempt to return all ECCS to their standby mode any time a system is being secured; only when conditions such as the continued presence of a LOCA signal prevent this operation would a system be stopped and left in a non-standby mode.

2. If a LOCA signal persists, system flow can be terminated but the system cannot be returned to standby status. A typical ECCS system logic permits the operator to override the incoming automatic start logic (from the persistent LOCA signal) by use of either the "stop" position of the pump manual switch or the "close" position of the system injection valve. Momentary contact of either switch actuates logic elements which block the incoming automatic initiation signal. Once blocked, the automatic signal no longer controls pump or valve action and any subsequent system operation will be dependent upon manual operator actions.

3. An improperly secured system (e.g., an injection valve closed but system not returned to standby mode) will not automatically restart if a LOCA signal reoccurs.


[FIGURE 1: Operator termination of BWR emergency core cooling systems, schematic showing typical options. Flowchart: operator decides to stop an ECCS; one branch for no LOCA signals present and one for one or both LOCA signals present (this condition is likely for most accident situations); system flow stopped by operator closing injection valve and/or stopping pump, with the logic either reset and the system placed in standby mode, not reset, or unable to be placed in standby mode; final question "Will auto restart occur if a low level signal re-occurs?" (yes/no).]

[FIGURE 2: Schematic of the HPCS system logic.]

2.6 Long Term Control

BWR emergency system design is based on the assumption that long term control of the reactor will be completely dependent upon operator actions. This long standing design philosophy has been consistently applied to reactor control following both non-LOCA transient events (such as turbine trip) and also to the complete spectrum of credible loss of coolant accidents. A good example of this philosophy is the complete manual control of the multiple operations required to establish the long term post-LOCA containment cooling functions.

Post-LOCA containment cooling is a key safety function since it prevents containment overpressurization and is thus required to support long term cooling of the core.

Providing purely manual control of the long term BWR transients is based on the thesis that the operator will ensure continued core cooling. This manual approach is considered superior to providing the very complex equipment and controls that would be necessary for comprehensive automatic ECCS restart capabilities during these transients.

As an indication of the potential complexity of the control systems that would be required, the following are some of the major long-term transient considerations that would have to be accounted for.

1. In many cases, the station standby power sources do not have sufficient capacity to permit all emergency systems to run simultaneously. The plant operators must establish priorities and make the necessary power assignment decisions. An example of this process would be the decision to shut down one or more of the multiple ECCS in order to provide power to the emergency service water pumps. This is clearly an appropriate action for the operators to take since the multiple ECCS will be providing redundant core cooling and the essential service water system must be activated if the containment cooling and pressure control functions are to be established.


Any scheme to automatically restart the ECCS in a vessel injection mode would have to recognize and account for these other essential post-LOCA activities as well as recognize unavailable or failed systems and equipment.

2. For many plants, operator action is required to ensure adequate ECCS pump Net Positive Suction Head (NPSH) during events involving elevated suppression pool temperatures. In most cases, automatic ECCS system initiation does not involve any system flow control. Consequently the system will operate at the maximum flow rate as vessel pressure reaches drywell pressure. This operating mode is usually referred to as the run out condition and it involves the most severe NPSH requirement at the pump suction. NPSH conditions can (in some cases) lead to pump cavitation as the suppression pool water temperature increases.

These undesirable NPSH situations are avoided by the plant operator manually adjusting the system flow rate to design values. Again, this aspect of design would have to be accounted for in any scheme to provide auto-reinitiation capability.

3. Many BWR transient and accident events involve significant release of reactor system energy to the suppression pool which increases the pool temperature and containment pressure.

Control of these temperature/pressure conditions is achieved by manually placing the LPCI/RHR system in the suppression pool cooling mode. This LPCI/RHR mode, in conjunction with emergency service water system operation, permits rejection of the excess suppression pool energy to the station ultimate heat sink. Much of the equipment used for this cooling function is also used for the LPCI ECCS mode of the RHR system. Any scheme to provide automatic initiation of the ECCS system would either have to bypass the LPCI system after it has been assigned to the suppression pool cooling function or automatically realign the equipment to the LPCI mode.


Consideration of the second option provides a good example of the many practical difficulties associated with retroactive modification of BWR ECCS systems. Automatic realignment of the RHR system from the suppression pool cooling mode to the LPCI mode would have to recognize the "as-built" characteristics of the hardware involved. For example, the typical RHR pool return line valve is a 12 - 18 inch valve which would require 90 seconds to close whereas the LPCI injection line is a 12 - 24 inch valve which would open in 24 seconds. This represents a 3:1 valve closure period mismatch and any simultaneous signal to realign the RHR system would result in a significant period of time during which the RHR pump would be supplying flow to both flow paths. The RHR pumps are not designed for the excess duty associated with this mode of operation: inadequate pump NPSH, pump motor overloading and auxiliary power source overloading are potential problems that would have to be addressed. Clearly, these types of hardware problems are not insurmountable but would have to be addressed as part of any retroactive ECCS modification program.* The intent of this discussion of potential difficulties is not to suggest that retroactive ECCS system logic changes are impossible but rather to highlight the non-trivial hardware changes that may accompany any control system logic redefinitions.

* Additional logic to avoid the valve timing mismatch requires additional LPCI valve permissives and so adds to the probability of failure.


2.7 BWR Geometry Considerations That Impact System Logic

The BWR core and internals configuration are such that certain design basis break locations and sizes do not permit complete post-LOCA reflooding of the core. For jet pump plants, very large ruptures in the external recirculation system pipe allow the ECCS to reflood the reactor vessel only to the elevation of the jet pump suction plane. This elevation is at approximately 2/3 of the core height. However, the actual water level inside the shroud is considerably higher due to the existence of voids. For non-jet pump plants large recirculation line breaks do not permit full reflooding of the core. Adequate core cooling is achieved under these conditions for either reactor type but the reactor water level can never be restored to the ECCS initiation level.

This characteristic complicates any scheme to provide automatic reinitiation of the ECC systems on low water level. For large breaks in jet pump plants, inadequate core cooling would probably have to be defined so as to be based on the 2/3 core height level. This revised definition would have to be in addition to the current initiation level which is conservatively identified as a water elevation above the core. It is not clear what comparable alternative signal could be used in the case of the non-jet pump plants. However, it is believed that the minimal need for (and benefits of) providing automatic ECCS reinitiation for large BWR recirculation line breaks does not justify the penalties associated with the significantly more complicated control system that would be required. In summary, the current ECCS logic is well suited to the BWR geometry characteristics and no changes are required on the basis of the inadequacies in the current design.


3. TYPICAL EVENTS INVOLVING ECCS INITIATION

3.1 Event Descriptions

Typically analyzed BWR LOCA and non-LOCA events are discussed in this Section of the memorandum; the events have been treated generically. In each case the analysis is based on interactions between the LOCA signal and the actions the plant operator can or must take to ensure safe plant conditions. The event descriptions are based on current ECCS control system logic.

The following events have been selected as representative BWR transients:

1. A design basis recirculation line break which will not permit reflooding of the core above the 2/3 core elevation. This accident is included as a base case to illustrate the reasons for the existing system logic.
2. A small break not involving significant loss of reactor water inventory. This accident will lead to high drywell pressure but not a low reactor water level ECCS initiation signal.
3. An intermediate size loss of coolant accident that involves some core uncovery but with a subsequent reflooding of the reactor by the ECCS.
4. An upset transient that produces a momentary reactor water reduction and thus HPCS initiation on low water level but no high drywell pressure LOCA signal.

Tables 1 through 4 show the major sequence of events for these four transients.


TYPICAL BWR TRANSIENTS

CASE 1: DESIGN BASIS RECIRCULATION LINE BREAK

SEQUENCE OF EVENTS

- Break occurs

- High drywell pressure signal

- Low reactor water level signal

  (These signals will persist indefinitely and cannot be reset.)

- All ECCS start and inject water into the vessel automatically

- Core heat-up terminated, all ECCS running, core flooded to 2/3 height. In some cases, part of the LPCI flow may automatically be diverted to containment or wetwell spray.

END OF SHORT TERM BLOWDOWN PHASE OF ACCIDENT

- Multiple operator actions to establish long term post-LOCA core and containment cooling. Actions include some ECCS termination, standby power reassignments, emergency service water startup, actuation of suppression pool cooling, pump throttling to assure adequate NPSH, elimination of unnecessary ECCS pump operation so as to minimize pump heat input to the suppression pool etc. (Core cooling dependent on operator actions.)


TYPICAL BWR TRANSIENTS

CASE 2: SMALL BREAK NOT INVOLVING SIGNIFICANT LOSS OF REACTOR INVENTORY (BWR 5/6)

SEQUENCE OF EVENTS

- Break occurs

- High drywell pressure signal - signal will persist indefinitely

- No low reactor water level

- All ECCS start automatically (low pressure systems will not inject because of high reactor pressure)

- HPCS injection, followed by either:

  - HPCS flow terminates automatically on high level (Level 8) (assuming deletion of high drywell pressure inhibit for BWR/6)

  - HPCS auto restarts on initial level (Level 2)

  - Continuous automatic reactor water level control

  or:

  - Operator observes increasing reactor water level and terminates HPCS by stopping pump or closing injection valve. This action precludes subsequent automatic initiation on low level

  - Subsequent HPCS restart requires operator action. Because of persistent high drywell pressure, system logic cannot be reset and system returned to standby

END OF SHORT TERM PHASE OF EVENT

- Multiple operator actions to initiate orderly shutdown of reactor. Depending upon equipment availability, heat rejection will be to main condenser, suppression pool, or normal shutdown path. Considerations will be to establish core and containment cooling, assure adequate power supply distribution, start emergency service water pumps, throttle pumps to assure adequate NPSH, etc. (Core cooling dependent upon operator actions.)


TYPICAL BWR TRANSIENTS

CASE 3: INTERMEDIATE LOSS OF COOLANT ACCIDENT

SEQUENCE OF EVENTS

- Break occurs

- High drywell pressure signal. (This signal will persist indefinitely)

- Low reactor water level signal. (Level will be recovered at some point in the accident)

- All ECC systems start automatically

- Core uncovery/heatup transient terminated. All ECCS running, reactor vessel flooded. In some cases, part of the LPCI flow may be automatically diverted to containment spray.

END OF SHORT TERM PHASE OF ACCIDENT

- Multiple operator actions essentially same as those identified in Table 1 for the Design Basis Accident (DBA). (Core cooling dependent upon operator actions.)

TYPICAL BWR TRANSIENTS

CASE 4: UPSET TRANSIENT (BWR 5/6)

SEQUENCE OF EVENTS

- Upset event

- Low reactor water level signal occurs (either due to loss of feedwater or because of momentary level reduction due to void collapse). High drywell pressure does not occur.

- High pressure system starts and injects

- Reactor water level increasing, followed by either:

  - HPCS flow terminates automatically on high level

  - HPCS auto restarts when initiation level reached

  - Continuous automatic reactor level control

  or:

  - HPCS flow terminated by operator. Logic cleared, system returned to standby mode

  - HPCS auto restart if initiation level reached

  - Repeat of cycle. Continuous automatic reactor level control

END OF SHORT TERM PHASE OF EVENT

- Multiple operator actions essentially the same as those identified in Table 2


be summarized as follows:

Is it possible that the plant operators could stop an ECC system at a time and in a manner that would, unless the system is manually restarted, lead to inadequate core cooling? If this is the case, and since there is a remote chance the operator may not restart the system, restart should be made automatic.

The simple response to this position is that the current BWR ECCS design does indeed permit the plant operators to terminate system operation in a way that would eventually jeopardize cooling of the core assuming the operator ignores the water level instrumentation and procedures. However, a review of the particular circumstances that would have to be involved leads to the conclusion that this is not necessarily an unacceptable situation which must be immediately remedied by providing additional ECCS automation. To support this position, the typical generic events described in Tables 1 through 4 have been subjected to the following questions.

- What operator actions are required?

- What deleterious operator actions are possible?

- Could the deleterious operator actions lead to degraded core cooling?

- Is an ECCS logic design change required to protect against the possible operator errors?

Table 5 summarizes the response to these questions for the four typical generic BWR transients described in Section 3.1.

A review of Table 5 shows that the current ECCS control logic coupled with reasonable operator actions provides adequate core cooling throughout the four typical events presented. However, there are three general circumstances where it is possible (but not probable) for operator errors to produce conditions that could potentially lead to degraded core cooling. These conditions are:


automatically initiated. In general, automatic restart will not occur because the initiating signals (high drywell pressure and low water level) will still be present and will preclude the system logic reset. The ECCS logic design which permits operator intervention is based on a legitimate assumption that the operators are not likely to prematurely terminate ECCS flow and jeopardize the core cooling process. In actual practice, one of their highest priority activities will be to assess the situation to assure all emergency systems have started correctly and attempt to start any that may not have. The alternative to providing this operator flexibility would be to design the system so that any termination attempt by the operators would be overridden. This is not considered good design practice since it provides no flexibility for the operator to deal with unanticipated situations in which overall plant safety may be increased if a malfunctioning ECCS system can be shut down. An example of the latter would be to secure a system that has gross seal leakage that could potentially flood an ECCS compartment and deplete pool water.

2. A second general circumstance during which errors and omissions could potentially lead to degraded core cooling conditions would be a failure of the operators to adequately consider core cooling requirements during the long term period. During this longer term phase, the plant operators are manually setting up the auxiliary systems to support eventual termination of the incident. In the event of degraded core cooling, automatic ECCS initiation is unlikely to occur because the systems will not be in a true standby mode. Consequently, adequate core cooling is dependent upon correct operator actions.


occurrence of high fuel clad temperatures. (See Appendix B) The operator must take manual control of all systems during this period and it is not considered credible that he would provide inadequate cooling to the core. As discussed in Table 5, the alternative would be to provide the complex logic necessary to automatically restart certain ECCS. This would involve a major escalation of control system logic complexity and the benefits of added protection against unlikely operator error do not appear to compare favorably with the penalties of increased control system complexity, decreased system reliability and the loss of operator flexibility in dealing with unanticipated events.

3. During upset transients and small breaks, the highest reactor operator priority with respect to control of water level will be to avoid overfilling the vessel and flooding the main steam lines. These events will initiate the HPCS and the control logic is capable of automatically maintaining the reactor water level within the HPCS level control range (i.e. between the high level trip elevation and the low level system initiation setpoint).

However, it is highly desirable for the plant operators to intervene in this automatic process and assume manual reactor water level control. The key incentive is to prevent the water level from reaching Level 8 since in addition to the HPCS, both the feedwater system (if operating) and the RCIC will be tripped on high level. Consequently, it is probable that for the types of events described in Tables 2 and 4, the plant operators will intervene fairly early and assume manual HPCS control. Under normal circumstances, good operating practice will result in the system being returned to a standby condition anytime system operation is terminated. Automatic restart on low reactor water level will then occur.


the operator failing to reinitiate the HPCS system would not occur because eventually the ADS initiation level would be reached. This would result in reactor blowdown and core flooding by the low pressure ECCS. However, the availability of level data coupled with operator training that has stressed the central importance of adequate water level will ensure appropriate and timely operator control of the HPCS during transients and small break accidents.

This conclusion is further reinforced when it is remembered that during a transient event, at least one half hour of zero reactor makeup flow conditions can be permitted to exist before clad temperatures approaching 2200 F will occur. (See Appendix B)

NOTE: The High Pressure Core Spray (HPCS) system currently restarts automatically if the Level 2 initiation signal reoccurs and the system is in the fully automatic mode or the system had previously been returned to standby conditions. Our evaluation of Item II.K.3.21 has considered the potential benefits of modifying the HPCS logic to extend automatic restart on Level 2 following manual termination. (See 2.4 and 2.5) This logic is already included in the HPCI system design. It has been concluded that such HPCS changes are not required by plant safety considerations. However, the changes that would provide this capability appear to be relatively straightforward and may provide additional safety margin. The recommended changes are described in Appendix A.


TABLE 5

Columns: EVENT; CONDITION; REQUIRED OPERATOR ACTIONS; POSSIBLE DELETERIOUS OPERATOR ACTIONS (A); COULD (A) LEAD TO DEGRADED CORE COOLING; IS A DESIGN CHANGE REQUIRED TO PROTECT AGAINST (A); COMMENTS

1. DBA. Condition: Short term blowdown phase of accident
   Required operator actions: None
   Possible deleterious operator actions (A): Operator could conceivably intervene and terminate ECCS flow. Systems would not automatically restart. (Logic cannot be cleared because initiation signals are present)
   Could (A) lead to degraded core cooling: Yes, if sufficient systems were stopped
   Is a design change required: No. Water level maintenance is emphasized during operator training and reinforced by the Emergency Procedure Guidelines
   Comments: Operator would ... that a loss of coolant accident had occurred. ... credible that ... sufficient ECCS to cause ... core cooling ... override is ... See Section 2.5

1. DBA. Condition: Long term post-LOCA core and containment cooling
   Required operator actions: Multiple actions required. See Table 1
   Possible deleterious operator actions (A): Core cooling could be interrupted by operator actions which violate guidelines and procedures. Automatic system restart would not occur because high drywell and low water level signals are continuously present and preclude logic reset
   Could (A) lead to degraded core cooling: Yes. If sufficient systems are stopped
   Is a design change required: No. It is reasonable to assume the operator will follow procedures and accomplish all long term core and containment cooling functions satisfactorily. Extended time periods are available. Water level does not recover above 2/3 core height; however up to 20 minutes is available before zero ECCS flow would cause excessive fuel heat-up. See Appendix B
   Comments: Redesign of the ECCS cont... to provide automatic rest... certain ECCS would requir... complication of control s... This expanded ... would ... recognize and account for multiple considerations ... in Table 1 and Section 2. ... pool cooling function, ... by power sources, ... water requirements etc). ... benefits of added protect... operator error ... penalties of increased ... system complexity (and ... rate) and loss of ... in dealing with ... events

2. Small Break. Condition: HPCS has started automatically and is injecting into the reactor vessel
   Required operator actions: None, other than to monitor the situation especially reactor water level. System will automatically terminate flow on high level and re-start at low level initiation value
   Possible deleterious operator actions (A): Premature termination of HPCS flow. System cannot be returned to standby mode because LOCA signal present and will not permit logic reset
   Could (A) lead to degraded core cooling: No. Remainder of ECCS network would automatically provide cooling. It is probable the operator would manually re-initiate HPCS flow. RCIC is a backup
   Is a design change required: No. Low water level is annunciated and alarmed in control room; there is a considerable period of time before zero makeup flow would cause fuel heat-up; operator training and the Emergency Procedure Guidelines emphasize level control
   Comments: Probability of operator ... HPCS flow and allowing ... level to reach the ADS ... very low. Even if this ... cooling ...

2. Small Break. Condition: Same as above
   Required operator actions: Same as above
   Possible deleterious operator actions (A): As above but further compounded by operator securing the low pressure systems. None of the systems can be returned to the full standby mode and would not restart automatically
   Could (A) lead to degraded core cooling: Yes, but not considered a credible situation. Operator would continue ... water level with HPCS and RCIC
   Is a design change required: No. (See above)
   Comments: Probability of this serie... multiple operator errors ... above

2. Small Break. Condition: Long term actions to initiate orderly shutdown to cold conditions
   Required operator actions: Multiple actions required. See Table 2
   Possible deleterious operator actions (A): Core cooling could be interrupted by operator actions which violate guidelines and procedures. Automatic system restart would not occur because the continuously present high drywell pressure prevents logic reset
   Could (A) lead to degraded core cooling: Yes. If sufficient operator errors are made
   Is a design change required: No. It is reasonable to assume the operator will follow procedures and accomplish all long term core and containment cooling functions satisfactorily. Extended time periods are available. (See Appendix B)
   Comments: See comments ... event ... term post ...

3. Intermediate Break. Condition: Short term blowdown phase of the accident
3. Intermediate Break. Condition: Long term post accident core and containment cooling
   Same discussion and conclusions as for the DBA. No design changes required.

4. Upset Transient. Condition: Short term responses, reactor water level rising
   Required operator actions: None other than to monitor the situation especially water level. HPCS is capable of automatic stopping and starting within its level control range
   Possible deleterious operator actions (A): HPCS system flow terminated and system returned to standby mode. (Requires no initiation signal present)
   Could (A) lead to degraded core cooling: No, system will automatically restart on low level
   Is a design change required: No
   Comments: ... if the plant operator action or ... terminates HPCS flow. ... will respond ... low reactor ...

4. Upset Transient. Condition: Short term response, reactor water level rising
   Required operator actions: As above
   Possible deleterious operator actions (A): HPCS system flow terminated by simple pump stoppage or injection valve closure. System not returned to standby mode
   Could (A) lead to degraded core cooling: Adequate core cooling will eventually require operator action. HPCS will not auto restart and ADS initiation will require manual action
   Is a design change required: No. An unlikely operator error is involved. Also, RCIC system would be available as a backup. See comment on Item 2. Extended time periods available. See Appendix B

4. Upset Transient. Condition: Long term post incident recovery
   Same comments and conclusions as other long term transients i.e. adequate core cooling dependent upon operator action. Situation acceptable

modifications suggested by the NRC in NUREG-0737 Item II.K.3.21 have been reviewed. This review has included a consideration of all aspects of HPCS, LPCS and LPCI system operation which would be influenced by any expanded automatic restart capability. It is concluded that the current system design is adequate and no design changes are required. This conclusion is based on a combination of factors that include: the comprehensive nature of BWR operator training, the emphasis placed in this training on reactor water level control, the Emergency Procedure Guidelines, the relatively long time the operator has to correct errors and the extent to which low reactor water level conditions are displayed and alarmed in the control room. The most important consideration is that the benefits of providing enhanced automatic ECCS reinitiation do not justify the associated penalties of increased system complexity, reduced system reliability, restricted operator flexibility and the other undesirable effects discussed in this memorandum.

In summary, General Electric and the BWR Owners' Group believe the current BWR low pressure ECCS design, when coupled with rigorous and continuous operating staff training programs, represents the optimum approach to BWR safety. No modification of existing LPCI and low pressure core spray system needs to be undertaken. Modification of the HPCS system to automate restart on low level following manual trip, although not required for safety considerations, will lead to a net improvement in overall ECCS performance.


High Pressure Core Spray (HPCS) System Modification

GE and the BWR Owners' Group have reviewed the current HPCS system and have concluded that no system design changes are required. However, some additional safety margin may be added to the BWR design by making a relatively straightforward modification to the HPCS control logic to provide automatic restart of the system following manual termination of pump operation. The purpose of this Appendix is to conceptually describe this potential HPCS design change.

Summary

Auto restart of HPCS after manual stop can be provided if a logic system can be developed which:

(1) Restarts the HPCS pump on Level 2,
(2) Blocks high drywell pressure restart,
(3) Self clears if both auto signals disappear, and
(4) Still allows injection valve closure or pump stop if absolutely essential for protection of the public.

Any such design should adhere to the applicable portions of IEEE 279-1971.


reactor water level. Each parameter has four sensors and analog trip units arranged in a one-out-of-two-twice logic scheme. The above logic is assembled and the output is fed to an OR gate along with the system level manual initiation signal. The output of the OR gate is a LOCA initiation signal which is sealed in. A reset switch permits release of the seal in. The assembled initiation signals are not sealed in so that they self-clear when the abnormal condition disappears.

Pronosed Modification The f eature being considered will reset the auto initiation signal, on level and block the continuing auto initiation signal based on high dryvell pressure. This will allow auto EPCS restart on lov level after operator stop of the pump. It does block auto restart on high dryvell pressure unless dryvell pressure decreases below the setpoint and again increases above the setpoint. A decrease in dryvell pressure below trip level vill remove all reset features and return HPCS logic to the original status. The HPCS pump is not stopped automatically by any reset. Pump stop still requires operator action.

Sys' tem isolation must still be possible with or without this modifiction.
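The behaviour described above (no restart while an initiation signal persists, versus restart on low level once the reset blocks the continuing drywell signal), as an added Python model that is not part of the Owners' Group report. The class and function names, the sensor pairing in the vote, treating the reset as an operator action, and treating pump start as edge-triggered on the LOCA signal are assumptions made for illustration.

```python
from dataclasses import dataclass

def one_of_two_twice(a1, a2, b1, b2):
    """Trip when at least one sensor in each of the two pairs has tripped
    (the pairing of the four sensors is an assumption)."""
    return (a1 or a2) and (b1 or b2)

@dataclass
class HpcsInitiation:
    modified: bool          # True adds the proposed reset/block feature
    loca: bool = False      # sealed-in LOCA initiation signal (OR gate output)
    dw_block: bool = False  # high drywell pressure input blocked by reset
    pump: bool = False

    def step(self, low_level, high_dw, manual=False, reset=False, stop=False):
        if not high_dw:
            self.dw_block = False        # pressure below trip: original status
        if reset and self.modified:
            self.dw_block = high_dw      # block the continuing drywell signal
        initiate = low_level or (high_dw and not self.dw_block) or manual
        held = self.loca and not reset   # seal-in contact, released by reset
        loca = initiate or held
        if loca and not self.loca:
            self.pump = True             # assumed: pump starts on a new LOCA signal
        self.loca = loca
        if stop:
            self.pump = False            # operator stop is always honoured
        return self.pump

def scenario(modified):
    """Constructed sequence: drywell pressure stays high, the operator resets
    and stops the pump, then level falls to the low-level trip."""
    hpcs = HpcsInitiation(modified)
    level_sensors = [(False,) * 4, (False,) * 4, (False,) * 4,
                     (True, False, False, True)]
    actions = [{}, {"reset": True, "stop": True}, {}, {}]
    return [hpcs.step(one_of_two_twice(*s), True, **a)
            for s, a in zip(level_sensors, actions)]

if __name__ == "__main__":
    print("existing:", scenario(False))   # pump state after each step
    print("modified:", scenario(True))
```

In the existing logic the persistent drywell signal keeps the OR gate output high, so the later low-level trip produces no new start demand; with the block in place the low-level trip is a fresh LOCA signal and the pump restarts.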


[Figure: HPCS initiate circuits. Conceptual design of the HPCS initiation circuit using relay logic (solid state logic is equally adaptable). Labeled elements: low reactor water level, high drywell pressure, manual initiate, LOCA, reset, additional circuitry.]


As discussed in the body of this memorandum, General Electric and the Owners' Group believe the current ECCS control logic is fully adequate. This position is based on a combination of factors, one of which is the period of time available between the time at which the operator should (but does not) start an idle ECCS system and the time at which inadequate core cooling may begin. As discussed below this can be a fairly long time period and the purpose of this Appendix is to demonstrate this safety margin that is built into the BWR.

Assuming that after operator termination of a system, there is no source of reactor water level makeup at all and further assuming the core is initially at saturation temperature conditions, the following table summarizes the time between pump flow termination and the occurrence of 2200°F fuel clad temperatures.

Case / Time to Reach 2200°F

1. Isolated - no break. Boil off from Level 1 (typically only a few feet above the top of the core): 30 minutes
2. Isolated - large recirculation system break. Boil off from top of jet pump: 15 to 20 minutes

[Illegible line.] This case is representative of transients involving [illegible]. It should be noted that Level 1 is a very low reactor level (one or two feet above the top of the active core) and the allowable period of zero reactor water make up is considerably extended if it is assumed to start with a higher reactor water level condition.

Case 2 is representative of a large recirculation line break in a jet pump plant. For this case, it was assumed that there was no water outside the shroud and that the collapsed water level inside the shroud is at the top of the jet pump. The swollen water level is actually somewhat higher.

The heat up times given in this Appendix are minimum estimates of typical BWR values. Times would be longer if the events started with less than maximum expected core decay power and/or if the ECCS flow is terminated later in the transient. Availability of other makeup systems such as the control rod drive flow could significantly extend the time before core heat up would occur.

The above information clearly demonstrates that there is a significant period of time available for the operator to recognize that he has inadvertently permitted the reactor water level to decrease and for him to take the necessary corrective action.


Participating Utilities

NUREG-0737 II.K.3.21

This report applies to the following plants, whose owners participated in the report's development.

Boston Edison: Pilgrim 1
Carolina Power & Light: Brunswick 1 & 2
Commonwealth Edison: LaSalle 1 & 2, Dresden 1-3, Quad Cities 1,2
Georgia Power: Hatch 1 & 2
Iowa Electric Light & Power: Duane Arnold
Niagara Mohawk Power: Nine Mile Point 1 & 2
Nebraska Public Power District: Cooper
Northeast Utilities: Millstone 1
Northern States Power: Monticello
Pacific Gas & Electric: Humboldt Bay 3
Philadelphia Electric: Peach Bottom 2 & 3; Limerick 1 & 2
Power Authority of the State of New York: Fitzpatrick
Tennessee Valley Authority: Browns Ferry 1-3, Hartsville 1-4, Phipps Bend 1 & 2
Detroit Edison: Enrico Fermi 2
Long Island Lighting: Shoreham
Mississippi Power & Light: Grand Gulf 1 & 2
Pennsylvania Power & Light: Susquehanna 1 & 2
Washington Public Power Supply System: Hanford 2
Cleveland Electric Illuminating: Perry 1 & 2
Houston Lighting & Power: Allens Creek
Illinois Power: Clinton Station 1 & 2
Public Service of Oklahoma: Black Fox 1 & 2
Vermont Yankee Nuclear Power: Vermont Yankee


MEMORANDUM FOR: Gus Lainas, Assistant Director for Safety Assessment, DL
Thomas Novak, Assistant Director for Operating Reactors, DL
Robert Tedesco, Assistant Director for Licensing, DL

FROM: Themis P. Speis, Assistant Director for Reactor Safety, DSI

SUBJECT: EVALUATION OF BWR OWNERS' GROUP GENERIC RESPONSE TO ITEM II.K.3.21 OF NUREG-0737, "CORE SPRAY AND LOW PRESSURE COOLANT INJECTION SYSTEMS LOW LEVEL INITIATION"

Plant Name: Multiplant Item F-50, see Attached List
Responsible Branch: OR Branch #2
Project Manager: V. Rooney
DSI Branch Involved: RSB
Requested Completion Date: March 31, 1982
Status: Complete

Enclosed is our evaluation of the BWR Owners' Group response to NUREG-0737 Item II.K.3.21. This evaluation is applicable to operating plants, OL applications and CP applications. This item has been evaluated independently on near-term OL applications with SERs completed; however, the plant specific evaluations were contingent upon completion of this generic evaluation. Therefore, the final SERs should be updated to reference this evaluation.

We agree with the Owners' Group position that logic modifications for LPCI and core spray (except for HPCS) are unwarranted. The Owners' Group did propose a modification to the HPCS logic (applicable to BWR/5s and BWR/6s only; LaSalle will be the first operating BWR/5) which is simple and improves the safety function. The Owners' Group felt that the HPCS modification was beneficial but not required for safety. We agree with the Owners' Group assessment that the HPCS logic modification is beneficial and is a simple modification; therefore, it should be implemented. This position on the HPCS logic is consistent with the positions included in the SERs for near-term OLs.

If you have any questions concerning this item, please contact Wayne Hodges on extension 27579.

Original signed by Themis P. Speis

Themis P. Speis, Assistant Director for Reactor Safety
Division of Systems Integration


This SER applies to the following plants:

Boston Edison: Pilgrim 1
Carolina Power & Light: Brunswick 1 & 2
Commonwealth Edison: LaSalle 1 & 2, Dresden 1-3, Quad Cities 1,2
Georgia Power: Hatch 1 & 2
Iowa Electric Light & Power: Duane Arnold
Niagara Mohawk Power: Nine Mile Point 1 & 2
Nebraska Public Power District: Cooper
Northeast Utilities: Millstone 1
Northern States Power: Monticello
Pacific Gas & Electric: Humboldt Bay 3
Philadelphia Electric: Peach Bottom 2 & 3; Limerick 1 & 2
Power Authority of the State of New York: Fitzpatrick
Tennessee Valley Authority: Browns Ferry 1-3, Hartsville 1-4, Phipps Bend 1 & 2
Detroit Edison: Enrico Fermi 2
Long Island Lighting: Shoreham
Mississippi Power & Light: Grand Gulf 1 & 2
Pennsylvania Power & Light: Susquehanna 1 & 2
Washington Public Power Supply System: Hanford 2
Cleveland Electric Illuminating: Perry 1 & 2
Houston Lighting & Power: Allens Creek
Illinois Power: Clinton Station 1 & 2
Public Service of Oklahoma: Black Fox 1 & 2
Vermont Yankee Nuclear Power: Vermont Yankee

EVALUATION OF BWR OWNERS' GROUP

The core-spray and low-pressure, coolant-injection (LPCI) system flow may be stopped by the operator. These systems will not restart automatically on loss of water level if an initiation signal is still present. The core spray and LPCI system logic should be modified so that these systems will restart, if required, to assure adequate core cooling. Because this design modification affects several core-cooling modes under accident conditions, a preliminary design should be submitted for staff review and approval prior to making the actual modification.

Evaluation of Owners' Group Position

The intent of this requirement was to assure adequate water delivery to the core if an operator should manually terminate LPCI or core spray and subsequently fail to restart a system, if required. The BWR Owners' Group response to this position is given in a letter report to Darrell G. Eisenhut (NRC) from D. B. Waters (BWR Owners' Group), BWROG-80-12, December 29, 1980. The essence of the Owners' Group position is that automation of the restart of LPCI and core spray (or low pressure core spray) will result in a net decrease in safety because of the complexity of the logic required. Also automation of the restart of HPCS would result in a net increase in safety, but is not required from safety considerations.

With regard to automatic restart of the HPCS after manual termination, we have reviewed the logic modification proposed in Appendix A to the reference Owners' Group submittal and we feel that the modification should be made on all BWRs with HPCS systems. The modification is simple and straightforward and results in a safety improvement at little cost.

We concur with the Owners' Group that logic modifications to the LPCI and core spray systems (other than HPCS) are not warranted. The reasons we concur that no modifications are warranted are outlined in the paragraphs below.

High drywell pressure and low reactor water level are the key accident related parameters that govern operation of the BWR ECC systems. The occurrence of either or both of these signals is taken as an indication that a Loss of Coolant Accident (LOCA) has occurred. This combination provides diversity of initiating signals but the control system hardware does not discriminate between signals generated by the drywell pressure sensors and those produced by the reactor water level instruments. There are many accident sequences for which one or both of the ECCS initiation signals will persist for long periods of time.

With the present logic, the reactor operators can, at any time, stop any BWR ECCS system even if a LOCA signal is present. This provides the plant operators with flexibility for dealing with unforeseen but credible conditions requiring a particular system to be shut down. Examples would be equipment difficulties involving gross seal leakage, breaks in ECCS piping, failed ECCS pump motors and load shedding for other post LOCA operations. This flexibility would still be needed for the automated system but the automation would increase the complexity of the required logic.


Many BWR transient and accident events involve significant release of reactor system energy to the suppression pool, which increases the pool temperature and containment pressure. Control of these temperature/pressure conditions is achieved by manually placing the LPCI/RHR system in the suppression pool cooling mode. This LPCI/RHR mode, in conjunction with emergency service water system operation, permits rejection of the excess suppression pool energy to the station ultimate heat sink. Much of the equipment used for this cooling function is also used for the LPCI ECCS mode of the RHR system. Any scheme to provide automatic restart of the ECCS system would either have to bypass the LPCI system after it has been assigned to the suppression pool cooling function or automatically realign the equipment to the LPCI mode.
