ML20063P272
| ML20063P272 | |
| Person / Time | |
|---|---|
| Site: | LaSalle  |
| Issue date: | 10/04/1982 |
| From: | Schroeder C COMMONWEALTH EDISON CO. |
| To: | Schwencer A Office of Nuclear Reactor Regulation |
| References | |
| 5126N, NUDOCS 8210130241 | |
| Download: ML20063P272 (11) | |
Text
,
N Commonwealth Edison
/ One First N;.tional Plus Chicago, Ilhnois 4
I C~
' Address R: ply to: Post Offes Box 767 Chicago, lilinois 60690 October 4, 1982 Mr.
A. Schwencer, Chie f Licensing Branch #2 Division of Licensing U. S. Nuclear Regulatory Commission tashington, DC 20555
Subject:
LaSalle County Station, Units 1 & 2 Responses to NRC Questions on Multiple Control Systems Failures NRC Docket Nos. 50-373 and 50-374 Reference (a):
NRC letter o f July 6, 1982, Subj ec t,
" Request for Additional In formation",
from A. Schwencer to L.O.
DelGe o rg e.
Dear Mr. Schwencer The purpose of this letter is to respond to the questions in Reference (a).
NRC questions 031.290-031.296 deal with failure propogation from High Energy Line Breaks (HELB) on postulated non-safety power buses,
- non-safety control system, or non-safety sensors including instrument line failures.
Each question is answered within the licensing basis o f the plant.
Non-safety systems are those identified in FSAR Chapter 7.
The FSAR Chapter 15 results are confirmed as bounding.
Events that require operator action are addressed to demonstrate that all postulated non-safety system failures from HELB events also result in events boundec by the FSAR Chapter 15 analyses.
It was assumed that all safety systems are operable in the HELB environment because they are either already qualified or currently are being qualified for that environment.
The safe operation of LaSalle County Station has been addressed on the LaSalle docket via Tabs K and L of the "Ninety Day Report" for Environmental Qualification.
Please note l
that in the Ninety Day Report, no credit was taken for any non-safety systems.
The methodology for responding to each of the NRC questions is discussed below to explain the differences between these questions and j
the responses to NRC questions Q 31.288 and 031.289 (FSAR Amendment 60) gpreviouslysubmitted.
Questions 031.288 and 031.289 addressed each specific FSAR Chapter 15 event and assumed that all non-safety systems used in the event failed in the worst direction.
Question 031.290 examines the f ailure of non-safety control systems due to HELBs.
For Question 031.290, each of the 4 HELBs was examined assuming that for each event all exposed non-safety control l
systems fail in the worst direction.
The exposure environments are as follows:
(1) LOCA - all of drywell and primary containment for the short
'8210130241 821004 i PDR ADOCK 05000373 P
t S
J.
G. Keppler October 4, 1982 term and the suppression pool suction areas for long term; (2) Main Steam Line Break (MSLB) - steam tunnel only, (3) Feedwater Line (FWLB) -
Turbine Building only; and (4) Instrument Line Break - open area adjacent to the line break inside the Reactor Building or the entire ECCS cubicle if an inside line.
Even though each system was identified separately, ell.non-safety cGntrol systems exposed to the specific HELB are assumed to fail and the combined effects were considered.
The response to question 031.291 examined all higher level power sources-than MCC's.
Question 031.289 only covered power through the Motor Control Center (MCC) level.
The results from the examination o f higher power level failures were compared to the FSAR Chapter 15 Loss of AC Power Analysis.
Question 031.292 examined simultaneous malfunctions of non-safety control system resulting from sensor (including sensor impulse lines) or power source (including any higher level power sources) malfunctions.
Question 031.289 considered the effects of multiple control system failures due to commonality of power sources or sensors on each specific FSAR chapter 15 event.
The response to Question 031.292 addressed the simultaneous malfunctions of non-safety control systems and compared the results to the worst case FSAR Chapter 15 event for power losses.
Question 031.293 concerned the fact that the Turbine Trip Without Bypass event was not analyzed.
Ques tion s 031.288 and 031.289 addressed this event as having the same results as the Generator Load Rejection Without Bypass event.
(See pages Q31.288-22 and Q31-288.23 in FSAR Amendment 60).
The Turbine Trip and Generator Load Rejection events are the same for the questions dealing with non-safety control system impacts.
Question 031.295 asked whether all non-safety control systems and l
their support systems were analyzed.
Question s 031.288 discussed which l
non-safety control systems were analyzed.
The response to question 031.295 goes into more detail as to why the systems evaluated in 031.288 are sufficient.
l Question 031.296 required confirmation that the Chapter 15 events cither took credit for non-safety control systems functioning as designed or that such systems not function at all, whichever would produce the l
uorst case.
Ques tions 031.288 and 031.289 implicitly used the worst case I
for each non-safety control system.
The response to-Question 031.296 l
provides more detail as to why the approach used in the FSAR chapter is l
adequate.
l In conclusion, the responses to. Questions 031.290-031.296 demonstrate that no new bounding events are created by the multiple failure hypothesis and that the existing licensing basis for LaSalle County l
Station as identified in FSAR Chapter 15 is adequate.
l l
l l
J._G.
Keppler October 4, 1982 This information is being-provided to_you as a preliminary response.
Upon completion of your review and resolution of any 'further questions, Commonwealth Edison Company will include this in a revision to the FSAR.
If there are any further questions in this matter, please contact this office.
Enclosed for your use are one signed original and thirty-nine copies of this letter and the' enclosure.
Very truly yours, A
lof&BL C. W. Schroeder Nuclear Licensing Administrator Enclosure cc:
NRC Resident Inspector - LSCS 5126N l
i
E L ASALLE UNITS 1 -& 2 CONTROL SYSTEM FAILURES Q 031.290 Regarding control system failures due to high energy line breaks (HELB ), it appears that the methodology used was to fail each control system individually and then determine whether each individual failure adversely affected the accident analysis results for each Chapter 15 event.
Th e
-staff believes that an analysis of this type can only determine whether HELBs in conjunction with a single control system failure are bounded by the Chapter 15 accident analysis results.
We are concerned that HELBs can affect more than one control system.
For each HELB, all control systems which could potentially be affected by that break should be assumed to fail in the worst direction and the combined effects of these failures be evaluated.
If the consequences of these failures are bounded by the accident analysis, a positive statement to the ef fect should be provided.
( No te:
It may be possible to show that although a given type of break could af fect multiple control systems, that for any specific break location in that line, only one control system would be affected.)
Response
All HELB's identified in FSAR chapter 15 were analyzed to determine the corst case event assuming the failure of all af fected non-saf ety systems in the worst direction.
All safety systems are assumed to operate as delineated in the "Ninety Day Report".
The attached table lists a matrix of all non-safety control systems used in the HELB event.
A)
LOCA Inside Containment The initial break detection logic is accomplished using safety systems only.
These automatically initiate all accident mitigation including ECCS, containment isolation, turbine trip, recirc pump trip, and scram.
This accident mitigation ef fectively isolates the LOCA environment to the containment, and on a long term basis, areas where suppression pool suction is taken.
The licensing basis assumes a loss of all normal (non-emergency) power.
Therefore, all non-safety control systems without backup power will lose power, Even assuming spurious signals from non-safety pressure and for level instrumenta-tion, this would not affect the LOCA mitigation since all actions are automatic and initiated by safety grade instrumentation.
Failure o f feedwater control systems to trip will be beneficial in that more coolant would be provided for core coverage and flashing would be minimized.
As the primary containment is automatically isolated (including MSIV's), any spurious operation of the main turbine or condenser systems will not af fect the course of this event.
Systems outside containment such as the process cumputer which are not af fected by the LOCA will continue to operate.
Spurious operation o f the area or process radiation monitoring system would not affect the course of this event as the only harsh LOCA environment outside containment would occur long into the event only inside the ECCS cubicles.
Consequently, the accident analysis case is bounding.
_~
B)
Main Steam ~ Line. Break Outside Containment (MSLB)
The initial' break' detection logic is accomplished using safety systems only. :These automatically initiate all' accident ' mitigation including ECCS, containment isolation, turbine trip, recirc. pump trip, and_ scram'
.This. accident mitigation ef fectively : isolates the MSLB.envircnment toithe steam tunnel.
This - event,. like. LOC A, assumes a loss of normal-power which results in a loss of power.to all non-safety control' systems without backup power.
Failure ~ o f.the feedwater control system -to trip will be beneficial in-that more
-coolant will be provided for. core coverage.
The increase in. pool
?
temperatureudue to continued feedwater flow would'still be bounded by the ' LOC A case.
Since the-primary. system is automatically isolated (including MSIV's), any' spurious operation of the main turbine or condenser systems will= not a f fect the course _ o f-this event.
The condenser of f-gas system and turbine building. vent systems are not.
affected by the MSLB environment and consequently provides acceptable release paths consistent with current FSAR results.
Therefore, the accident analysis case is bounding.-
C)
Feedwater Line Break Outside Containment (FWLB)
The' initial break detection logic is accomplished using safety systems'only.
These automatically initiate all accident mitigation including ECCS, containment isolation, turbine trip, recirc. pump trip, and scram.
The feedwater check valves and containment isolation function (including MSIV's) isolate the FWLB environment to -
the turbine building.
For conservatism, the entire turbine building i
is assumed to be subject to the harsh environment caused bar the FWLB.. The main turbine and recirculation system _are tripped.b0r safety grade instrumentation and are thus unaffected by the FWLB environment.
A failure of the' feedwater system to trip would result in more water available for core coverage through the unaffected lines and a continued harsh steam,.h'umidity environment ^around the broken line.
However, this ha's no -effect on the safety related
~
accident mitigation functions.
Since thc re is no fuel damage and the i
containment is isolated, any. failure of the condenser off-gas system or turbine building vent system would not result in exceeding dose limits.
The area radiation monitoring system and process radiation monitoring systems outside the turbine building would be unaffected and the; turbine building' itself would be isolated.
Therefore, the accident analysis case is bounding.
1 D). Instrument Line Break An instrument line break is assumed to occur outside primary j
. containment.
All accident mitigation is operator initiated.
In order to maximize-the extent of the harsh environment, the break is assumed to occur in the open area of the reactor building, as opposed
'to occurring in one of the ECCS or RWCU equipment rooms.
This assump-tion results in eventual exposure to some degree of all equipment inside the reactor building and not in the main steam tunnel, the i
RWCU equipment room, or any of the ECCS equipment rooms.
Break detection is based or, comparison of several readings monitoring the E
~
._.__m,_
. same process variables, by a general increase in the area radiation monitor or area temperature monitor readings in the reactor building, or by the leak detection system.
Process variables can be sensed using safety grade instrumentation such as reactor water level or by comparison of all non-a ffected process variable sensors.
Thus a failure of all affected non-safety break detection logic would not af fect the course of the event.
All accident mitigation is operator initiated in that no safety systems are tripped.
Consequently, the operator will manually trip the turbine and the recirc pumps, initi-ate shutdown, initiate RHR pool cooling, and the SGTS if required.
Since there is no fuel damage and core coverage is maintained with at most operator initiation of RPIC or HPCS, this event does not threaten any safety limits.
Due to the redundancy.and physical separation in the design of the instrument racks' located in the reactor building, any instrument line break will affect only those instrument racks immediately adjacent to l'.
All other instrument racks will be unaffected.
Comparisons of readings will alert the operator both the location of the break and to the erroneous readings.
Thus this event is non-limiting.
If the instrument lire break is inside one of the ECCS cubicles, the HELB environment is limited to that room.
All equipment is assumed failed (both safety and non-safety) as well as that divisional diesel (see Ninety Day Report).
The redundant ECCS and all other safety and non-safety equipment outside the af fected cubicle are unaffected.
Thus this event is non-limiting.
Q 031.291 Those power sources whose failure or malfunction could lead to failure or malfunction of more than one control system were reviewed in part 2 to Question 031.289.
Did this review consider all higher level power sources such that the loss of the next higher level bus initiates an event that is l
already bounded by the Chapter 15 Loss of AC power analysis (e.g., was the loss of a 480V load center which supplies multiple 480V motor control centers considered)?
If not, the effects of failure or malfunction of these higher level power sources on multiple control systems should be analyzed.
If the consequences of these failures are bounded by the Chapter 15 transient (i.e., anticipated operational occurrence) analysis, a positive statement to that effect should be provided.
Response
An analysis was performed to determine the effect of malfunctions of more than one non-safety control system due to the loss of AC power and to find whether these events are bounded by the chapter 15 Loss of AC Power event.
For this analysis, all 480V AC non-ESS switchgear (load centers),
all the non-ESS 480V AC Motor Control Centers (MCC) and 120/208V non-ESS AC buses as well as those 480V AC non-ESS MCC's connected to 480V AC ESS switchgear (load centers) and 120/208V AC non-ESS buses connected to 480V AC ESS MCC were considered.
In the case of each 480V or 120/208V bus,
_4_
cach load connected to these buses was individually. examined regarding its function and interface and the effect of power loss on multiple control systems.
The effect on the control systems due to the loss of these AC power systems collectively was also examined.
It was determined by this analysis that af ter considering all higher level power sources, the loss of the next higher level bus initiated events that were bounded by the chapter 15 Loss of AC Power analysis.
Q. 031.292 It appears that the response to Q 031.289 (the response to this question was actually provided as Part B to Q 031.288) considers the effects of multiple control system failures due to commonality of power source or sensors on the analysis results for those events listed in Chapter 15 o f the FSAR.
This may go beyond the intent of the question.
The intent o f Q 031.289 is to determine whether all potential multiple control system failures resulting from power source or sensor (including sensor impulse lines)'
malfunctions or failures could result in consequences more severe than those considered in the Chapter 15 transient (i.e., anticipated operational occurrence) analysis (i.e.,
could these failures initiate an unanalyzed event).
Determine whether simultaneous malfunctions of control systems resulting from sensor (including sensor impulse lines) or power source (including any higher level power sources identified in the response to Question 0 31.291) malfunctions are bounded by the analyses in Chapter 15.
If so, a positive statement to that effect should De provided.
Response
Simultaneous malfunctions of non-safety control systems resulting from sensor, impulse line, or power supply malfunctions were analyzed.
1)
Common power sources All of the feedwater control system and approximately 80% of the recirculation flow control system have a 120V AC common power source, MCC 131A-2 compartment Fl.
Both systems, on power supply loss, fail in place and the feed pump turbines and recirc flow control valves maintain their position at the time of power loss.
Other common power sources do not cause any simultaneous failures of control systems.
2)
Common impulse lines Two of the three reactor pressure vessel level transmitters for feedwater cotrol (C34-N004B, N004C) have a common impulse sensing line.
A f ailure of the line will cause the transmitters to read low level.
If the control system is operating on the "4B" transmitter which now outputs a minimum level, the control systems will increase flow to the maximum.
Since 2 of the 3 level channels are no longer operating properly, there will be no high level trip of the feedwater pumps or the main turbine.
This does not result in any new event and is bounded by the existing chapter 15 events.
There are no common impulse line malfunctions that could cause events not already bounded' by chapter 15 events.
., Q 031.293
-Why was the Turbine Trip Without Bypass evrat (FSAR Section 15.2.3A) not analyzed?
This is often the limiting Chapter 15 event for a BWR.
Provide a detailed response to Q 031.288 and Q 031.289 for this event.
- Response The Turbine Trip Without Bypass event (FSAR section 15.2.3A) is similar
~
to the Generator Load Rejection Without Bypass event (FSAR Section 15.2.2A).
The impact due to a.HELB are the same for each event since they are in the same area and both are affected.
Non-safety control system failures for either event result in the same consequences.
Therefore, Question 031.288 referred the Turbine Trip Event description to the Generator Load Rejection descriptions (see FSAR Amendment 60, pages Q31.288.22 and Q31.288.23).
Q 031.294 A recirculation flow control failure with increasing flow in conjunction with a feedwater flow control failure with increasing flow (caused by a line break adjacent to a motor control center) has been defined as the limiting Part A event in your response to Q 031.280.
It is stated that the MCPR remains within limits (1.03).
The staf f position is that the MCPR criterion is satisfied only if the MCPR remains greater than or equal to 1.06.
Therefore, provide the following additional information.
a.
Identify the line break (s) in question.
b.
For each break identified above, determine whether the consequences of the event are bounded by the Chapter 15
- analyses, c.
Specify the bounding event and demonstrate that the-criteria used (e.g., dose rates less than a small fraction of 10 CFR 100) are applicable for each event.
Response
The recirculation flow control failure with increasing flow in conjunction with a feedwater flow control failure with increasing flow was erroneously shown to have an MCPR of 1.03.
This was a typographical error.
The MCPR should be 1.08 which is the licensing basis for LaSalle Ccunty Station.
Q 031.295 Were all non-safety systems -(control systems) and their supporting systems analyzed (e.g., was the loss of control or instrument air and the failure of control system circuit cards, both of which would possibly. affect multiple control systems, considered)?
Another system which perhaps should be included in the anlaysis is the condenser vacuum system.
1 l
1 y
..,-.m
. Response All non-safety control sytems.that form the licensing basis of the plant ere identified in FSAR Chapter 7.7.
In response to Question 031.288 each non-safety control system that was given as part of the FSAR chapter 15 cvent mitigation was failed in its worst direction.
By assuming the corst case-failure of the non-safety control system, the support system did not require examination.
Commonality between non-safety sensors or non-safety power supplies was examined for each chapter event (Question
-031.289).
Based upon the assumed combined failures of all non-safety control systems used in each Chapter 15 event, plus the common mode failures due to common sensors or common power supplies, the conclusion is that the. results of failure in common support systems (non-safety) are bounded by the combined failures as assumed in Chapter 15 of the FSAR.
Because all non-safety control systems used for each Chapter 15 event cere failed plus coomon mode failures due to sensors or power supplies, this would be sufficient to provide justification that common mode support systems failures would be bounded.
The condenser vacuum systen is implicitly covered in that a f ailure would result in 'an MSIV closure.
This case is a milder subset of the MSIV closure case.
Q 031.296 Verify that the Chapter 15 analyses of Anticipated Operational Occurrences either assumed that control systems functioned as designed or did not function at all (i.e., are placed in manual), whichever results in the worst case event (i.e., was any credit taken for control systems in mitigating the effects of these transients).
Response
The Chapter 15 analysis of Anticipated Operational Occurrences assume oither non-safety control systems function as designed or do not function ct all.
For non-safety control system failures, the limiting chapter 15 case is the Loss of AC Power case (non-accident) or the LOCA which essumes a coincident loss of normal power.
In general the chapter 15 transients assume normal functioning of plant instrumentation and controls.
There are specific events that examine worst case non-safety control system failures:
Feedwater Controller Failure - maximum demand Loss of Feedwater Flow Pressure Regulator Failure - open Pressure Regulator Failure - closed Recirc. Flow Control Failure - decreasing flow Recirc. Flow Control Failure - increasing flow Generator Load Rejection Without Bypass Turbine Trip Without Bypass Loss of Condenser Vacuum Main Condenser Gas Treatment System Failure Malfunction of Turbine Gland Sealing System
~*
.. AJ1 of the -ab'ove cases assume a single non'-safety control system failure.
Responses to Questions 031.288, 031.289, 031.290, and 031.295 cddress the effects of multiple non-safety control systems failures.
Assuming all non-safety control systems fail results in a mild Loss of AC Power scenario which is analyzed and meets all safety limits.
5126N
. o g
l MATRIX OF NON-SAFETY CONTROL SYSTEMS AFFECTED BY HELB EVENTS LOCA MSBL FWLB Inst. Line Break Reactor Vessel Instrumentation and Controls X
Reactor Manual Control Systems X
Recirc Flow Control System X
Feedwater Control System X
X Pressure Regulator & Turbine Generator Controls X
X Neutron Monitoring System (Non-Sa fety Portion)
Process Computer System Reactor Water Cleanup System Area Radiation Monitoring System X
X Gaseous Radwaste Control System Liquid Radwaste Control System Spent Fuel Pool Cooling & Cleanup System Re fueling Interlocks System Process Radiation Monitoring System-X X
Leak Detection System X
5126N
>