Forwards Response to 830912 Request for Analysis Re Postulated Failure in Vessel Level Sensing Lines Common to Control & Protective Sys

ML20078C343
Person / Time
Site:	Fermi
Issue date:	09/23/1983
From:	Jens W DETROIT EDISON CO.
To:	Youngblood B Office of Nuclear Reactor Regulation
References
EF2-65-624, NUDOCS 8309270551
Download: ML20078C343 (5)
v • d • e

Text

.

4 Pr 5 2!

w,, cs,an, Detroit 2 Edison =000Secord A.enuear -

September 23, 1983 EF2 - 65,624 Director of Nuclear Reactor Regulation Attention: Mr. B. J. Youngblood, Chief Licensing Branch No. 1 Division of Licensing U. S. Nuclear Regulatory Commission Washington, D. C. 20555

Dear Mr. Youngblood:

Reference:

(1) Enrico Fermi Atomic Power Plant, Unit 2 NRC Docket No. 50-341 (2) Letter, NRC to Detroit Edison, Same Subject, September 12, 1983

Subject:

Postulated Reactor Vessel Sensing Line Failures at the Fermi 2 Facility The analysis requested in the Reference (2) letter is attached. If you have any questions, please contact Mr. Keener Earle, (313) 586-4211.

Sincerely,

" p d' E nh cc: Mr. P. Byron + W 8- ->

Mr. M. D. Lynch Mr. M. Virgilio NUS-LIS 8309270551 830923 PDR ADOCK 05000341 ,

A PDR I

I

QUESTION Operating reactor experience indicates that a number of failures have occurred in BWR reactor vessel level reference sensing lines and that in most cases the failures have resulted in erroneously high reactor vessel level indication. For BWR's common reference sensing lines are used for feedwater control and as the basis for establishing vessel level channel trips for one or more of the protective functions (reactor scram, MSIV closure, RCIC, LPCI, ADS or HPCS initiation). Failures in such sensing lines, may cause reduction in feedwater flow and consequential delay in trip within the related protective channel.

If an additional failure, perhaps of electrical nature, is assumed in a protective channel not dependent on the failed sensing line, protective action may not occur or may be delayed long enough to result in unacceptable consequences.

This depends on the logic for combining channel trips to achieve protective actions.

Accordingly, provide your analysis for each case where a reactor vessel water level tap or sensing line failure, concurrent with an additional random single electrical failure, induces a trans-ient and precludes the automatic operation of reactor scram and/

or an engineered safety feature system. For each case identified and analyzed, demonstrate how the redundancy or diversity of the plant design provides for reactor scram or safety system operation within acceptable limits. Where manual action is required by the operators, discuss the instrumentation available to the operator and the time interval before the operator must take corrective action to preclude damage.

If the results of your analyses indicate that a modification of the protection system logic is required, protection system logic configurations which we find acceptable are described in SLI-8211.

RESPONSE

Fe rmi " Failure in Vessel Level Sensing Lines Common to Control And Protective Systems" A postulated break in an instrument line plus an additional failure is beyond the design basis for this plant; however, an assessment of plant response to this event is hereby provided.

I The instrument reference lines common to feedwater control and to protective system sensors have been identified for this plant.

An analysis was performed to determine the consequences of failures in such reference lines concurrent with additional single failures in protective channels not dependent on the failed sensing line.

In the highly unlikely scenario, the most severe reference line was assumed to fail such that all attached level instruments erroneously indicated high levels. Then, addi'.ional worse-case single failures were postulated in the circuits connected to the remaining reference line. The criteria for selection of the potential worst case combinations of reference line failure plus additional single failure was to determine those combinations, if any, which preclude automatic operation of a reactor procec-tion system (s) and/or engineered safety feature system (s), and which may require manual action by the operator to bring the reactor to a safe condition. Worst-case single division power supply loss was considered for ECCS and RCIC, but this is inde-pendent from other single failures which could affect RPS or MSIV closure, etc. (i.e., a power bus failure in RPS would fail

" safe" causing a trip of that channel).

The worst postulated failure path, from the various combinations, was found to be failure of Division I instrument reference line combined with a failure "high" of the B21-N091D level transmitter.

The immediate consequences of this failure combination are a feed-water trip and a turbine stop valve closure due to a false level 8 signal. The turbine bypass will continue to operate; however, the turbine trip will initiate a reactor scram. Further consequences of this postulated scenario are the failure of automatic HPCI and RCIC initiation at level 2, the loss of manual HPCI initiation capability, the failure of Recirculation Pump Trip (RPT) at level 2, and the failure of automatic ADS, LPCI, and Core Spray initia-tion at level 1.

As stated before, at the start of this induced transient the feed-water is tripped and the turbine is tripped, the latter causing initiation of the reactor scram. When water level decreases to level 4, a low water level alarm is initiated. A second low water level alarm is initiated when water level drops to level 3. As the water level drop passes through level 2, HPCI and RCIC do not automatically start. This is due to the failure of level transmitter B21-N091D.

HPCI is unavailable for manual start due to the false level 8 trip; however, RCIC can be manually initiated. It is assumed that the operator does not manually start RCIC (which he would be expected to do when feedwater is lost) until 10 minutes following reactor scram.

l Because of the failure of RPT at level 2, the recirculation pumps are running until tripped by operator action. For Fermi-2, a FW flow interlock causes the recirc pump MG set to run back to the minimum speed when FW flow drops below 20% NBR and water level is below level 4. Most likely, the performance of the recire pumps are that they will run back early and be tripped later by the operator (10 minutes after reactor i

scram). Basically, the effect of recirc flow is to keep more water inside the shroud. Since the SAFE code cannot simulate runback, two bounding caaes were simulated instead. The first case simulates an early RPT. If the boil-off rate is the same, this case would result in a lower minimum water level inside the shroud as opposed to the case with recirc runback.

The second case simulates a manual RPT at 10 minutes after scram.

Again, if the boil-off rate is the same, this case would result in a higher minimum water level inside the shroud as opposed to the case with recire runback. For the early RPT case the minimum water level inside the shroud is 5 ft above the top of the active fuel. For the manual RPT case it is 6 ft. above the top of the active fuel. Based on the argument stated above, it is judged that the minimum water level inside the shroud for realistic case with recirc runback is about 5 to 6 f t. above the top of the active fuel.

The MSIVs would close if sensed water level drops to level 1.

Following manual RCIC initiation at 10 minutes, water level stops decreasing and slowly starts increasing. No fuel failure would occur and the core remains covered at all times. Low pressure systems are also available, but are not necessary because RCIC has more than enough capacity to assure adequate water makeup and inventory control.

The evaluation of the above worst case scenario shows that the reactor system can withstand any reactor vessel level reference line break coupled with an additional worst single failure in a protective channel not dependent on the failed sensing line with-out compromising safety. This is assured by the following evaluations:

1. No part of the active fuel is uncovered at any time. This assures no fuel damage and no degredation of the critical power ratio (CPR), or reactivity release.

2. Both the vessel and the containment remain structurally sound throughout the postulated event. This provides secon-dary assurance that no reactivity can be released to the public.

3. The scenario postulated is a highly unlikely event (instru-ment line breakage with coincident random failure) and compounds it with worst-case conditions through the event.

9 It is noted, however, that the worst case failure combina-tion does result in the loss of automatic initiation of the ECCS and RCIC, and that manual operator action is required to mitigate the effects of the induced transient.

Failure scenarios that result in failure of the reactor to scram at low reactor water level 3 are always accompanied by reactor scram (due to Alternate Rod Insertion at level 2) and either HPCI or RCIC automatic initiation due to. low reactor water level 2 signals. Thus, an assumed failure in the level 3 scram circuits is less limiting (relative to required operator action) than the failures discussed above.

It is concluded from this assessment of a break in a vessel level sensing line common to control and protective systems plus an additional worst single failure in a protective channel not dependent on the failed sensing line that the resulting accident is less severe and bounded by the DBAs already analyzed in Chapter 15 of the FSAR.

i 4

i.

i l

4 r

i i

l l

l i I 4

v,- ,s,-,---, 7., . .,m,w,,,,m-, , - . - - , , . - ~ . - , . , , ,,,, .,,-,v ....-,..-,,y-, ,v., ,,,,r www w 1-r- - -,w*,-e-v--,-v~wwv ' mve -c w v-r