ML20083H642
| ML20083H642 | |
| Person / Time | |
|---|---|
| Site: | Sequoyah  |
| Issue date: | 01/04/1984 |
| From: | Mills L TENNESSEE VALLEY AUTHORITY |
| To: | Adensam E Office of Nuclear Reactor Regulation |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737 GL-82-33, TAC-R00195, TAC-R00196, TAC-R195, TAC-R196, NUDOCS 8401090372 | |
| Download: ML20083H642 (20) | |
Text
.
' January 4, 1984 y
Dirutor of Nuclear Reactor Regulation _
Attention:
Ms. E. Adensam, Chief Licensing Branch No. 4' A-Division of Licensing U.S. Nuclear Regulatory Commission Washington, D.C. - - 20555
Dear Ms. Adensas:
s.
In the Matter of
)
Docket Nos. 50-327 Tennessee Valley Authority
)
50 -328 Please refer to sy letter to you dated April 15, 1983 which provided TVA's response to Generic Letter 82-33 (supplement 1 to NUREG-0737, Requirements for Emergency Response Capability) for the Sequoyah Nuclear Plant.
l The April 15, 1983 response committed TVA to provide a written safety analysis for the Safety Parameter Display System (SPDS) describing the basis on which se16cted parameters are sufficient to assess the safety status of each of the following identified functions for a wide range of events:
- 1) Reactivity control,
~ _
- 2) Reactor core cooling and heat removal from the primary system, t
.3) Reactor coolant system integrity, 14)- Radioactivity control, and
- 5) Containment The safety analysis for the Sequoyah Nuclear Plant SPDS is provided as
-Enclosure 1.
We are also providing an SPDS implementation plc.n consisting of our schedules for installation and operation of the SPDS (Enclosure 2) and a verification /validaticn plan (Enclosure 3).
c
'8401090372 840104' PDR ADOCK 05000327 F
PDR if
+
i i 1983-TVA SOW ANNIVERSARY k
An Equal Opportunity Employer
. Director of Nuclear Reactor Regulation January 4, 1984 If you have any questions concerning this matter, please get in touch with K. P. Parr at TTS 858-2685.
Very truly yours, TENNESSEE VALLEY AUTHORITY L. M. Mills, Manager Nuclear Licensing SwornJ nd subscribed before me this 4 day of %hs444W1984 Notary Publio Q
g My Commission Expires /-
'd Enclosures (3) cc:
U.S. Nuclear Regulatory Commission (Enclosures)
Region II Attn:
Mr. James P. O'Reilly Administrator 101 Marietta Street, NW, Suite 2900 Atlanta, Georgia 30303 e
\\
\\
i f
h
a;
~ > '
b p
ENCLOSURE 1 l
SEQUOYAH NUCLEAR PLANT SAFETY PARAMETER DISPLAY SYSTEM (SPDS)
WRITTEN SAFETY ANALYSIS
[
h b
'I.
INTRODUCTION 3
.y
- Purpose - This SPDS safety analysis has been prepared to describe the basis on which the selected parameters are sufficient to assess the safety status of the critical safety E,
' functions for a wide range of events.
,;s s.
yi;}[( c Scope - This document responds to the SPDS requirements set forth i fl'9o in supplement 1 to NUREG-0737, item 4.2a, page 8, which
' nfy' states (in addition to'the requirement described above):
t a
. The minimum information to be provided shall be sufficient to provide information to plant operators about:
(1)
' Reactivity Control O
(ii)
Reactor core cooling and heat removal from the
- e.n primary system (iii) Reactor coolant system integrity I
(iv)
Radioactivity Control (v) ~
Containment conditions.
Organization - This safety analysis describes the " barrier concept"
- philosophy and how the satisfaction of certain " critical safety functions" which have been developed is sufficient to accomplish the
,7 goal of " defense in depth."
This document will discuss how the SPDS 1%
satisfies the "def4nse in depth" criterion, and that the parameters selected are sufficient to satisfy' the requirements of supplement 1 o
to NUREG-0737. l II.
PHILOSOPHY Y ".
TheBarrideConcept s
~
It has been long recognized that if the radioactive material in the K
core of a nuclear power reactor wers to be released to the
- environment, a serious threat to 'th'e health and safety of the general public could'readit.. Hence, a fundamental goal of nuclear safety has been and continues to be the prevention of uncontrolled releases of radioactive materials from nuclear power plants. In order to accomplish this goal, the concept of " defense in depth" was adopted from the very start. of the commercial development of nuclear energy.
" Defense -in depth" for nuclear power plant operation means the provision of multiple barriers to prevent the release of radioactive material.
- r__,___._._________--.-
g The barriers that are provided in every nuclear power plant installation consist, at the minimum, of the following:
p F
1.
The fuel matrix and fuel clad,
[
2.
The reactor coolant system (RCS) pressure boundary, 3
Containment, and m-g 4.
Distance.
I The first three of these are direct physical barriers to the P_
transport of radioactive materials and together provide the required
" defense in depth." The RCS pressure boundary blocks the transport of radionuclides that escape through the fuel rods themselves.
Containment blocks the release of radionuclides that pass through the h
7
~~
RCS pressure boundary and those few radionuclides that form outside the reactor coolant system. In its most general form, " containment" includes the main containment vessel, the boundaries of those systems which penetrate the main containment vessel (the steam and feedwater systems and various auxiliary systems), and the boundaries of the separate waste storage facilities (waste gas storage tanks, spent
=
fuel storage, and the like). Finally, by locating the plant in a y
remote area (the " distance barrier"), the threat to the general I
public of released radioactive material is mitigated by decay, dilution, and dispersion of the material in transit and, as a final mode of protecton, by providing a plan for evacuation of the 7
population in downwind areas.
The philosophy of " defense in depth" assumes that as long as the fuel
[
cladding, RCS pressure boundary, and containment barriers remain intact, the nuclear power plant poses no threat to the health and safety of the general public; therefore, the nuclear safety goal of nuclear power plant operations is to ensurc that as many as possible b
h of the three physical barriers remain intact at all times and under all circumstances that may exist.
E Critical Safety Functions - For each of the barriers, there is a set of fbnctions which must be performed on a continuing basis if the 7
barrier is to remain intact or if its integrity is to be restored. '
c The full set of functions that must be performed in order to fully p
safeguard the general public from possible consequences of nuclear power plant operation is referred to as the complete set of " critical safety functions."
7 The relationship between the physical barrier and the critical safety functions which protect them is shown in table 1.
For the purposes of developing an SPDS for conteol room personnel, T
only the three physical barriers need to be considered. The Z
protection of the " distance" barrier is assumed to be inclusive in 5
the site emergency plan. The control systems, augmented by trained E
operators responding to annunciator alarms and backed by technical HFb specifications, serve to ensure that small departures from preferred operating conditions are rectified before any challenge to the critical safety function (s) develops. The set of critical safety
.c l
functions that is sufficient to protect the three physical barriers r_
are, in order of importance:
3
-e y
?
q
]
+v a
1.
Maintenance of Suberiticality 2.
Maintenance of Core Cooling 3.
Maintenance of Heat Sink 4.
Maintenance of Reactor Coolant System Integrity S.
Maintenance of Containment Integrity 6.
Control of Reactor Coolant Inventory Table 1 shows that these six safety functions are more than adequate to protect the " defense in depth" physical barriers. Table 2 shows that the critical safety functions are sufficient to satisfy the requirements of supplement 1 to NUREG-0737.
III.
PARAMETERS The aspects of each critical safety function (listed in table 3) must be monitored to ensure that the protection provided by the critical safety functions remains intact.
Specific parameters were selected which monitor the aspects (listed in table 3) of each of the critical safety functions thereby maintaining the greatest possible number of barriers to the release of radiation to the public (see table 4).
The parameters listed in table 4 are sufficient to determine the status of each critical safety function.
IV.
CONCLUSION These six critical safety functions are sufficient to satisfy the
" defense in depth" concept. They are also sufficient to assess the safety status of the five conditions or functions listed as SPDS requirements in supplement 1 to NUREG-0737. The parameters selected as inputs to the SPDS are sufficient to satisfy the critical safety functions; therefore, the parameters selected are sufficient to assess the safety status as required by supplement 1 to NUREG-0737 for a wide range' of events which include symptoms of severe accidents.
k A
4
TABLE 1 RELATIONSHIP OF CRITICAL SAFETY FUNCTIONS TO PHYSICAL BARRIERS BARRIERS Fuel Ma t trix RCS Contain-and Fuel Pressure ment Critical Safety Functions Cladding Boundary Vessel Suberiticality (S)
X Core Cooling (C)
X Heat Sink (H)
,X X
RCS In.egrity (F)
X Containment Integrity (Z)
X RCS Inventory (1)
X X
4 1
w e
l e
l 9
e g
4
... ~,
,,m.-
- - - +
r,
.e TABLE 2 SUFFICIENCY OF CRITICAL SAFETY FUNCTIONS TO MEET REQUIREMENTS OF SUPPLEMENT 1 TO NUREC-0737 Requirements listed in Supplement 1 to NUREC_0737
. Critical Safety Functions Reactivity Control' Suberiticality Reactor Core Cooling and heat removal.from-Core Cooling Heat Sink the primary system RCS Inventory kaat.cor Coolat.t Sy s i.em Integrity RCS Integrity Radioactivity Control All 6 critical safety functions Containment Containment Integrity O
O O
e e
l
. 4
TABLE 3 Critical Safety Function Aspects Suberiticality Minimize energy release in the fuel by ensuring only decay heat is being added to the reactor coolant system.
Core Cooling Provide adequate heat removal from the fuel by ensuring proper thermodynamic conditions for heat transfer thereby preventing the release of radioactivity from the fuel to the reactor coolant system.
Heat Sink Provide adequate heat removal fecn the fuel by ensuring proper thermodynamic conditions for heat transfer to secondary side thereby preventing an unacceptable energy accumulation within the reactor coolant system.
Integrity Prevent overpressurization of the reactor coolant system thereby protecting the integrity of the ' reactor pressure vessel.
Containment Prevent the overpressurization of the containment vessel and monitor the radiation release paths thereby ensuring the integrity of the containment structure.
In the more general sense of containment, the radiation release paths must be monitored to prevent the uncontrolled release of radiation to the environment.
Inventory Provide adequate reactor coolant system -
~
inventory fo" effective heat removal and pressure control.
j TABLE 4
~
PARAMETERS SUFFICIENT TO ASSESS SAFETY STATUS OF CRITICAL SAFETY FUNCTIONS Critical Safety Function Parameters Maintenance of Suberiticality Nuclear flux-power range, intermediate range startup rate, and source range startup rates Maintenance of Core Cooling -
Core exit temperature RCS Subcooling (RCS temperature and pressure)
Reactor vessel level Maintenance of Heat Sink Steam generator pressure Steam generator level Feedwater flow Maintenance of RCS Integrity RCS temperature RCS pressure Maintenance of Containment Containment pressure Integrity-Containment su=p level Containment radiation -
Shield building radiation Auxiliary building radiation Steam generator blowdown radiation Condenser vacuum exhaust radiation Maintenance of RCS Inventory Pressurizer level Reactor vessel level e
9 a
9 r
_____.______.-_______m.__._m__.
ENCLOSURE 2 SEQUOYAH NUCLEAR PLANT
~-
SAFETY PARAMETER DISPLAY SYSTEM (SPDS)
IMPLEMENTATION SCHEDULES TVA will iristall the SPDS/ technical support center (TSC) computer system hardware before startup following the second refueling outage for each unit. The SPDS, including computer systems software, will be operable, verified, and validated with operators trained no later than September 1985 for unit 1 and October 1985 for unit 2.
t g.
ENCLOSURE 3 a
SEQUOYAH NUCLEAR PLANT
{
SPDS VERIFICATION AND VALIDATION PROGRAM A.
General l
As out. lined in the December 16, 1983, letter from L. M. Mills to E. Adensam, TVA is experiencing problems with the vendor-supplied software.. This document outlines the conceptual plan by which Sequoyah's SPDS will be verified and validated and is based upon NSAC 39, " Verification and Validation for Safety Parameter Display Systens."
We are actively pursuing resolution of our software problems. Based on the resolution reached, the verification and validation (V&V) plan may require a revision which in turn would be submitted to NRC.
The objectives, methods of verification and validation (V&V), personnel and documentation to support the program will be discussed. It is intended that this will be an ongoing program; therefore, if significant modifications are made to SPDS, a similar V&V will be conducted. In addition, changes may be made to this V&V program as dictated from experience..
B.
Objectives The verification / validation process will include the following:
1..
System requirements review 2.
Hardware / software verification review 3
Validation tests, 4.
Field verification tests, and 5.
Final report.
C.
Responsibilities The Division of Nuclear Power (NUC PR) will be responsible for the V&V program. A reviewer or review team will be responsible for verifying that the criteria of each objective are met and that discrepancies are documented.
D.
Method of Verification / Validation To ensure each objective is met, the V&V will be performed as follows:
1.
System Requirements Review This objective will be met by performing a tabletop review of the SPDS to ensure the system will satisfy the functional requirements. The reviewer (s) shall be familiar with plant equipment, operations, technical requirements, operator knowledge level, emergency operating procedures, and human factors.
Additionally, the reviewer (s) should not include implementation personnel.
. 2.
Hardware / Software Verification Review This objective will be met by performing a tabletop review of the SPDS hardware and software to ensure the correct implementation of the system requirements. The reviewer (s) should be familiar with the computer system hardware and software.
3 Validation Tests to conform that the System Satisfies the Functional Requirements This objective will be met by performing static tests of the system performance. The reviewer (s) should be familiar with the computer system and the functional requirements. This testing will demonstrate that the hardware and software function acceptably.
This testing will be performed using static simulated data to ensure that the SPDS performs as intended.
4.
Field Verification Tests This objective will be met by performing testing after system installation to ensure that the system was installed properly.
The reviewer (s) shall be familiar with the computer system and the functional requirements. Field verification will consist of ensuring that each input signal is properly connected and that the signal range is consistent with the design.
5.
Final Reoort A final report documenting the SPDS V&V requirements and how they were met will be prepared.
E.
Discrecancy Detection The purpose of the V&V program is to ensure the SPDS aids the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether corrective actions by operators to avoid a degraded core are required. A revieder or review team will be assigned to address each objective listed above.
It will be the responsibility of the reviewer or review team to ensure that the criteria of the objectives are met and discrepancies are identified and corrected when appropriate.
F.
Discrepancy Resolution When a discrepancy is identified, a resolution will be developed. A solution will be written on the appropriate disposition.
G.
Documentation The discrepancies including their disposition will be maintained for the life cycle of the system. Existing division procedures will be utilized for system configuration management.
l
.