ML20088A824

Proposed Tech Specs Re Reactor Protective Sys/Esf & Auxiliary Feedwater Initiation Channel Bypass Conditions
Site: Fort Calhoun, Omaha Public Power District
Issue date: 04/06/1984
From: OMAHA PUBLIC POWER DISTRICT
To:
Shared Package: ML20088A821
References: NUDOCS 8404130170

2.0 LIMITING CONDITIONS FOR OPERATION

2.15 Instrumentation and Control Systems

Applicability

Applies to plant instrumentation systems.

Objective

To delineate the conditions of the plant instrumentation and control systems necessary to assure reactor safety.

Specifications

The operability of the plant instrument and control systems shall be in accordance with Tables 2-2 through 2-5.

(1) In the event the number of channels of a particular system in service falls one below the total number of installed channels, the inoperable channel shall be placed in either the bypassed or tripped condition within one hour if the channel is equipped with a key operated bypass switch, and eight hours if jumpers or blocks must be installed in the control circuitry.

The inoperable channel may be bypassed for up to 48 hours from time of discovering loss of operability; however, if the inoperability is determined to be the result of malfunctioning RTDs or nuclear detectors supplying signals to the high power level, thermal margin/low pressurizer pressure, and axial power distribution channels, these channels may be bypassed for up to 7 days from time of discovering loss of operability. If the inoperable channel is not restored to operable status after the allowable time for bypass, it shall be placed in the tripped position or, in the case of malfunctioning RTDs or linear power nuclear detectors, the reactor shall be placed in hot shutdown within 12 hours. If active maintenance and/or surveillance testing is being performed to return a channel to active service or to establish operability, the channel may be bypassed during the period of active maintenance and/or surveillance testing. This specification applies to the high rate trip-wide range log channel when the plant is at or above 10^-4% power and is operating below 15% of rated power.

(2) In the event the number of channels of a particular system in service falls to the limits given in the column entitled "Minimum Operable Channels", one of the inoperable channels must be placed in the tripped position or low level actuation permissive position for the auxiliary feedwater system within one hour, if the channel is equipped with a bypass switch, and within eight hours if jumpers or blocks are required. If the channel has not been restored to operable status after 48 hours from time of discovering loss of operability, the reactor shall be placed in a hot shutdown condition within the following 12 hours; however, operation can continue without containment ventilation isolation signals available if the containment ventilation isolation valves are closed. If after 24 hours from time of initiating a hot shutdown procedure the inoperable engineered safety features or isolation functions channel has not been restored to operable status, the reactor shall be placed in a cold shutdown condition within the following 24 hours. This specification applies to the high rate trip-wide range log channel when the plant is at or above 10^-4% power and is operating below 15% of rated power.

Amendment No. 8, 20, 54, 65
ATTACHMENT A

(3) In the event the number of channels of a particular system in service falls below the limits given in the columns entitled "Minimum Operable Channels" or "Minimum Degree of Redundancy", except as conditioned by the column entitled "Permissible Bypass Conditions", the reactor shall be placed in a hot shutdown condition within 12 hours; however, operation can continue without containment ventilation isolation signals available if the ventilation isolation valves are closed. If minimum conditions for engineered safety features or isolation functions are not met within 24 hours from time of discovering loss of operability, the reactor shall be placed in a cold shutdown condition within the following 24 hours. If the number of operable high rate trip-wide range log channels falls below that given in the column entitled "Minimum Operable Channels" in Table 2-2 and the reactor is at or above 10^-4% power and at or below 15% of rated power, reactor critical operation shall be discontinued and the plant placed in an operational mode allowing repair of the inoperable channels before startup or reactor critical operation may proceed.

If, during power operation, the rod block function of the secondary CEA position indication system and rod block circuit are inoperable for more than 24 hours, or the plant computer PDIL alarm, CEA group deviation alarm and the CEA sequencing function are inoperable for more than 48 hours, the CEAs shall be withdrawn and maintained at fully withdrawn and the control rod drive system mode switch shall be maintained in the off position except when manual motion of CEA Group 4 is required to control axial power distribution.

Basis

During plant operation, the complete instrumentation systems will normally be in service. Reactor safety is provided by the reactor protection system, which automatically initiates appropriate action to prevent exceeding established limits.

Safety is not compromised, however, by continuing operation with certain instrumentation channels out of service since provisions were made for this in the plant design. This specification outlines limiting conditions for operation necessary to preserve the effectiveness of the reactor control and protection system when any one or more of the channels are out of service.

All reactor protection and almost all engineered safety feature channels are supplied with sufficient redundancy to provide the capability for channel test at power, except for backup channels such as derived circuits in engineered safeguards control system.

When one of the four channels is taken out of service for maintenance, the protective system logic can be changed to a two-out-of-three coincidence for a reactor trip by bypassing the removed channel. If the bypass is not effected, the out-of-service channel (Power Removed) assumes a tripped condition (except high rate-of-change of power, high power level and high pressurizer pressure),(1) which results in a one-out-of-three channel logic. If in the 2 of 4 logic system of the reactor protective system one channel is bypassed and a second channel manually placed in a tripped condition, the resulting logic is 1 of 2. At rated power, the minimum operable high-power level channels is 3 in order to provide adequate power tilt detection. If only 2 channels are operable, the reactor power level is reduced to 70% rated power which protects the reactor from possibly exceeding design peaking factors due to undetected flux tilts and from exceeding dropped CEA peaking factors.

All engineered safety features are initiated by 2-out-of-4 logic matrices except containment high radiation which oper-ates on a 1-out-of-5 basis.

The engineered safety features system provides a 2 of 4 logic on the signals used to actuate the equipment connected to each of the two emergency diesel generator units.

The rod block system automatically inhibits all CEA motion in the event a Limiting Condition for Operation (LCO) on CEA insertion, CEA deviation, CEA overlap or CEA sequencing is approached. The installation of the rod block system ensures that no single failure in the control element drive control system (other than a dropped CEA) can cause the CEAs to move such that the CEA insertion, deviation, sequencing or overlap limits are exceeded. Accordingly, with the rod block system installed, only the dropped CEA event is considered an AOO and factored into the derivation of the Limiting Safety System Settings and Limiting Conditions for Operation. With the rod block function out of service several additional CEA deviation events must be considered as AOOs. Analysis of these incidents indicates that the single CEA withdrawal incident is the most limiting of these events. An analysis of the at-power single CEA withdrawal incident was performed for Fort Calhoun for various initial Group 4 insertions, and it has been concluded that the Limiting Conditions for Operation (LCO) and Limiting Safety System Settings (LSSS) are valid for a Group 4 insertion of less than or equal to 15%.

References

(1) USAR, Section 7.2.7.1

TABLE 2-2

Instrument Operating Requirements for Reactor Protective System

| No. | Functional Unit | Minimum Operable Channels | Minimum Degree of Redundancy | Permissible Bypass Condition | Test, Maintenance, & Inoperable Bypass |
|---|---|---|---|---|---|
| 1 | Manual (Trip Buttons) | 1 | None | None | N/A |
| 2 | High Power Level | 2(b)(c) | 1(c) | Thermal Power Input Bypassed Below 10^-4% of Rated Power (a)(d) | (e)(f) |
| 3 | Thermal Margin/Low Pressurizer Pressure | 2(b) | 1 | Below 10^-4% of Rated Power (a)(d) | (e)(f) |
| 4 | High Pressurizer Pressure | 2(b) | 1 | None | (e) |
| 5 | Low R.C. Flow | 2(b) | 1 | Below 10^-4% of Rated Power (a)(d) | (e) |
| 6 | Low Steam Generator Water Level | 2/Steam Gen (b) | 1/Steam Gen | None | (e) |
| 7 | Low Steam Generator Pressure | 2/Steam Gen (b) | 1/Steam Gen | Below 550 psia (a)(d) | (e) |
| 8 | Containment High Pressure | 2(b) | 1 | During Leak Test | (e) |
| 9 | Axial Power Distribution | 2(b)(c) | 1(c) | Below 15% of Power | (e)(f) |
| 10 | High Rate Trip-Wide Range Log Channels | 2(b) | 1 | Below 10^-4% and Above 15% of Rated Power (a) | (e) |
| 11 | Loss of Load | 2(b) | 1 | Below 15% of Rated Power | (e) |

a Bypass automatically removed.

b If minimum operable channel conditions are reached, one inoperable channel must be placed in the tripped condition within one hour from the time of discovery of loss of operability. The remaining channel may be bypassed for 48 hours and, if an inoperable channel is not returned to operable status within this time frame, a unit shutdown must be initiated. (See Specification (2) and exception associated with the high rate trip-wide range log channel.)

c If two channels are inoperable, load shall be reduced to 70% or less of rated power.

d For low power physics testing this trip may be bypassed up to 10^-1% of rated power.

e If one channel becomes inoperable, that channel may be bypassed for 48 hours from time of discovery of loss of operability. If not returned to operable status within this time frame, the channel must be placed in the tripped condition. (See Specification (1) and associated exceptions.)

f If the inoperable channel is determined to be caused by malfunctioning RTDs or nuclear detectors, the channel may be bypassed for up to 7 days from time of discovery of loss of operability. If not returned to operable status within this time frame, the unit must be placed in hot shutdown within the following 12 hours.

TABLE 2-3

Instrument Operating Requirements for Engineered Safety Features

| No. | Functional Unit | Minimum Operable Channels | Minimum Degree of Redundancy | Permissible Bypass Conditions | Test, Maintenance, & Inoperable Bypass |
|---|---|---|---|---|---|
| 1 | Safety Injection | | | | |
| | A Manual | 1 | None | None | N/A |
| | B High Containment Pressure | A: 2(a)(d); B: 2(a)(d) | A: 1 | During Leak Test | (f) |
| | C Pressurizer Low/Low Pressure | A: 2(a)(d); B: 2(a)(d) | A: 1; B: 1 | Reactor Coolant Pressure Less Than 1700 psia (b) | (f) |
| 2 | Containment Spray | | | | |
| | A Manual | 1 | None | None | N/A |
| | B High Containment Pressure | A: 2(a)(c)(d); B: 2(a)(c)(d) | A: 1; B: 1 | During Leak Test | (f) |
| | C Pressurizer Low/Low | A: 2(a)(c)(d); B: 2(a)(c)(d) | A: 1; B: 1 | Reactor Coolant Pressure Less Than 1700 psia (b) | (f) |
| 3 | Recirculation | | | | |
| | A Manual | 1 | None | None | N/A |
| | B SIRW Tank Low Level | A: 2(a)(d); B: 2(a)(d) | A: 1 | None | (f) |
| 4 | Emergency Off-Site Power Trip | | | | |
| | A Manual | 1(e) | None | None | N/A |
| | B Emergency Bus Low Voltage (Each Bus) | | | | |
| | - Loss of Voltage | 2(d) | 1 | Reactor Coolant Temperature Less Than 300°F | (f) |
| | - Degraded Voltage | 2(a)(d) | 1 | | |
| 5 | Auxiliary Feedwater | | | | |
| | A Manual | 1 | None | None | N/A |
| | B Auto. Initiation | A, B | | Operating Modes 3, 4, | |
| | - Steam Generator Low Level | 2(a)(d) | 1 | | (h) |
| | - Steam Generator Low Pressure | 3(a)(g) | 1 | | (i) |
| | - Steam Generator Differential Pressure | 3(a)(g) | 1 | | (i) |

a A and B actuation circuits each have 4 channels.

b Auto removal of bypass above 1700 psia.

c Coincident high containment pressure and pressurizer pressure low signals required for initiation of containment spray.

d If minimum operable channel conditions are reached, one inoperable channel must be placed in the tripped condition or low level actuation position for auxiliary feedwater system within eight hours from the time of discovery of loss of operability. The remaining inoperable channel may be bypassed for 48 hours and, if an inoperable channel is not returned to operable status within this time frame, a unit shutdown must be initiated [see Specification (2)].

e Control switch on incoming breaker.

f If one channel becomes inoperable, that channel must be placed in the tripped or bypassed condition within eight hours from time of discovery of loss of operability. If bypassed and that channel is not returned to operable status within 48 hours from time of discovery of loss of operability, that channel must be placed in the tripped condition within the following eight hours. (See Specification (1) and exception associated with maintenance.)

g Three channels required because bypass or failure results in auxiliary feedwater actuation block in the affected channel.

h If one channel becomes inoperable, that channel must be placed in the actuation or bypassed condition within eight hours from time of discovery of loss of operability. If bypassed and that channel is not returned to operable status within 48 hours from time of discovery of loss of operability, the channel must be placed in the low level actuation permissive condition within the following eight hours. (See Specification (1) and exception associated with maintenance.)

i If the channel becomes inoperable, that channel must be placed in the bypassed condition within eight hours from time of discovery of loss of operability. If the channel is not returned to operable status within 48 hours from time of discovery of loss of operability, one of the eight channels may continue to be placed in the bypassed condition provided the Plant Review Committee has reviewed and documented the judgment concerning prolonged operation in bypass of the defective channel. The channel shall be returned to operable status no later than during the next cold shutdown. If one of the four channels on one steam generator is in prolonged bypass and a channel on the other steam generator becomes inoperable, the second inoperable channel must be placed in bypass within eight hours from time of discovery of loss of operability. If one of the inoperable channels is not returned to operable status within seven days from the time of discovery of the second loss of operability, the unit must be placed in hot shutdown within the following 12 hours.


TABLE 2-4

Instrument Operation Conditions for Isolation Functions

| No. | Functional Unit | Minimum Operable Channels | Minimum Degree of Redundancy | Permissible Bypass Conditions | Test, Maintenance, & Inoperable Bypass |
|---|---|---|---|---|---|
| 1 | Containment Isolation | | | | |
| | A Manual | 1 | None | None | N/A |
| | B Containment High Pressure | A: 2(a)(e); B: 2(a)(e) | A: 1; B: 1 | During Leak Test | (f) |
| | C Pressurizer Low/Low | A: 2(a)(e); B: 2(a)(e) | A: 1; B: 1 | Reactor Coolant Pressure Less Than 1700 psia (b) | (f) |
| 2 | Steam Line Isolation | | | | |
| | A Manual | 1 | None | None | N/A |
| | B Steam Generator Low Pressure | A: 2/Steam Gen (e); B: 2/Steam Gen (e) | A: 1/Steam Gen; B: 1/Steam Gen | Steam Generator Pressure Less Than 550 psia (c) | (f) |
| 3 | Ventilation Isolation | | | | |
| | A Manual | 1 | None | None | N/A |
| | B Containment High Radiation | A: 2(d); B: 2(d) | None | If Containment Ventilation Isolation Valves Are Closed | |

a A and B circuits each have 4 channels.

b Auto removal of bypass above 1700 psia.

c Auto removal of bypass above 550 psia.

d A and B circuits are both actuated by any one of the five VIAS initiating channels; RM-050, RM-051, RM-050, RM-061, or RM-062; however, only RM-050 and RM-051 are required for containment ventilation isolation.

e If minimum operable channel conditions are reached, one inoperable channel must be placed in the tripped condition within eight hours from the time of discovery of loss of operability. The remaining inoperable channel may be bypassed for 48 hours from the time of discovery of loss of operability and, if an inoperable channel is not returned to operable status within this time frame, a unit shutdown must be initiated [see Specification (2)].

f If one channel becomes inoperable, that channel must be placed in the tripped or bypassed condition within eight hours from the time of discovery of loss of operability. If bypassed and that channel is not returned to operable status within 48 hours from the time of discovery of loss of operability, that channel must be placed in the tripped condition within the following eight hours. (See Specification (1) and exception associated with maintenance.)

DISCUSSION AND SIGNIFICANT HAZARDS CONSIDERATIONS FOR PROPOSED CHANGES INVOLVING THE BYPASSING OF ALL CHANNELS EXCEPT AUXILIARY FEEDWATER INITIATION CHANNELS

The proposed changes to the Fort Calhoun Station's (FCS) Technical Specifications impose additional limitations on the inoperability of Reactor Protective System (RPS) and Engineered Safety Features (ESF) instrumentation and initiation channels. The purpose of these changes is to provide additional assurance that the RPS and ESF systems are available to perform intended functions in the event of a plant trip or accident.

The existing FCS Technical Specifications permit a single channel of an RPS or ESF system, employing two-out-of-four logic, to be bypassed indefinitely. A time limit of 48 hours for all channels except those channels which are inoperable due to failure of an RTD or nuclear detector is proposed. This 48-hour time limit is consistent with the intent of the Standard Technical Specifications which have been approved by the Nuclear Regulatory Commission.

For those channels which are made inoperable due to a failure of an RTD or nuclear detector, a time limit for permissible bypass has been set at 7 days. The District believes this longer time limit is justified since the failure of these components occurs infrequently and the RPS and ESF systems are designed with sufficient redundancy to ensure proper performance of their intended function with one channel inoperable. Since the repair of a failed RTD or nuclear detector will require the plant to be placed in a hot shutdown condition, the time limit proposed will permit appropriate planning and scheduling. The proposed Technical Specifications also require that if the allowed time limit for bypass is reached and a channel is not returned to an operational condition, the channel must either be placed in a trip condition or the plant must be placed in a hot shutdown condition within the following 12 hours. One exception to this requirement is as follows: If maintenance is actively being performed on the affected channel to restore that channel to operability or its surveillance testing is actively being performed to allow that channel to be restored to operability, the bypass of that channel can be continued past the 48-hour time limit. The District believes a time limit of 12 hours to place the reactor in hot shutdown is satisfactory, since a sufficient amount of system redundancy is still available. The 12-hour time limit is consistent with similar time limits in the FCS Technical Specifications concerning limiting conditions for operation of safeguards equipment.

In keeping with the requirements set forth in the Standard Technical Specifications, the District has proposed a time limit for placing an inoperable channel in the bypassed or tripped condition of one hour from the time of discovery. This one-hour limitation applies only to those channels which can be bypassed by a key switch.

ATTACHMENT B


Certain channels of the ESF at the FCS require the installation of jumpers or blocks in order to accomplish a circuit bypass, since the channels are not equipped with key operated bypass switches. Therefore, bypassing these circuits within one hour is not always possible, since properly trained off-duty personnel may have to respond, review drawings and procedures, and obtain necessary approval for installing jumpers or blocks and then accomplish the action to implement the bypass. Experience has demonstrated that an 8-hour period is an appropriate time to accomplish this bypass.

When the inoperable channel has been repaired and the jumper or block is removed, testing is performed on that channel to ensure operability. The use of jumpers or blocks to bypass an ESF channel at the FCS is quite infrequent (2 to 3 times per year). Their use is governed by FCS Standing Order 0-25, "Electric Jumpers Control". This procedure assures the proper control of jumpers and blocks via the following: (1) requires that a maintenance order for the installation of the jumper or block is properly prepared and authorized; (2) requires that no jumpers or blocks be installed which would violate the FCS Operating License; (3) requires the maintenance of a jumper log which is maintained and controlled by the Shift Supervisor; (4) requires prior Plant Review Committee and Shift Supervisor permission be obtained before installing a jumper or block and that Shift Supervisor permission be obtained prior to removing a jumper or block; (5) requires an independent verification of jumper or block removal; (6) requires a monthly audit of all existing jumpers and blocks by the Supervisor - I&C and Electrical Field Maintenance or his designated alternate; and (7) requires and sets forth a procedure for proper tagging or tag removal of all jumpers and blocks. Each jumper or block requires an individual tag. The status of a jumpered or bypassed channel will be indicated in the control room by placing a "Hold for Inspection" sticker on the appropriate indicator(s) (i.e., dial, recorder, etc.). In addition to Standing Order 0-25, it should be noted that jumpers and blocks are not and will not be used for routine surveillance testing of the systems governed by this proposed Technical Specification.

The proposed Technical Specifications also set forth actions to be taken in the event a number of channels of a particular system in service reach or fall below the indicated number of "Minimum Operable Channels", as specified in the existing FCS Technical Specifications. If the number of channels of a particular RPS or ESF system falls to these limits, one of the inoperable channels must be placed in the trip condition within one hour, if the channel is equipped with a switch, and within 8 hours, if jumpers or blocks are required. If the number of channels of a particular system in service falls below the limits given in the columns titled "Minimum Operable Channels" or "Minimum Degree of Redundancy", the reactor shall be placed in a hot shutdown condition within 12 hours. If the minimum conditions are not met within 24 hours, the reactor shall be placed in a cold shutdown within the next 24 hours. This requirement is consistent with those set forth in the Standard Technical Specifications.

The proposed Technical Specifications require the unit be in hot shutdown rather than cold shutdown within the specified time frame if an inoperable channel is not restored to operable status due to malfunctioning RTDs or linear power nuclear detectors. Whenever the reactor is in the hot shutdown condition, as defined by the Technical Specifications, the reactor power, as measured by wide range logarithmic power channels using excore neutron detectors, will be less than 10^-4% of rated power. Therefore, the functional units (high power level, thermal margin/low pressure, axial power distribution, and high rate trip-wide range log channels) that receive signals from the RTDs and/or nuclear detectors are bypassed in the hot shutdown mode per Table 2-2 of the Technical Specifications and the unit need not be placed in cold shutdown.

As per 10 CFR 50.92, the following significant hazards considerations have been made:

(1) These changes do not involve a significant increase in the probability or consequence of an accident previously evaluated because they establish specific time limitations on the bypassing of systems which could previously be bypassed indefinitely. The design of the affected systems or the ability of these systems to perform their intended safety functions has not been altered. The only change has been to impose more stringent time limitations for the inoperability of these systems. These more stringent time limitations will not increase the probability or consequence of a previously evaluated accident.

(2) These proposed changes will not create the possibility of a new or different kind of accident from any accident previously evaluated. As stated above, the only change constitutes an administrative control imposing additional time restrictions upon the inoperability of safety systems and, therefore, will not create a new or different kind of accident.

(3) The proposed changes to the Technical Specifications do not involve a significant reduction in the margin of safety. By imposing more stringent bypass requirements on the RPS and ESF systems and making no changes or alterations in the ability of these systems to perform their intended functions, the margin of safety will not be reduced.

DISCUSSION AND SIGNIFICANT HAZARDS CONSIDERATIONS FOR PROPOSED CHANGES INVOLVING AUXILIARY FEEDWATER INITIATION CHANNEL BYPASS

The steam generator low pressure and steam generator differential pressure channels of the auxiliary feedwater (AFW) automatic initiation circuitry are used to detect and prevent delivery of AFW to a "faulted" steam generator. Upon channel failure, the channel can be placed in a "low level actuation permissive" condition (i.e., if a low level signal occurs, the channel will provide a "feed" signal to the decision matrix) or a "low level actuation prevention" or bypassed condition (i.e., if a low level signal occurs, the channel will provide a "do not feed" signal to the decision matrix). Placing the channel in the "low level actuation prevention" condition provides a two-out-of-three matrix logic for AFW actuation for that steam generator, while placing the channel in the "low level actuation permissive" condition provides a one-out-of-three matrix logic for AFW actuation (both cases assume the presence of valid low level signals). This latter case has the possibility of feeding a faulted steam generator with a concurrent single failure to the AFW actuation circuit.
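The coincidence arithmetic used in the Basis of Specification 2.15 and in the preceding paragraph, worked as an added Python example that is not part of the District's submittal. The `State` names, the scenario labels, and the modelling choice that a bypassed ("actuation prevention") channel never votes while a tripped ("actuation permissive") channel always votes are assumptions of this model.

```python
from enum import Enum
from itertools import product


class State(Enum):
    OPERABLE = "operable"  # votes according to its sensor
    BYPASSED = "bypassed"  # never votes (AFW: "low level actuation prevention")
    TRIPPED = "tripped"    # always votes (AFW: "low level actuation permissive")


def effective_logic(states, required=2):
    """Return (m, n): m further votes needed from the n channels still voting."""
    n = sum(s is State.OPERABLE for s in states)
    forced = sum(s is State.TRIPPED for s in states)
    return max(required - forced, 0), n


def actuates(states, demands, required=2):
    """Full voter: forced votes plus operable channels that see a demand."""
    votes = sum(
        s is State.TRIPPED or (s is State.OPERABLE and d)
        for s, d in zip(states, demands)
    )
    return votes >= required


def logic_matches_voter(states, required=2):
    """Exhaustively confirm the reduced m-of-n rule equals the full voter."""
    m, _ = effective_logic(states, required)
    for demands in product([False, True], repeat=len(states)):
        live = sum(d for s, d in zip(states, demands) if s is State.OPERABLE)
        if actuates(states, demands, required) != (live >= m):
            return False
    return True


def failures_to_spuriously_actuate(states, required=2):
    """Fewest operable channels failing toward 'actuate' that fire the function
    with no real demand. None means the function cannot fire at all."""
    m, n = effective_logic(states, required)
    return m if m <= n else None


def failures_to_block(states, required=2):
    """Fewest operable channels failing toward 'no vote' that defeat a real
    demand seen by every operable channel. None means already actuated."""
    m, n = effective_logic(states, required)
    if m == 0:
        return None
    return max(n - m + 1, 0)


O, B, T = State.OPERABLE, State.BYPASSED, State.TRIPPED
SCENARIOS = {  # constructed cases, labelled after the page's wording
    "all four channels in service": [O, O, O, O],
    "one channel bypassed": [B, O, O, O],
    "one channel tripped / actuation permissive": [T, O, O, O],
    "one bypassed, one tripped": [B, T, O, O],
}


def summarize(states):
    """(logic label, failures to spuriously actuate, failures to block)."""
    m, n = effective_logic(states)
    return (f"{m}-out-of-{n}",
            failures_to_spuriously_actuate(states),
            failures_to_block(states))


if __name__ == "__main__":
    for name, states in SCENARIOS.items():
        label, spurious, block = summarize(states)
        print(f"{name:45s} {label:12s} spurious={spurious} block={block}")
```

With one channel in the permissive (tripped) state a single spurious vote actuates the function, which is the concurrent single failure case named above; with one channel bypassed, two failures are still needed in either direction.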

The bypass philosophy chosen by the District is to place one channel of the four steam generators and/or steam generator differential pressures on one of the steam generators in the "low level actuation prevention" or bypass condition for a prolonged time period until the next cold shutdown. If a failure occurs in the four channels on the steam generator without a previously bypassed channel, a channel must be fixed within seven days or the unit must be placed in hot shutdown. The essence of this requirement is that the unit is allowed to operate for a prolonged period of time with a two-out-of-three logic for the automatic AFW actuation circuitry of one steam generator and a two-out-of-four logic for the automatic AFW actuation circuitry of the second steam generator. The unit may operate for seven days with a two-out-of-three logic in both steam generators. If a second channel fails on a steam generator with a previously bypassed channel, the minimum operable channels fall below the operability limits given in the Technical Specifications and the requirements of Specification (3) in Section 2.15 must be met.

The design basis events for the automatic AFW actuation circuitry are the feedline break event, the loss of main feedwater event, and the steamline break event. Each event is discussed with respect to the prolonged bypass of a single steam generator low pressure and steam generator differential pressure channel (i.e., failure of one pressure transmitter).

The feedline break analysis assumes the steam generator blows down in the liquid phase through a hole equivalent to the diameter of the main feedwater line. This event is the most severe loss of heat removal accident analyzed for the FCS. The AFW system is required to provide water to the "intact" steam generator and not to feed the "faulted" steam generator. If the bypassed channel is on the "intact" steam generator, the actuation logic must work in a two-out-of-three logic to ensure the AFW is actuated to prevent primary system overpressurization for the feedline break analysis. Two additional failures would have to occur such that the AFW system would fail to feed the "intact" steam generator. If the bypassed channel was on the "faulted" steam generator, two additional failures would be necessary such that the AFW system would feed this generator. In both cases, two additional failures are necessary for system failure. In addition, the feeding of a "faulted" steam generator would not invalidate the feedline break analysis. The AFW lines at the FCS enter the steam generators through separate nozzles above the U-tubes and are not connected to the main feedwater lines. The main feedwater line and feed ring are located above the top of the U-tubes. If the AFW system incorrectly feeds the "faulted" steam generator, the water would reach the tube sheath and would exit in the form of steam through the "fractured" main feedwater line. Therefore, heat removal capability would be maintained. Also, the feedline break analysis assumes no credit for any trips associated with the "faulted" steam generator. If credit was taken, a much longer time period would be available for AFW actuation to the "intact" steam generator and the severity of the accident would be greatly reduced.

The AFW actuation circuit must prevent the AFW system from feeding the "faulted" steam generator during the steamline break accident.

The actuation circuit would also initiate AFW to the "intact" steam generator, but at a much later time in the accident such that manual actuation could be depended upon. If the bypassed channel is located in the "faulted" steam generator, two additional failures must occur such that the AFW would feed a faulted steam generator which is the same situation that occurs in the case of the two-out-of-four logic. Therefore, no degradation of safety margin occurs with one channel bypassed for the steamline break accident. During the seven day interval when two AFW actuation circuit pressure sensing channels on one steam generator may be bypassed, the failure of one instrument bus in conjunction with a steamline break could allow AFW to be fed to a "faulted" steam generator. During this event, it is assumed that the "runout" flow of 350 gpm per pump is fed to the faulted steam generator.

The District has previously confirmed that the worst single failure during a steamline break is the failure of a reverse flow steam check valve. This single failure bounded the failure of the main feed isolation valve; although, the failure of a main feedwater isolation valve is no longer considered in the steamline break analysis because two isolation valves in each feedline are now closed by a main feedwater isolation signal. The assumed feedwater flow to the "faulted" generator for steamline break analyses with a main feedwater isolation valve failure was 793 gpm. This is greater than the 700 gpm "runout" flow of both AFW pumps and, therefore, the previous steamline break analysis with a main feedwater line isolation valve failure "bounds" a steamline break with a failure of the AFW actuation circuitry. Since the current steamline break analysis assumes the more severe single failure of the failure of a reverse flow steamline check valve, the current steamline break analysis is valid for a single failure which results in AFW actuation.

The AFW actuation circuit must feed the steam generators in the loss of main feedwater event which may be caused by any number of initiators, including loss of offsite power. However, it is only necessary for the AFW system to feed one steam generator to prevent exceeding any of the specified acceptable fuel design limits which are the acceptance criteria for this event. If AFW is initiated to one steam generator, more than sufficient time exists to manually re-establish feedwater to the other steam generators.

Since one steam generator will always have an operable two-out-of-four logic circuit, there is no degradation of safety margin for the loss of main feedwater event.

The proposed Technical Specifications require the unit to be placed in hot shutdown within the specified time frame if one pressure transmitter is inoperable on each steam generator. The unit need not be placed in cold shutdown because there is sufficient time for the operator to restore feedwater to the steam generators in the event feedwater is lost to the steam generators when the unit is in the hot shutdown mode. Calculations show that the time to steam generator dryout is 20.5 minutes following a trip from full power on low steam generator level and 34.2 minutes following a trip from full power where the steam generator level is being maintained at its nominal operating level. Since steam generator water level in the hot shutdown mode is the same as the level at full power and since much of the decay heat would have already been removed from the core during the normal process of placing the unit in the hot shutdown mode, the time to steam generator dryout for the hot shutdown mode would be substantially longer. Therefore, it is concluded that the time available to the operator to restore feedwater to the steam generators when the unit is in the hot shutdown mode is greater than that recommended in Draft ANSI Standard M660.

As per 10 CFR 50.92, the following significant hazards considerations have been made:

(1) These changes do not involve a significant increase in the probability or consequence of an accident previously evaluated because it establishes specific time limitations on the bypassing of systems which could previously be bypassed indefinitely. The design of the affected systems or the ability of these systems to perform their intended safety functions has not been altered. The only change has been to impose more stringent time limitations for the inoperability of these systems. These more stringent time limitations will not increase the probability or consequence of a previously evaluated accident.

(2) These proposed changes will not create the possibility of a new or different kind of accident from any accident previously evaluated. As stated above, the only change constitutes an administrative control imposing additional time restrictions upon the inoperability of safety systems and, therefore, will not create a new or different kind of accident.

(3) The proposed changes to the Technical Specifications do not involve a significant reduction in the margin of safety. By imposing more stringent bypass requirements on the RPS and ESF systems and making no changes or alterations in the ability of these systems to perform their intended functions, the margin of safety will not be reduced.
