ML20091Q394
| ML20091Q394 | |
| Person / Time | |
|---|---|
| Site: | Beaver Valley |
| Issue date: | 02/29/1984 |
| From: | Blackburn T WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML20091Q387 | List: |
| References | |
| NUDOCS 8406140016 | |
| Download: ML20091Q394 (37) | |
Text
6 BEAVER VALLEY UNIT 2 FAILURE OF FEEDWATER CONTROL CHANNEL USED FOR PROTECTION T. A. Blackburn February 1984
/
Approved: b
./ . 1. Little, Manager
( ansient Analysis Westinghouse Eiectric Corporation Nuclear Energy Systems P.O. Box 355 Pittsburgn, Pennsylvania 15230-
~
8406140016 840608 PDR ADOCK 05000412 A PDR ,,
TABLE OF CONTENTS Secti on . Titl e =
'l.0 Purpose of Analysis 2.0- Background 3.0 Description of the Event 4.0' Transient Results 5.0 Conclusions 6.0 References nm.. s I
i
l LIST OF TABLES l Table . Title 1 Initial Conditions 2
Time Sequence of Events for a Feedwater Control Malfunction With Reactor Trip
- 3. Time Sequence of Events for a Feedwater Control-Malfunction Without a Reactor Trip 4
Time Sequence of Alarms and Annunciators for a Feedwater Control. Malfunction With a Reactor Trip 5
Time Sequence of Alarms and Annunciators for a Feedwater Control Malfunction Without a Reactor Trip ii
LIST OF FIGURES Figure Title 1
Steam Generator 1 Level Logic 2
Steam Generator 1 Initiating Event 3
Steam Generator 1 Case 1 Single Active Failure 4' Steam Generator 1 Case 2 Single Active Failure 5 Feedwater Control Malfunction Nuclear Power and Core Heat Flux versus Time No Reactor Trip (Beginning of Core Life)
.6 Feedwater Control Malfunctin RCS Average Temperature, Delta T and Pressurizer Pressure versus Time No Reactor Trip (Beginning of Core Life) 7
' Feedwater Control Malfunctin Steam Generator Secondary Side Volume and DN8 Ratio versus Time No Reactor Trip (Beginning of Core Life) l 8 Feedwater Control Malfunction Nuclear Power and Core Heat Flux versus Time No Reactor Trip (End of Core Life)
~
9 Feedwater Control Malfunction RCS Average Temperature, l
Delta T and Pressurizer Pressure versus Time No Reactor Trip-(End of Core Life) 10 Feedwater Control Malfunction Steam Generator Secondary L
i Side Volume and DNB Ratio versus Time No Reactor Trip 6
l (End of Core Life) l l
11 Feedwater Control Malfunction Nuclear Power and Core l
Heat Flux versus Time Reactor Trip on Lo-Lo Steam l Generator Level (Beginning of Core Life)
~
LIST OF FIGURES (Cont)
Figure Title 12 Feedwater Control Malfunction RCS Average Temperature Delta T and Pressurizer Pressure versus Time Reactor Trip Lo-Lo Steam Generator Level (Beginning of Core Life) 13 Feedwater Control Malfunction Steam Generator Secondary Side Volume and DNB Ratio versus Time Reactor Trip on Lo-Lo Steam Generator Level (Beginning of Core Life) 14 Feedwater Control Malfunction Nuclear Power and Core Heat Flux versus Time Reactor Trip on Lo-Lo Steam Generator Level (End of Core Life)
Feedwater Control Malfunction RCS Average Temperature, 15 Delta T and Pressurizer Pressure versus Time Reactor Trip on Lo-Lo Steam Generator Level (End of Core Life) 16 Feedwater Control Malfunction Steam Generator Secondary Side Volume and DNB Ratio versus Time Reactor Trip on Lo-Lo Steam Generator Level (End of Core Life) iv
- 1.O PURPOSE OF ANALYSIS The Instrumentation and Control Systems Branch of the United States Nuclear Regulatory Comission has questioned Beaver Valley Power Station Unit 2 in regards to feedwater isolation. More specifically, the issue has been raised of strictly-applying single failure criteria to two out of three hi-hi steam generator water level logic for feedwater isolation.
The purpose of this analysis is to justify the adequacy of the current design. This report describes the expected transient performance of Beaver Valley Unit 2 for several postulated scenarios. It demonstrates that no unacceptable consequences occur.
S'S99!22887- - ..
2.0 BACXGROUND_
A safety analysis of Feedwater System Malfunction Causing an Increase in Feedwater Flow is presented in the Beaver Valley Unit 2 Final Safety Analysis Report. It demonstrates that the Departure from Nucleate Boiling (DN8) design basis is met for that accident. Therefore, DNB is not a safety concern here.
It should be pointed out that one of the assumptions in the FSAR analysis is feedwater isolation on a hi-hi steam generator level signal. However, the DN8 ratio (DNBR) reached its minimum and had begun to increase prior to feedwater isolation. Therefore, even without taking credit for the hi-hi level signal, the ONB design basis would have been met.
The single random failure requirement of IEEE-279 stipulates that where a random failure can result in a control system action that produces a plant condition requiring protective action, and simultaneously prevents the proper action of a protection chanel designed to protect against that plant condition, the remaining redundant channels shall be capable of protecting the plant even when degraded by a second random failure. As regards the steam generator level signal, if the transmitter in the level ehannel used for control . purposes fails in such a way as to cause high feedwater flow (and increasing level), a subsequent failure in one of the two remaining channels might prevent the actuation of feedwater isolation.
Feedwater isolation is normally actuated by a hi-hi steam generator water level signal in any one of the three steam generators. In each steam i
generator, hi-hi level signal is based upon receiving the indication in 2 out of 3 channels.
l- 2 of the 3 steam generator Figure 1 will facilitate the following discussion.
L water level channels in each steam generator have bistables for each of the following three functions: lo-lo steam generator water level reactor trip, low steam generator water level signal for low feedwater flow reactor trip, t
' and hi-hi steam generator water level turbine trip and feedwater isolation.
The third channel replaces low steam generator water level signal with input i
to the appropriate feedwater control valve.
__ __ _ - _ ?
F l
The following scenario has been postulated. If for some reason the transmitter is this third channel were to f ail low, the feedwater control valve would begin to open, to keep the steam generator water level near its setpoint. Strictly applying the single active failure criteria (failure in one;of the other two SG water level channels), the hi-hi steam generator water
. level signal could not be generated in that loop. Only one channel is available to indicate water level above hi-hi, but 2 are needed for the logic. Thus this function, hi-hi steam generator water level turbine trip and feedwater isolation which was assumed in the FSAR, is not available.
However, if one considers the actual performance of the plant and the other
~
protective functions, ifcin'Wd m6nitfatef a tMt^the event has no unacceptable consequences.
4
i
' 3.0 DESCRlPT10N OF EVENT This excessive feedwater flow transient is initiated by a feedwater control T hi s f ail ure . It is exacerbated by a subsequent protective system f ailure.
f ailure precludes the actuation of the function, feedwater isolation on hi-hi steam generator level, which is assumed in the Final Safety Analysis Report.
l Figure 12 displays the logic of the level signals in steam generator 1 (used as an. example). Four functions are provided:
lo-lo level reactor trip, low
-level for low feedwater reactor tri p and hi-hi level turbine trip and feedwater isolation, protective functions, and feedwater control, a control function. Each protective function requires two out of three bistables
~ actuated to perfom. (Low level .must be in coincdence with steam flow / feed flow mismatch, but requires only one out of two channels). A dedicated It continuously indicates position, channel .is used in feedwater control .
rather than a range.
The transmitter in Figure 2 shows the same logic after the initiati.ng event.
channel III f alls low. A lo-lc level signal is generated in that channel; hi-hi 1evel is not. .The Feedwater Control System tel1s the valve to open. .
Figures -3 and 4 take this one step further - the. single active failure is incorporated. Figure 3 assumes that the failure causes another channel to Therefore a second lo-lo signal is believe its -level is also at the bottom.
generated and the reactor is tripped. This is the first case to be analyzed.
! Figure 4 assumes that the failure restrains channel I from generating any signal. The third channel (II) will operate properly above nominal (single f ailure. already assumed) . However, no other channels will be able to indicate level above the hi-hi setpoint.. Channel I has no signal and Channel III indicates below lo-lo level . Therefore, ne'e " tre three protective face case, L
, functions will be actuated. T hi s i s t J.*
f i-4 e awwaar6wseNE _ . _ _ - _ _ _ .._- _ .__. ---__ _ __ _ _ _ _
If the f ailure were to produce a hi-hi level signal in that channel, turbine trip and feedwater isolation would occur when the level in the third (unf aulted) channel reaches the hi-hi level setpoint. This is consistent with the FSAR analysis.
The excessive heat removal due to a feedwater system malfunction transient is analyzed by using the detailed digital computer code LOFTRAN (Burnett 1972).
This code simulates a multi-loop system, the neutron kinetics, the pressurizer, pressurizer relief and safety valves, pressurizer spray, steam generator, and steam generator safety valves. The code computes pertinent plant variables including temperatures, pressures, and power level.
A control system malfunction'is assumed to cause a feedwater control valve to open fully. Two cases are analyzed as follows:
~1. ' Opening of one feedwater control valve with the reactor at full power.
Re. actor trip is generated 10-10 steam generator water level in 2 out of 3 c hannel s. (One channel failing low initiates the transient; the second channel f ailing low is the single active failure.)
- 2. Accidental opening of one feedwater control valve with the reactor at full power without consideration of reactor trip.
Each of these cases is analyzed for both beginning of life and end of life core conditions.
The following assumptions have been made:
-1. One indicated steam generator water level signal used for control is assumed to fail in such a way as to indicate zero level and demand full feedwater flow.
- 2. Feedwater flow rate is automatically controlled tnrough the Steam Generator Level Control System using indicated steam flow, feedwater flow, steam generator water level and a programmed level setpoint.
l
- 3. Steam flow at-its full load value until turbine trip (one second after reactor trip).
i f 4 The Pressurizer Pressure Control System functions nomally.
- 5. The Steam Dump Control System functions.
- 6. No credit is taken for the heat capacity of the RCS and steam generator thick metal in attenuating the resulting plant cooldown.
- 7. Feedwater isolation on hi-hi steam generator water level signal is
' defeated.
The feedwater flow is isolated after reactor trip by ~ a low T signal 8.
in two out of three loops.
- 9. Initial operating conditions are assumed at values consistent with steady-state operation. Refer to Table 1.
No other reactor control systems or engineered safety feature (ESF) systems are required to function. The reactor protection system (RPS) will function No to trip the reactor due to overpower or over temperature conditions.
single active failure will prevent operation of the RPS.
6-
. i 4.0 TRANSIENT RESULTS The steam generator The' first case analyzed proceeds in the following manner.
This causes the control
-level transmitter used for level control fails low.
system to open the feedwater control valve in an attempt to restore level to its programmed valve. Also, the failed transmitter generates a 10-10 level reactor trip signal in that channel.
A subsequent single active failure cf a second level channel produces 10-10 A reactor trip is and 1ow 1evel . signals in one-of the other two channels.
generated on a 2 out of 3 coincidence of lo-lo steam generator level (Figure 3).
At this point, reactor trip initiates turbine trip and the Steam Dump Control System is-actuated to reduce primary temperature to the no-load valve.
The increasing saturation pressure and decreasing temperature in the steam generator due to reduced heat transfer causes the secondary side steam
. generator mixture to collapse. This " shrink" results in a reduced mixture volume and level of the steam generator secondary side.
When' the average RCS temperature in two out of three loops reaches the low set point (no load plus 7'F) in coincidence with the' P-4 pennissive T,yg This prevents (trf pped reactor) all feedwater control valves begin to close.
furthe,* addition of main feedwater.
Transient results (Figures 5 through 10) sPow the nuclear power, core heat flux, average RCS temperature, loop delta T, pressurizer pressure, steam The steam generator water generator water volume and DN8 ratio for this case.
level . reaches-a peak of only. 40 percent of the narrow range span which is less than the initial value. Therefore, the steam generator will not overfill.
Table 2 presents a sequence of events for this transient.
t The second case is initiated exactly as the first case is. However, i ts subsequent single failure is assumed to be a failure of the transmitter at its 4
The purpose of this previous value. -Reactor trip does not occur (Figure 4).
case is to detennine the amount of time available for the operator to terminate this event prior to overfill.
7
l This transient has a ,very minor impact upon the plant. The only parameter that'significantly changes is-steam generator water volume, which slowly and steadily increases. !
1 Transient results (Figures 11 through 16) show the nuclear power, core heat flux,' average RCS temperature, loop delta T, pressurizer pressure, steam generator water volume, and DNB ratio. The steam generator water volume does not exceed the capacity of the secondary side, 5760 cubic feet, within the first ten minutes.
From Figures 13 and 16, one can see that approximately ten minutes are available for the operator to isolate feedwater before steam generator overfill could . occur. Table 5 contains a listing of alanns and annunciators which would actuate as a result of this transient.
Considering that this 'is not a complex transient and is very easily diagnosed and is often a standard malfunction used in reactor operator training courses, it is apparent that this ten minute time span for operator action is 2 sufficient. This assumption is entirely consistent with those made in other safety analyses in the Beaver Valley Unit 2 FSAR.
a
1
5.0 CONCLUSION
S i
The analysis presented in the Beaver Valley Unit 2 FSAR has demonstrated that there is adequate core protection against DN8 for excessive feedwater flow transients.
In addition, these analyses have shown that, when one considers the transient response including the actuation of other protective functions, the protection and can' trol systems design of Beaver Valley Unit 2 provides adequate protection against excessive feedwater flow transients from a steam generator overfill . viewpoi nt, e
k
e
6.0 REFERENCES
Burnett, T. W. T., et al 1972. LOFTRAN Code description. WCAP-7907, June, 1972. Also supplementary infomation-in letter from T. M. Anderson, NS-TMA-1802, May 26, 1978 and NS-TMA-1824, June 16,1978.
Beaver Valley Power Station Unit 2, Final Safety Analysis Report.
..w= . s>w e o me,.m, S
M
TABLE 1 INITIAL CONDITIONS
-Core Power, MWt 2660 Themal Design F1ow, GPM 265500 R'eactor Coolant Average Temperature, *F 576.2 Reactor Coolant System Pressure, psia - 2250 3
Steam Generators Secondary Side' Volume, f t 3420 e
-- --r- -.,, - --- _ , . ..,..., , , , , , , _ _ , . _ , _ . , _ _ _ _ _ _ _ _ _ _ _ _ _
h TABLE 2 TIME SEQUENCE OF EVENTS FOR A FEEDWATER CONTROL MALFUNCTION WITH REACTOR TRIP Accident Event Time (sec) 0
- 1. Beginning of Life Feedwater Control Valve
. Core Conditions begins to open, loop 1 Lo-lo SG level reactor trip 0 0
Minimum DNBR occurs Turbine trip on reactor trip 1 7
Low T,yg reached, loops 1 and 3 14 Feedwater control valves fully closed O
- 2. End of Life Core Feedwater Control Valve Conditions begins to open, loop 1 Lo-lo SG level . reactor trip 0
-0 Minimum DN8R occurs Turbine trip on reactor trip 1 8
Low T,,9 reached, loops 1 and 3 15 Feedwater control valves fully closed 56500:10/022884 12, - - ._ _ - _ . _ _ _ . _ _ _
TABLE 3 TIME SEQUENCE OF EVENTS FOR A FEEDWATER CONTROL MALFUNCTION WITHOUT REACTOR TRIP Accident Event Time (sec)
O
- 1. "Beginning of Lif e Feedwater Control Valve Core Conditions begins to open, loop 1 Minimum DNBR occurs 0 Hi-hi SG level reached, loop 1 143 Water reaches top of SG, loop 1 >600 O
- 2. End of Life Core Feedwater Control ~ Val ve Conditions ; begins to open, loop 1 Minimum DNBR occurs 0 i
Hi-M SG level reached, loop 1 146 Water reaches top of SG, loop 1 >600 13
TABLE 4 TIE SEQUENCE OF ALARMS AND ANNUNCIATORS FOR A FEEDWATER CONTROL MALFUNCTION WITH REACTOR TRIP l
Accident- Event Time (sec)
Sistable 474 A 0
~1. . Beginning of Life Bistable 476 A 0 Core Conditions Channel 474, lo-lo SG 1evel 0 Channel 476, lo-lo SG 1evel 0 Reactor tripped 0 Low level deviation alann 0 Steam dump valves open 2 i nterlock 7 Low T, Feedwater Control Yalves 14 L
fully closed 0
- 2. End of Life Core 81 stable 474 A 0
Conditions Sistable 476 A Channel 474, lo-lo SG 1evel O Channel 476, ~1o-10 SG 1evel 0 Reactor tripped 0 0
Low lewl deviation alann Steam dump valves open 2 l 8 Low T, _i nterlock 15 e Feedwater Control Valves fully closed l
I i.
I TLA
TABLE 5 TIME SEQUENCE OF ALARMS AND ANNUNCIATORS FOR A FEEDWATER CONTROL MALFUNCTION WITHOUT REACTOR TRIP Event Time (sec)
A ccident Bistable 476 A 0
- 1. .Beginning of Life Channel 476, lo lo SG 1evel 0 Core Conditions 0
Low level deviation alarm 9
Feedwater Control Valve fully open, loop 1 4
Channel 475, hi-hi SG 1evel 143 Bistable 475C 143 0
2 .~ End of Life Core Bistable 476 A Channel 476, lo-lo SG 1evel 0 Conditions 0
Low level deviation alarm 9
Feedwater Control . Valve fully 'open, loop 1 Channel 475, hi-hi SE level 146 146 Bistable 475C l
l
[
L ..
l 56500:1D/022884 7 15
III
[D II 8
(fM f
I
,h - . ~ j- }
t l[
, l ,l, 41 2/3 2/3 steam generator steam generator hi-hi level lo-lo level
~
reactor trip ' ~~~'~~feedwa ta r~t satation--
turbine trip steam flow / feed flow feedwater control mismatch q reacto'r trip t
FIGURE 1 STEAM GENERATOR 1 LEVEL LOGIC i
c:
I [LT yyy
' 476 l '
/ /hk
,A k -
j ,
_a______J #
i i i i l t i i il,r t 3- "
2/3 2/3 I
-. steam generator hi-hi level !
10-10 level I M t*" IS I'* "
1 steam flow / feed flow feedwater control - - - - - -
valve open
' mismatch q reactor trip Level transmitter 476 fails low, causing. the FCV to open fully, the lo-lo t level signal to be sent and the hi-hi signal to be withheld.
l FIGURE 2 STEAM GEt1ERATOR 1 It1ITIATI.1G EVEtJT 17
1 III W II
'f75/
S' I l .
t
-b 8 /k -
A M d- !
kg==- f_1_y____J l t
. I L_, i,
' 2/3 :.
2/3 .- , 9 t I I
I i
--' ~
steam generator steam generator l hi-hi level l lo-lo level i l
j reactor trip feedwater isolation turbine trip- g I
steam flow / feed flow- feedwater control - -
valve open mismatch q i v
reactor trip Level cransmitter 474 fails low, sending out 10-10 and low level sionals and withholding the hi-hi signal. Reactor trip on 10-10 level -is qenerated.
FIGURE 3 STEAM GENERATOR 1 CASE 1 SINGLE ACTIVE FAILURE 4
18
' LT
'M475
.7
' 476 yyy
-274 ,
v i
l k ,k
/7 k - -
A
-. __ _ _ J
' ; g .= = - , _ h .-.
i i
, i
- m i 1 ,_. _.
L -- , j !, ,
+- ,
' 2/3 ;
2/3 I
- 6 i I steam generator steam generator lo-lo level ) hi-hi level i l
j reactor trip / fee h ter isolation [
turbine trip g I
steam flow / feed flow feedwater control valve.open mismatch q reactdr trip Channel (14 fatis as is, thereby generating no signals.
FIGURE 4 STEAM GENERATOR 1 CASE 2 SINGLE ACTIVE FAILURE 1
I 19 i
8133 1 1.2 j j j l l i l 1.0 -
3 zZ w 3 0.8 ' -
30 22 a:
< 8 0.6 w2
'o S5 0.4 '-
ZN e
w
~
0.2 '-
0 -
1.2 1.0 -
3 4
x2 33 0.8 - -
wg Ew wo 0.6 - -
22
' xS o G 0.4 - -
u<m s
~ 0.2 -
t i I I I I i 0
100 125 150 175 200
! 0 25 50 75 TIME (sec)
Figure 5. Feedwater Control Malfunction Nuclear Power and Core Heat Flux versus Time Reactor Trio on Lo Lo Steam Generator Level (Beginning of Core Life) l So
8133-2 y l l l l l I l 3 580 l- l m 570 - -
2 560 - -
w _
l
- C 550 -
w_o i 540 -
m y 530 -
m 520 -
O E 510 80 70 -
1 60 - -
k 50 - -
Q 40 - -
U 30 - -
z 20 -
10 0
2300 y 2200
, 2100 Eg 5 2000 Wf N-e 1900 -
3
= 1800 -
E l l l I I I !
l 1700 0 25 50 75 100 125 150 175 200
- TIME (sec)
Figure 6. Feedwater Control Malfunction RCS Average Temoerature, .1T and Pressuri:er Pressure Versus Time Reactor Tno on*Lo Lo Steam Generator Level (Beginning of Care Lifet 2I
8133-3 i
6000 i , i , , 6 e
. . . 6
~
n W
5 5000 -
w 2
S O
um -
x o 3000 -
+
x w
2000 -
o 2
< 1000 m
0 4.0 3.5 -
- 3.0 - -
x e
$ 2.5 - -
2.0 l
1.5 100 125 150 175 200 0 25 50 75
' TIME (sec) l Figure 7. Feedwater Control Malfunction Steam Generator Secondary Sioe l
l Volume and ONB Ration Versus Time Reactor Trio on Lo Lo Steam Generator Level (Beginning of Core Life) l l
l I
22 i
8133-4 i.2 j ; j j j l i
1.0 -
U 5 I - 0.8 -
30 22 e 0.6 w2 JO
$5 0.4 '-
2N
=
m
~
0.2 -
k 0
1.2 1.0 -
3 4
x2 33 0.8 -
a
- Z
$ 0.6 - -
I w
$h 0.4 - -
- O<
E w
~
0.2 --
I I J l I I I O
100 125 150 175 200 O 25 50 75 i
TIME (sec) l l
l Figure 8. Feedwater Control Malfunction Nuclear Power and Core Heat Flux Versus Time Reactor Trio on Lo-Lo Steam Generator Levet (End of Core Life)
. _ _ . _ . . _ . _ _ _ _ _ _ - - _ _ _ _ . . - - -___-.23..--_---.---------------------------.--
8133-5 5'
I I I I I I I 580 -
l 570 w~o" c
gy 560 - -
WE 550 - -
<s em 5= - -
c a.
- 3w 530 -
520 -
510 80 70 -
1 60 - --
.C 50 - -
5 = - -
8 30 - -
m 20 -
10 -
0 2300 y 2200 2
m.
2100 -
m a 2000 m .s N $ 1900 m
3 1800 -
E
$ 1700 -
1600 0 25 50 75 100 125 150 175 200 TIME (sec)
Figure 9. Feedwater Control Malfunction RCS Average Temperature, .1T and Pressurizer Pressure Versus Time Reactor Trio on Lo Lo Steam Generator Level (End of Core Lifel
- _-- 24 _ . . _ _ _ _ _ . . _ _ . _
8133-6 6000 i i i i i i i . .
$ 5000 -
w 2
3 a 4000 -
O 2
0 3000 -
E x
w 2 2000 -
w C
1 g 1000 -
m 0
5.0 4.5 -
4.0 -
O P 3.5 --
z
@ 3.0 Q
2.5 ' -
2.0 -
1.5 75 100 125 150 175 200 0 25 50 TIME (sec)
Figure 10. Feedwater Control Malfunction Steam Generator Secondary Side Volume and DNB Ration Versus Time Reactor Trip on L .Lo Steam Generator Level (End of Core Lifel 25
d 8133-7 1.2 i l l 1.0
~3 mZ w3 0.8 -
3: 0.6 w2
'O h 0.4 -
m w
~
0.2 -
0 1.2 1.0 3
0.8 -
"3 d$ 0.6 -
- 2 C S o 0.4 -
~
0.2 -
l l l l !
0 0 100 200 20 @0 500 W TIME (sec)
Figure 11. Feedwater Control Malfunction Nuclear Power and Core Heat Fiux Versus Time No Reactor Trio (Beginning of Core Liter
, 26
i 8133-8 i l
5"
- I I I I I 3 580
$ 570 -
a.
2 560 -
o_ 560 -
c 4 540 -
z
$ 530 -
ro 520 -
U
- 510 80 70 -
60 -
C o_ 50 -
't 40 -
U 30 -
z 20 -
10 0
2300 m
2200 -
. w i f _ 2100 -
.2 x$
N 2000 -
is
- D W -
1900 m
a.
l l l l I 1800 100 200 300 400 500 600 0
TIME (sec)
Figure 12. Feedwater Control Malfunction RCS Average Temoerature.1T and Pressurizer Pressure Versus Time No Reactor Trip (Beginning of Core Lifel 27
j 8133-9 i
1 6000 , i i i ,
l
)
i
, 4 6 w 5000 -
2 3
a 4000 -
3 5(3000 Q -
5e z
$ 2000 -
2 N 1000 -
vs 0
4.0 3.5 -
h3.0 4
m a
$ 2.5 -
2.0 -
I I l l 1.5 500 600 100 200 300 400 0
TIME (sec)
Figure 13. Feedwater Control Malfunction Steam Generator Secondary Side Volume and ONB Ratio Versus Time No Reactor Trio (Beginning of Core Life) 2n
8133 10 l l l l l 1.0 2
mz w- 0.8 -
33 2b zg 0.6 -
Wz "o
{< 0.4 -
z w
0.2 -
0 . . _ . . . _ _ _ , . . . , . . _ . , , _ _ _ _ _ _ . _ . _ . .
1.2 1.0 xz 3 0.8 -
u.
W I$ 0.6 -
2 xS 0.4 o$ -
x w
~
0.2 -
0 0 100 200 300 400 EO 600 TIME (sec)
Figure 14 Feedwater Control Malfunction Nuclear Power and Core Heat Flux Versus Time No Reactor Trio it..d of Core Life)
M
I 8133 1 t
- I l l l l 580 wo 570 -
c-w3 560 -
550 -
< +<
M5 540 -
I 530 -
w
+
520 -
510 80 70 -
80 -
~
m -
o_ 50 E 40 -
U 30 -
e 20 -
10 -
0 2300 m
m 2200 m -
E w
f _ 2100 -
z .s .
m3 2000 - a. ,
3 o -r Qw 1900 -
f 1800 0 100 200 300 400 500 600 TIME (sec)
Figure 15. Feedwater Cor .rol Malfunction RCS Average Temoerature, AT and Pressurizer Pressure Versus Time No Reactor Trio (End at Core Lster 30
- 7.
- 8133 12 t
i I I I I 5000 -
e C
WW 4000 -
$5 5g 3000 -
eo 2"
6 2000 -
G bg 1000 -
0 4.0 3.5 -
3.0 -
h z
2.5 -
2.0 -
l l
l 1.5 100 200 300 400 500 600 0
TIME (sec)
Figure 16. Feedwater Control Malfunction Steam Generator Secondary Side I Volume and DN8 Ration Versus Time No Reactor Trio
! (End of Core t.ifel I
i i
31
L 1
e
. o.
i ATTACHMENT 2 KesNnse to ICSB Licensing Position No. 2 on l Power Lockout for Motor-Operated Valves j The staf f position on this issue states that the Duquesne Light Company (D!f) proposed design modification (adding indicating lights - that illuminate when power is available in the - normally de-energized circuit) does not meet the single failure criterion of IEEE-S*ID-279.
DI4 has reviewed this . issue including the staf f's position to add an inter- i lock from "4 2" to "4 2od and "4 2c" and concluded that IEEE-S'ID-27 9 is met by j the existing des ign. Paragraph 4.2 of IEEE-S'ID-27 9 states in part , "any
. single failure within the protect ion sys tem shall not pr event prope r pr ot ec-i t ion act ion ~ at the system level when required." This criteria is met by.the l existing . design. Rese valves are a passive safety feature in that an actua-
, - tion sir.tal2 is not required to perform their protective action. For example ,
t the'ced. leg. accumulator isolation valves are normally open with the plant operating ~and ' the control circuit is locked out via banana plug lockout jacks located .on the main control board. Thus , no pr ot ect ive act io n is r eq ui r ed to
-l move the valves to the position required to perform their safety function.
The ' following - features provide as surance the valves remain open during normal
. operation and - that - they will be open if required by the safety inj ect ion system:
- 1. Although the valves are normally open, the valves automat ic ally receive an "open" signal upon initiation of safety injection.
'2. We' valves. automatically receive a "b lo ck" signal in the "c los e"
. circuit upon' initiation of safety injection.
- 3. Redundant valve position indication is provided and available on the main control board (stem mounted limit switches . and motor' ope rator limit switches)' powered from separate power supplies .
An alarm is . initiated - in the control ronn' wh'en' the valve le aves the
~
4.
fully open position and will repe at every 30 minutes if the valve remains ' open. In ad di t ion , a safety inj ect ion sys tem-inope rab le alarm is provided.
-5. %e svalve' position . is verified by the ope rato r at le as t ' eve ry .12.
- hours.
3;, 6.1%e valve contro11 circuit has power lockout jacks . that -are removed whe n . . the reactor is at ' operating pr es sur e in orde r. - to pr eve nt inadvertent closure ~ of . the valves .
.o