ML20101S684
| ML20101S684 | |
| Person / Time | |
|---|---|
| Site: | Farley  |
| Issue date: | 01/31/1985 |
| From: | ALABAMA POWER CO. |
| To: | |
| Shared Package | |
| ML19269A987 | List: |
| References | |
| NUDOCS 8502050589 | |
| Download: ML20101S684 (91) | |
Text
.
ATTACHMENT 2 b
SAFETY ANALYSIS BACKGROUND FOR FARLEY UNITS 1 & 2 CRITICAL SAFETY FUNCTION STATUS TREE MONITORING SYSTEM JANUARY, 1985 F
A b O M 348 '
PDR ,
Table of Contents
- 1. Introduction 1.1. Barriers to Radiation Release 1 e 1.2 Critical Safety Functions 2 1.3 Implementation of the Critical 4 Safety Function Concept
- 2. Description 8 2.1 Status Tree Format 8 2.2 Definition of Priorities 9 2.3 Status Tree Usage 13
- 3. References 15
- 4. Appendices 16 Background Information For Critical Safety Function Status Trees:
CSF-0.1, Subcriticality CSF-0.2, Core Cooling CSF-0.3, Heat Sink CSF-0.4, Integrity CSF-0.5, containment CSF-0.6, Inventory
(
e
- 1. INTRODUCTION The Farley Critical Safety Function Status Tree Monitoring System provides an
- explicit, systematic mechanism for evsluating the plant safety state in terms of Critical Safety Function status. It is based on the Westinghouse Owner's Group Emergency Response Guideline Program (Ref.1 & 2). The relationship
- between Critical Safety Functions and the three physical barriers against radiation release to the environment is presente1 in the following subsections.
?
i 1.1 Barriers to Radiation Release i
It has long been recognized that if the radioactive material in the reactor core of a nuclear power plant were to be released to the environment a serious threat to the health and safety of the general public could result. Hence, a l fundamental goal of _ nuclear safety is the prevention of uncontrolled releases of radioactive materials from nuclear power plants. In order to accomplish this goal the concept of " defense in depth," which translates into providing multiple barriers to the release of the radioactive material, was adopted at the start of the comercial development of nuclear energy as a cornerstone of nuclear safety.
l The barriers that are provided in every nuclear power plant consist, at the minimum, of:
o Fuel matrix and fuel clad o Reactor coolant system pressure boundary o Containment o Distance l
The first three barriers are direct physical barriers to the transport of l radioactive materials and together provide the required " defense in depth."
The reactor coolant system pressure boundary blocks the transport of radionuclides that escape through the fuel rod barriers and those that are produced outside of the fuel rods themselves. Containment blocks the release of radionuclides that pass through the reactor coolant system pressure boundary and those few radionuclides that form outside the reactor coolant system. Finally, by situating the plant in a remote location the threat to
[
i 82208:10/010284 1 l
the general public of released radioactive material is mitigated by decay, dilution and dispersion of the material in transit and, as a final means of protection, by providing time for evacuation of the population in downwind areas.
As long as the fuel matrix / cladding, reactor coolant system pressure boundary and containment barriers are intact in a nuclear power plant, that plant poses no threat to the health and safety of the general public. Should one or more l of the barriers be faulted, the threat to the general public increases. If all barriers are lost, the threat becomes significant and external emergency f actions may be called for. Therefore, the goal of nuclear power plant
! operation, in terms of nuclear safety, is ensuring that as many as possible of the three physical barriers remain intact at all times and under all conditions and/or circumstances that may exist.
1.2 Critical Safety Functions For each of the barriers there is a set of functions that must be maintained on a continuing basis if the barrier is to remain intact. The full set of functions that must be maintained in order to fully safeguard the general public from possible consequences of a nuclear power plant accident is comonly referred to as the set of safety functions. There are a variety of methods available for identifying the components of a set of safety functions and, as a result, the tabulations of safety functions that are developed f requently appear to dif fer among themselves. In reality, the differences are usually semantic. The actual physical processes which must occur if the l barriers are to be kept intact are the same, regardless of the method of analyzing the processes or the naming of the safety functions. A second point to be considered in comparing sets of safety functions is that a specific set may be intended only for a specific limited application and so may not include certain safety functions that would be included in a more general set. The only point of issue in comparing various sets of safety functions having a comon scope is whether each of the sets is complete within that comon scope.
82208:10/010284 2
For purposes of developing symptom-based function-related restoration strategies for the operator, only the fuel matrix / cladding, reactor coolant system pressure boundary and containment vessel barriers need to be considered. The other components of the general containment barrier can be associated with the " distance" barrier and included within the scope of the Site Emergency Plan. The scope of application is also limited to emergency f operations in which the reactor is intended to be shut down. That is, nornal power operations are excluded from the scope of the set of safety functions needed to address emergency transients. A set of safety functions that is sufficient for the fuel matrix / cladding, reactor coolant system pressure boundary and containment vessel barriers in a plant that is intended to be shut down consists of:
o Maintenance of SUBCRITICALITY o Maintenance of CORE COOLING o Maintenance of a HEAT SINK o Maintenance of Reactor Coolant System INTEGRITY o Maintenance of CONTAINMENT Integrity o Control of Reactor Coolant INVENTORY This safety function set is defined as the Critical Safety Functions. These Critical Safety Functions are associated with the barriers in the following manner:
Barrier Critical Safety Function Fuel Matrix Maintenance of SUBCRITICALITY and (minimize energy production in the Fuel Clad fuel)
Maintenance of CORE COOLING (provide adequate reactor coolant for heat removal from the fuel)
Maintenance of a HEAT SINK (provide adequate secondary coolant for heat removal from the fuel) 82208:1D/010284 3
, . .. . ~~ . - . . . - -- . .- . --_ _-
f Barrier Critical Safety Function Control of Reactor Coolant INVENTORY (maintain enough reactor coolant for effective heat removal and pressure control)
< Reactor Coolant Maintenance of a HEAT SINK System Pressure (provide adequate heat removal from Boundary the RCS) b Maintenance of Reactor Coolant System INTEGRITY (prevent failure of RCS)
Control of Reactor Coolant INVENTORY l (prevent flooding and loss of pressure ;
control)
~
t
, Containment Vessel -
Maintenance of CONTAINNENT Integrity (prevent failure of containment vessel) "
Situations can arise in which the integrity of a barrier is lost and cannot be
- 4 restored even though all Critical Safety Functions are satisfied. The classic
! double-ended guillotine break of reactor coolant system piping constitutes an irrevocable failure of the reactor coolant system pressure boundary barrier.
In this situation the reactor coolant system pressure boundary barrier is recognized fto be failed, and all available resources are directed toward !
minimizing further degradation of the failed barrier and keeping the fuel matrix / cladding barrier and the containment barrier intact. A correlation of the Farley Critical Safety Functions to the functional criteria in NUREG 0737 p Supplement.1 is provided at Table 1.
f
( 1.3 Implementation of the Critical Safety Function Concept l
The means provided for maintaining the Critical Safety Functions, and thereby the integrity of the barriers, vary with both the particular set of conditions
- that may exist and the likelihood that that set of conditions will exist. The designlof the plant is such that under nornal operating conditions (which
- represents by far the most likely set of conditions) all Critical Safety Functions in a full, complete set are continuously satisfied with ample margin. The NSSS control systems, augmented by trained operator response to annunciator alarms and backed by the plant Technical Specifications, serve to 82208:10/010284 4
I A
TABLE 1 FARLEY STATUS TREE VARIABLES MAPPED INTO SAFETY FUNCTIONS OF NUREG-0737 SUPPLEMENT 1 i
Reactivity Control ,
Subcriticality Tree l s'ower Range Intermediate range startup rate l Source range startup rate '
Reactor Core Cooling & Heat Removal from the Primary System Core Cooling Tree RCS pressure Core exit temperature Heat Sink Tree Steam Generator Pressure Steam Generator Narrow Range level Auxiliary feedwater flow Integrity Tree RCS pressure Cold leg temperature RCS temperature Reactor Coolant System Inventory Inventory Tree Pressurizer level Upper head temperature Radioactivity Control Containment Tree Containment radiation Containment Conditions Containment Tree Containment Pressure Containment sump level Containment radiation l
l 82208:10/010284 5
i L
ensure that small departures from preferred operating conditions are rectified before any challenge to the Critical Safety Functions develops. Under other circumstances, which are much less likely to occur and are usually contingent on equipment functional failures, the Plant Protection Systems automatically act to block potential challenges to the Critical Safety Functions and to reinforce the protection of the fuel rod and reactor coolant system pressure boundary barriers. Specifically, the protection system:
o stops nuclear power generation by initiating a reactor trip o stabilizes reactor coolant temperature, pressure and inventory by initiating a turbine trip, main feed isolation and steamline isolation, as appropriate o ensures the availability of a secondary heat sink by starting auxiliary feedwater flow and enabling the condenser dump system o prevents overpressurization in the primary and secondary systems by (passively) opening the pressurizer and steamline safety valves, if necessary Operator action is required only to ensure that the automatic protection systems are functioning as intended and, depending on the actual cause of the reactor trip, to initiate recovery operations.
In those rare, but potentially hazardous, situations in which either a barrier has failed (a loss of coolant accident or a steam generator tube rupture) or an essential function is jeopardized or lost (a secondary system break or a station blackoutu for example) the Engineered Safeguards System is activated to insure that Critical Safety Functions are maintained to protect the surviving barriers. The Engineered Safeguards System duplicates all of the safety functions provided by the Plant Protection System and broadens the barrier protection processes by automatically:
o starting the emergency diesel generators o initiating safety injection o isolating all nonessential containment penetrations o actuating containment spray, if appropriate 82208:10/010284 6
Concurrently, trained operator response is invoked through the Farley Optimal Recovery Procedures (Emergency Event, Emergency Specific and Emergency Contingency) to verify that the automatic systems are functioning, to identify the accident, to restore or replace lost essential functions and, when appropriate, to restore the plant to operating conditions as expeditiously as possible.
However, for the multiple event / multiple failure scenarios that go beyond tne design basis of the Engineered Safeguards System and the scope of the Optimal Recovery Procedures, the operator is provided with a means of directly
, monitoring the Critical Safety Functions and with guidance for restoring any Critical Safety Function which might be in jeopardy. In this way, an additional, and last line of defense is established against the potential release of radioactive materials to the environment because of barrier failure.
The means of monitoring any Critical Safety Function has been reduced to the checking of an appropriate set of plant parameters. These parameters are then compared with previously selected reference values in a logical array called a Status Tree. The combination of parameters existing at any time defines a unique path through the tree, and also a unique " status" of the respective Critical Safety Function. If the " status" of the respective Critical Safety Function is other than " satisfied", the operator is directed to an appropriate Function Restoration Procedura for instructions intended to restore the Critical Safety Function to a satisfactory status.
A detailed description of the Critical Safety Function Status Trees as a set is presented in the following section.
82208:1D/010284 7
2.
~
DESCRIPTION l
Each Farley Status Tree consists of a series of binary decision points that check conditions in the plant relative to fixed, reference criteria. The decision points require it only to be known whether a condition does or does not exist, or if a certain process parameter limit is exceeded or not exceeded. ,
Examples: Is Source Range (NIS) Energized?
Is Power Range (NIS) Less than 5%?
Each possible response at a decision point leads on to either another decision point or a terminus. A terminus summarizes the Critical Safety Function status for the particular combination of decisions leading to it. Each terminus consists of a color-coded symbol representing the degree of challenge
!. to that Critical Safety Function. The line extending from the last decision
- point to the terminus is also color and line-coded to convey 15e same -
information. Immediately adjacent to each terminus is an instruction which directs the operator to the appropriate Function Restoration Procedure (FRP) '
if.the Critical Safety Function is not completely satisfied.
2.1 Status Tree Format The plant parameters that define the state of each Critical Safety Function are identified on the associated Status Tree. Typically, only a few i
parameters are required to identify the status of a Critical Safety Function.
This limited set of parameters must be evaluated in a systematic manner to
. determine the Critical Safety Function status. A branching structure inherent in a decision or event tree is the logical vehicle to structure the systematic
. evaluation of plant parameters that determine the status of a Critical Safety .
Function. -Each Status Tree has a single entry point and several exit points (termini) depending on the parameters that define the Critical Safety Function status. Each pass through a Status Tree can produce only one exit point based on the values of the parameters in the Status Tree.
I i
82208:10/010284 8
i 2.2 Definition of Priorities In addition to identifying the safety state of the plant, the Status Trees also provide a vehicle to prioritize verator response to Critical Safety j Function challenges. When Critical Safety Functions are challenged, multiple h challenges may exist requiring additional guidance to structure operator function-related restoration. This additional guidance is provided by g prioritizing all potential challenges to Critical Safety Functions. This g predefined prioritization is accomplished by prioritizing the Critical Safety }
Functions (i.e., specifying the order in which the Status Trees are monitored) $
and prioritizing the termini of the Status Trees. -
Prioritization of the Critical Safety Functions is based directly on the a
barrier concept f rom which they are developed. Since the first barrier to fission product release is the fuel matrix / cladding, the Critical Safety Functions related to this barrier are given the highest priority. Challenges j C
to this barrier can come from inside and outside the barrier. The internal challenge comes from excessive core heat production resulting from fission
-j-power production (normal decay heat production is considered in safeguards i systems design). Core heat production in excess of safeguard systems core d heat removal capability is the most severe challenge to the fuel 7 matrix / cladding barrier. If the core is at power, the energy production represents a potential additional significant challenge to the other barriers 5 which may also be challenged or failed. Consequently, SUBCRITICALITY is the h highest priority Critical Safety Function. The external challenges to the j
fuel matrix / cladding barrier come from inadequate decay heat removal due to j either inadequate reactor coolant or secondary coolant. Even though the j reactor core is shut down, f ailure to remove the thermal energy f rom decay 3 heat production can rapidly lead to sufficiently high core temperatures to d fail the first barrier. CORE COOLING and HEAT SINK are the second and third _
priority, respectively, Critical Safety Functions. }
3 The second barrier to fission product release is the reactor coolant system -
pressure boundary. Although challenges can again come from inside and 5 outside, only the internal threats are considered in prioritizing Critical f Safety Functions since only they can be addressed by the operator. Potential i
-3 i
1 82208:10/010385 9
e internal threats due to excessive core heat production and inadequate core heat removal are addressed through the SUBCRITICALITY, CORE COOLING and HEAT SINK Critical Safety Functions. The remaining internal threat to reactor coolant system pressure boundary results from a reactor vessel pressurized thermal shock condition or a cold overpressure condition. Such a challenge can result f rom thermal stresses acting on a radiation embrittled reactor vessel in a low temperature reactor coolant condition or f rom a high pressure with low wall temperatures. Reactor Coolant System INTEGRITY is therefore the fourth priority Critical Safety Function.
The third barrier, Containment, is analogous to the second barrier in that only internal threats are considered in prioritizing Critical Safety Functions. CONTAINMENT is the fifth priority Critical Safety Function.
The sixth priority Critical Safety Function is Reactor Coolant INVENTORY.
This Critical Safety Function is actually a subset of the CORE COOLING Critical Safety Function but is considered separately to facilitate Status Tree construction and prioritization of challenges. This Critical Safety Function addresses situations wherein reactor coolant inventory is adequate to satisfy the CORE COOLING Critical Safety Function but not within nominal operational limits. The challenges associated with the Reactor Coolant INVENTORY Critical Safety Function are the lowest priority of all Critical Safety Function challenges.
The prioritization of Critical Safety Functions based on the barriers to fission product release results in the following order:
1 SUBCRITICALITY (S) 2 CORE COOLING (C) 3 HEAT SINK (H) 4 INTEGRITY (P) 5 CONTAINMENT (Z) 6 INVENTORY (I) 82208:10/010284 10
,e i- Having prioritizedIthe Critical Safety Functions, the challenges must be prioritized within each Critical Safety Function and between Critical Safety Functions. Since each pass through a Status Tree produces a single terminus (exit) based on the status of the Critical Safety Function, the termini can be prioritized based on the severity of the challenge. Four status conditions (i.e., jeopardy, severe challenge, not satisfied and satisfied) are defined to permit each condition to be prioritized with respect to other Critical Safety Function conditions. Furthermore, for each Status Tree the parameter decision points 'are arranged so that parameter decisions that indicate jeopardy are generally situated early in the Status Tree followed successively by decision points that indicate severe challenges, not satisfied and satisfied i conditions. This permits relatively comparable conditions (e.g., two severe 4
challenge conditions) within a Status Tree to be prioritized by the arrangement of decision points in the tree structure. ,
{ As indicated previously, the prioritization discussed above is expressed by colored line codings and terminus symbols. The color coding is used as a I
mechanism to immediately inform the operator that a Critical Safety Function is being challenged and to indicate the relative severity of the challenge.
l The relationship between priority and color, is shown in Table 2. The priorities of each Status Tree terminus (representing some plant condition)
, have been evaluated against each other so that all internal priorities are consistent.
The action which an operator takes in response to a Critical Safety Function
- i. challenge is related to the severity of that challenge. Each terminus symbol which is agt. GREEN is annotated with the instruction "GO TO FRP-X.Y," the appropriate Function Restoration Procedure. "X" is the alphabetical code for the respective Critical Safety Function (as given above), and "Y" is the procedure number. Each of the RED priorities is assigned the first procedure number; for example, the Function Restoration Procedure for an inadequate core cooling condition (RED priority on Core Cooling (C) Status Tree) is depicted as FRP-C.1.
In summary, the priority of operator action is fixed by the physical
- arrangement of the trees. Each tree contains multiple termini, each of which '
. represents a possible current status of that Critical Safety Function. Each 82208:10/010284 11
TABLE 2 STATUS TREE PRIORITY 10E*1TIFICATION Color Status / Response Red The critical safety function is under
.ieopardv; immediate operator action is
. , , a! s , required.
Orange The critical safety function is under
, a severe challence; prompt operator action is i
required.
~2 Yellow The critical safety function condition is 4 -
not satisfied. Operator action may be taken.
i Green The critical safety function is satisfied.
No operator action is needed.
i 82208:10/010284 12
~
terminus (and preceding branch) is color coded, reflecting the urgency of that condition regarding operator action, and each also refers to the appropriate guidelines to be used.
For the entire set of trees, priority of operator action is given by the following:
l
- 1) REOs (Jeopardy), in tree order
- 2) ORANGES (Severe challenge), in tree order
- 3) YELLOWS (Not Satisfied), in tree order As an example, a RED condition for Core Cooling is of higher priority than a RED condition for Containment (order of trees). However, the RED condition for Containment is of higher priority than any ORANGE condition (order of colors).
2.2 Status Tree Usaae The predefined and prioritized Status Trees provide the mechanism that coordinates event-related recovery and function-related restoration. The Farley Emergency Operating Procedure's " rules of usage" require the operator to start Status Tree monitoring when the symptoms of a transient leading to reactor trip or safety injection initiation result in transition out of procedure EEP-0, REACTOR TRIP OR SAFETY INJECTION, or when so instructed in procedure EEP-0. Since an event-related diagnosis is expected shortly after entering EEP-0, the Critical Safety Function Status Trees are monitored soon af ter the reactor trip or safety injection. However, if the operator does not make a transition out of EEP-0 due to lack of appropriate symptoms, EEP-0 gives explicit instruction to monitor the Status Trees while remaining in
, EEP-0. Placement of this instruction after the verification of automatic actions and the diagnostic sequence is due to various reasons. Verification of automatic actions ensures that plant equipment is operating properly.
These steps are performed prior to monitoring the Status Trees since the proper operation of the safeguards equipment is the first means of preventing or correcting any challenges to the Critical Safety Functions. The diagnostic sequence can be performed fairly quickly and any transition to another Optimal 82208:10/010284 13
I Recovery Procedure would require that the Critical Safety Function Status
+
Trees be monitored. Hence, the step to explicitly monitor the Status Trees in EEP-0 follows these actions. In addition, jeopardy to any Critical Safety Function due to equipment failure is addressed by explicit transitions out of the immediate action steps in EEP-0.
Once the Status Trees are being monitored, the following " rules of usage' '
apply:
o The Status Trees are monitored in order of Critical Safety Function priority.
o If jeopardy is diagnosed, the operator stops optimal recovery and initiates function restoration to restore the Critical Safety Function under extreme challenge, o If a severe challenge is diagnosed, the operator continues to check the status of all Critical Safety Functions. The operator then stops optimal recovery and initiates function restoration to restore the highest priority Critical Safety Function under severe challenge.
o If a not satisfied condition is diagnosed, the operator continues monitoring the Status Trees. It is the operator's prerogative to continue optimal recovery or to initiate function restoration to restore the affected Critical Safety Function.
o During function restoration to address jeopardy or a severe challenge, if a higher priority challenge is diagnosed, the operator terminates on-going response and initiates function restoration to address the higher priority Critical Safety Function challenge.
82208:10/010284 14
- 3. REFERENCES
- 1. J. J. Sheppard, Chairman, Westinghouse Owners Group, to Hugh L. Thompson Jr., Director, Division of Human Factors Safety, U.S. Nuclear Regulatory Commission, Transmittal of Emergency Response Guidelines Revision 1, OG-111, November 30, 1983.
- 2. J. J. Sheppard, Chairman, Westinghouse Owners Group, to Hugh L. Thompson Jr., Director, Division of Human Factors Safety, U.S. Nuclear Regulatory Commission, Transmittal of Emeroency Response Guidelines Revision 1.
Backaround Documents, OG-123, May 4,1984.
82208:10/010385 15
- 4. APPENDICES f
Background Information For Critical Safety Function Status Trees:
CSF-0.1, Subcriticality 9 pp.
CSF-0.2, Core Cooling 9 pp.
CSF-0.3, Heat Sink 10 pp.
CSF-0.4, Integrity 18 pp.
CSF-0.5, Containment 8 pp.
CSF-0.6, Inventory 8 pp.
I i
j' l
.82208:1D/010385' 16
x BACKGROUND INFORMATION FOR CRITICAL SAFETY FUNCTION STATUS TREE CSF-0.1 SUBCRITICALITY I
82208:1D/010385
- l. INTRODUCTION The Status Tree CSF-0.1, SUBCRITICALITY, provides a systematic method to determine the status of the Subtriticality Critical Safety Function. This tree requires no operator action other than monitoring a limited set of plant parameters and comparing them to reference values within the tree, s
This tree represents the highest priority Critical Safety Function and, as such, is always entered first anytime tree monitoring is initiated. The tree can direct operators to either of two Function Restoration Procedures.
i 1
82208:10/010385
l S* W) ) g $9 as !!i nas as is! J II gE 3 3 El I an<. E.sl n sc e E -
a g -
2 g- E 5
80 8ss 1!!Ih 1111
' i a e EE 3
'3 sn . Eli I
s E I
e ,
h.
h
- 2. DESCRIPTICN Since this tree is monitoring the reactivity state of the core, the parameters being evaluated are those characterizing neutron (leakage) flux behavior as measured by the excore nuclear instrumentation system (NIS). An adequately
- shutdown core typically exhibits a randomly fluctuating count rate on the l Source Range instruments. For the purpose of this tree, the core is j considered adequately shutdown (subtriticality satisfied) whenever the level of subcritical multiplication is steady or decreasing in the Source Range l -(zero or negative Startup Rate).
i l
l i
l 82208:10/010284 3
t
- 3. DETAILED DESCRIPTION OF STATUS TREE BLOCKS This section provides a detailed discussion of the Status Tree CSF-0.1, SUBCRITICALITY.
The block description tables contained in this section are comprised of a one-page (or more) description of each individual decision block on the Status Tree.
l l
l l
l l
L l
l l
82208:10/010284 4
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.1 BLOCK DECISION: Power Range Less Than 5%
PURPOSE: To determine if nuclear power is significant BASIS:
Following a reactor trip, nuclear power promptly trops to only a few percent of nominal, and then decays away to a level some 8 d'! cades less. Decay heat levels resulting from radioactive fission product decay are never more than a few percent of nominal power and also decrease in time. Safeguards heat removal systems are sized to remove only decay heat and not significant core power. The 5% level was chosen because it is clearly readable on the power range meters.
Nuclear power above 5%, in a core supposed to be shutdown, is considered jeopardy to to the fuel clad /matric barrier and a RED priority is warranted. The appropriate procedure for function restoration is FRP-S.1, RESPONSE TO NUCLEAR POWER GENERATION /ATWS.
INSTRUMENTATION:
Power range ~ excore detector channels 82208:10/010284 5
f
\
~
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.1 BLOCK DECISION: Intermediate Range SUR Zero Or Negative i l
l PURPOSE: To determine the behavior of neutron flux on the intermediate range channels ,
l SASIS: l At this point, power range flux has been determined to be not significant, so no extreme challenge exists. However, a positive stTrtup rate (SUR) in the intermediate range will shortly lead to power product;on if operator action is not taken, since no inherent feedback mechanisms exist below the point of adding heat. A positive SUR is considered a sev;re chalisnge to the Safety Function and an ORANGE priority is warranted. The appropriate procedure for function response is FRP-S.1, RESPONSE TG NUCLEAR POWER GENEKATION/ATWS.
INSTRUMENTATION:
Intermediate range excore detector channels with SUR meters I
l l
L l
l l
l I
I I
i l
8220B:1D/010284 6
)
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.1 BLOCK DECISION: Source Range Energized PURPOSE: To determine if high voltage is applied to the source range detectors BASIS:
This decision point is used to determine if further evaluation should be directed at the source range flux behavior, or back at the intermediate range channel indications.
INSTRUMENTATION:
Source range excore detector indication l
l i-l ut i-l-
82208:10/010284 7 i -
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.1
. BLOCK DECISION: Intermediate Range SUR More Negative Than - 0.2 DPM PURPOSE: To determine the rate of decay of intermediate range flux BASIS:
Normally, following reactor trip, intermediate range flux decays at a constant
-0.3 DPM. A rate of decrease less negative than -0.2 DPM (e.g., -0.1 DPM) is considered to represent a not satisfied condition and a YELLOW priority is warranted. The appropriate procedure for function restoration is FRP-S.2, RESPONSE TO LOSS OF CORE SHUTDOWN. If the rate of decrease is less negative than -0.2 DPM, then the CSF is satisfied.
INSTRUMENTATION:
Intermediate range excore detectors channels with SUR meters L
l 82208:10/010284 8
l BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.1 BLOCK DECISION: Source Range SUR Zero Or Negative PURPOSE: To check for adequate indication of subtriticality BASIS:
Normally,. following reactor trip, neutron flux decreases into the source range and stays there. Typically source range count rate fluctuates, and does not exhibit any sustained increasing trend. Such a trend, as indicated by a positive SUR, is considered a not satisfied condition and a YELLOW priority is warranted. The appropriate procedure for function restoration is FRP-S.2, RESPONSE TO LOSS OF CORE SHUTDOWN. If source range SUR is zero or negative the CSF is satisfied.
l INSTRUMENTATION:
Source range excore detector with SUR meters i
l l
l I
l-l 82208:10/010284 9
BACKGROUND INFORMATION FOR l
CRITICAL SAFETY FUNCTION STATUS TREE CSF-0.2 CORE COOLING l
6 82208:10/010284
4
- 1. INTRODUCTION The Status Tree CSF-0.2 CORE COOLING, provides a systematic method to determine the status of the Core Cooling Critical Safety Function. This tree requires no operator action other than monitoring a limited set of plant parameters and comparing them to reference values within the tree.
This tree represents the second highest priority Critical Safety Function, and as such, is always entered directly after the SUBCRITICALITY tree. This tree can direct the operator to any of three separate Function Restoration Procedures.
3
.i i
i 82208:1D/010284 1
L
- 3 ! ,, a 4 m: 4 B4 B B EN B E3 ? B3
, et>
- El11.-
l r r 81
- sisi a e EEN HEI g" "
8 9RBJ E
e e a 5h*h
! k. kil .- sh!&
- n a n bb HER
- 2. DESCRIPTION This tree monitors the state of core fuel clad heat removal based on RCS pressure and core exit temperature. The Critical Safety Function is considered to be satisfied if subcooling is indicated at the core exit.
The most serious challenge to the Critical Safet,' Function is an indication of s
Inadequate Core Cooling (ICC). An inadequate core cooling condition is defined as a high-temperature state in the core which has exceeded design basis accident acceptance criteria and where operator action is needed to prevent core damage from occurring. Extensive analysis of design basis events (e.g., small and large LOCA) have been performed and safeguard systems have been appropriately designed (e.g., SI and AFW flow systems) to ensure that no unacceptable level of core damage will occur for design basis events. If equipment failure or multiple events occur and result in the design basis fassumptions being exceeded, it is possible that conditions can exceed those predicted in design basis analysis. However, if the operator has a symptom indicating that this is occurring, actions can be taken to use alternative methods to attempt to restore core cooling. The use of these actions is intended to be minimized since they are extraordinary and beyond the original design basis of the equipment (e.g., RCP restart under highly voided RCS conditions) or could lead to challenging other Critical Safety Functions (e.g., pressurized thernal shock from rapid SG depressurization). The symptom of inadequate core cooling has been defined in this tree using core exit thermocouples. It indicates jeopardy to the fuel clad / matrix-barrier to radioactivity release and a RED priority is warranted.
If an inadequate core ' cooling condition has not been reached, but a degraded core cooling. condition as defined in this tree exists, then there are still operator actions to be taken to respond to the challenge. In most' cases similiar actions are already provided in the Optimal Recovery Procedures, but they are repeated in the Function Restoration Procedures to ensure that the proper priority is given to these actions.
82208:1D/010284 3
Therefore, any condition symptomatic of either an inadequate or degraded core cooling condition has been given a RED or ORANGE priority indicating jeopardy or a severe challenge to the safety function. If RCS subcooling is not indicated, then the RCS may be saturated. Since this is not a normal condition for core cooling and may be due to inadequate RCS inventory, possibly requiring SI flow, the function is considered to be not satisfied and a YELLOW priority is warranted. Saturated conditions in the RCS are expected during some events and, if SI is operational, adequate core cooling should be maintained.
8220B:1D/010284 4 g- ------- - w - ----- - -
- - - ' - , w
- 3. DETAILED DESCRIPTION OF STATUS TREE BLOCKS This section provides a detailed discussion of the Status Tree CSF-0.2, CORE COOLING.
, The block description tables contained in this section are comprised of a one-page (or more) description of each individual decision block on the Status Tree.
3 82208:10/010284 5
]
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.2 BLOCK DESCRIPTION: Core Exit TCs Less Than 1200*F PURPOSE: To determine if inadequate core cooling has been reached BAlli:
Analysis of inadequate core cooling scenarios (Reference 1) shows that core exit temperature greater than 1200*F is a satisfactory criterion for basing extreme operator action. At least 5 thermocouples should be reading greater than 1200*F. Five has been chosen to allow for thermocouples failing high. This temperature indicates that most liquid inventory has already been removed from the RCS and that core decay heat is superheating steam in the core. Jeopardy to the fuel matrix / clad barrier is imminent and a RED priority is warranted. The appropriate procedure for functional response is FRP-C.1, RESPONSE TO INADEQUATE CORE COOLING. If' core exit thermocouples are less than 1200*F, then subsequent blocks check for severe, not satisfied or satisfied conditions for the safety function.
INSTRUMENTATION:
Core exit thermocouples temperature indication 82208:1D/010284 6
Bl.0CK DESCRIPTION TABLE FOR STATUS TREE CSF-0.2 BLOCK DESCRIPTION: RCS Subcooling Greater Than 23*F
[189'F for adverse containment]*
PURPOSE: To determine if core exit subcooling is being maintained and SI flow not required I
BASIS: 1 If core exit subcooling is not indicated, then SI flow should be maintained to the RCS to provide inventory make-up and the Core Cooling Critical Safety i Function is not satisfied. A subsequent block checks for a degraded core cooling condition. If RCS subcooling is indicated, then the Critical Safety Function is satisfied.
INSTRUMENTATION:
o Core exit thermocouples temperature indication o RCS. pressure indication
- Farley Unit 1 to use' 189'F, Unit 2 to use 223*F. Plant modifications are planned that will reduce the adverse containment values to approximately 78'F for each unit.
82208:10/010284 7
1
\
l l
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.2 BLOCK DESCRIPTION: Core Exit TCs Less Than 700'F PURPOSE: To determine if degraded core cooling has been reached i
BASIS:
If at least five core exit thermocouples indicate greater than 700'F, superheat at the core exit is indicated and a degraded core cooling condition has been reached. If core exit thermocouples indicate less than 700*F, then a degraded core cooling condition dens not exist, but since subcooling was not indicated in the previous block a not satisfied condition is warranted and FRP-C.3, RESPONSE TO SATURATED CORE COOLING is the appropriate procedure for functional response.
INSTRUMENTATION:
Core' exit thermocouples temperature indication I
i.
I l
l, l
i l
l 82208:10/010284 8' I
- 4. REFERENCES
- 1) C.M. Thompson, et. al., Inadeauate Core Coolina Studies of Scenarios With Feedwater Available. Using the NOTRUMP Computer Code, Westinghouse Electric Corporation, WCAP-9754, Non-Proprietary, WCAP-9753, Proprietary, June 1980.
1 1
l l
82208:10/010284 9
1 1
BACKGROUND INFORMATION FOR CRITICAL SAFETY FUNCTION STATUS TREE CSF-0.3 HEAT SINK 82208:10/010284 L
- l. INTRODUCTION The Status Tree CSF-0.3, HEAT SINK, provides a systematic method to determine the status of the HEAT SINK Critical Safety Function. This tree reqaires no operator action other than monitoring a limited set of plant parameters and comparing them to reference values within the tree.
This tree represents the third highest priority Critical Safety Function, and as such, is always entered directly af ter the CORE COOLING tree. The tree can direct the operator to any of five separate Function Restoration Procedures. ,
(a f
~,e
-( I-82208:lD/010284 1
i """"""""Y E
8 8 8 8 =
h2 $h $h 5h 5h E
$g EE R IER E5 B E3 & BE
- as...
a B s
v h
- Igg lisngs e
- s<-.
a E 1 2 O
bh as<hN
.a .M als .e m
i e E g G
F **
! !!!! lisi I
a B s$
58 ri i $25 fils s -9
~
=
3 .,- 4 8Es Miji.
B y
o gig l8E as <-
E s 9 -
4*sl e a ,
i lillls
- 2. DESCRIPTION This tree monitors the state of secondary heat sink and integrity based on SG 1evel, feed flow and SG pressure. The Critical Safety Function is considered to be satisfied if all SG levels and pressures are within the normal range.
The most serious challenge to the Critical Safety Function is an indication of loss of secondary heat sink. A loss of secondary heat sink occurs if decay heat removal is needed through the SGs and all feed flow capability is lost.
Feed flow must be reestablished or an alternative heat removal mode (e.g.,
bleed and feed) must be established to prevent core uncovery and eventually an inadequate core cooling condition. Since this is jeopardy to the fuel clad / matrix barrier to radioactivity release, immediate operator action is required and a RED priority is warranted. The loss of secondary heat sink condition is the only RED priority included on this tree. There are no ORANGE priority conditions on this tree. A not satisfied condition, YELLOW, on this tree can be reached if: 1) any SG pressure is above the highest SG safety valve setpoint; 2) any SG level is higher than SG high-high feedwater isolation setpoint; 3) any SG pressure is above the lowest SG safety valve setpoint; and 4) any SG level is below the narrow range.
These conditions do not result in any jeopardy or severe challenge to a barrier to radioactivity release since they only indicate SG levels out of the normal range in some SGs, or potential challenges to secondary integrity.
l f
L 1
l l'
82208:10/010284 3
.- .. _. . - . . . - _ . = . _ - - - . - - _ - , . - . . - _ - , . . . _-. -.
\
- 3. DETAILED DESCRIPTION OF STATUS TREE BLOCKS This section provides a detailed discussion of the Status Tree CSF-0.3, HEAT SINK.
The block description tables contained in this section are comprised of a one-page.(or more) description of each individual decision block on the Status Tree.
82208:10/010284 4
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.3 BLOCK DECISION: Narrow Range Level In At least One SG Greater Than 6%
[34% for adverse containment]
PURPOSE: To determine if at least one SG has level sufficient for maintenance of a heat sink SASIS:
A level in the narrow range in any SG, including a ruptured SG, is sufficient to ensure an adequate secondary inventory for a secondary heat sink. If level is not in the narrow range, the operation of the feed system will determine whether a loss of secondary heat sink is imminent.
INSTRUMENTATION:
SG narrow range level indication 82208:1D/010284 5
s l
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.3 BLOCK DECISION: Total Feedwater Flow To SGs Greater Than 377 GPM PURPOSE: To determine in the absence of SG level whether feed flow is sufficient to establish secondary heat sink 8 ASIS:
Total feedwater flow of greater than 377 gpm ensures that, in the absence of narrow range level in any SG, the capability of feedwater to restore level and maintain a secondary heat sink is available. If not, then jeopardy to heat sink is insninent and a RED priority is warranted. The appropriate procedure for functional response is FRP-H.1, RESPONSE TO LOSS OF SECONDARY HEAT SINK.
INSTRUMENTATION:
Aux feed flow indication 82208:10/010284- 6
8 LOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.3
-8 LOCK DECISION: Pressure In All SGs Less Than 1129 PSIG PURPOSE: To determine if any SG pressure is above SG design limits BASIS:
.In the event that pressure in any SG is greater than the highest steamline safety valve setpoint, then the SG design limit may be exceeded and integrity may be challenged. Also, there is no flow path in use removing energy from that SG.
The heat sink function is not satisfied and a YELLOW priority is warranted. The appropriate procedure for functional response is FRP-H.2, RESPONSE TO STEAM GENERATOR OVERPRESSURE.
INSTRUMENTATION:
SG pressure indication i
l t
l l
82208:10/010284 7
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.3 BLOCK DECISION: Narrow Range-Level In All SGs Less Than 75%
PURPOSE: To determine if any SG is approaching an overfill condition
- RAlli
~ An overfeed due to excess feed flow or a steam generator tube rupture may lead to a high level in an SG. This block checks all SGs to ensure identification since i it may cause unwanted atmospheric releases or challenge SG integrity. Note that although the level in the affected SG may reach the top of the narrow range span, significant volume still exists before the steam generator fills with water. The heat sink function is not satisfied and a YELLOW priority is warranted. The appropriate procedure for functional response is FRP-H.3, RESPONSE TO STEAM GENERATOR HIGH LEVEL.
INSTRUMENTATION:
SG narrow range level indication L
l l
r i
L.
82208:1D/010284 8
. - . - . _ . - - . .. . ~ .
\
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.3 BLOCK DECISION: Pressure In All SGs Less Than 1075 PSIG PURPOSE: To determine if any SG safety valves are open BASIS:
If any SG safety valve is open, then a unisolatable heat removal path is being used. A better path is to use steam dump to condenser or SG PORVs which are controllable and isolatable. Also, condenser steam dump will not release steam to the atmosphere. The heat sink function is not satisfied and a YELLOW priority is warranted. The appropriate guideline for functional response is FRP-H.4, RESPONSE TO LOSS OF NORMAL STEAM RELEASE CAPABILITIES.
INSTRUMENTATION:
SG pressure indication I'
82208:10/010284 L 9
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.3 BLOCK DECISION: Narrow Range Level In All SGs Greater Than 6%
[34% for adverse containment]
PURPOSE: To determine if all SGs have level and inventory in the normal range BASIS:
Feedwater should be maintained until all SGs are in the narrow range unless a faulted SG is identified. Narrow range level is reestablished in all SGs to maintain symmetric cooling of the RCS. If any level is low, the heat sink function is not satisfied and a YELLOW priority is warranted. The appropriate procedure for functional response is FRP-H.5, RESPONSE TO STEAM GENERATOR LOW LEVEL.
' INSTRUMENTATION:
SG narrow range level indication 82208:10/010284 10
BACKGROUND INFORMATION FOR CRITICAL SAFETY FUNCTION STATUS TREE CSF-0.4 INTEGRITY 82208:10/010284
- 1. INTRODUCTION The Status Tree CSF-0.4, INTEGRITY, provides a systematic method to determine the status of the Integrity Critical Safety Function. This tree requires no operator action other than monitoring a limited set of plant parameters and comparing them to reference values within the tree.
This tree represents the fourth highest priority Critical Safety Function, and as such, is always entered directly af ter the HEAT SINK tree. The tree can direct operators to either of two Function Restoration Procedures.
This tree is unique among all the Critical Safety Function Status Trees in that all the reference values against which current plant parameters are compared do not appear explicitly at the branch points. Rather, one reference value is a curve separating operating reaions in pressure-temperature space.
Since each reactor vessel is unique in material properties, weld composition, and power history, a plant specific curve has been constructed and included with the Status Tree for use. The main concern of the INTEGRITY Status Tree is the reactor vessel wall and its ability to maintain integrity when subjected to a rapid cooling or rapid pressurization transient. As the thick wa11ed vessel ages, it tends to lose its ductility due to radiation embrittlement, and its nil-ductility temperature, that temperature at which it i begins to exhibit brittle behavior, increases. Operators are trained to be aware of the brittle fracture concern, and are required by Technical Specifications to limit heatup and cooldown rates to conservatively limit thermal stresses below a critical yield stress to prevent a postulated vessel wall flaw from growing and possibly failing the vessel. Operators are also
, trained to maintain RCS pressure and temperature within Technical Specification limits to address both thermal shock and cold overpressure concerns.
82208:1D/010284 1
I-
- ~ . 8 l-! I!$ R$$ a$ !!$ E! $. sl g!
D RI dS p ,, ,, ppp 5 5 85<55l.u d<5Elau E $
9 $ -
85 s dS,,,
l l "
Rs lileg s 8 -
Eg dS ,,,,
lEiiil E<=v $@g'$5 d5 l.3 0l $-
l5,5Bl 5
a E s E -
cre .3
, eensi e gg -@igl3 s l2 = g *e. .-
E <ani QEl dggg3 E0 c
-v
' I a E a 0 -
d 0 !!! i li..o lils<.ni u
d a y lllls!!
- 2. DESCRIPTION l
The intent of the Integrity Critical Safety Function Status Tree is to define symptoms that indicate a challenge is occurring to the Integrity Critical Safety Function, and to prioritize operator action required to address this challenge. Challenges are defined for two types of plant transients. The first concern is transients that result in rapid and severe RCS cooldown that could lead to challenging vessel integrity (i.e., pressurized thermal shock).
The other concern is transients that occur while the RCS is relatively cold and a rapid pressure increase occurs (i.e., cold overpressure). The following
-subsections contain discussions of how the limits on the Integrity Status Tree l were determined for each of these concerns.
3.
l 2.1 Pressurized Therwel Shock i
s The first action level to be defined is one based on a limit that indicates
, that jeopardy to vessel integrity due to thermal shock may be occurring. This limit has been defined as Limit A on the Integrity Status Tree.
Using fracture mechanics analysis techniques and an assumed fluid temperature transient, the minimum pressure at a given temperature required to initiate a i
flaw, called the allowable pressure, can be calculated and used as a basis for the definition of Integrity action levels.
In order to be compatible with the intent of Critical Safety Function Status ,
Trees, Limit A is required to be time independent. Since the severity of a thermal shock is dependent on the rate of RCS cooldown, a method is needed to conservatively eliminate rate dependence from the limit calculations. This is l
i done by assuming a step decrease '(or infinite rate drop) in fluid temperature L in order to bound all possible cooldown rates.
The method used to calculate a Limit A curve is to use, in an allowable pressure calculation, a step temperature transient assumed to start at a downcomer wall and fluid temperature of 550*F, with fluid temperature then dropping to a lower specified constant temperature. Figure 1 provides a 1
~
3 ,
- 82208:10/010284 j
\
, s representation of some' example temperature transients. Figure 2 presents an
-example allowable pressure calculation result for one such temperature transient. For each final temperature assumed, a different allowable pressure curve is generated. A series of minimum allowable pressures, each corresponding to a given final temperature assumption, is then used to generate a curve which is called the " Step Cooldown Crack Initiation Limit" as shown on Figure 3.
4
-Also; included on Figure 3 is a curve called the " Isothermal Wall Crack i Initiation Limit" which is an allowable pressure curve assuming a constant steady-state through-wall temperature. Rather than the very extreme situation i resulting from the step temperature decrease transient which places the maximum thermally-induced tensile stress on the vessel inner wall, temperature I stress for the steady state through-wall temperature case is nearly zero. But material _ fracture toughness, or its resistance to flaw growth at low
-temperature, is low enough so that excessive pressure alone is calculated to cause flaw initiation. For thick-walled vessels, it has been found that this l- curve is more limiting at high pressure than the " Step Cooldown Crack Initiation Limit". Therefore, Limit A has been defined-as the. lower bound of the " Step Cooldown Crack Initiation Limit" and the " Isothermal Wall Crack
. Initiation Limit".
Limit A is then conservatively defined as the' pressure-temperature boundary of a region within which a flaw may grow and which is independent of the time i history of the transient. If conditions remain to the right of Limit A, no l growth of a flaw will occur. If conditions are to the left of this limit the potential for flaw growth exists and appropriate operator action should be taken to reduce the probability.that an existing flaw will propagate through the vessel wall provided that jeopardy to a higher priority Critical Safety Function is not also occurring. Since jeopardy to the vessel integrity barrier ,is occurring, a RED _ priority is warranted.
The instrument indications-to be used in monitoring Limit A are RCS pressure ,
and RCS cold leg temperature. RCS pressure and cold leg temperature are the best available indicat 'ans of downcomer pressure and fluid temperature.
e 82208:10/010284 4
1 sr T .o
- Figure 1. BASIS FOR DEVELOPMENT OF .
- C, RACK INITIATION CURVE
- Cold Leg i Temperature ( F) i .
550
^
Pressures decrease with
! y, increasing radiation damage to vessel (RTNDT i)
(Critical Pressure = A psig)
(Critical Pressure = B psig)
I (critical Pressure = C psig) 9g _
s 9
j Time +
j _ _ _
1 sr ze 1
Figure 2. EX-AMPLE ALLOWABLE PRESSURE CURVE I
1 i
1 i
i i . Minimum
^ Allowable l
i Pressure j
Pressure Allowable Pressure l
t I
i x
a
? Time >
i l
a&2 0003083 004 .
l i
- w =
i m,
0.4 l Figure 3. EXAMPLE CURVE SHOWING STEP
! COOLDOWN CRACK INITIATION LIMIT l Safety Valve Set Pressure
{ plus accumulation l
~ ^
l !
i l Pressure
/ l4-Full i
Isothermal Wall Crack
/ Repressurization Limit Initiation [ l Limit g/ .
i Step Cooldown Crack l # I z
l initiation Limit
$ 5 l l Temperature +
1 I
i i
i The region to the right of the intersection of the " Isothermal Wall Crack Initiation Limit" and the RCS safety valve pressure setpoint plus 3 percent accumulation (2560 psig) is a f ull repressurization area. In this area a flaw will not grow at any pressure up to the safety valve setpoint and complete operating flexibility with respect to pressure can be allowed. In permitting I -this flexibility it is assumed that at least one of the installed code safety j
valves operates to limit RCS pressure, if necessary.
! The region to the right of Limit A and to the left of the " Full
- Repressurization Limit" line (Figure 3) is an area where a flaw will be
- j. ' calculated to grow if a large cooldown rate has occurred and pressure increases above Limit A even if temperature has been stabilized. Since pressure can' rise in some cases rather quickly, increased operator awareness of.RCS pressure is warranted in this region. This region is defined as a severe challenge and an ORANGE priority is warranted. In order to warn the operator of the approach to a more severe Integrity limit, a temperature region has been defined for a not satisfied function condition. The size of this region is 30"F since analysis has shown that cooldown restrictions other thain normal Technical Specification cooldown limits are necessary at 30"F above the ORANGE priority boundary.
2.2 Cold Overpressure The Integrity limits for cold overpressure are based on the temperature at which the Cold Overpressure Protection System is placed in service. If RCS pressure is less than the cold overpressure limit then the function is satisfied. If RCS pressure is above the cold overpressure limit and cold leg temperature is above temperature T1 (i.e., the ORANGE priority boundary) then vessel, integrity will not be challenged, even with full repressurization,
- i. since the " Isothermal Wall Crack Initiation Limit" will not be exceeded (see Figure 3). The function is considered not satisfied and a YELLOW priority is warranted.
R If the RCS pressure is greater than the cold overpressure limit, and cold leg
< temperature is less than T1, then continued pressure increase could violate t the " Isothermal Wall Crack Initiation Limit" and a flaw may initiate.
!i Therefore, prompt operator action is required to address a severe challenge to the function and an ORANGE priority is warranted.
82208:1D/010284 8
- 3. DETAILED DESCRIPTION OF STATUS TREE BLOCKS This section provides a detailed discussion of the Status Tree CSF-0.4, INTEGRITY.
The block description tables contained in this section are comprised of a one-page (or more) description of each individual decision block on the Status Tree. ^
I I
i 82208:10/010284 9
\
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.4
-BLOCK OECISION: Temperature decrease in all cold legs less than 100*F in last 60 minutes
- PURPOSE: To determine if a cold leg cooldown in excess of normal cooldown limits has occurred BASIS:
l If the temperature decrease in any cold leg has exceeded 100*F in the previous
! 60 minutes, then there is a potential concern for thermal shock. If not, then no other checks on rate-dependent limits are necessary. The only concern remaining is cold overpressure which will be checked in subsequent blocks. If the temperature decrease has exceeded 100*F in the previous 60 minutes, the degree of cooldown must be assessed before a thermal shock concern can be identified. This is checked in subsequent blocks.
INSTRUMENTATION:
o RCS cold leg temperatures indication o RCS cold leg temperature trend indication B2208:1D/010284 10
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.4 i
BLOCK OECISION: All RCS pressure-cold leg temperature points to right of Limit A PURPOSE: To determine if limits indicating a potential thermal shock have been exceeded BASIS:
The objective of Limit A is to provide a limit that indicates a potential thermal shock condition exists if it is exceeded. The basis of this limit is to prevent growth of a flaw that could conservatively be present in the vessel -
wall. The method used to calculate this limit is described in the DESCRIPTION section of this document. If Limit A has been exceeded, then operator action is necessary to limit further RCS temperature decreases or RCS pressure increases. A RED priority is warranted since jeopardy to the function is occurring and _ FRP-P.1, RESPONSE TO IMMINENT PRESSURIZED THERMAL SHOCK CONDITION, is the appropriate procedure for functional response.
If Limit A has not been exceeded, then additional checks are made in subsequent blocks to determine if a less severe thermal shock condition exists.
INSTRUMENTATION:
o RCS pressure indication o RCS cold leg temperatures indication 82208:10/010284 11
1 l .
00'00E s
\ I 00'052 N 3 N
N N
t l 00*002 C
- w w
l 00 051 g l 4 l RE w
t l E w
. gg 0000i;
. w d
aC g o
t$
E o
u 000'05 i.
l 0*0 8
l
- l i
8 v, $ I 8 e.
- = an O N
- (015 d) 38n553Wd 5311
^
< 12
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.4 BLOCK DECISION: RCS temperature greater than 310*F PURPOSE: To determine if RCS temperature is less than where the Cold Overpressure Protection System should be in service BASIS:
In order to determine if cold overpressure is a concern, a check is made on whether RCS temperature has decreased to below the temperature at which the Cold Overpressure Protection System should be placed in service. Subsequent blocks check if a cold overpressure condition exists.
INSTRUMENTATION:
RCS temperature indication 82208:10/010284 13
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.4 BLOCK DECISION: All RCS cold leg temperatures greater than 266*F L
PURPOSE: To determine if RCS conditions have reached an imminent thernal shock condition where full repressurization should not be allowed BASIS:
The region between Limit A and 266*F 1, where a flaw is not calculated to grow, but where Limit A may be quickly exceeded if repressurization occurs.
If any cold leg temperature is less than 266*F, then operator action is necessary to minimize further RCS temperature decreases and RCS pressure increases. An ORANGE priority is warranted since a severe challenge to the
, function exists and FRP-P.1, RESPONSE TO IMMINENT PRESSURIZED THERMAL SHOCK CONDITION, is the appropriate procedure for functional response. If all cold leg temperatures are greater than 266*F, then a subsequent block checks for a less severe thermal shock condition.
INSTRUMENTATION:
RCS cold leg temperatures indication 82208:1D/010284 14
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.4 l BLOCK DECISION: RCS pressure less than 450 psig PURPOSE: To determine if cold overpressurization limit has been exceeded BASIS:
If the cold overpressure protection system should be in service and RCS
! pressure exceeds cold overpressure limits, then action may be necessary to minimize or decrease RCS pressure. The priority of action will be determined in subsequent blocks. If RCS pressure has not exceeded the cold overpressure limit, then the Integrity Critical Safety Function is satisfied.
INSTRUMENTATION:
RCS pressure indication 82208:10/010284 15
1
\ l BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.4 4
BLOCK DECISION: All RCS cold leg temperatures greater than 296*F l PURPOSE: To determine if RCS conditions are within limits where a thernal shock condition would be anticipated BM11:
If'any cold leg temperature is less than 296*F, then conditions are close to the point where jeopardy or a severe challenge to an Integrity limit will l exist. The temperature region between 296*F and 266*F is intended to allow time for operator action to try to prevent entering a region of imminent thermal shock. It has also been defined because cooldown limits more restrictive than the Technical Specification normal cooldown curves are required to safely achieve cold shutdown conditions. For these reasons the function is not satisfied and a YELLOW priority is warranted. The appropriate procedure for functional response is FRP-P.2, RESPONSE TO ANTICIPATED PRESSURIZED THERMAL SHOCK CONDITION. If all RCS cold leg temperatures are greater than 296*F, then the Integrity Critical Safety Function is satisfied.
INSTRUMENTATION:
RCS cold leg temperatures indication l
[
l l
P 82208:1D/010284 16
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.4 BLOCK DECISION: All RCS cold leg temperatures greater than 266*F PURPOSE: To determine if full repressurization is allowed for a cold overpressure condition BASIS:
If cold leg temperature in any RCS cold leg is less than 266*F and RCS pressure is greater than the cold overpressure limit, then a severe challenge to'the function exists and operator action is necessary to limit RCS pressure. An ORANGE priority is warranted and FRP-P.1, RESPONSE TO IMMINENT PRESSURIZED THERMAL SH0CK CONDITION, is the appropriate procedure for functional response.
If all RCS cold leg temperatures are greater than 266*F, then ever, though the cold overpressure limit has been exceeded (previous block), there is no jeopardy or a severe challenge to vessel integrity, even at very high pressure. A YELLOW priority is warranted, however, since the function is not satisfied and FRP-P.2, RESPONSE TO ANTICIPATED PRESSURIZE 0 THERMAL SHOCK CONDITION, is the appropriate procedure for functional response.
INSTRUMENTATION:
RCS cold leg temperatures indication i
82208:10/010284 17
- 4. REFERENCES
- 1) Report from Westinghouse Electric Corporation, Nuclear Technology Division, to the Westinghouse Dwners Group, Summary of Evaluations Related to Reactor Vessel Intearity, May 1982.
- 2) Letter from R. A. Muench to L'estinghouse Dwners Group Representatives and Analyt.is Subcommittee Members, Calculation of Operatina and NTOL Vessel RT NDT Values, WOG-82-290, December 31, 1982.
l l.
l
'82208:10/010284 18
f BACKGROUND INFORMATION FOR CRITICAL SAFETY FUNCTION STATUS TREE CSF-0.5 CONTAINMENT 82208:10/310284
i D ** $ $
U g N
II E5 sN if E glj gj sii al Be g IlIlg
. a
> e 50' NIe e iei n
im o l
9 e l
Y h50 Isl i!E
. a .
lll1
i
- 1. INTRODUCTION The Status Tree CSF-0.5, CONTAINMENT, provides a systematic method to determine the status of the Containment Critical Safety Function. This tree requires no operator action other than monitoring a limited set of plant parameters and comparing them to reference values within the tree.
This tree represents the fifth Critical Safety Function and is always entered directly after the INTEGRITY STATUS tree. The tree can direct operators to )
either of three Function Restoration Procedures.
. l l
i l
8220B:10/010284 1
\
- 2. DESCRIPTION The intent of the Containment Safety Function is to maintain containment integrity since this represents the third and final barrier against
-radioactivity release. In order to evaluate the status of this Critical Safety Function, the tree evaluates several possible challenges to containment
. integrity or essential equipment inside containment and directs the operator to an appropriate procedure for function restoration. The function is satisfied if containment pressure is below the 27 psig, containment level is less than flood level and containment radiation level is below 2 R/HR.
i i
l.
i 82208:10/010284 3
- 3. DETAILED DESCRIPTION OF STATUS TREE BLOCKS The block description tables contained in this section are comprised of a one-page (or more) description of each individual decision block on the Status Tree.
The Block Description Tables for the Status Tree CSF-0.5, CONTAINMENT, are presented on the following pages.
t l
i 82208:10/010284 4
)
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.5 BLOCK DECISION: Containment Pressure Less Than 54 PSIG PURPOSE: To evaluate if pressure in containment is less than design pressure BASIS:
If containment pressure is greater than design pressure, jeopardy to the containment barrier exists. The challenge does not necessarily come from the ,
pressure alone, but rather from the potential pressure spike which could result from a hydrogen ignition. The total pressure could then potentially exceed the strength of containment. Also, above containment design pressure, leakage may exceed design basis limits. It is expected that containment pressure suppression equipment should be able to maintain pressure below design pressure. If not, then operator action is necessary to check containment functions and a RED priority is warranted. The appropriate procedure for function restoration is FRP-Z.1, RESPONSE TO HIGH CONTAINMENT PRESSURE.
INSTRUMENTATION:
Containment pressure indication 82208:1D/010284 5
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.5 BLOCK DECISION: Containment Pressure Less Than 27 PSIG PURPOSE: To determine if the pressure in containment is less than spray pressure setpoint BASIS:
At a pressure below design pressure, it is unlikely that even a hydrogen ignition could result in sufficient overpressure to fail containment. Pressure above 27 psig indicates a significant energy release to containment and merits prompt operator action to ensure operation of containment pressure suppression equipment
- and performance of Phase B isolation, and an ORANGE priority is warranted. The appropriate procedure for function restoration is FRP-Z.1, RESPONSE TO HIGH CONTAINMENT PRESSURE.
INSTRUMENTATION:
Containment pressure indication 82208:10/010284 6
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.5 BLOCK OECISION: Containment Sump Level Less Than 7.0 ft PURPOSE: To determine if containment is flooded BASIS:
High energy line breaks could result in a large volume of water being pumped into containment. As the water level rises, it might threaten the availability of equipment required for long term cooling of the core and/or containment. Such a high water level is considered a severe challenge to the containment barrier and an ORANGE priority is warranted. The appropriate procedure for function restoration is FRP-Z.2, RESPONSE TO CONTAINMENT FLOODING.
INSTRUMENTATION:
Containment sump level (including wide range level up to flood level) indication l
l l
l r
82208:10/010284 7 L
BLOCK OESCRIPTION TABLE FOR STATUS TREE CSF-0.5 BLOCK DECISION: Containment Radiation Less Than 2 R/HR PURPOSE: To determine if containment building radiation is less than 2 R/HR BASIS: ,
.Normally, containment building radiation levels are fairly low and constant.
However, during an accident, significant radioactivity may be released into the
. containment atmosphere. In-containment systems are available to filter and scrub the contaminants from the atmosphere, and radiation alone does not represent a threat to containnent integrity. This is considered a not satisfied condition and a YELLOW priori.ty is warranted. The appropriate procedure for function restoration is FRP-Z.3, RESPONSE TO HIGH CONTAINMENT RADIATION. If containment radiation is less than 2 R/HR, then the function is satisfied.
INSTRUMENTATION:
Containment building radiation monitor 4
l l
l l
l 82208:1D/010284 8
\
BACKGROUND INFORMATION FOR CRITICAL SAFETY FUNCTION STATUS TREE CSF-0.6 INVENTORY
- 82208
- 10/010284
- 1. INTRODUCTION The Status Tree CSF-0.6, INVENTORY, provides a systematic method to determine the status of the Inventory Critical Safety Function. This tree requires no operator action other than monitoring a limited set of current plant parameters and comparing them to reference values within the tree.
This tree represents the sixth and lowest priority Critical Safety Function, and as ..ch, is always entered directly af ter the CONTAINMENT tree. This tree can direct the operator to any of three separate Function Restoration Procedures.
\
1 1
82208i1D/010294 1
I 55 ; !:
na s si:n 3g
)
I-ll.!
e E IE
- i. llE . ,b m
1 51 E e
A n
R s IIl=i I.sl 8 8
)
8 E
IlIl
- 2. ' DESCRIPTION The Inventory Critical Saf ety Function (CSF) is concerned with the maintenance of pressurizer level in the norum1 operating range (above the letdown isolation setpoint and above the PRZR heaters, but below the high level reactor trip setpoint) and having subcooling in the reactor vessel upper head (no voids in the vessel). Other aspects of RCS inventory necessary to neintain adequate core cooling have been integrated into the Core Cooling CSF Status Tree since they are more directly related to core cooling and are of higher priority than this Critical Safety Function. This tree contains no priority higher than YELLOW, indicating a not satisfied CSF.
If the PRZR level is above the high level reactor trip setpoint then excess inventory is indicated in the RCS. If this condition continues RCS pressure control may be difficult and a PRZR PORV or a safety valve may be opened, especially if the RCS is water solid. Therefore, guidance for restoration of level is provided in FRP-1.1, RESPONSE TO HIGH PRESSURIZER LEVEL. This procedure is applicable if SI is not in operation. Since this condition will not result in jeopardy or a severe challenge to any of the barriers to radioactivity release, it is defined as a not satisfied Inventory condition and a YELLOW priority is warranted.
If PRZR level is less than the letdown isolation setpoint, then normal PRZR pressure and level control will not be available since letdown will be isolated and PRZR heaters will not energize. Guidance for restoration of PRZR level is provided in FRP-1.2, RESPONSE TO LOW PRESSURIZER LEVEL. This guidance is applicable if S1 is not in operation and may lead to operation of SI pumps if charging flow is not able to restore level. Since the low PRZR level condition will not result in jeopardy or a severe challenge to any of the barriers to radioactivity release, it is defined as a,not satisfied Inventory condition and a YELLOW priority is warranted.
l 02208:10/010284 3 1
If PRZR level is on span, but subcooling is not indicated in the reactor vessel upper head, then voids in the vessel may contribute to difficulty in controlling PRZR pressure and level. Guidance for restoration of reactor vessel upper head subcooling is provided in FRP-I.3. RESPONSE TO VOIDS IN REACTOR VESSEL. This guidance is applicable if SI is not in operation. Since this condition will not result in jeopardy or a severe challenge to any of the barriers to radioactivity release, it is defined as a not satisfied Inventory condition and a YELLOW priority is warranted.
If PRZR level is in the narrow range and subcooling is indicated in the reactor vessel upper head RCS inventory necessary for normal pressure and level control is available and the CSF is satisfied.
f 82208:10/010284 4
- 3. DETAILED DESCRIPTION OF STATUS TREE BLOCKS The block description tables contained in this section are compri:ed of a one-page (or more) description of each individual decision block on the Status Tree.
The Block Description Tables for Status Tree CSF-0.6, INVENTORY are presented on the following pages.
82208:10/010284 5 j
A BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.6 BLOCK DECISION: Pressurizer Level Less Than 92%
PURPOSE: To determine if pressurizer level is above the normal operating range BASIS:
This decision point allows proper resolution of the actual inventory condition in subsequent decision blocks. If pressurizer level is above the normal operating range due to excess inventory the condition is considered not satisfied and a YELLOW priority is warranted. The appropriate procedure for functior, restoration is FRP-I.1, RESPONSE TO HIGH PRESSURIZER LEVEL.
INSTRUMENTATION:
Pressurizer level indication 82208:10/010284 6
BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.6 BLOCK DECISION: Pressurizer Level Greater Than 15%
PURPOSE: To determine if pressurizer level is below the normal operating range 3A}J.S.:
This block is entered after having determined that pressurizer level is not high. If level is also not low, then the pressurizer inventory is considered satisfactory and a further question is asked about upper head temperature. If pressurizer level is not greater than 925, then the problem is one of low inventory, with or without voids in the vessel. The condition is considered a not satisfied condition and a YELLOW priority is warranted. The Core Cooling Status Tree checks for jeopardy or severe challenges to Inventory that also challenge the Core Cooling CSF. The appropriate procedure for function restoration is FRP-1.2, RESPONSE TO L0tt PRESSURIZER LEVEL.
INSTRUMENTATION:
Pressurizer level indication 0
4t200:10/010284 7
l BLOCK DESCRIPTION TABLE FOR STATUS TREE CSF-0.6 BLOCK DECISION: Upper Head Subcooling Greater than 23*F (189'F for adverse containment]* )
PURPOSE: To determine if voids exist in the reactor vessel upper head l BASIS:
Having determined that pressurizer level is normal, the remaining inventory question relates to water level in the reactor vessel. Upper head subcooling is used to determine if a steam void is present in the reactor vessel upper head.
The presence of an upper head void does not, in itself, represent a challenge to the Inventory Critical Safety Function. It is considered.a not satisfied condition and a YELLOW priority is warranted. The appropriate procedure for function restoration is FRP-I.3, RESPONSE TO VOIDS IN THE REACTOR VESSEL.
INSTRUMENTATION:
Upper head thermocouple temperature indication
- Farley Unit 1 to use 189'F, Unit 2 to use 223'F. Plant modifications are planned that will reduce the adverse containment values to approximately 78'F for each unit.
82208:10/010284 8
y: - - -
' , Y[I .
ENCLbSURE AW-83-9 AFFIDAVIT COMMONWEALTH 0F PENNSYLVANIA:
ss COUNTY OF ALLEGHENY:
Before me,'the . undersigned authority, personally appeared Robert A. Wiesemann, who, being by me duly sworn according to law, deposes and says that he is authorized to execute this Affidavit on behalf of Westinghouse Electric Corporation (" Westinghouse") and that the averments of fact set forth in this Affidavit are true and correct to the best of his know1 edge, information,.and belief:
/./4.dubits Robert A. Wiesemann, Manager Regulatory and Legis1ative Affairs Sworn to and subscribed, before me this c/7 day of 0tsu, Mil 1983.
/ , i Notary Public PAultTil stDNSEA ISTA2Y PU8UC IdOR!,0(YlLL1 Mto, AtitGNINT COUNff Mt COMIN$$10M 11PtAt$ MARCH 10.19M Nembet.Pennspreen Associaties of Notaties b m.m m_. a
e ,.
N AW-83-9 0
(1) I am Manager, Regulatory and Legislative Affairs, in the Nuclear Techno-logy Division, of Westinghouse Electric Corporation and as such, I have
, been specifically delegated the function of reviewing the proprietary information sought to be withheld from public disclosure in connection with nuclear power. plant licensing or rule-making proceedings, and an authorized to apply for its withholding on beha'1f of the Westinghouse Water Reactor Divisions.
(2) I am making this Affidavit in confomance with the provisions of 10CFR Section 2.790 of the Commission's regulations and in conjunction with the Westinghouse application for withholding accompanying this Affidavit.
(3) I have personal knowledge of the criteria and procedures utilized by Westinghause Nuclear Energy Systems in designating infomation as a trade secret, privileged or as confidential commercial or financial infomation.
(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.790 of the Copmission's regulations, the following is furnished for consideration by the Commission in detemining whether the infomation sought to be with-held from public disclosure should be withheld.
(i) The infomation sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse.
(11) The information is of a type customarily held in confidence by Westinghouse and not customarily disclosed to the public. Wes ti ng-house has a rational basis for detemining the types of infomation customarily held in confidence by it and, in that connection, utilizes a system to detemine when and whether to hole certain types of infomation in confidence. The application of that system and the substance of that system constitutes Westinghouse policy and provides the rational basis required.
., ( -
AW-83-9 y
Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in >
'the 1 css of an existing or potential competitive advantage, as follows: .
(a) The infcrmation reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.
(b)' It consists of supporting data, including test data, relative to
- . a process (or component, structure, tool, method, etc.), the application of.which data secures a competitive economic advan-tage, e.g. , by optimization or improved marketability.
(c ) Its use by a competitor would reduce his expenditure of resour-ces or improve his competitive position in the design, manufac-
~
ture, shipment, insta11a't,f on, 'as:urance of quality, or licensing
, a similar product.
(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers. .
(e) It reveals aspects of past, present, or future Westinghouse or custo'mer funded development plans and programs of potential .
commercial value to Westinghouse.
(f) It contains patentable ideas, for which patent protection may be desi rable.
N 0 v
6 - u_. y , ; .. r.oQ e
AW-83-9
- ha (g) It is not the property of Westinghouse, but must be treated as
- proprietary by Westinghouse according to agreements 'with the owner. .
There are soun.d policy reasons behind the Westinghouse system which include the following:
(a) ~ The use of information by Westinghouse gives Westinghouse a competit'ive advantage over its competitors. It is, therefore, withheld from disclosure to protect the Westinghouse competitive position.
~
(b) It is information which is marketable in many ways. The extent to which such information is available to competitors diminishes the Westinghouse ability to sell products and services involving the use of the information.
(c) 'Use by our competitor would put Westinghouse at a competitive disadvantage by reducing ,his expenditure of resourtes at our expense.
(d) Each component of proprietary information pertinent to a parti-cular competitive advantage is potentially as valuable as the total competitive advantage. If competitors acquire componants of proprietary information, any one component may be the key to i
the entire puzzle, thereby depriving Westinghouse of a competi-tive advantage.
(e) Unrestricted disclosure would jeopardize the position of promi-nence of Westinghouse in the world market, and thereby give a market advantage to the ccmpetition in those countries.
O b
ie _ _ . _ _ ____J
M.. .
T; *.
. ;. ~ g .
, ,y - ls
- AW-83-9 '
( ;,.. ..
(f) The Westinghouse capacity to invest corporate assets .in research f[_ 'and development dehends upon the success in obtaining and main-f; - -
taining 'a competitive advantage.
T. .
(iii) The infomation is being transmitted to the Commission in confidence
. -and, under the provisions of 10CFR Section 2.790, it is to be received in confidence by the Commission.
f(iv) The infomation sought to be protected is not available in public sources to the best of our knowledge and belief.
(v) -The proprietary infomation sought to be withheld in this submittal is that which is appropriately marked in.the Design Basis, Funutional Requirements, and Appendices of the Verif.ication und Ya11dation Process documents for the Safety Parameter Display System. The proprietary infomation as submitted is expected so be applicable in ,
licens'a and applicant submittals in response to certain NRC require-ments for justification of upgrades of Emergency. Response Capabili-ties.
The subject infomation could only be duplicated hiy competitors if they were to invest time and effort equivalent to that invested by Westinghouse provided they' have the requisite taTent and experie_nce.
Public oisclosure of this infomation is likely tto cause substantial ham to the competitive position of Westinghouse because it would simplify design and evaluation tasks without requiiring a commensurate
!, investment of time and effort.
'Further the deponent sayeth not.
- i eY
,