ML20114F561

From kanterella
Evaluation of Defense-in-Depth & Diversity in ABB-C-E Nuplex 80+ Advanced Control Complex for Sys 80+ Std Design

ML20114F561
Site: 05200002
Issue date: 09/30/1992
From: ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.)
To:
Shared Package: ML20114F560
List:
References: ALWR-IC-DCTR-31, NUDOCS 9210130178
Download: ML20114F561 (108)


Text

EVALUATION OF DEFENSE-IN-DEPTH AND DIVERSITY IN THE ABB-CE NUPLEX 80+ ADVANCED CONTROL COMPLEX FOR THE SYSTEM 80+ STANDARD DESIGN

ALWR-IC-DCTR-31

This document is the property of ABB Combustion Engineering Nuclear Power, Windsor, Connecticut and is to be used only for the purposes of the agreement with ABB Combustion Engineering Nuclear Power pursuant to which it is furnished.

September 1992

9210130178 920929 PDR ADOCK 05200002 PDR

TABLE OF CONTENTS

Section  Title  Page No.

1.0 INTRODUCTION  1
1.1 PURPOSE AND BACKGROUND  1
1.2 SUMMARY  2
1.3 CONCLUSIONS  4
2.0 SCOPE OF THE ASSESSMENT  12
2.1 ITEMS IN SCOPE  12
2.2 ITEMS NOT IN SCOPE  15
2.3 BASES OF THE EVALUATION  16
3.0 DESCRIPTION OF THE DESIGN APPROACH FOR DIVERSITY AND DEFENSE-IN-DEPTH  18
4.0 EVALUATION OF EVENTS  22
4.1 INCREASE IN HEAT REMOVAL BY THE SECONDARY SYSTEM  23
4.1.1 Decrease in Feedwater Temperature  24
4.1.2 Increase in Feedwater Flow  25
4.1.3 Increase in Main Steam Flow  26
4.1.4 Inadvertent Opening of Steam Generator Relief or Safety Valve  27
4.1.5 Steam Piping Failures Inside and Outside Containment  28
4.2 DECREASE IN HEAT REMOVAL BY THE SECONDARY SYSTEM  36
4.2.1 Loss of External Load  37
4.2.2 Turbine Trip  40
4.2.3 Loss of Condenser Vacuum  41
4.2.4 Main Steam Isolation Valve Closure  44
4.2.5 Steam Pressure Regulator Failure  45
4.2.6 Loss of Non-Emergency AC Power to the Station Auxiliaries  46
4.2.7 Loss of Normal FW Flow  47
4.2.8 Feedwater System Pipe Breaks  50
4.3 DECREASE IN RC FLOW  55
4.3.1 Total Loss of RC Flow  56
4.3.2 Flow Controller Malfunction  60
4.3.3 Single RCP Shaft Seizure  61
4.3.4 RCP Shaft Break  64
4.4 REACTIVITY AND POWER DISTRIBUTION ANOMALIES  65
4.4.1 Uncontrolled Control Element Assembly Withdrawal from Subcritical or Low Power Conditions  66
4.4.2 Uncontrolled Control Element Assembly Withdrawal at Power  68
4.4.3 Single Control Element Assembly Drop  69
4.4.4 Startup of an Inactive Reactor Coolant Pump  70
4.4.5 Flow Controller Malfunction  72
4.4.6 Inadvertent Deboration  73
4.4.7 Inadvertent Loading of a Fuel Assembly into the Improper Position  75
4.4.8 Control Element Assembly Ejection  76
4.5 INCREASE IN RCS INVENTORY  79
4.5.1 Inadvertent Operation of the ECCS  79
4.5.2 CVCS Malfunction - Pressurizer Level Control System  81
4.6 DECREASE IN RCS INVENTORY  82
4.6.1 Inadvertent Opening of a Pressurizer Safety/Relief Valve  83
4.6.2 Double Ended Break of a Letdown Line Outside Containment  83
4.6.3 Steam Generator Tube Rupture  87
4.6.4 Radiological Consequences of Main Steam Line Failure Outside Containment  92
4.6.5 Loss-of-Coolant Accident  93
4.7 RADIOACTIVE MATERIAL RELEASE FROM A SUBSYSTEM OR COMPONENT  99
4.7.1 Radioactive Gas Waste System Failure  99
4.7.2 Radioactive Liquid Waste System Failure  99
4.7.3 Postulated Radioactive Releases Due to Liquid Containing Tank Failures  99
4.7.4 Fuel Handling Accident  100
4.7.5 Spent Fuel Cask Drop Accident  101
REFERENCES  102
ACRONYM DEFINITIONS  103

1.0 INTRODUCTION

1.1 PURPOSE AND BACKGROUND

A meeting was held on March 2, 1992 between C-E and USNRC I&C branch representatives to discuss issues relating to the System 80+ I&C design (Reference 1). A primary concern of the NRC for digital I&C systems is the difficulty in demonstrating that there is no potential for a common mode failure of systems or channels which use the same software. If defense against common mode failures is not sufficiently addressed in a control system design, then there is potential that such a failure could disable multiple functions in the protection system controls. Although ABB-CE can demonstrate that the relative simplicity of the protection system software in NUPLEX 80+ and design characteristics such as deterministic performance, as well as the extensive verification and validation applied to the design, assure high reliability and essentially preclude any common mode software error, there appears to be no method currently established in the industry to prove that such an error will not occur. NRC stated that an analysis will be required to demonstrate that the NUPLEX 80+ approach to address the potential for common mode failures is acceptable.

This defense-in-depth analysis is not currently a formal licensing requirement, but is being requested by the staff to support certification.

This evaluation is intended to support resolution of the NRC staff request. The approach to address this concern presented here is to demonstrate the defense-in-depth characteristics designed into the NUPLEX 80+ control complex which minimize the impact of such a failure, if it is postulated to occur in spite of all precautions.

For most circumstances, the postulated failure would have no effect on the plant control functions being performed. In addition to providing isolation between the protection systems and normal process controls in the NUPLEX 80+ design, the protection system software used in the Plant Protection System (PPS) and the Engineered Safety Features Component Control System (ESF-CCS) (Type 1 software) is diverse from that used in the Process-CCS and the Alternate Protection System (Type 2). As a result, a common mode failure in the PPS or the ESF-CCS has no effect on normal plant control functions. Independent success paths are provided in the Type 1 and Type 2 systems which are sufficient to achieve the critical safety functions for the most probable plant events. For example, the Alternate Protection System provides an independent path for initiating reactor trip and emergency feedwater flow. The purpose of this analysis is to show the extent that these defense-in-depth characteristics of the NUPLEX 80+ design minimize the potential impact of a postulated common mode software failure on achieving critical plant safety functions in the response to plant events. A qualitative assessment is provided of the capability of NUPLEX 80+ to respond to each of the event initiators of CESSAR-DC Chapter 15 with the assumption that a pre-existing common mode failure prevents all automatic responses of both the PPS and the ESF-CCS. In addition, subsequent manual operation of the protection system via the ESF-CCS interface is also precluded. The evaluation also assumes the Discrete Indication and Alarm System (DIAS) is not valid for use by the operator in diagnosing and following the event, since DIAS is not specified as requiring technology diverse from the RPS and ESF-CCS.

1.2 SUMMARY

This analysis assesses the capability of the NUPLEX 80+ design to respond to the event initiators in Chapter 15 of CESSAR-DC, with a postulated common mode software failure of the protection system controls. The failure is postulated to cause a pre-existing fault which prevents all automatic actions by the systems using Type 1 software and prevents all manual control of protection systems through interfaces which use Type 1 software. The PPS, ESF-CCS and DIAS are identified as the systems which use Type 1 software in the current NUPLEX 80+ design. The analysis applies best estimate assumptions for control system actions and plant responses via independent success paths provided principally by the Alternate Protection System (APS), Process-CCS, Power Control System, operator action and the hardwired manual reactor trip.

Based on NRC input, the analysis does not postulate the occurrence of a control system single failure in combination with the common mode failure and the Chapter 15 event initiator. Best estimate performance is assumed for normal control system actions. A reasonable operator response is assumed, for example, manual initiation of a reactor trip in 10 minutes if appropriate indications of the need are available.

For each Chapter 15 event initiator, an assessment is provided which 1) identifies the critical functions to be addressed in responding to the event, 2) identifies the implications of the postulated common mode failure on the NUPLEX 80+ response to the event and 3) identifies the method of coping with the failure using independent success paths to support the affected critical functions. Areas in which further analysis is being considered to support the conclusions are identified. For some low frequency events, potential modifications to the NUPLEX 80+ design are identified for providing coping methods for some critical functions if the Type 1 systems are assumed to be totally unavailable. These are summarized in the report conclusions.

1.3 CONCLUSIONS

An appraisal of the coping methods available in NUPLEX 80+ to respond to plant events with the postulated common mode software failure is provided in Table 1.3-1 for each of the Chapter 15 event initiators. The table also identifies the frequency category typically assigned to these events, per Reference 4. As shown in the table, coping methods involving automatic normal controls, the APS and reasonable operator action are sufficient to result in a best estimate transient that is no more severe than that determined in the Chapter 15 analysis for all events in the "Moderate Frequency" category.

The table indicates some events in the lower frequency "Limiting Fault" category for which alternate means would be beneficial in achieving a critical function if the response is to be provided entirely independent of systems using Type 1 software. These modifications and the associated events are summarized in Table 1.3-2. It can be seen that two of the modifications identified would only be needed to provide an alternate means of responding to a postulated LOCA. The probability of a LOCA should be considered further with regard to the need for including LOCA as a basis for back-up systems to defend against a software design error. These are each discussed in more detail in the following text.

Areas in which further analysis may be needed to verify the qualitative assessment are identified in Table 1.3-1 and summarized in Table 1.3-3.


1.3.1 Modification of APS to Initiate Reactor Trip on Low RCS Pressure

The current design of the APS provides for initiation of a reactor trip on high pressurizer pressure. As shown in Table 1.3-2, a modification to also trip on low pressurizer pressure would benefit the response for three limiting fault events as well as one event in the infrequent category.

1.3.2 Alternate Feedwater Actuation System (AFAS)

The CESSAR-DC description of the AFAS design indicates that the AFAS sends isolated signals to the ESF-CCS to actuate the emergency feedwater pumps and valves. This documentation error should be changed, and CESSAR-DC modified accordingly, such that the AFAS actuates the emergency feedwater components without reliance on the ESF-CCS. (This evaluation was done on the basis of the design so modified, not the design as it is currently described in CESSAR-DC.) Means should be considered for an MCR AFAS interface to allow operator control of EFW components for RCS heat removal and control of SG level.

1.3.3 Automatic Main Steam Line Isolation Valve (MSIV) Closure (and Manual Opening)

Provision of an alternate means for initiating automatic MSIV closure would primarily benefit the response to a Main Steam Line Break (LF1). A rapid automatic closure of MSIVs is needed to limit containment pressure during this event. In addition, this would benefit the response for a feed-line break or steam generator tube rupture. The additional provision of manual opening capability would allow use of the main condenser for cooldowns via the unaffected steam generator.

1.3.4 Automatic Initiation of Containment Sprays and Safety Injection

Provision of alternate means for automatic initiation of containment sprays would benefit the response to a main steam line break (LF1) or a large break LOCA (LF3). Automatic initiation of safety injection is needed only for response to a LOCA, which is in the lowest frequency category (LF3).

1.3.5 Manual Closure of Letdown Isolation and Containment Isolation Valves

Alternate means to close at least one letdown line isolation valve will benefit the response to a letdown line break (LF1). Alternate means to manually initiate closure of containment isolation valves would benefit the response for a LOCA (LF3).


TABLE 1.3-1
APPRAISAL OF COPING METHODS FOR COMMON MODE SOFTWARE FAILURE

Event Initiator | Frequency Category (Note 1) | Appraisal of Coping Methods

1.1 DECR FW TEMP | MF | Automatic normal controls provide adequate response. (See Note 2.)
1.2 INCR FW FLOW | MF | Automatic normal controls provide adequate response.
1.3 INCR STEAM FLOW | MF | Automatic normal controls + operator action in 30 minutes to reduce turbine load or trip turbine.
1.4 INADV STEAM DUMP | MF | Automatic normal controls + operator action in 30 minutes to reduce turbine load.
1.5 MAIN STEAM LINE BREAK | LF1 | Modify APS for low pressure trip. Evaluation of resulting power excursion. Alternate means for rapid MSIV closure (8 seconds). Alternate means for rapid initiation of containment sprays (74 seconds). Local control of ADVs and SCS components, or recover common mode failure.
2.1 LOSS EXTERNAL LOAD | MF | Automatic normal controls provide adequate response.
2.2 TURBINE TRIP | MF | Automatic normal controls provide adequate response.
2.3 LOSS CONDENSER VAC | MF | Automatic normal controls provide adequate response in the short term, then the operator has several hours to either recover condenser vacuum or shutdown the plant using normal controls (or recover the common mode failure).
2.4 MSIV CLOSURE | MF | Automatic normal controls provide adequate response in the short term, then the operator has several hours to either reopen the MSIV or shutdown the plant using normal controls (or recover the common mode failure).
2.5 N/A | |
2.6 LOSS OF AC | MF | Addressed in evaluation of 3.1 LOSS OFFSITE POWER.
2.7 LOSS NORMAL FEED | MF | Automatic normal controls and the APS provide adequate response.
2.8 FEED PIPE BREAKS | LF1 | APS provides reactor trip and emergency feed. Alternate means for manual MSIV closure needed to isolate the leak and thereby stop dumping to the containment.
3.1 LOSS OFFSITE POWER | MF | Assure that MG sets lose power; or verify that the APS trip at 2400 psia maintains DNBR margin during RCP coastdown. Evaluate that the 10 minute start of Alternate AC is adequate for providing emergency feed or startup feed. Local control of ADVs and SCS components.
3.2 N/A | |
3.3 RCP SHAFT SEIZURE | LF1 | Evaluation of DNBR margin with 3 RCPs at full power, or modify the APS to trip on low reactor coolant flow (or analyze time for manual action to keep fuel damage within 10CFR100 release limits). Normal automatic controls maintain other functions.
3.4 RCP SHAFT BREAK | LF1 | Same as 3.3 RCP SHAFT SEIZURE except that the DNBR evaluation may be more limiting.
4.1 UNCONTROLLED CEA - LOW POWER | MF | Automatic normal controls and the APS provide adequate response.
4.2 UNCONTROLLED CEA AT POWER | I | Automatic normal controls and the APS provide adequate response.
4.3 SINGLE CEA DROP | MF | Automatic normal controls provide adequate response. Operator action using normal controls & indications can increase margins.
4.4 STARTUP OF INACTIVE RCP | MF | Automatic normal controls provide adequate response.
4.5 N/A | |
4.6 INADVERTENT DEBORATION | MF | Automatic normal controls and operator action (to terminate dilution in 38 minutes) provide adequate response. As a backup, the APS provides an automatic reactor trip.
4.7 IMPROPER LOADING OF FUEL ASSY | LF1 | Automatic normal controls provide adequate response.
4.8 CEA EJECTION | LF2 | Automatic normal controls and the APS provide adequate control of reactivity and heat removal. The leak is sufficiently small to allow time for local control of SI components if needed. Containment sprays and isolation can also be performed using local control of components. (Further evaluation may be needed to demonstrate these conclusions.)
5.1 INADVERTENT SIS ACTUATION | MF | Automatic normal controls provide adequate response.
5.2 PLCS MALFUNCTION | MF | Automatic normal controls + operator action in 45 minutes provide adequate response.
6.1 INADVERTENT PRZR RELIEF VLV OPENING | I |
6.2 LETDOWN LINE BREAK | LF1 | Automatic normal controls + alternate means for the operator to close at least one letdown isolation valve within 15 minutes.
6.3 STEAM GENERATOR TUBE RUPTURE | LF1 | Automatic normal controls + (operator action to trip reactor in 15 minutes, or modify the APS to trip on low pressurizer pressure). Alternate means for manual initiation of MSIV closure, individually for each steam generator.
6.4 N/A | |
6.5 LOCA | LF3 | Modify APS to trip reactor on low pressurizer pressure. Alternate means for rapid initiation of at least 2 SI trains (20 seconds for L.B. LOCA, 50 seconds for S.B. LOCA). Use of local control of containment isolation valves to limit radiological release. Alternate means for rapid initiation of containment sprays (4 minutes for L.B. LOCA).

Note 1: MF = Moderate Frequency, I = Infrequent, LF = Limiting Fault.
Note 2: Adequate Response = The described coping method results in a transient that is enveloped by the corresponding Chapter 15 analysis.

TABLE 1.3-2
NUPLEX 80+ MODIFICATIONS TO BE CONSIDERED FOR COPING WITH COMMON MODE FAILURE

Modifications for Consideration | Event(s) Addressed | Frequency Category

1) Automatic APS trip on low pressurizer pressure. | For: 1.5 Main Steam Line Break | LF1
   | 6.1 Inadvertent Opening of Pressurizer Relief Valve | I
   | 6.5 LOCA | LF3
   | Also Beneficial For: 6.3 SGTR - Eliminates the need for operator initiation of manual trip in 15 minutes. | LF1
2) Alternate means for automatic MSIV closure. | For: 1.5 Main Steam Line Break (8 seconds) | LF1
   | Also Beneficial For: 2.8 Main Feed Line Break - Eliminates need for alternate means for manual closure. | LF1
   | 6.3 Steam Generator Tube Rupture - Eliminates need for alternate means for manual closure. | LF1
3) Alternate means for automatic containment spray initiation. | For: 1.5 Main Steam Line Break (74 seconds) | LF1
   | 6.5 Large Break LOCA (4 minutes) | LF3
4) Alternate means for manual closure of (at least one) letdown isolation valve. | For: 6.2 Letdown Line Break (15 minutes) | LF1
5) Alternate means for rapid initiation of SI trains. | For: 6.5 LOCA | LF3
6) Alternate means for manually initiating containment isolation. | May Be Needed For: 6.5 LOCA | LF3

TABLE 1.3-3
FURTHER EVALUATIONS TO BE CONSIDERED FOR DEMONSTRATING COPING METHODS

Evaluations to be Considered | Event(s) Addressed | Frequency Category

1) Analysis of the capability of the APS trip on low pressurizer pressure to mitigate a power excursion during an excess cooling event. | For: 1.5 Main Steam Line Break | LF1
2) Evaluation of whether the 10 minute start of Alternate AC is adequate for providing feed flow (via emergency or startup feed system) when other AC power is unavailable. | For: 3.1 Loss of Offsite Power | MF
3) Analysis of DNBR margin at full power with primary coolant flow provided by 3 RCPs. Alternately, analysis to demonstrate that fuel damage is adequately limited if a reactor trip is initiated manually. | For: 3.3 RCP Shaft Seizure | LF1
   | 3.4 RCP Shaft Break | LF1

2.0 SCOPE OF THE ASSESSMENT

2.1 ITEMS IN SCOPE

This evaluation reviews the defense in depth capability of the NUPLEX 80+ design to provide means of mitigating CESSAR Chapters 15 and 6 events with an assumed common mode software failure of the RPS and ESF-CCS.

1. The common mode software failure is postulated to be pre-existing when the plant disturbance occurs and to prevent both the RPS and the ESF-CCS from providing any actuation or control (automatic or manual) of their associated safety equipment.

As a result, the following safety system actuations are not initiated by the RPS or ESF-CCS (except for the event initiators caused by MSIV Closure, Section 4.2.4, and Inadvertent SI Actuation, Section 4.5.1):

- Reactor Trip
- Safety Injection Actuation
- Containment Isolation Actuation
- Containment Spray Actuation
- Main Steam Isolation
- Emergency Feedwater Actuation

Also, the following systems can not be actuated from the MCR through the ESF-CCS as a result of the postulated failure:

- Atmospheric Dump Valves
- Safety Depressurization System
- Shutdown Cooling System
- Component Cooling Water (safety-grade portions)
- Service Water (safety-grade portions)
- HVAC (safety-grade portions)
- Emergency Diesel Generators

RPS and ESF-CCS data passed to the Data Processing System (DPS) is not assumed to be valid, although the DPS display and alarm information from other sources including the P-CCS and PCS is valid.

In addition, it is postulated that the Discrete Indication and Alarm System (DIAS) is affected by the common mode failure, since DIAS is not currently specified as using a diverse technology from that of the RPS and ESF-CCS. DIAS drives alarm windows and discrete indicators for key variables and components. The DPS is redundant to DIAS in providing this information to the operator.

2. With the postulated failure, the NUPLEX 80+ systems which remain available to the operator for mitigating plant events from the MCR are as follows:

a. The Process Component Control System, which includes:

- Alternate Reactor Trip Signal (ARTS)
- Steam Bypass Control System (SBCS)
- Main Feedwater Control
- Pressurizer Level Control
- Pressurizer Pressure Control

and provides interface for control of the following systems:

- Chemical and Volume Control System
- Reactor Coolant System (RCS)
- Main Steam System
- Feedwater System
- Condensate System
- Waste Management System
- Cooling Water Systems (non-safety portions)
- HVAC System (non-safety portions)
- Turbine Generator Auxiliaries
- Electrical Distribution Systems
- Gas Turbine Generator

b. The Power Control System, which includes:

- Megawatt Demand Setter (MDS)
- Reactor Power Cutback System (RPCS)
- Reactor Regulation
- Control Element Assembly Motion Control
- CEDM Power Control

c. The Manual Reactor Trip provided in the Main Control Room and at the Remote Shutdown Panel. This trip goes directly to the Reactor Trip Switchgear and is not part of the Plant Protection System.

d. Indication, Displays, and Alarms provided by the Data Processing System (DPS).

The focus of the evaluation is upon actions that can be taken from the Main Control Room via a, b and c above. However, manual actions that can be taken locally may also be included in some cases to provide a more complete picture of the levels of defense which remain available.

2.2 ITEMS NOT IN SCOPE

2.2.1 This assessment does not examine the diversity and distribution of all event-mitigating features within the control (Process Component Control System), reactor trip (Reactor Protective System), and engineered safety features (Engineered Safety Features Component Control System) systems. This has been covered by:

1. C-E Standard Safety Analysis Report (CESSAR):

Chapter 6 - Engineered Safety Features
Chapter 7 - Instrumentation and Controls
Chapter 8 - Electrical Systems
Chapter 9 - Auxiliary Systems
Chapter 10 - Steam and Power Conversion Systems
Chapter 15 - Safety Analyses
Chapter 18 - Man Machine Interface

2. NRC Requests for Additional Information (RAI's), and C-E Responses:

420.6, 420.7, 420.12, 420.13, 420.17, 420.23, 420.25, 420.26, 420.28, 420.32, 420.33, 420.37, 420.38, 420.51, 420.52, 420.56

These RAI's and responses address Defense-in-Depth and Diversity.

2.2.2 This evaluation does not examine the possibility or cause of the postulated common-mode failure described in 2.1 and 2.3.1. In this particular regard, this evaluation may thus be considered dissimilar from References 2 and 3, which mechanistically predict a number of ways in which common-mode failures can exist in the designs that were examined.

2.2.3 Once an available success path is identified in the evaluation, others are not necessarily identified. Therefore, not all success paths that could be considered as a part of a level of defense are examined.

2.3 BASES FOR THE EVALUATION

2.3.1 A pre-existing common-mode software failure (CMF) of the RPS is postulated, such that Reactor Protection System trips listed in CESSAR-DC Table 15.0-2 do not actuate. Concurrently, a pre-existing common-mode failure of the ESF-CCS is postulated, such that equipment actuated and/or controlled through the ESF-CCS does not actuate. The failure to actuate includes both automatic and manual actuation.

2.3.2 The ESF-CCS CMF is assumed to not preclude the Alternate Feedwater Actuation Signal (AFAS) actuation of Emergency Feedwater System pumps and valves being initiated on low steam generator level. The CESSAR-DC description (7.7.1.1.11, and Figure 7.3-1c), which currently describes the AFAS sending isolated signals to the ESF-CCS to actuate emergency feedwater components, will be modified accordingly to reflect a design which actuates the emergency feedwater system without reliance on the ESF-CCS.

2.3.3 This evaluation is done mainly on the events (or combination of events) described in CESSAR-DC Chapters 15 and 6 as "limiting" (for an event type) and presented in Chapters 15 and 6 in analytical detail. This evaluation also includes examination of some non-limiting event types to determine if the bases and assumptions of this evaluation may in some way cause them to be more adverse than the previously determined "limiting" event within an event type.

2.3.4 The single failure for each evaluated event is encompassed by 2.3.1 and 2.3.2. The single failures listed in CESSAR-DC Table 15.0-4 are therefore not assumed to also occur. Per CESSAR-DC Section 15.0.1.4, this table includes low probability dependent failures (e.g., loss of offsite power following turbine trip) and independent pre-existing failures (e.g., failure of an emergency feedwater pump). Interactive control system failures more limiting than those listed in Table 15.0-4 are also not assumed to occur in this evaluation. For this evaluation, high probability dependent, adverse occurrences are assumed to occur (e.g., loss of main feedwater pumps following a loss of electrical power, where loss of power is an initiating event), as done in Chapter 15.

2.3.5 P-CCS and PCS control systems are assumed to be in the automatic mode and to respond as designed unless the control system or a controlled component within the plant system is the event initiator.

2.3.6 Initial conditions for the event, and for Alternate Protection System trip and actuations, are assumed at their nominal values.


3.0 DESCRIPTION

Of lilE DESIGN APPROACil TOR DIVERSITY AND DEFENSE-IN-Ilf. Ell!

The Nuplex 80+ approach for diversity and defense-in-depth involves multiple means to achieve a high confidence in the  ;

hardware and software reliability, to provide a robust capability to limit the effects of a hardware or software fault, and to provide means for the plant staff to cope with events concurrent-with such faults in the unlikely event they occur.

A. Eliminate Predictable Common Mode Failures (CMF's)

Predictabic CHF's are avoided through Seismic and Electro-Magnetic Interference (EMI) qualification, Aging Analyses, and geographic separation of equipment into separate zones ,

for liVAC, fire, and security.

B. 01sian for flich Reliability to Reduce CMF Potential for SAf.bfirk C-E employs a defense in depth approach to eliminate common mode software errors as a concern for the Nuplex 80+-  ;

instrumentation and control systems. This approach is-summarized as follows:

Deterministic Desian - The algorithm execution in the Nuplex 80+ control and protection systems is deterministic. This means that all data is updated en a continuous cycle and all programs execute on a continuous basis, without interrupts.

This approach makes the software easier to design, verify ,

and validate. The potential for hidden errors is significantly lower than in other designs which include multi-tasking, event based execution, event based data communication, or interrupts. None of these non-

1 TS2(PCM19)/1r19 deterministic features exists in the Huplex 80+ control and protection systems.

Simplicity I

RPS and ESF actuation functions are accomplished with  ;

programmable logic controls (PLC's), which are widely used, i simple, proven digital devices that utilize ladder 'iogic without branching, interrupts or other complex features.  ;

Programming and testing PLC's to accomplish the required functions is easily understood and verified.

Field Proven Product 1 - Operating system software for Nuplex 80+ 1&C systems is selected with three (3) years minimum of field experience in similar applicatior.s. These products ,

are mature and, therefore, judged to be free of infant design errors, y_erification and Validation - For custom software generated by C-E, a comprehensive V&V program is employed, including ,

independent document review and independent test. C-E has been using this approach to produce reliable, qualified Class IE CPC software for more than fifteen (15) years.

Application software is subjected to a documented, rigorous V&V program. Independence is maintained between software development and verification personnel. Utility-Owner configuration controls are also imposed throughout the software life eye'1. Tho'V&V program minimizes th'e potential for introduction of common mode software errors during the design phase and during commissioned lifa of the system.

TS2(PCM19)/1r 20 Seamentation - Within all Nuplex 80+ systems, including the PPS, ESF-CCS, and Process-CCS, functions are divided into separate processors. Segmentation within each PPS channel ensures that two different trip functions are available in two separate processors for each design basis event.

Similarly, within ESF-CCS Trains A and B, ESFAS functions such as SIAS and EFAS are distributed to separate control processors. Within the Process-CCS critical plant control functions, such as inventory control, heat removal, etc.,

are distributed to separate control processors. The potential for simultaneous errors in these multiple processors is minimized, since functional diversity is a

utilized and since software execution is asynchronous.

Diversity - Diversity offers the final defense against common mode failures. All critical safety functions, such as reactivity control, inventory control and heat removal, can be controlled by both the control systems and the protection systems. These systems are functionally diverse, as are the fluid/mechanical systems they control. In addition, to correspond with the hardware diversity of these fluid/mechanical systems, C-E employs both hardware and software diversity between control and protection I&C systems to eliminate the potential for common mode failures.

This diversity exists in all software-based aspects of these systems, including processors, multiplexers, communication networks and MMI devices. This same diversity philosophy is applied between DIAS and DPS to ensure availability of control room information.


C. Evaluate Defense-in-Depth

Nuclear industry studies of I&C systems have shown mechanistic ways in which individual common mode faults or sneak paths can compromise portions of the lines of defense for plant events. These studies have not verified that all such potential faults or paths have been evaluated.

The basis for the evaluation documented herein is that CMFs (however slight their potential, and independent of however many evaluations of how they may occur are done) can be postulated to occur. As a result, the remaining diverse lines of defense outside the postulated failure must be adequate to deal with plant events.


4.0 EVALUATION OF EVENTS

This evaluation is focused primarily on event initiators as described in CESSAR Chapters 15 and 6. Since this evaluation is largely based on comparison to these Chapters, the reader is referred to them for background material on identification of the events and causes, sequence of events and system operation, and analysis of effects and causes; however, note that Section 2.3 includes several bases for this evaluation that differ from Chapter 15.

Events are evaluated in terms of maintenance or restoration of critical functions for reactivity control, core heat removal, RCS heat removal, RCS inventory control, RCS pressure control, containment isolation, and containment environment. Where any of these critical functions are not discussed in the evaluation, the event is not expected to result in a threat to those critical functions. For selected events, tables of key critical functions and success paths are provided to assist in describing the level of defense.


4.1 INCREASE IN HEAT REMOVAL BY THE SECONDARY SYSTEM

For this class of events, one or more of the following will be present (* = alarmed):

a. Loud noise indicative of a high energy steam line break
b. Decreasing RCS average temperature (*)
c. Increase in feedwater flow (until isolated)
d. Increase in steam flow (until isolated); increase (*) in containment temperature, pressure, humidity, and sump level
e. Valve-open position indications for turbine bypass valve or atmospheric dump valve
f. Decrease in feedwater temperature
g. Trip of high pressure feedwater heater drain tank pump (*)
h. Increase in turbine control valve position indication
i. Decreasing RCS pressure (*)
j. Increasing reactor power (*)
k. Decreasing steam generator pressure (*)


4.1.1 Decrease in Feedwater Temperature

A decrease in feedwater temperature can result from a loss of feedwater heating, such as from trip of the high pressure feedwater heater drain tank pump. The maximum feedwater temperature decrease due to a failure in the main feedwater system is 400°F.

The feedwater temperature decrease causes a decrease in RCS temperatures, an increase in reactor power due to a negative moderator coefficient, and a decrease in reactor coolant system and steam generator pressures. Plant control systems (reactor regulating, pressurizer pressure, pressurizer level, and steam generator level) would act to stabilize the processes and restore parameters towards their normal control bands. Alarms are initiated for low pressurizer pressure, low steam generator pressure, and high linear power, if the perturbation is sufficient to exceed normal control regions.

The effects of this event on the RCS temperature decrease are less than for the Inadvertent Opening of a Steam Generator Atmospheric Dump Valve (IOSGADV) (4.1.4), as is the resultant decrease in DNBR.

CONCLUSIONS

No reactor trip or ESF operation is required for this event; the event consequences are bounded by the IOSGADV event (Section 4.1.4). There is no impact on the defense-in-depth and diversity in the current design.


4.1.2 Increase in Feedwater Flow

An increase in feedwater flow is caused by the further opening of a feedwater control valve or an increase in the feedwater pump speed. The maximum increase at full power is less than 40% above nominal for the main feedwater system. Similar to the Decrease in Feedwater Temperature (4.1.1), the effects of an increase in feedwater flow are less severe than the IOSGADV event (Section 4.1.4). Refer to Section 4.1.1 for discussion of the effects of this event.

CONCLUSIONS

No reactor trip or ESF actuation is required for this event; the event consequences are bounded by the IOSGADV event (4.1.4). There is no impact on the defense-in-depth and diversity in the current design.


4.1.3 Increase in Main Steam Flow

This event may be caused by an inadvertent increased opening of the turbine control valves, either through operator error or a turbine control system fault. The resulting flow increase is no more than 11% more than the nominal full power steam flow rate.

Events caused by opening of a turbine bypass valve or atmospheric dump valve are discussed separately in Section 4.1.4.

Similar to the Increase in Feedwater Flow (Section 4.1.2) and Decrease in Feedwater Temperature (Section 4.1.1), the effects of an increase in main steam flow are less severe than the IOSGADV event (Section 4.1.4).

CONCLUSIONS

No reactor trip or ESF actuation is required for this event; the event consequences are bounded by the IOSGADV event (4.1.4). There is no impact on the defense-in-depth and diversity in the current design.


4.1.4 Inadvertent Opening of a Steam Generator Relief or Safety Valve

An atmospheric dump valve (ADV) or a turbine bypass valve may be inadvertently opened by the operator or may open due to a failure of the control system which operates the valve. A steam generator safety valve will remain open only as a result of a valve failure.

The opening of any of these valves will result in similar consequences because they relieve steam at the same maximum flow rate (less than or equal to 11% of full power turbine flow rate). The inadvertent opening of a steam generator atmospheric dump valve (IOSGADV) is presented here to illustrate these events.

The ADV opening increases heat removal by the steam generators, causing cooldown of the RCS. With a negative moderator coefficient, core power begins to increase above its initial nominal value. The control systems for pressurizer pressure, pressurizer level, reactor regulating, and steam generator level respond to the changing conditions to retard the change of process variables from their nominal values.

REACTIVITY CONTROL

The Reactor Regulating System (RRS) uses inputs from reactor neutron flux (power), turbine load (usually first stage turbine pressure) and coolant temperatures to adjust reactor coolant temperature and follow turbine load changes within established limits. For this event, the RRS would maintain reactor power and RCS average temperature at or near their initial values.

Changes in reactor power, CEA position, and RCS temperatures would be indicated and alarmed. For the purposes of this evaluation, it is assumed the operator manually trips the reactor at 30 minutes into the event.

After the reactor is tripped, the open ADV would cause a cooldown below the normal no-load RCS temperatures. However, the added reactivity (with a negative moderator coefficient) is not expected to cause a return to criticality.

RCS HEAT REMOVAL

After the reactor (and as a result, the turbine) is tripped at 30 minutes, the steam bypass control system (SBCS) may open turbine bypass valves to relieve any excess steam flow and pressure caused by the reactor power decreasing more slowly than the steam flow to the turbine. The open ADV would tend to reduce the amount of time, if any, that the turbine bypass valves were opened by the SBCS, and would negate the need for the turbine bypass valves to remain open for decay heat and RCP heat removal. Main feedwater remains available for RCS heat removal.

At 20 minutes after the reactor and turbine trip it is assumed that the ADV is manually shut. This can be done local to the ADV or turbine bypass valve with a handwheel. The operator would then control SG pressure with the SBCS to restore SG pressure and RCS temperature to nominal no-load conditions.

CONCLUSIONS

The event can be mitigated without automatic reactor trip or ESF-CCS actuation. Manual action to trip the reactor and to locally close the ADV is assumed here to be 30 minutes and 50 minutes, respectively, into the event, which were also assumed in the CESSAR Chapter 15 analysis. Defense-in-depth and diversity in the current design are not affected.

Although 50 minutes for ADV closure was assumed, some longer time to close the valve would also be expected to be acceptable. However, means via the Process-CCS controls in the MCR should be considered for closure of ADVs.

4.1.5 Steam Pipe Failure, Inside or Outside of Containment

A large steam leak will cause excess cooling of the RCS, thereby initiating a power excursion which would require a reactor trip. Isolation of the leak is necessary to regain control of heat removal. The emergency feedwater system has sufficient condensate supply to support dumping steam to the atmosphere when using the secondary system for continued heat removal. If the leak is inside the containment, then containment heat removal is needed to limit containment pressure.

REACTIVITY CONTROL

Calculations indicate that at nominal conditions a large steam line leak can release steam at a rate equivalent to 200% of the total nominal full power steam flow. The resulting decrease in the primary coolant temperature due to the excess heat removal would result in a power excursion. As shown in the CESSAR-DC analysis, whether at full power or zero power, a reactor trip is needed to introduce sufficient negative reactivity to compensate for the reduced coolant temperature.

Note also that RCS Heat Removal, below, also affects reactivity control.

Implications of the Common Mode Failure and Method of Coping

The assumed protection system failure precludes the automatic PPS reactor trip which would occur on variable overpower, low steam generator pressure or high containment pressure, depending on the initial plant condition and the size and location of the leak. Since RCS pressure would be decreasing, the automatic APS trip on high pressurizer pressure would also not occur. The turbine protection system would initiate an automatic turbine trip, to which the Reactor Power Cutback System would respond by dropping 1 or 2 CEA subgroups, initiating a rapid power reduction. Although this response would help to mitigate the power excursion, a reactor trip is necessary to introduce sufficient negative reactivity to compensate for the reduced coolant temperature. Although the severity of the event would be expected to have a high certainty of prompting operator action to manually trip the reactor if an automatic trip did not occur, an automatic low pressure APS trip would be an effective back-up to the PPS and should be considered.

Potential Resolution for Uncertainties

Further evaluation may be needed to demonstrate that an APS trip on low pressurizer pressure is adequate to terminate the initial power excursion.

RCS HEAT REMOVAL (Initial)

The excess heat removal must be controlled in order to limit the reduction in coolant temperature (and also maintain reactivity control). Although isolation of feed supply to the steam generators would reduce the total heat removal through the leak, excess heat removal would continue as the inventory in the steam generators is boiled off through the leak. Therefore, the leak flow must be restricted as soon as possible in order to provide an immediate decrease in the excess heat removal.

A cross header connects the main steam lines from the two steam generators. Prior to closing the MSIVs, steam is dumped through the leak from both steam generators. If the leak is downstream of the MSIVs, then closure of the MSIVs will stop the leak flow and end the cooldown. If the leak is upstream of one of the MSIVs, then closing the MSIVs will not entirely stop the leak flow, but would reduce it, since steam would subsequently be supplied to the leak by only one steam line on one steam generator. The other steam generator, referred to as "unaffected", would subsequently be isolated from the leak and would no longer contribute to the excess cooling transient. Therefore, excess heat removal would either be terminated or reduced by the MSIV closure.

For the affected steam generator with a steam leak upstream of an MSIV, the operator can manually close the feed to that steam generator. This isolation of the feed supply to the steam generator will isolate the leak and terminate excess cooling when the steam generator boils dry. The operator can also reduce heat removal in the affected steam generator by tripping the RCPs in the associated coolant legs.

Implications of the Common Mode Failure and Method of Coping

The assumed protection system failure precludes an automatic PPS actuation of the main steam isolation valves (MSIVs) and main feed isolation valves. Automatic initiation of MSIV closure on low steam generator pressure by the APS would provide the necessary rapid reduction in steam flow through the leak and should be considered for the APS.

Indications for SG level and RCS temperature would be in DPS CRT displays for the operator to determine the need to isolate feed flow to the affected steam generator. The normal feed supply could be isolated via the normal controls for the feedwater regulating valves. Means should be considered for an MCR AFAS interface to allow operator control of EFW components for RCS heat removal and control of SG level.

The operator is normally involved in monitoring the plant and tripping RCPs as needed to mitigate overcooling. DPS indications would be available in the control room to monitor the RCS temperature and other appropriate parameters and to control the RCPs. The assumed common mode failure of the safety system software would not affect the associated indications or control interfaces.

Potential Resolution for Uncertainties

Further evaluation should be considered to determine the appropriate alternate means to be implemented for controlling the MSIVs. Options include use of control interfaces to the air supply if a pneumatic valve design is implemented, or to the power supply to the pumps which would be used for a hydraulic valve design.

Further evaluation is needed to demonstrate that the alternate means of closing the MSIVs in combination with operator actions to isolate the feed supply and trip appropriate RCPs would result in a sufficiently rapid isolation to limit overcooling of the reactor core, such that a return to power would be adequately mitigated.

RCS INVENTORY CONTROL

Excess heat removal can result in a decrease in effective RCS inventory due to coolant shrinkage as temperature decreases. If isolation of the feed flow to the affected steam generator is delayed, then safety injection flow may be needed to maintain level in the reactor vessel above the top of the hot leg.


Implications of the Common Mode Failure and Method of Coping

The assumed common mode software failure precludes automatic actuation of the safety injection flow. However, operator action to isolate the feed flow and trip the RCPs (as described above) should limit the excess heat removal such that inventory control would be adequately maintained by the normal response of the CVCS.

Potential Resolution of Uncertainties

Further evaluation is needed to demonstrate that the operator's action to isolate the feed flow to the affected steam generator would limit the excess cooling of the RCS such that the charging pumps would be able to adequately maintain the RCS inventory.

CONTAINMENT ENVIRONMENT CONTROL

A large steam leak inside the containment will cause a rapid increase in temperature and pressure within the containment due to steam from the steam generator upstream of the leak. The MSIVs need to be closed rapidly (in approximately 8 seconds) to limit passage of steam from the other steam generator and the steam header through the leak and thereby limit the peak containment pressure and temperature. The containment sprays must be initiated rapidly (spray flow in approximately 74 seconds) to limit the peak containment pressure and temperature.


Implications of the Common Mode Failure and Method of Coping

The postulated common mode software failure precludes automatic actuation of the containment spray and generation of the MSIS by the PPS. For large steam line breaks inside the containment, an alternate means of initiating containment spray and main steam isolation would be needed.

Potential Resolution of Uncertainties

Further evaluation is needed to determine if the potential probability for the postulated common mode failure of the protection system software coincident with a large steam line break is sufficient to justify development of alternate means for rapid initiation of main steam isolation and containment sprays.

RCS HEAT REMOVAL (POST-ISOLATION)

After the leak is isolated, the intact portions of the secondary system can be used for continued heat removal.

If the leak is downstream of the main steam isolation valves, then both steam generators can be used for heat removal. After the MSIVs are closed, steam release through the main steam safety valves would maintain heat removal. The local manual control (handwheels) of atmospheric dump valves would be used to control secondary pressure. Feedwater would be provided by the Emergency Feedwater System.

If the leak is upstream of the main steam isolation valves, then the same paths are used for heat removal but only through the unaffected steam generator.

Implications of the Common Mode Failure and Method of Coping

The postulated common mode software failure precludes control of the atmospheric dump valves via the ESF-CCS interface in the control room. However, local control can be used to operate these valves.

As described above, the Emergency Feedwater System would have been actuated automatically by the APS.

CONCLUSIONS

The potential probability for the postulated CMF coincident with a large steam line break should be evaluated. Pending the results of that evaluation, the following conclusions apply.

A low pressure APS reactor trip should be considered and evaluated. An APS action for MSIV closure on low SG pressure should also be considered and evaluated. The effects and timing of operator action to isolate emergency feed and trip RCPs to limit overcooling should be evaluated.


4.2 DECREASE IN HEAT REMOVAL BY THE SECONDARY SYSTEM

For this class of events, any one or more of the following may be present (* = alarmed):

a. Decreasing steam generator water level (*)
b. Increasing steam generator pressure (*)
c. Main feedwater pump trip (*)
d. Low main feedwater flow (possible high flow for a feedwater line break)
e. Low main feedwater pump suction pressure (*)
f. Loss of offsite power conditions (one or more of):
   Transformer status (*)
   Breaker status (*)
   Diesel generator auto-start
   RCP trouble (*)
   Condenser vacuum (*)
   Low RCS flow indications
g. Station Blackout conditions (one or more of):
   Loss of control room lighting
   Equipment "uncontrollable" status indications
   Tripped breaker indications on 13.8 and 4.16 kV buses (*)
   Items listed in f. above


4.2.1 Loss of External Load (Table 4.2.1)

The loss of external load event is caused by the disconnection of the turbine-generator from the electrical distribution grid. This results in a turbine-generator runback to "house" load (approximately 5%) via turbine control valves reducing steam flow from the steam generators to the turbine.

REACTIVITY CONTROL

Since steam flow to the turbine is reduced, reactor power must be quickly reduced to limit RCS and steam generator heatup and pressure increase.

Implications of the Common Mode Failure and Method of Coping

The postulated failure precludes an automatic RPS reactor trip on high pressurizer pressure.

The SBCS and RPCS accommodate the load rejection without necessitating reactor trip, by automatically bringing the NSSS to a stable reduced power level. Upon sensing the rapid decrease in steam flow, the SBCS provides a power cutback demand signal to the RPCS, resulting in the simultaneous dropping of one or more pre-selected groups of full strength CEAs into the core such that a reactor trip is not required.

RCS HEAT REMOVAL

Continued secondary heat removal is required to limit the temperature and pressure excursion of the primary coolant.

Implications of the Common Mode Failure and Method of Coping

The SBCS and RPCS control actions automatically bring the RCS to a stable reduced power level. The SBCS can continue to be used for RCS heat removal and cooldown until the Shutdown Cooling System is engaged.

The main feedwater system would continue to be available via normal controls. The normal automatic plant responses for control of RCS heat removal would be unaffected by the postulated common mode failure.

CONCLUSIONS

No reactor trip or ESF-CCS controlled components are required for mitigation of this event, and there is no impact on diversity or defense-in-depth in the current design.


TABLE 4.2.1 LOSS OF EXTERNAL LOAD

Key success paths nominally available and usable in the current design under failed PPS/ESF-CCS conditions, listed against the Chapter 15 analysis. "Automatic" paths need no operator action; the last line of each entry lists paths available from the MCR or by manual local action.

Reactivity Control
  Ch. 15 Analysis: Reactor Trip on High Pressurizer Pressure
  Automatic: RPCS drop of selected CEAs; ARTS Reactor Trip (high pressurizer pressure)
  From MCR, or by manual local action: Reactor Trip Breakers (at the breakers); Safety Injection (via Motor Control Centers); Manual Insertion of CEAs; CVCS Boration

Core Heat Removal
  Ch. 15 Analysis: Natural Circulation
  Automatic: Forced Circulation

RCS Heat Removal (Feedwater)
  Ch. 15 Analysis: Main Feedwater; Emergency Feedwater on Low SG Level
  Automatic: Main Feedwater; Emergency Feedwater on Low SG Level (AFAS)
  From MCR, or by manual local action: Emergency Feedwater (via Motor Control Centers)

RCS Heat Removal (Steam)
  Ch. 15 Analysis: SG Safety Valves (initial); SBCS (cooldown); Atmospheric Dump Valves (cooldown)
  Automatic: SBCS (initial and cooldown); SG Safety Valves (initial)
  From MCR, or by manual local action: Atmospheric Dump Valves (manual handwheel)
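The evaluation basis of Section 3.C (strike out whatever the postulated common mode failure touches, then ask whether the remaining diverse lines of defense still cover each critical function) and the segmentation rule of Section 3 (two trip functions on two processors per design basis event) are both the same check: remove one failure domain and count what survives. The Python below is an added example written for this page; it is not code from the ABB-CE report or from the Nuplex 80+ design. The success-path lists follow Table 4.2.1 and the Section 4.1.5 discussion, but the dependency tags (which software family or processor each path needs), the processor allocation and the path names are constructed assumptions for illustration only.

```python
# Added example (not from the ABB-CE report). Models the Section 3.C method:
# postulate a common mode failure (CMF) of one or more I&C software families,
# strike every success path that depends on them, and report which critical
# functions still have a diverse path. Dependency tags, processor allocation
# and path names are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class SuccessPath:
    name: str
    depends_on: frozenset   # failure domains the path cannot work without
    automatic: bool = True  # False = needs operator action (MCR or local)


def path(name, *domains, automatic=True):
    return SuccessPath(name, frozenset(domains), automatic)


# Failure-domain tags (constructed). A CMF of PPS or ESF-CCS software is the
# case the report postulates; the others are the diverse systems it credits.
PPS, ESF, APS, RPCS, PCCS, LOCAL = (
    "PPS-software", "ESF-CCS-software", "APS", "RPCS", "Process-CCS", "manual-local")

# Loss of External Load, following Table 4.2.1 (function -> candidate paths).
LOSS_OF_LOAD = {
    "reactivity control": [
        path("PPS reactor trip on high pressurizer pressure", PPS),
        path("RPCS drop of selected CEA groups", RPCS),
        path("ARTS reactor trip on high pressurizer pressure", APS),
        path("reactor trip breakers opened locally", LOCAL, automatic=False),
        path("CVCS boration", PCCS, automatic=False),
    ],
    "RCS heat removal (feedwater)": [
        path("main feedwater via normal controls", PCCS),
        path("emergency feedwater on low SG level (EFAS)", ESF),
        path("emergency feedwater on low SG level (AFAS)", APS),
        path("emergency feedwater via motor control centers", LOCAL, automatic=False),
    ],
    "RCS heat removal (steam)": [
        path("SG safety valves"),  # passive relief: no I&C dependency
        path("SBCS turbine bypass", PCCS),
        path("atmospheric dump valves by local handwheel", LOCAL, automatic=False),
    ],
}

# Large steam line break inside containment, following Section 4.1.5, where
# the rapid actions are credited to the PPS alone.
STEAM_LINE_BREAK = {
    "reactivity control": [
        path("PPS trip (overpower, low SG pressure, high containment pressure)", PPS),
        path("operator manual reactor trip", PCCS, automatic=False),
    ],
    "main steam isolation (rapid)": [path("MSIS from PPS", PPS)],
    "containment spray (rapid)": [path("CSAS from PPS", PPS)],
    "RCS heat removal (post-isolation)": [
        path("emergency feedwater actuated by APS (AFAS)", APS),
        path("atmospheric dump valves by local handwheel", LOCAL, automatic=False),
    ],
}


def surviving_paths(paths, failed_domains):
    """Paths that do not depend on any failed domain."""
    failed = frozenset(failed_domains)
    return [p for p in paths if not (p.depends_on & failed)]


def evaluate(event, failed_domains):
    """Per critical function: (surviving automatic paths, surviving manual paths)."""
    report = {}
    for function, paths in event.items():
        alive = surviving_paths(paths, failed_domains)
        report[function] = ([p.name for p in alive if p.automatic],
                            [p.name for p in alive if not p.automatic])
    return report


def uncovered_functions(event, failed_domains, need_automatic=False):
    """Critical functions left with no diverse path under the postulated CMF.

    With need_automatic=True manual paths do not count, which is the question
    the report asks for actions needed within seconds (MSIV closure, spray).
    """
    return [function
            for function, (auto, manual) in evaluate(event, failed_domains).items()
            if not auto and (need_automatic or not manual)]


# Same check one level down: segmentation inside a single PPS channel, where a
# processor is the failure domain and an event must keep a trip function after
# any one processor is lost. The allocation is constructed.
CHANNEL_TRIPS = {
    "variable overpower": "processor-1",
    "high pressurizer pressure": "processor-1",
    "high containment pressure": "processor-1",
    "low SG pressure": "processor-2",
    "low SG level": "processor-2",
}
CHANNEL_EVENTS = {
    "steam line break": ["variable overpower", "low SG pressure", "high containment pressure"],
    "loss of external load": ["high pressurizer pressure"],
    "loss of normal feedwater": ["high pressurizer pressure", "low SG level"],
}


def segmentation_gaps(events=CHANNEL_EVENTS, trips=CHANNEL_TRIPS):
    """Events whose credited trip functions all sit on one processor."""
    gaps = []
    for event, credited in events.items():
        paths = [path(t, trips[t]) for t in credited]
        processors = {trips[t] for t in credited}
        if any(not surviving_paths(paths, {proc}) for proc in processors):
            gaps.append(event)
    return gaps
```

With the postulated CMF set to {PPS, ESF}, `uncovered_functions(LOSS_OF_LOAD, {PPS, ESF})` is empty, matching the Table 4.2.1 conclusion, while `uncovered_functions(STEAM_LINE_BREAK, {PPS, ESF})` returns the rapid main steam isolation and containment spray functions, which is the gap Section 4.1.5 flags for further evaluation; `segmentation_gaps()` reports the constructed event whose only credited trip function shares a processor with nothing else.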


4.2.2 Turbine Trip

A turbine trip may result from a number of conditions which cause the turbine-generator trip system to initiate a turbine trip signal, causing closure of the turbine stop valves and control valves. In contrast to the Loss of Load (4.2.1), for which the turbine-generator runs back to about 5% and supplies unit AC power, the turbine trip event results in unit power being supplied by off-site power.

In other respects, this event is effectively the same as the 4.2.1 Loss of Load event, and is therefore not examined further here.


4.2.3 Loss of Condenser Vacuum (Table 4.2.3)

A loss of condenser vacuum may occur due to the failure of the circulating water system to supply cooling water, failure of the main condenser evacuation system to remove noncondensible gases, or excessive air in-leakage. The turbine is assumed to trip immediately on low condenser vacuum coincident with the cause for the loss of condenser vacuum.

REACTIVITY CONTROL

Since the turbine has tripped, reactor power must be quickly reduced to limit the RCS and steam generator heatup and pressure increase.

Implications of the Common Mode Failure and Method of Coping

The postulated failure precludes an automatic reactor trip on high pressurizer pressure.

The RPCS would receive a signal from the SBCS to reduce reactor power by simultaneous drop of one or more preselected full strength CEA groups into the reactor core, such that a reactor trip is not required.

In addition, the Alternate Reactor Trip System would trip the reactor in the event RCS pressure rose to the trip setpoint.

RCS HEAT REMOVAL

Continued secondary heat removal limits the temperature and pressure excursion of the primary coolant and assists in mitigating the approach to fuel limits.

Implications of the Common Mode Failure and Method of Coping

The SBCS is interlocked such that low condenser vacuum prevents the steam bypass valves from opening. However, the secondary safety valves will open if necessary to limit the secondary pressure increase and provide a heat sink for the RCS. Local manual control of Atmospheric Dump Valves is also available.

The RPCS will have reduced reactor power, such that RCS temperature and pressure would stabilize at a point consistent with transferral of RCS energy to the steam generators relieving steam at the SG safety valve setpoint. Main feedwater continues to be available from the condensate storage tanks, and the AFAS will actuate Emergency Feedwater if steam generator level reaches the AFAS setpoint. The emergency feedwater storage is sufficient for 8 hours at hot standby conditions. The operator would begin restoration of condenser vacuum. The operator can manually trip the reactor or reduce power by a controlled CEA insertion.

CONCLUSIONS

No reactor trip or ESF-CCS controlled components are required for event mitigation, and there is no impact on diversity or defense-in-depth in the current design.

TABLE 4.2.3 LOSS OF CONDENSER VACUUM

Key success paths nominally available and usable in the current design under failed PPS/ESF-CCS conditions, listed against the Chapter 15 analysis. "Automatic" paths need no operator action; the last line of each entry lists paths available from the MCR or by manual local action.

Reactivity Control
  Ch. 15 Analysis: Reactor Trip on High Pressurizer Pressure
  Automatic: RPCS drop of selected CEAs; ARTS Reactor Trip (high pressurizer pressure)
  From MCR, or by manual local action: Reactor Trip Breakers (at the breakers); Safety Injection (via Motor Control Centers); Manual Insertion of CEAs; CVCS Boration

Core Heat Removal
  Ch. 15 Analysis: Natural Circulation
  Automatic: Forced Circulation

RCS Heat Removal (Feedwater)
  Ch. 15 Analysis: Emergency Feedwater on Low SG Level
  Automatic: Main Feedwater; Emergency Feedwater on Low SG Level (AFAS)
  From MCR, or by manual local action: Emergency Feedwater (via Motor Control Centers)

RCS Heat Removal (Steam)
  Ch. 15 Analysis: SG Safety Valves (initial); Atmospheric Dump Valves (cooldown)
  Automatic: SG Safety Valves (initial)
  From MCR, or by manual local action: Atmospheric Dump Valves (manual handwheel)

4.2.4 Main Steam Isolation Valve Closure

The Main Steam Isolation Valve (MSIV) closure event is initiated by the closure of all MSIVs due to a spurious closure signal.

The rapid decrease in steam flow and steam pressure at the turbine would cause an immediate turbine runback due to turbine-generator throttle pressure limiter action (see Section 4.1.4 for description).

The effects of this event are essentially the same as the Loss of Condenser Vacuum (Section 4.2.3) for the following reasons:

1. A turbine trip signal is generated in both cases.
2. For both cases, SBCS would sense a rapid steam flow reduction and send a signal to the RPCS to reduce reactor power.
3. For both cases, the SBCS could not relieve steam from the steam generator to the condenser.
4. Main feedwater remains available in both cases.

Like the loss of condenser vacuum event, the RCS temperature and pressure stabilize at a point consistent with an RPCS-induced reactor power reduction (from which the operator manually trips the reactor or inserts CEAs).

CONCLUSIONS

No reactor trip or ESF-CCS controlled components are required for event mitigation, and there is no impact on diversity or defense-in-depth in the current design.


4.2.5 Steam Pressure Regulator Failure

This event does not apply to the System 80+ design.

It is included in the event listing of this evaluation to provide event order and section numbering consistent with CESSAR-DC Chapter 15 (which also lists, but does not evaluate, this event).

4.2.6 Loss of Non-Emergency AC Power to the Station Auxiliaries

The loss of non-emergency AC power to the station auxiliaries may result from either a complete loss of the external grid or a loss of the on-site AC distribution system.

For the purposes of this evaluation, this event is equivalent to 4.3.1 Total Loss of Reactor Coolant Flow. Please refer to Section 4.3.1 for an evaluation of this event.


4.2.7 Loss of Normal Feedwater Flow (Table 4.2.7)

The loss of normal feedwater flow may be initiated by losing one or both main feedwater pumps or by a spurious signal being generated by the feedwater control system, resulting in a closure of the feedwater control valves. This causes decreasing water level and increasing pressure and temperature in the steam generators. The RCS pressure and temperature also rise.

REACTIVITY CONTROL

The postulated RPS failure precludes a reactor trip on high pressurizer pressure or low steam generator level. If the feedwater control valve closure were the initiator, the ARTS would generate a reactor trip on high pressurizer pressure. If the loss of feedwater were due to loss of both main feedwater pumps, the RPCS would reduce reactor power, mitigating the initial RCS pressure and temperature increase. Because the RPCS function is designed to compensate for the loss of one but not both main feedwater pumps, the reactor power and turbine load after the RPCS action would be in the range of 50% to 60% of full power. Steam generator water level would continue to decrease, since emergency feedwater flow is not sufficient for steam flows in this range. As pressurizer pressure increased, the ARTS would generate a reactor trip on high pressurizer pressure.

RCS HEAT REMOVAL

Emergency feedwater flow is automatically initiated by the AFAS on low steam generator water level, assuring sufficient steam generator inventory for core decay heat removal.

An ARTS reactor trip would lead to a turbine trip via loss of power to the CEDMCS. The resulting steam flow decrease leads to SBCS action to open turbine bypass valves to relieve excess SG pressure and stabilize the NSSS at hot no-load conditions.

CONCLUSIONS

Reactor trip is provided by the ARTS high pressurizer pressure trip if required. No ESF-CCS controlled components are required for event mitigation. There is no impact on diversity or defense-in-depth in the current design.


TABLE 4.2.7 LOSS OF NORMAL FEEDWATER FLOW

Key success paths nominally available and usable in the current design under failed PPS/ESF-CCS conditions, listed against the Chapter 15 analysis. "Automatic" paths need no operator action; the last line of each entry lists paths available from the MCR or by manual local action.

Reactivity Control
  Ch. 15 Analysis: Reactor Trip on High Pressurizer Pressure or on Low SG Level
  Automatic: RPCS drops CEAs if FW pump trip; ARTS Reactor Trip (high pressurizer pressure) if FW valve closure
  From MCR, or by manual local action: Manual Reactor Trip; Reactor Trip Breakers (at the breakers); Safety Injection (via Motor Control Centers); Manual Insertion of CEAs; CVCS Boration

Core Heat Removal
  Ch. 15 Analysis: Natural Circulation
  Automatic: Forced Circulation

RCS Heat Removal (Feedwater)
  Ch. 15 Analysis: Emergency Feedwater on Low SG Level
  Automatic: Emergency Feedwater on Low SG Level (AFAS)
  From MCR, or by manual local action: Emergency Feedwater (via Motor Control Centers)

RCS Heat Removal (Steam)
  Ch. 15 Analysis: SG Safety Valves (initial); SBCS (cooldown)
  Automatic: SBCS (initial and cooldown); SG Safety Valves (initial)

_ - ~ -

4.2.8 Feedwater System Pipe Breaks (Table 4.2.8)

The feedwater line break is initiated by a breach of the main feedwater system piping. For the purposes of this evaluation, it is assumed that the break is downstream of the feedwater line reverse flow check valves that are located between the steam generator feedwater nozzles and the containment penetrations. This results in the blowdown of one (the "ruptured") steam generator, while the other ("intact") steam generator incurs blowdown up until MSIV closure. Breaks upstream of the check valves result in a loss of main feedwater (see Section 4.2.7), but neither of the steam generators blows down.

Feedline breaks causing SG blowdown can induce either an RCS heatup or cooldown, depending upon the ruptured SG heat transfer characteristics and the enthalpy of the blowdown flow. For the purposes of this evaluation, like the Chapter 15 evaluation, it is assumed that an RCS heatup results. The results of an RCS cooldown due to an SG rupture are covered by Section 4.1.5, Steam Piping Failures.

The feedwater line break also depletes the normal supply of condensate and the steam generator inventory, necessitating that main feedwater or emergency feedwater be fed to the intact steam generator to limit the RCS heatup.

The functional objectives for responding to a feedline break, and the associated success path options available if a common mode failure of the PPS and ESF-CCS is assumed, are as follows:


REACTIVITY CONTROL

Decreasing core heat generation reduces the steam generator inventory and condensate lost through the leak prior to the leak's isolation. It also decreases the demand for subsequent heat removal and the amount of RCS heatup.

Implications of the Common Mode Failure and Method of Coping

The postulated PPS failure precludes an automatic PPS reactor trip on high pressurizer pressure or low SG level. The ARTS would provide a reactor trip on high pressurizer pressure at a setpoint of approximately 2420 psia, which could be expected to occur within 40 sec, based on the RCS pressure rise shown in CESSAR 15.2.8.
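The diverse trip path described above, as an added illustration (example code written for this edit, not code from ABB-CE or the Nuplex 80+ design): four redundant PPS channels voting 2-out-of-4 beside the diverse ARTS trip. The 2420 psia ARTS setpoint and the expectation of a trip within about 40 sec come from the evaluation; the 2400 psia PPS setpoint, the channel count and voting logic, and the linear pressure ramp are assumptions constructed for the example. It shows why redundancy alone does not cope with a software common-mode failure while a diverse system does, and what is lost if the "diverse" trip shares the failed software.

```python
"""Diverse trip-logic model: redundant PPS channels vs. the diverse ARTS trip.

Added example for this evaluation; not code from ABB-CE or the Nuplex 80+
design. Setpoint of 2420 psia and the "within 40 sec" expectation are from
the text; everything else below is an assumption for illustration.
"""
from typing import List, Optional, Set, Tuple

ARTS_HIGH_PZR_PRESSURE_PSIA = 2420.0  # nominal ARTS setpoint stated in the evaluation
PPS_HIGH_PZR_PRESSURE_PSIA = 2400.0   # assumed PPS setpoint (not given on this page)
PPS_CHANNELS = 4                      # assumed: four redundant channels
PPS_COINCIDENCE = 2                   # assumed: 2-out-of-4 coincidence logic


def pps_channel_bistable(pressure: float, channel_failed: bool) -> bool:
    """One PPS bistable. A software common-mode failure is modelled as the
    channel never asserting its trip output, whatever the input."""
    if channel_failed:
        return False
    return pressure >= PPS_HIGH_PZR_PRESSURE_PSIA


def pps_trip(pressure: float, failed_channels: Set[int]) -> bool:
    """Coincidence vote over the redundant channels. Redundancy defeats random
    single-channel failures, but identical software in every channel means one
    defect can fail all four at once."""
    votes = sum(
        pps_channel_bistable(pressure, ch in failed_channels)
        for ch in range(PPS_CHANNELS)
    )
    return votes >= PPS_COINCIDENCE


def arts_trip(pressure: float, arts_failed: bool) -> bool:
    """Diverse ARTS trip: different hardware and software from the PPS, so the
    PPS common-mode failure does not propagate to it unless we say it does."""
    if arts_failed:
        return False
    return pressure >= ARTS_HIGH_PZR_PRESSURE_PSIA


def first_trip(trace: List[Tuple[int, float]], failed_channels: Set[int],
               arts_failed: bool) -> Optional[Tuple[int, str]]:
    """Walk a (time_s, pressure_psia) trace and return (time, source) of the
    first trip signal, or None if neither system ever trips."""
    for t, p in trace:
        if pps_trip(p, failed_channels):
            return (t, "PPS")
        if arts_trip(p, arts_failed):
            return (t, "ARTS")
    return None


def constructed_pressure_trace(start_psia: float = 2250.0, ramp_psi_per_s: float = 4.5,
                               duration_s: int = 60) -> List[Tuple[int, float]]:
    """Constructed linear RCS pressure rise (not plant data): nominal pressure
    rising fast enough to reach 2420 psia before 40 s, consistent with the
    evaluation's expectation for the feedline break heatup."""
    return [(t, start_psia + ramp_psi_per_s * t) for t in range(duration_s + 1)]


def evaluate_scenarios() -> dict:
    """Trip time and source for a set of failure assumptions."""
    trace = constructed_pressure_trace()
    return {
        "no_failure": first_trip(trace, set(), False),
        "one_channel_failed": first_trip(trace, {0}, False),
        "three_channels_failed": first_trip(trace, {0, 1, 2}, False),
        "pps_cmf": first_trip(trace, {0, 1, 2, 3}, False),
        "pps_cmf_and_nondiverse_arts": first_trip(trace, {0, 1, 2, 3}, True),
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:30s} -> {result}")
```

With the constructed ramp the PPS trips first whenever at least two channels still work; once three or four channels share the failure the ARTS is the only automatic trip, at 38 s, inside the 40 sec the evaluation expects; and if the ARTS were built on the same failed software there is no automatic trip at all, which is the case the manual and local success paths in the tables exist for.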

RCS HEAT REMOVAL

Isolation of the leak limits the loss of steam generator inventory and the loss of condensate, thus extending the amount of time to re-establish main feedwater or provide emergency feedwater. These steps are necessary in order to limit RCS heatup.

Implications of the Common Mode Failure and Method of Coping

The postulated ESF-CCS failure precludes an automatic actuation of MSIV closure on low steam generator pressure or high containment pressure.

Indications (and alarms) noted in Section 4.0 show a secondary system leak may be occurring. Further, the ARTS has shut the plant down, rather than an RPS trip, which should have been the "first-out" reason for the plant trip. Failure of the MSIV's to shut indicates the ESF-CCS has not actuated. The nature and location of the secondary leak may not be apparent to the operator with certainty. However, upon determining that steam generator isolation is needed and that the protection system has not accomplished it, the operator would initiate closure of the MSIV's by alternate means (see Potential Resolution for Uncertainties).

Following MSIV closure, the steam generator pressure response should indicate the extent to which the leak has been isolated from the steam generators. If the pressure in one steam generator does not recover, heat removal can be accomplished with the other, intact steam generator either by use of the Main Steam Safety Valves; or by opening the MSIV on the intact SG and using the turbine bypass system and the main condenser; or through use of the ADV for the intact SG.

Potential Resolution for Uncertainties

Provision of means should be evaluated for manually and/or automatically (low SG pressure) initiating direct closure of the MSIV's via the Process-CCS controls in the control room. Means should also be evaluated for manually opening the MSIV's, to allow use of the main condenser for cooldown via the turbine bypass valves.

RCS HEAT REMOVAL

If the feedwater leak were upstream of the feedline check valves, steam generator blowdown would not result. If sufficient main feedwater is not available to the steam generators, emergency feedwater would be required. If the feedline break were downstream of the feedwater line check valves, emergency feedwater could be used to supply the intact SG. Emergency feedwater would be actuated to the intact SG on low SG level.

Emergency feedwater to the ruptured SG is assumed to flow out the feedline break along with the fluid blowdown from the SG. With the MSIV's closed, steam can be taken from the steam generators through the main steam safety valves or via the ADV's. Use of the turbine bypass system would require reopening the MSIV on the unaffected SG.

CONCLUSIONS

MSIV closure is an important component activation for this event, to reduce loss of SG inventory and to assist in differentiating the ruptured SG from the intact SG. Opening the MSIV is necessary to use the turbine bypass valves for plant no-load SG pressure control and cooldown. Evaluation of MCR means for MSIV control via the Process-CCS should be done. Further evaluation of the radiological release versus time to isolate the affected SG also may be required for outside-containment breaks; as is evaluation of non-safety containment cooling (to limit containment pressure rise) versus time to isolate the affected SG for inside-containment breaks.


TABLE 4.2.8  FEEDWATER SYSTEM PIPE BREAK

Key Success Paths Nominally Available and Usable in Current Design Under Failed PPS/ESF-CCS Conditions

Key Critical Function: Reactivity Control
  Ch. 15 analysis success paths:  Reactor Trip on High Pressurizer Pressure
  From MCR, or automatic:         - Manual Reactor Trip
                                  - ARTS Reactor Trip
                                  - Manual Insertion of CEA's
                                  - CVCS Boration
  By manual local action:         - Reactor Trip Breakers (at the breakers)
                                  - Safety Injection (via Motor Control Centers)

Key Critical Function: Core Heat Removal
  Ch. 15 analysis success paths:  Natural Circulation
  From MCR, or automatic:         - Forced Circulation
  By manual local action:         (none listed)

Key Critical Function: RCS Heat Removal - Feedwater
  Ch. 15 analysis success paths:  Emergency Feedwater on Low SG Level
  From MCR, or automatic:         - Emergency FW on Low SG Level (AFAS)
                                  - Main Feedwater (for small breaks upstream of check valves)
  By manual local action:         - Emergency Feedwater (via Motor Control Centers)

Key Critical Function: RCS Heat Removal - Steam
  Ch. 15 analysis success paths:  SG Safety Valves (initial); SBCS (cooldown);
                                  MSIV Closure on Low SG Pressure (isolate intact SG from affected SG)
  From MCR, or automatic:         - SG Safety Valves
                                  - Steam Bypass Control System
  By manual local action:         - Atmospheric Dump Valves (handwheel)
                                  - MSIV Closure (locally isolate and bleed air from valve pneumatic operator)
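The success-path tables can be derived mechanically from a list of paths and the controller each one depends on. The following is an added example (not code from the evaluation or from ABB-CE) that encodes Table 4.2.8 and re-derives the "available under failed PPS/ESF-CCS" columns. The controller assigned to each path, and the split of MSIV closure out of the steam row into its own "SG isolation" function, are assumptions made for the example; the emergency feedwater on low SG level (AFAS) path is tagged as available only because the table lists it that way. It also checks the uncertainty raised above: with PPS and ESF-CCS failed, SG isolation survives only as a local manual action, and adding the proposed MCR closure via the Process-CCS removes that gap.

```python
"""Success-path coverage under an assumed common-mode failure (CMF).

Added example for this evaluation; not code from ABB-CE or part of the
Nuplex 80+ design. The `system` tag on each path is an assumption made for
the example, not a statement of the design.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class SuccessPath:
    function: str  # key critical function served
    name: str
    system: str    # controller the path depends on; "none" = passive or hand-operated
    where: str     # "auto", "mcr" (operator, from the control room) or "local"


# Constructed from Table 4.2.8 (feedwater system pipe break); system tags assumed.
FEEDLINE_BREAK_PATHS: List[SuccessPath] = [
    SuccessPath("reactivity control", "Reactor trip on high pressurizer pressure", "PPS", "auto"),
    SuccessPath("reactivity control", "ARTS reactor trip", "APS", "auto"),
    SuccessPath("reactivity control", "Manual reactor trip", "none", "mcr"),
    SuccessPath("reactivity control", "Manual insertion of CEA's", "Process-CCS", "mcr"),
    SuccessPath("reactivity control", "CVCS boration", "Process-CCS", "mcr"),
    SuccessPath("reactivity control", "Reactor trip breakers (at the breakers)", "none", "local"),
    SuccessPath("reactivity control", "Safety injection (via motor control centers)", "none", "local"),
    SuccessPath("core heat removal", "Natural circulation", "none", "auto"),
    SuccessPath("core heat removal", "Forced circulation", "Process-CCS", "auto"),
    SuccessPath("RCS heat removal (feedwater)", "Emergency feedwater on low SG level (AFAS)", "AFAS", "auto"),
    SuccessPath("RCS heat removal (feedwater)", "Main feedwater (small breaks upstream of check valves)", "Process-CCS", "auto"),
    SuccessPath("RCS heat removal (feedwater)", "Emergency feedwater (via motor control centers)", "none", "local"),
    SuccessPath("RCS heat removal (steam)", "SG safety valves", "none", "auto"),
    SuccessPath("RCS heat removal (steam)", "Steam bypass control system", "Process-CCS", "auto"),
    SuccessPath("RCS heat removal (steam)", "Atmospheric dump valves (handwheel)", "none", "local"),
    SuccessPath("SG isolation", "MSIV closure on low SG pressure", "ESF-CCS", "auto"),
    SuccessPath("SG isolation", "MSIV closure (locally isolate and bleed air from valve operator)", "none", "local"),
]

# The CMF postulated throughout Section 4: PPS and ESF-CCS software fail together.
CMF_PPS_ESFCCS: Set[str] = {"PPS", "ESF-CCS"}

# The resolution the evaluation proposes for this event (hypothetical path).
PROPOSED_MSIV_PATH = SuccessPath(
    "SG isolation", "MSIV closure from MCR via Process-CCS (proposed)", "Process-CCS", "mcr")


def lost_paths(paths: List[SuccessPath], failed_systems: Set[str]) -> List[SuccessPath]:
    """Paths whose controller is in the failed set, in table order."""
    return [p for p in paths if p.system in failed_systems]


def coverage(paths: List[SuccessPath], failed_systems: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Per critical function: surviving paths usable automatically or from the
    MCR, and those that need local manual action."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for p in paths:
        report.setdefault(p.function, {"auto_or_mcr": [], "local": []})
        if p.system in failed_systems:
            continue
        bucket = "local" if p.where == "local" else "auto_or_mcr"
        report[p.function][bucket].append(p.name)
    return report


def functions_needing_local_action(paths: List[SuccessPath], failed_systems: Set[str]) -> List[str]:
    """Critical functions left with no automatic or MCR path under the CMF;
    these are the gaps a defense-in-depth review must resolve or justify."""
    return sorted(f for f, r in coverage(paths, failed_systems).items()
                  if not r["auto_or_mcr"])


if __name__ == "__main__":
    print("lost:", [p.name for p in lost_paths(FEEDLINE_BREAK_PATHS, CMF_PPS_ESFCCS)])
    print("local-only:", functions_needing_local_action(FEEDLINE_BREAK_PATHS, CMF_PPS_ESFCCS))
    print("with proposed MCR path:",
          functions_needing_local_action(FEEDLINE_BREAK_PATHS + [PROPOSED_MSIV_PATH], CMF_PPS_ESFCCS))
```

The same function answers the broader question the evaluation keeps returning to: widening the failed set to include the Process-CCS and APS as well shows which functions then rest on passive equipment or hand operation alone, which is the case the local-action column of each table documents.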

4.3 DECREASE IN REACTOR COOLANT FLOW

For this class of events, one or more of the following will be present (* - alarmed):

a. Decreased RCS flow (*)
b. Increasing RCS average temperature (*)
c. Increasing RCS pressure (*)
d. Increasing pressurizer level (*)
e. See also 4.2.a through 4.2.g.


4.3.1 Total Loss of Reactor Coolant Flow

This event is caused by the simultaneous loss of power to the 13.8 kV electrical buses supplying the Reactor Coolant Pumps. The only credible failure that can result in the simultaneous loss of power to these buses is a complete loss of offsite power to the unit main and auxiliary transformers, which would also result in a turbine-generator trip and loss of normal electrical power to station equipment.

REACTIVITY CONTROL

Rapid reactor power reduction is necessary to limit RCS heatup and pressure increase as a result of the turbine trip.

Implications of the CMF and Method of Coping

Loss of power to the 4.16 kV non-safety buses would result in a loss of power to the motor-generator sets that provide power to the Control Element Drive Mechanisms, such that the CEA's fall into the reactor core by gravity. In addition, the turbine-generator trip would result in a Reactor Power Cutback signal being initiated for selected banks of CEA's to be dropped.

The drop of the CEA's would be expected to occur several seconds into the transient, because (1) the CEA motor-generator sets include flywheels, and (2) the turbine-generator (T/G) trip and RPCS sensing of the T/G trip would require a brief time for completion.

An additional line of defense is the ARTS reactor trip on high pressurizer pressure at a nominal value of 2420 psia.


CORE HEAT REMOVAL

Core heat removal is achieved by natural circulation, prior to which the DNBR decreases during RCP coastdown.

Implications of the CMF and Method of Coping

The postulated failure precludes a reactor trip on low RCP speed.

The loss of reactor coolant flow rapidly decreases the DNBR prior to the core power reduction resulting from the CEA drop, at which point the DNBR reaches its minimum value. For this evaluation, it is concluded the DNBR may go somewhat below the specified acceptable fuel design limit DNBR of 1.24. This is because (1) the CEA drop initiation time could be somewhat longer than in the CESSAR-DC Chapter 15 analysis (low RCP speed trip at 0.85 sec; CEA's start dropping at 1.95 sec), but (2) this evaluation assumes nominal initial conditions, whereas Chapter 15 assumes all initial conditions are at their extreme adverse values.

Potential Resolution of Uncertainties

Quantitative evaluation of the DNBR transient for this event is needed to determine if, or how many, fuel pins experience a DNBR of less than 1.24. However, it is qualitatively concluded that the number of such pins would be relatively small, such that the resulting radiological consequences would be expected to be well within the 10 CFR 100 guidelines.

RCS HEAT REMOVAL

Heat removal is achieved through the steam generators, using primary coolant natural circulation until the RCS is cooled down to shutdown cooling entry conditions.


Implications of the CMF and Method of Coping

The loss of power results in loss of the main feedwater system and of the turbine bypass valves (interlocked closed on loss of condenser vacuum resulting from loss of the circulating water pumps). Steam relief would be through the SG safety valves. The AFAS would initiate a signal for emergency feedwater actuation on low SG level; however, the postulated ESF-CCS failure precludes the load shed and subsequent automatic (sequenced) connection of safety loads onto the 4.16 kV safety buses. Operator action would be required to load the emergency feedwater pumps and any other required components onto the safety buses. The emergency diesel generators automatically start on loss of power to the safety buses.

At ten minutes into the event, the Alternate AC Source would restore power automatically to the 4.16 kV permanent non-safety buses and auto-sequence non-safety loads onto those buses. These include instrument air compressors, charging pumps, and non-essential chillers, among other components.

Prior to operator establishment of emergency feedwater to the steam generators, steam generator inventory would be reduced as steam is relieved through the main steam safety valves at approximately 1200 psia (and 567°F). Cooldown can be effected by use of handwheels on the atmospheric dump valves, once emergency feedwater has been established.

It is qualitatively estimated that the steam generators would boil dry in 15 to 30 minutes without the addition of emergency feedwater. Prior to that time the pressurizer may fill with water. If that did not occur, the pressurizer would be expected to fill with water shortly after the SG boil-out, as RCS temperatures rise more rapidly.


Potential Resolution of Uncertainties

A quantitative evaluation should be done to determine RCS heatup and pressure effects for various operator action times to establish emergency feedwater.

CONCLUSIONS

It is recommended that the quantitative analyses described above be done to determine (1) best estimate DNBR reduction, and (2) RCS heatup effects for various assumed operator action times to establish emergency feedwater. It is qualitatively concluded that DNBR, RCS heatup (for operator action times up to 30 minutes), and steam releases can be shown to result in consequences within 10 CFR 100 guidelines. No impact on the design for defense-in-depth and diversity is expected.


4.3.2 Flow Controller Malfunction Causing Flow Coastdown

This event does not apply to the System 80+ design. It is included in the event listing of this evaluation to provide event order and section numbering consistent with CESSAR-DC Chapter 15 (which also lists, but does not evaluate, this event).


4.3.3 Single RCP Shaft Seizure

With the seizure of a single RCP shaft, the remaining 3 RCPs are expected to maintain the coolant flow rate through the reactor somewhat above 75% of the nominal flow rate. At the reduced flow rate, the calculated DNBR will be reduced from the nominal value of approximately 2.1 to a lower value which may approach the minimum DNBR specified acceptable fuel design limit of 1.24. A reactor trip with continued operation of the remaining 3 RCPs will increase the DNBR margin. The objective in responding to the event is to trip the reactor to maintain margin relative to the DNBR criteria and to continue heat removal using the remaining RCPs and normal secondary systems until .

The functional objectives for responding to this event, and the associated success path options available if a common mode failure of the protection system controls is assumed, are evaluated below.

REACTIVITY CONTROL

As described above, following the RCP shaft seizure, a rapid shutdown increases the margin relative to the DNBR criteria.

Implications of the Common Mode Failure and Method of Coping

The postulated protection system failure precludes an automatic RPS reactor trip, which would ordinarily occur upon detection of low reactor coolant flow or low RCP speed. The RCS pressure would rise but, with pressurizer pressure control, may not change sufficiently to initiate an APS trip on high pressurizer pressure.

RCS temperatures would increase, and the Reactor Regulating System would respond by inserting CEA's to maintain RCS average temperature at its programmed value. This would mitigate the DNBR decrease.


Sufficient indications would be available via the normal control systems for the operator to determine the need to take manual action. These include RCP alarms and RCS flow indication, revealing the failure of one RCP, and lack of indication that CEA's had reached bottom positions, revealing the lack of a reactor trip and therefore a safety system failure. With such indications, it is reasonable that the operator would manually initiate a reactor trip in a timely manner.

Potential Resolution for Uncertainties

An analysis is needed to quantitatively determine margin to the 10 CFR 100 release limits for various times for operator action to actuate a reactor trip, with a seized shaft in one RCP and 3 RCPs operating. The results of the analysis would be evaluated to determine if the manual reactor trip is a sufficient line of defense or, as an example alternative, if the APS should include a reactor trip on low RCS flow.

CORE HEAT REMOVAL

Continued operation of the remaining 3 RCPs provides sufficient coolant flow through the reactor for post-trip core heat removal.

Implications of the Common Mode Failure and Method of Coping

Operation of the non-failed RCP's is not affected by the postulated common mode software failure. No additional means of coping is needed beyond that provided by the normal control systems.

RCS HEAT REMOVAL

Throughout the event, secondary heat removal is provided by the normal feedwater supply and steam dump to the condenser via the turbine bypass.

Implications of the Common Mode Failure and Method of Coping

A turbine trip will automatically follow the reactor trip. The Steam Bypass Control System, which is implemented in the Process-CCS, will automatically initiate and control steam dump to the condenser. Normal controls will maintain the feedwater supply. These responses would not be affected by the assumed common mode software failure. No additional means of coping is needed beyond that provided by the normal control systems.

CONCLUSIONS

A quantitative evaluation of operator times to initiate a reactor trip for this event is needed; depending upon the results of that evaluation, APS modifications (such as a low RCS flow trip) may be appropriate for an added level of defense. However, because the steam bypass control system is available to limit steam releases, it is expected that the radiological effects would be within the 10 CFR 100 guidelines.

4.3.4 Single RCP Shaft Break

The characteristics of the RCP shaft break are very similar to those of the shaft seizure event. The difference is that with a sheared shaft the impeller may rotate in reverse, allowing some of the flow provided by the 3 RCPs to bypass the reactor core. As a result, the total flow provided to the reactor core by the 3 RCPs subsequent to the shaft break will be somewhat less than 75% of the nominal value. This will result in a greater decrease in DNBR than in the case of the shaft seizure event. Otherwise, this event is the same as the RCP shaft seizure.

The functional objectives for responding to this event, and the associated success path options available with the assumed common mode failure of the protection system controls, are the same as identified for the RCP shaft seizure event. Refer to Event 4.3.3 for the detailed discussion of the implications of the common mode failure and the methods of coping, potential resolution of uncertainties, and conclusions and recommendations.


4.4 REACTIVITY AND POWER DISTRIBUTION ANOMALIES

For this class of events, any one or more of the following may be present (* - alarmed):

a. Change in core power
b. Increasing pressurizer pressure (*)
c. Increasing pressurizer level (*)
d. Increasing RCS temperatures (*)
e. Decrease in COLSS core power limit
f. Increase in COLSS azimuthal tilt (*)
g. Increase in COLSS ASI magnitude (*)


4.4.1 Uncontrolled CEA Withdrawal from Subcritical or Low Power Conditions

The uncontrolled sequential withdrawal of CEA's from subcritical or low power conditions adds reactivity to the reactor core, causing both core power and core heat flux to increase, together with corresponding increases in reactor coolant temperatures and pressure.

REACTIVITY CONTROL

The rapid pressure increase would lead to an ARTS reactor trip on high pressurizer pressure (2420 psia). Prior to that time, the operator could choose to trip the reactor based on indications of:

  - rapidly rising reactor power
  - rapidly rising RCS pressure
  - rapidly rising RCS temperature
  - CEA withdrawal indication

Implications of the Common Mode Failure and Method of Coping

The assumed common mode failure of the safety systems would have no effect on achieving this goal.

RCS HEAT REMOVAL

The steam bypass control system and condenser enable a controlled post-trip cooldown of the RCS to hot no-load conditions. Main steam safety valves would not be expected to lift, nor would the ADV's be required to cool down the plant. The steam bypass control system and condenser would also enable the plant to be cooled down. Feedwater would be supplied from the Main Feedwater System taking suction from the condenser hotwell.

Implications of the Common Mode Failure and Method of Coping

The assumed common mode failure of the safety systems would have no effect on achieving this goal.

CONCLUSIONS AND RECOMMENDATIONS

The APS provides an alternate reactor trip signal on high pressurizer pressure, and no ESF-CCS controlled components are required for event mitigation. There is no impact on diversity or defense-in-depth in the current design.

4.4.2 Uncontrolled CEA Withdrawal at Power

The evaluation of this event is essentially similar to the Uncontrolled CEA Withdrawal from Subcritical or Low Power Conditions. The ARTS provides a reactor trip, plant control systems bring the NSSS to hot no-load conditions, and there is no impact on diversity or defense-in-depth in the current design.

4.4.3 Single CEA Drop

This event results from a CEDM holding coil failure or interruption of CEDM holding coil power.

REACTIVITY CONTROL

The assumed RPS failure precludes a reactor trip on Low DNBR or High kW/ft. However, the Chapter 15 limiting case analysis shows specified acceptable fuel design limits are not exceeded if no reactor trip occurs. Based on changes in RCS conditions, COLSS alarms, and CEDMCS CEA position indication, the reactor operator may choose to manually trip the reactor or manually insert CEA banks. Prior to operator action, core power would return to near its initial value as a result of core feedback effects, with a higher core radial peaking factor.

RCS HEAT REMOVAL

Plant control systems (pressurizer pressure and level, main feedwater, SG level) would respond to the perturbation caused by the CEA drop, bringing controlled process parameters to near their nominal values. Should the operator choose to initiate CEA insertion, normal use by the operator of the reactor regulating system can be effected in either automatic or manual mode.

CONCLUSIONS

No RPS reactor trip or ESF-CCS controlled components are required for event mitigation, and there is no impact on diversity or defense-in-depth for the current design.


4.4.4 Startup of an Inactive Reactor Coolant Pump

The startup of an inactive reactor coolant pump is evaluated with respect to RCS pressure and fuel performance criteria. The event was evaluated during Modes 3 through 6, since plant operation with fewer than all four reactor coolant pumps is permitted only during those modes. The cases considered were no more than one reactor coolant pump operating, or two reactor coolant pumps operating in one loop (the other loop idle), to maximize the pressure increase.

The RCP startup causes a sudden surge of relatively cold or hot water to enter the core, which may cause a core power or RCS pressure increase. For Modes 3 and 4 the primary safety valves, main steam safety valves, and the ARTS high pressure reactor trip maintain the RCS below 110% of design pressure. During Modes 5 and 6, when the shutdown cooling system is aligned, overpressure protection is provided by the shutdown cooling system relief valves.

With no more than one reactor coolant pump operating, or two reactor coolant pumps operating in one loop (the other loop idle), the RCP startup may lead to an increase in RCS pressure. For Modes 3 and 4 the primary safety valves, main steam safety valves, and ARTS high pressure reactor trip would maintain the RCS below 110% of design pressure during the worst pressure transients. During Modes 5 and 6, when the shutdown cooling system is aligned, overpressure protection is provided by the shutdown cooling system relief valves.


CONCLUSIONS

The maximum pressure within the RCS for this event will not exceed 110% of the design value. For Modes 3 and 4, the heat imbalance due to the RCP startup is less limiting than that caused by the CEA withdrawal event. In Modes 5 and 6, the capacity of the shutdown cooling relief valves prevents the RCS pressure from exceeding the pressure and temperature limits for these modes. Fuel damage would not be expected, as DNBR increases during the event.


4.4.5 Flow Controller Malfunction

This event does not apply to the System 80+ design. The event is included in the event listing to provide event ordering and section numbering consistent with CESSAR-DC Chapter 15 (which also lists, but does not evaluate, this event).


4.4.6 Inadvertent Deboration

Inadvertent deboration may be caused by improper operator action or by a failure in the boric acid makeup flow path that reduces the flow of borated water to the charging pump suction. Either cause can produce a boron concentration that is below the concentration of the reactor coolant. The resulting decrease in RCS boron concentration adds positive reactivity to the core.

REACTIVITY CON 1ROL for Hodos 1 and 2 (Modo 1: K.,, 2 0.99, Thermal Pcwor > 5%,

T,,ogg 2 350*f; Mode 2: kg, y 0.90, Thermal Power s 5%, Teooi.nt 2 350*F), the deboration will cause an ARTS reactor trip on h*gh ,

pressurizer (2420 psia), and the subsequent rea:: tor scram will bring the core to suberitical conditions. for the remaining modes, the core is initially subcritical with the shutdown margin  ;

at the minimum value consistent with the Technical Specification limit for cold shutdown. i ImolicationLgf the Common Mode failure and Method of Cooina The ooerator is alerted to a decrease in the reactor coolant ,

system (RCS) boron concent_ ration.either through a high neutron flux alann on the startup flux channel, the reactor makeup water flow alarm, sampling, baronometer indications, or boric acid ficw .

rate. The operator turns off the charging pump and closes the letdown control valves in order to halt further dilution. At the maximum dilution rate, the operator has-38 minutes to terminate 3

dilution before the reactor core becomes-critical. Next, the '

operator increases the RCS boron concentration by _ implementing the emergency boration procedure for achieving cold shutdown boron concentration. -This can be done using the Chemical and Volume Control System (CVCS).


CONCLUSIONS

The ARTS will trip the reactor (on high pressurizer pressure) for Modes 1 and 2. No ESF-CCS controlled components are required for event mitigation. There is no impact on diversity or defense-in-depth in the current design.


4.4.7 Inadvertent Loading of a Fuel Assembly into the Improper Position

This event results from inadvertently interchanging two fuel assemblies, in violation of core loading procedures. The anomaly would be expected to be revealed during low-power physics tests, or early in the fuel cycle by checks of ex-core and in-core detector readings. The net effect of the mis-loading would in any case be accommodated via planar radial peaking factor measurements being manually input to the CPC and COLSS algorithms, whose trip and core operating limit values, respectively, would include the effect of the improper load. There are no RPS trips or ESF-CCS controlled components required for this event, and no impact on diversity or defense-in-depth for the Nuplex 80+ design.


4.4.8 Control Element Assembly Ejection (Table 4.4.8)

This event results from a circumferential rupture of the control element drive mechanism (CEDM) housing or of the CEDM nozzle.

Ejection of a CEA causes the core power to rapidly increase because of the almost instantaneous addition of positive reactivity. However, the rapid increase in core power is terminated by a combination of Doppler feedback and delayed neutron effects.

REACTIVITY CONTROL

For this evaluation, the postulated common mode failure precludes the high power trip, and reactor trip would be by the ARTS as RCS pressure rapidly increases. The ARTS trip occurs at a nominal setpoint of 2420 psia. However, the rapid increase in core power is initially terminated by a combination of Doppler feedback and delayed neutron effects.

Implications of the Common Mode Failure and Method of Coping

The rate of pressure increase is sufficiently rapid that the ARTS would cause a reactor trip before the operator could assess the plant status and initiate a reactor trip. In any event, the assumed common mode failure of the safety systems would have no effect on achieving this goal.

RCS HEAT REMOVAL

The steam bypass control system and condenser enable a controlled post-trip cooldown of the RCS to hot no-load conditions. Main steam safety valves would not be expected to lift, nor would the ADV's be required to cool down the plant. The steam bypass control system and condenser would enable the plant to be cooled down. Feedwater would be supplied from the Main Feedwater System taking suction from the condenser hotwell.

Implications of the Common Mode Failure and Method of Coping

The postulated common mode failure of the safety systems would have no effect on achieving this goal.

CONTAINMENT ENVIRONMENT

The CEA ejection causes a small-break LOCA. The effects on containment and the means for event mitigation are covered by Section 4.6.5, Loss-of-Coolant Accident.

CONTAINMENT ISOLATION

The effects on containment integrity and the means for event mitigation are covered by Section 4.6.5, Loss-of-Coolant Accident.

CONCLUSIONS

It would be expected that a fraction of the fuel rods experience DNB for several seconds. However, the availability of the steam bypass control system prevents the lifting of the secondary safety valves, and the radiological consequences of secondary steam releases are expected to be within the guidelines of 10 CFR 100.

TABLE 4.4.8  CEA EJECTION

Key Success Paths Nominally Available and Usable in Current Design Under Failed PPS/ESF-CCS Conditions

Key Critical Function: Reactivity Control
  Ch. 15 analysis success paths:  Reactor Trip on Variable Overpower
  From MCR, or automatic:         - Manual Reactor Trip
                                  - ARTS Reactor Trip
                                  - Manual Insertion of CEA's
                                  - CVCS Boration
  By manual local action
  (MCR/automatic failure):        - Reactor Trip Breakers
                                  - Safety Injection

Key Critical Function: Core Heat Removal
  Ch. 15 analysis success paths:  Natural Circulation
  From MCR, or automatic:         - Forced Circulation
  By manual local action:         (none listed)

Key Critical Function: RCS Heat Removal
  Ch. 15 analysis success paths:  Main Steam Safety Valves; Emergency Feedwater on Low SG Level
  From MCR, or automatic:         - Main Feedwater
                                  - Steam Bypass Control System, and Condenser
                                  - Main Steam Safety Valves
  By manual local action:         - Emergency Feedwater (via MCC's)
                                  - Safety Injection (via MCC's)


4.5 INCREASE IN RCS INVENTORY

For this class of events, one or more of the following will be present (* - alarmed):

a. Increasing pressurizer level (*)
b. Increasing pressurizer pressure (*)
c. Letdown valve minimum open position indication
d. Increased charging flow
e. Safety Injection flow present
f. Safety Injection pumps running
g. Safety Injection valves position - open

4.5.1 Inadvertent Operation of the ECCS

The inadvertent operation of the Safety Injection System (SIS) is assumed to actuate the 4 Safety Injection (SI) pumps and open the corresponding discharge valves. This operation occurs as a result of a spurious signal to the system or an operator error.

Inadvertent operation of the SIS is only of consequence when it occurs with RCS pressure below the SI pump shutoff head pressure. Above that pressure there will be no injection of fluid into the RCS. Below the SI pump shutoff head pressure, when the shutdown cooling system is isolated, the SI flow will increase RCS inventory and pressure until the pressure reaches the pump shutoff head pressure.

Plant operation above the SI pump shutoff head pressure will not be impacted by the inadvertent operation of the SIS. Below the SI pump shutoff head pressure, when the shutdown cooling system is isolated, there will be an RCS inventory and pressure increase. This increase will be terminated when the pressure rises above the shutoff head pressure. Due to the pressure increase caused by this transient at low RCS temperatures, there is an approach to the brittle fracture limits of the RCS. However, CESSAR-DC Chapter 15 concludes that brittle fracture limits will not be violated for this transient. Should the SIS inadvertently actuate during shutdown cooling operation, the shutdown cooling relief valves will mitigate the pressure transient.

CONCLUSIONS

No RPS trip function or ESF actuation is required to mitigate this event. There is no impact on defense-in-depth or diversity in the current design.

4.5.2 CVCS Malfunction - Pressurizer Level Control System Malfunction

This event results from an assumed pressurizer level controller fault which increases charging flow to its maximum rate and closes the letdown control valve to its minimum open position. The resulting increase in reactor coolant system inventory causes an increased pressurizer level and pressure. The increased pressure is mitigated by the pressurizer pressure control system, which would use pressurizer spray to condense steam in the pressurizer steam space that is being compressed by the rising water level.

The increased charging flow would not have a significant effect on reactor power, RCS temperatures, or steam generator conditions.

With the nominal pressurizer steam space of 1200 cubic feet, and the net RCS inventory increase of 204 gal/min assumed in CESSAR-DC Chapter 15, the operator would have over 30 minutes to terminate the spurious charging flow before the pressurizer fills with water. This can be accomplished by manual local action to open the charging pump electrical power breakers.

CONCLUSIONS

Sufficient time exists for operator manual local operation to terminate the spurious charging flow. No reactor trip or ESF actuation is required because of the small effect on reactor core conditions. There is no effect on diversity or defense-in-depth in the current design.

4.6 DECREASE IN RCS INVENTORY

For this class of events, one or more of the following will be present (* = alarmed):

a. Decreasing pressurizer pressure (*)
b. Decreasing pressurizer level (*)
c. Increasing containment pressure (*)
d. Increasing containment temperature (*)
e. Increasing auxiliary building sump level (*)
f. Increasing Auxiliary Building temperature (*)
g. Increasing Auxiliary Building humidity (*)
h. Increasing Auxiliary Building radiation (*)
i. Decreasing Letdown Line Pressure (*)
j. Decreasing Volume Control Tank Level (*)
k. Increased Main Steam Line Activity (*)
l. Increased Containment Temperature, Humidity, Radiation (*)
m. Regenerative Heat Exchanger high exit temperature (*)
n. Letdown Line low pressure alarm (*)
o. Air ejector high activity (*)
p. Steam generator blowdown high activity (*)

4.6.1 Inadvertent Opening of a Pressurizer Safety/Relief Valve

This event is non-limiting and is covered by the LOCA discussion, Section 4.6.5.

4.6.2 Double-Ended Break of a Letdown Line Outside Containment

Reactor coolant could be released outside the containment if a break or leak occurred in a letdown line, sample line, or instrument line in a location outside of the containment. Since the letdown line is the largest of these, a double-ended break of the letdown line, outside the containment and upstream of the letdown flow control valve, has the largest potential for release of reactor coolant outside the containment.

The leak flow (up to approximately 60 lbm/sec) is partially compensated by the charging flow of 90 gpm (12 lbm/sec). Depending on the initial conditions assumed, the resulting loss of inventory will empty the pressurizer in 15 to 30 minutes.

Operator action to close the letdown line isolation valves will terminate the leak flow.
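The operator time budgets quoted in 4.5.2 (pressurizer fills in "over 30 minutes") and 4.6.2 (pressurizer empties in 15 to 30 minutes) are the quantities the whole coping argument rests on, so it is worth being able to recompute them. The Python helper below is an added example and is not part of the ABB-CE report. It uses only the figures the report states: a 1200 cubic foot pressurizer steam space filling at a net 204 gal/min, and a letdown break leaking up to 60 lbm/sec against 90 gpm (12 lbm/sec) of charging. The 7.48 gal/ft³ conversion is a standard constant; the 8 lbm/gal density is simply the ratio implied by the report's own "90 gpm (12 lbm/sec)"; and the initial pressurizer liquid volumes used for the break case are constructed inputs, since the report gives only the resulting 15 to 30 minute range, not the inventory behind it.

```python
"""Operator time-budget calculator for the RCS inventory events of
Sections 4.5.2 and 4.6.2.  Added example; not part of the report."""
from typing import Optional

GAL_PER_FT3 = 7.48052  # standard: US gallons per cubic foot

# Water density implied by the report's charging figure "90 gpm (12 lbm/sec)":
# 12 lbm/sec divided by 1.5 gal/sec = 8.0 lbm/gal.  Taken from the report's
# own numbers, not from steam tables.
LBM_PER_GAL = 12.0 / (90.0 / 60.0)


def lbm_per_sec_to_gpm(lbm_per_sec: float) -> float:
    """Convert a mass flow (lbm/sec) to a volumetric flow (gal/min)
    using the density implied by the report."""
    return lbm_per_sec / LBM_PER_GAL * 60.0


def minutes_to_fill(steam_space_ft3: float, net_inflow_gpm: float) -> float:
    """Section 4.5.2: minutes until the pressurizer steam space is gone
    (pressurizer water solid) for a net inventory increase in gal/min."""
    if net_inflow_gpm <= 0:
        raise ValueError("no net inflow: the pressurizer will not fill")
    return steam_space_ft3 * GAL_PER_FT3 / net_inflow_gpm


def minutes_to_empty(initial_liquid_gal: float, leak_lbm_per_sec: float,
                     charging_gpm: float) -> Optional[float]:
    """Section 4.6.2: minutes until the pressurizer empties for a leak that
    charging flow only partially compensates.  Returns None when charging
    can make up the leak, i.e. there is no net inventory loss and therefore
    no time limit from inventory (the controlled-shutdown case)."""
    net_loss_gpm = lbm_per_sec_to_gpm(leak_lbm_per_sec) - charging_gpm
    if net_loss_gpm <= 0:
        return None
    return initial_liquid_gal / net_loss_gpm


if __name__ == "__main__":
    # 4.5.2: 1200 ft3 steam space, 204 gal/min net increase (report values).
    fill = minutes_to_fill(1200.0, 204.0)
    print(f"4.5.2 charging malfunction: pressurizer solid in {fill:.1f} min")

    # 4.6.2: 60 lbm/sec leak vs 90 gpm charging (report values).  The liquid
    # inventories are CONSTRUCTED to bracket the report's 15-30 minute range.
    for liquid_gal in (5400.0, 10800.0):
        t = minutes_to_empty(liquid_gal, 60.0, 90.0)
        print(f"4.6.2 letdown break: {liquid_gal:.0f} gal empties in {t:.1f} min")

    # A smaller leak that charging can make up: no inventory time limit.
    print("small leak:", minutes_to_empty(8000.0, 10.0, 90.0))
```

The fill case reproduces the report's "over 30 minutes" (about 44 minutes at the stated rates), and the break case shows how strongly the available time depends on the assumed initial inventory, which is why the report quotes a range rather than a single value.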

RCS INVENTORY CONTROL AND RADIOLOGICAL EMISSIONS CONTROL

The following alarms would alert the operator immediately of the event:

    Regenerative Heat Exchanger high exit temperature alarm.
    Letdown line low pressure alarm (downstream of the break).

A few seconds later the following additional alarms would be triggered:

    Auxiliary building high radiation.
    Auxiliary building high temperature and high humidity.

A pressurizer low level alarm should occur within one minute, and within a few minutes, alarms indicating a high sump level in the auxiliary building and a low level in the volume control tank would occur. Based on these alarms and indication of a continued letdown flow with a continued decrease in pressurizer level, the operator would be able to determine the need and take appropriate action to manually close the letdown isolation valves.

Implications of the Common Mode Failure and Method of Coping

Although the postulated common mode software failure precludes actuation of the above alarms by the Discrete Indication and Alarm System, they would still be alarmed by the Data Processing System CRTs. The operator should be able to determine the need to isolate the leak within perhaps 10 minutes.

The postulated common mode failure would preclude use of the ESF-CCS to manually close the letdown isolation valves. Alternate means of closing at least one of the two valves (which are in series) would be needed to isolate the leak. Since the valves are pneumatic and fail closed, isolation of the air supply to one of the valves via the P-CCS is an option for consideration in the P-CCS design.

With appropriate control capability within the control room, the operator would be able to isolate the leak within 15 minutes of event initiation. This would limit the release of RCS coolant outside of the containment to a value less than determined in the CESSAR-DC analysis and terminate the loss of RCS inventory prior to the earliest time at which the pressurizer would empty.

Potential Resolution of Uncertainties

Further evaluation may be needed to determine the specific design for an alternate method for closing the isolation valves.

REACTIVITY CONTROL, RCS INVENTORY CONTROL, RCS PRESSURE CONTROL, RCS HEAT REMOVAL

After isolating the leak, the operator would initiate a shutdown with a manual reactor trip. The charging system would act to recover RCS inventory; manual control of the charging pump could be used to prevent overfilling of the pressurizer. The normal controls would act to maintain pressurizer pressure. Heat removal would be provided via the steam generators, using the normal feed and the steam bypass systems.

Implications of the Common Mode Failure and Method of Coping

The postulated failure would not affect the control system actions described above, except as follows.

If the leak were not isolated prior to emptying the pressurizer, then the pressurizer pressure would have decreased below the low pressurizer pressure setpoint for initiating a reactor trip. The postulated failure would preclude initiation of an automatic trip by the PPS. Sufficient indications would be available for the operator to determine the need to initiate a manual reactor trip.

The APS low pressurizer pressure reactor trip recommended for Main Steam Line Break and LOCA is an alternate means for reactor trip in this case.

CONCLUSIONS

The postulated failure precludes shutting the letdown isolation valves via the ESF-CCS; alternate means should be evaluated to accomplish this. The timing of the event is such that manual means appear to be adequate. Also, the rate of pressurizer inventory and pressure decrease warrants consideration of the addition of an APS low pressurizer pressure reactor trip; quantitative evaluation of the event should be done to confirm this.


4.6.3 Steam Generator Tube Rupture

RCS coolant leakage into the secondary system through the steam generator tube rupture can result in radiological release to the environment via the condenser air ejectors or steam relief to the atmosphere. A large steam generator tube leak can also cause a depletion of reactor coolant inventory. For this evaluation, a double-ended guillotine break of a single steam generator tube is considered.

The principal objectives in responding to a steam generator tube rupture are to maintain RCS inventory, limit radiological release to the environment, and to provide continued heat removal via the remaining intact steam generator. The functional objectives for responding to this event, and the associated success path options available if a common mode failure of the protection system controls is postulated, are evaluated below.

REACTIVITY CONTROL

The sooner the reactor is tripped, the less energy must be removed and the less potential for radiological release.

Implications of the Common Mode Failure and Method of Coping

The postulated protection system failure precludes an automatic RPS reactor trip. Since the leak would deplete RCS inventory, pressurizer level and pressure would decrease.

For a double-ended rupture of a steam generator tube, the loss of inventory through the leak (on the order of 50 lbm/sec) would be mitigated by the pressurizer level and pressure controls such that the setpoint for the RPS trip (on thermal margin/low pressure) is not expected to be reached for approximately 15 minutes. Operator action to manually initiate a reactor trip within this period would provide a response as prompt as that normally provided by the RPS. The operator would be able to observe the decrease of pressurizer level and initiate a manual reactor trip within that period. For smaller leaks, the loss of inventory would be more gradual and the time to reach the RPS trip setpoint would be longer, effectively allowing a longer period for the operator to observe the plant condition and take action. Therefore, the postulated common mode failure should not result in a significant delay in the reactor trip.

For a leak for which the Chemical and Volume Control System can make up the leak flow, an RPS trip would not occur, and a controlled reactor shutdown would be performed. For such leaks, the assumed common mode failure would have no effect on the reactivity control function.

Potential Resolution of Uncertainties

Although the operator action to manually initiate a reactor trip is expected to be adequate to achieve a timely reactor trip for this event, an automatic trip via the APS on low (as well as high) pressurizer pressure should be evaluated.

RCS INVENTORY CONTROL

As described above, a large steam generator tube leak will cause a leak flow in excess of the makeup capacity from the CVCS. The objective of inventory control is to mitigate and recover inventory loss from the RCS. For a large steam generator tube leak, this requires decreasing RCS pressure to near the pressure of the affected steam generator, at a steam pressure below the setpoint of the main steam safety valves, and providing charging flow to the RCS to compensate for coolant leaked to the steam generator.

Following the reactor trip, the pressurizer could empty as the RCS cools, and the RCS pressure may decrease to the saturation pressure of the hottest RCS coolant (i.e., 1724 psia for T-hot = 615 F). The Steam Bypass Control System will automatically control heat removal to bring the RCS to the no load temperature of 558 F, for which Psat = 1115 psia. RCS pressure will decrease toward this value until the charging flow can match the leak flow.

If this occurs at a pressure above the main steam safety valve setpoint (1200 psia), then the charging flow will need to be throttled somewhat in order to reduce the leak flow rate.

Implications of the Common Mode Failure and Method of Coping

The RPS failure would preclude actuation of the Safety Injection System, and therefore injection by the safety injection pumps. As explained above, the safety injection pumps would need to be throttled to less than 1200 psia in order to isolate the leak.

The charging pump would be able to match the leak flow when the RCS pressure decreases to within 50 psia (approximately) of the secondary pressure, terminating the loss of RCS inventory. The charging flow can be throttled if the RCS pressure begins to approach the 1200 psia setpoint of the main steam safety valves. Therefore, the capability of the normal control systems is judged to be adequate to maintain RCS inventory control.

RADIOLOGICAL EMISSIONS CONTROL

Rapid isolation of the steam generator experiencing the tube rupture limits the radiological release into the main steam system, and therefore the amount of potential radiological release. Isolation of the affected steam generator is normally initiated by operator action, per the emergency procedures.

Implications of the Common Mode Failure and Method of Coping

All indications used by the operator to determine which steam generator needs to be isolated may not remain available with the postulated common mode software failure. Therefore radiation monitor inputs indicating an increase in activity levels in the steam generator main steam line should be considered for input to the P-CCS from the APC, to indicate which steam generator is affected.

The postulated protection system failure precludes control of the MSIVs and MFIVs through the ESF-CCS interface. Alternate means of initiating MSIV closure should be evaluated. Feed flow to the affected steam generator can be terminated using the normal controls for the feedwater regulating valves.

RCS HEAT REMOVAL

Continued heat removal through the intact steam generator allows RCS heat removal to be achieved with the RCS and secondary pressure below the safety valve setpoint, preventing release of steam through the safety valves of the leaking steam generator. Also, the operating procedures may call for tripping one or more RCPs to control heat removal.

Implications of the Common Mode Failure and Method of Coping

The normal feed system, the steam bypass control system and the RCP controls can be used for this function and are not affected by the assumed common mode software failure. Appropriate monitoring information will also remain available.

CONCLUSIONS

An automatic APS reactor trip on low pressurizer pressure should be evaluated. Alternate means to shut the MSIVs should be evaluated. Radiation monitor inputs from the main steam lines should be input to the P-CCS as an alternate means to ensure the affected steam generator is indicated with the postulated failure.


4.6.4 Radiological Consequences of Main Steam Line Failure Outside Containment

This event (for a BWR) does not apply to the System 80+ design. The event is included in the event listing to provide event ordering and section numbering consistent with CESSAR-DC Chapter 15 (which also lists, but does not evaluate, this event).

4.6.5 Loss-of-Coolant Accident

REACTIVITY CONTROL

A reactor trip needs to be initiated promptly to limit the temperature excursion of the fuel rods during blowdown and to limit the containment pressure peak.

Implications of the Common Mode Failure and Method of Coping

PPS initiation of the reactor trip would be precluded by the postulated common mode software failure. Since the pressurizer pressure would decrease during the LOCA, initiation of a reactor trip on high pressurizer pressure by the APS would also not occur. The APS modification that should be considered, to initiate a reactor trip on low pressurizer pressure, would result in a prompt initiation of an automatic reactor trip.

CORE HEAT REMOVAL, RCS INVENTORY CONTROL

For a large break LOCA, injection from at least 2 SI trains needs to be initiated within 20 or 30 seconds. For a small break LOCA, injection from at least 2 SI trains needs to be initiated within 50 seconds.

Note that a single SI train provides sufficient injection for a small break leak, which includes the rupture of a DVI line. The need to actuate a second SI train for a small break LOCA addresses the possibility that the break may occur in a DVI line.

Implications of the Common Mode Failure and Method of Coping

PPS initiation of a SIAS (on low pressurizer pressure or high containment pressure) would be precluded by the postulated common mode software failure.

The postulated failure also precludes control of the Safety Injection System through the ESF-CCS interface.

Potential Resolution of Uncertainties

Further evaluation is needed to determine if the potential for a common mode failure of the protection system software coincident with a large break LOCA is sufficient to justify development of alternate means for initiation of SI flow.

RCS HEAT REMOVAL

For large break LOCAs, heat removal is accomplished by heating the SI flow, which then escapes through the break into the containment. Injection from at least 2 SI trains needs to be initiated within 20 or 30 seconds.

For small break LOCAs, heat is removed through the steam generators, using natural circulation, which is implemented by providing feed flow and steam dump.

Implications of the Common Mode Failure and Method of Coping

For large break LOCAs:

As described above for RCS inventory control, the postulated failure precludes PPS initiation of a SIAS, and precludes control of the Safety Injection System through the ESF-CCS interface.

For small break LOCAs:

The postulated failure would preclude initiation of a MSIS by the PPS, preventing automatic closure of the MSIVs and the MFIVs. As a result, heat removal can be accomplished through the steam generators using feed flow provided by the normal feed system, and steam can be dumped through the turbine bypass.

Potential Resolution of Uncertainties

For large break LOCAs:

As identified above, further evaluation is needed to determine if the potential for a common mode failure of the protection system software coincident with a large break LOCA is sufficient to justify development of alternate means for initiation of SI flow.

For small break LOCAs:

Use of normal systems for feed supply and steam dump should provide an adequate path for heat removal.

CONTAINMENT ISOLATION

Closure of the containment isolation valves limits the radiological release to the environment during the LOCA. The following valves, which are normally open during power generation, are closed in response to a containment isolation signal. The CIAS can be initiated manually or by a SIAS.

Isolation Valve Location                                      Actuator Type   Failure Position
CCW Supply to Letdown Heat Exchanger                          E               AI
CCW Return from Letdown Heat Exchanger                        E               AI
Combined CCW Drains from RCP HX's 1A & 1B and Letdown HX      E               AI
Combined CCW Drains from RCP HX's 2A & 2B                     E               AI
Letdown to Purification System                                P               C
RDT Flow to RDPs                                              P               C
Instrument Air Supply                                         E               C
SG 1 Hot Leg Sample                                           E               C
SG 1 Downcomer Sample                                         E               C
SG 2 Hot Leg Sample                                           E               C
SG 2 Downcomer Sample                                         E               C
SG 1 Combined Blowdown                                        E               AI
SG 2 Combined Blowdown                                        E               AI
Containment Radiation Monitor (Inlet)                         E               C
Containment Radiation Monitor (Outlet)                        E               C
Reactor Drain Tank Gas Space to GWMS                          E               AI

E - Electric, P - Pneumatic; C - Closed, AI - As is

In addition, penetrations which provide an open path between the containment and the outside containment environment are isolated on high containment radiation as well as CIAS. Those which are normally open during power generation are:

Containment Sump Pump Discharge Line                          P               AI
Containment Ventilation Units' Condensate Drain Header        E               AI

The CIAS also actuates the opening of the E/AI valves controlling the Hydrogen Recombiner suction from and discharge to the containment.

Isolation of each of the above penetrations is performed by a pair of valves, one inside and the other outside of the containment. All of these valves can be actuated via automatic initiation or remote manual initiation via the ESF-CCS interface in the control room or at the remote shutdown panel.

Implications of the Common Mode Failure and Method of Coping

The postulated common mode failure would preclude actuation of the CIAS by the SIAS (on low pressurizer pressure or high containment pressure). Valves that isolate penetrations providing an open path between the containment and the outside-containment environment (isolated on high containment radiation, as well as CIAS) would not be isolated on high containment radiation, since that function is performed via the ESF-CCS.

Isolation can be performed via local manual controls.

Potential Resolution of Uncertainties

Further evaluation may be needed to verify adequate radiological emissions control using local manual controls.

CONTAINMENT ENVIRONMENT CONTROL

Initiation of containment spray flow (at the nozzles) within 4 minutes after a large break LOCA should adequately limit the pressure excursion.

Implications of the Common Mode Failure and Method of Coping

The postulated common mode software failure would preclude initiation of the SIAS signal (on low pressurizer pressure or high containment pressure) to automatically start the containment spray pumps. It would also preclude the CSAS (on high containment pressure) which would open the containment spray header valves. Control of Containment Spray System components via the ESF-CCS is also precluded. Alternate means would be needed to actuate these components to establish spray flow within 4 minutes.

Potential Resolution of Uncertainties

Further evaluation may be needed to determine whether the potential for a common mode software failure concurrent with a LOCA event is sufficient to justify development of an alternate means of initiating the containment sprays.

CONCLUSIONS

Further evaluation is needed to determine whether the potential probability of a CMF of the PPS coincident with a large break LOCA is sufficient to justify development of alternate means for initiation of SI flow and Containment Spray.

4.7 RADIOACTIVE MATERIAL RELEASE FROM A SUBSYSTEM OR COMPONENT

4.7.1 Radioactive Gas Waste System Failure

This event has been deleted from the Standard Review Plan, is not analyzed in CESSAR-DC Chapter 15, and is not examined in this evaluation.

4.7.2 Radioactive Liquid Waste System Leak or Failure

This event has been deleted from the Standard Review Plan, is not analyzed in CESSAR-DC Chapter 15, and is not examined in this evaluation.

4.7.3 Postulated Radioactive Releases Due to Liquid Containing Tank Failures

The most limiting radioactive tank failure is the uncontrolled release of liquid from the Boric Acid Storage Tank (BAST), which is part of the Chemical and Volume Control System (CVCS). This event as described in CESSAR-DC Chapter 15 does not require operation of the RPS or ESF-CCS, and is therefore not evaluated further here.

4.7.4 Fuel Handling Accident

The Fuel Handling Accident results from the dropping of a single fuel assembly during fuel handling. This event as described in CESSAR-DC Chapter 15 does not require operation of the RPS or ESF-CCS, and is therefore not evaluated further here.

4.7.5 Spent Fuel Cask Drop Accident

This event is evaluated in Chapter 15 with respect to the possibility of a drop of over 30 feet, or drop/tip-over onto irradiated fuel. The event as described in CESSAR-DC does not require operation of the RPS or ESF-CCS and is therefore not evaluated further here.


ACRONYM DEFINITIONS

ADV - Atmospheric Dump Valve
AFAS - Alternate Feedwater Actuation Signal
APC - Auxiliary Process Cabinet
APS - Alternate Protection System
ARTS - Alternate Reactor Trip Signal
ATWS - Anticipated Transients Without Scram
CCW - Component Cooling Water
CEA - Control Element Assembly
CESSAR-DC - CE Standard Safety Analysis Report (Design Certification)
CIAS - Containment Isolation Actuation Signal
CMF - Common Mode Failure
CVCS - Chemical and Volume Control System
DIAS - Discrete Indication and Alarm System
DNBR - Departure from Nucleate Boiling Ratio
DPS - Data Processing System
ESF-CCS - Engineered Safety Features - Component Control System
GWMS - Gaseous Waste Management System
HX - Heat Exchanger
LOCA - Loss of Coolant Accident
MCC - Motor Control Center
MDS - Megawatt Demand Setter
MCR - Main Control Room
MMI - Man-Machine Interface
MSBV - MSIV Bypass Valves
MSIV - Main Steam Isolation Valve
MFIV - Main Feedwater Isolation Valves
P-CCS - Process Component Control System
PCS - Power Control System
PPS - Plant Protection System
RCS - Reactor Coolant System
RCP - Reactor Coolant Pump
RDP - Reactor Drain Pump
RDT - Reactor Drain Tank
RPCS - Reactor Power Cutback System
RPS - Reactor Protective System
RSP - Remote Shutdown Panel
SBCS - Steam Bypass Control System
SDCS - Shutdown Cooling System
SG - Steam Generator
SIAS - Safety Injection Actuation Signal
SRP - Standard Review Plan