ML20135G600
| ML20135G600 | |
| Person / Time | |
|---|---|
| Site: | Summer  |
| Issue date: | 09/16/1985 |
| From: | SOUTH CAROLINA ELECTRIC & GAS CO. |
| To: | |
| Shared Package | |
| ML20135G592 | List: |
| References | |
| NUDOCS 8509190526 | |
| Download: ML20135G600 (7) | |
Text
.
SOUTH CAROLINA ELECTRIC AND GAS COMPANY VIRGIL C. SUMMER NUCLEAR STATION i
10CFR50 APPENDIX R COMPLIANCE REVIEW DISCUSSION OF PROPQSED CONTROL LOGIC CHANGE FOR THE STEAM GENERATOR POWER OPERATED RELIEF VALVES J
I
, to "05000395/LER-1985-022, :on 850824,reactor Trip Occurred on Steam Generator a lo-lo Level.Caused by Requirement to Maintain Min Values of Feedwater Flow & Temp During Startup.[[system" contains a listed "[" character as part of the property label and has therefore been classified as invalid. & Condensate Sys Evaluation Program Initiated|letter dated September 16, 1985]], from Mr. O. W. Dixon, Jr., Vice President, Nuclear Operations, SCE&G, to Mr. Harold R. Denton, Director, Office of Nuclear Reactor Regulation 8509190526 85091 PDR ADOCK O DR Page 1 of 7 F
{
l
TABLE OF CONTENTS SECTION TITLE PAGE
1.0 INTRODUCTION
1 2.0 DISCUSSION 1
2.1 Concern #A1 1
~
2.2 Concern #B1 2
2.3 Concern #B2 2
3.0 PROPOSED MODIFICATION 2
3.1 Concern #A1 2
3.2 Concern #B1 2
3.3 Concern #82 3
1 4.0 JUSTIFICATION FOR CONTINUED 3
OPERATION FIGURES j
Scheme I - Present Steam Generator PORV Control Scheme 11 - Proposed (Previously Accepted) Steam Generator PORV Control i
t i
l l
Page 2 of 7 I
i l
a.
PROPOSED CONTROL LOGIC CHANGE FOR THE STEAM GENERATOR POWER OPERATED RELIEF VALVES (PORVS)
(AUDIT REPORT ITEM 395/85-26-01, REF. 5.A (1) (b))
i
1.0 INTRODUCTION
As a result of the recent reanalysis for compliance with Appendix R, the steam generator PORVs at the Virgil C. Summer Nuclear Station were found vulnerable to spurious i
operation. A single hot short in the control circuitry of the valves may cause the valves to inadvertently open, resulting in uncontrolled cooling (overcooling) of the Reactor Coolant System (RCS). The present steam generator PORV control is shown as Scheme 1
[
(Attached).
i i
it should be noted that the present control logic of these valves is the result of a i
previous modification requested by the NRC in a letter to Mr. T. C. Nichols (Vice l
President Nuclear Operations, SCE&G), dated January 15,1981, Docket No. 50-395 (a i
copy of the letter is attached for reference). The staff expressed in the letter the concern i
j (item B-Position 9) that loss of Control Room control of the PORVs may degrade shutdown capability, and requested a logic change to enhance the availability of the l
system for automatic or remote control should " failure" occur on one of the safety related solenoids controlling the PORVs (solenoids 20A and 20B on the attached 4
schemes).
At the same time, the letter recognized that the original logic design met all applicable j
General Design Criteria, Regulatory Guides, and industry standards, and that the code safety valves are available for automatic venting (the concepts of " hot shorts" and f
i
" spurious actuation" were, of course, not considered at that time).
[
However, in a fire induced emergency shutdown, the following must be considered l
with regard to the main steam system during the phases of the shutdown.
l l
Phase A:
Initiate Shutdown l
During this phase, the PORVs must remain closed to prevent uncontrolled cooling (overcooling) of the reactor coolant system.
t Concern #A1: The PORVs must fail closed during this phase.
l i
I Phase B:
I During this phase, orderly cooling of the RCS requires that the PORVs be operated I
(modulated) to dump steam.
[
t Concern #B1: PORVs must be available for decay heat removal.
f l
Concern #B2: Unavailable PORVs must remain closed.
{
2.0 DISCUS $10N i
2.1 Concern #A1:
l PORV Postulated Failures fall into two categories:
i Page 3 of 7 l
1 i
1
,.c,..-.
~
A Category 1:
Traditional Failures a) Loss of instrument air b) Loss of electrical control power Category 2:
Appendix R Reanalysis Failures a) Fire induced hot shorts, e.g., spurious opening Category 1 failures of the PORVs were adequately handled by the control system, both before and after the alteration requested by the NRC as mentioned above. In both designs, the loss of air or loss of electrical signal results in the PORVs remaining
" dosed," which is the " safe" position.
However, as mentioned in Section 1.0 (introduction), Category 2 failures were not addressed at that time. Thus,as a result of the alteration, the system is vulnerable to
" hot shorts" that may, through inadvertent energization of solenoids 201 or 20-D, open the valve (see Scheme 1).
2.2 Concern #51 During Phase 8, the PORVs must be available for manual control or dosed. Venting of
]
one steam generator is suffident to provide decay heat removal. However, their operation from the Control Room cannot be assured.
j 2.3 Concern #52' Should a fire occur near one of the PORVs, access to the valve for manual operation may be impossible until the fire is extinguished.
l l
3.0 PROPOSED M001FICATION 3.1 Concern #A1:
It is proposed that the contori of solenoids 20 A and 20-8 be modified by returning to the original scheme as previously approved by the NRC staff, such that the PORV will fail j
dosed for either category of failure (see Scheme 11), in this configuration, fuses acting as l
power disconnects in the main control board and power disconnects to be provided (via j
MRF-20784)in the spreading room termination cabinets can be utilized to effect immediate dosure of the valve by causing both solenoids to vent (upon deepergitation), while preventing any single hot short from spuriously opening the valve. Two independent hot shorts need to be postulated in order to open the valve under disconnect conditions. However, this has been classified as an incredible failure per NRC guidance. Note that these valves do not form a Hi Lo boundary with the primary coolant system.
l Further, loss of air or electric power will still have the desired effect of valve closure.
i 3.2 Concern 451; Following dosure of the valves from the control room or spreading room via the above-mentioned disconnects, the valves will be operated manually as described in the FSAR Page 4 of 7 2
l
(Section 5.5.7.1.1.2). The fire emergency procedures (FEP 1.0) provide for timely and coordinated steam dump by assigned personnel.
3.3 Concern #82:
In the case of localized fire, the operators will, by disconnecting electric power, close the PORV affected and manually control steam dump from the remaining valve (s).
4.0 JUSTIFICATION FOR CONTINUED OPERATION Until the above modifications are completed, the automatic fire detection and/or suppression systems that are presently in place,in conjunction with the 2-hour roving Fire Watch that has been instituted, provide a high degree of confidence that a fire in any area of concern will be automatically or manually extinguished before any postulated hot shorts can occur.
in addition, as stated in our letter of May 29,1985 to Mr. H. R. Denton of the NRC, solenoids 20-1 and 20-D will be deliberately deenergized through power disconnects to force valve closure in the event of a fire.
Further assurance against spurious valve opening has been provided by the results of an in depth study of the PORV " positioner" unit, conducted subsequent to the May 29 letter. The study concluded that a " hot short" at solenoid 20-1 or 20-D can only cause the valve to modulate in response to the prevailing automatic or manual control input signals. Normally such signals call for " valve closed." Only a malfunction of the valves pneumatic / mechanical control system simultaneously with a selected hot short could cause valve opening. Individual hot shorts to the other solenoids have either no effect on the valve, or in fact, ensure valve closure.
Therefore, continued plant operation until completion of this modification presents no undue risk.
l t
L i
I l
h l
t l
{
h i
i Page 5 of 7
[
t 3
i
1 g
r
.=
tu 2
-g 9
1 A
>J i.-
o.2 LD
- 5
=
D
- H
=
=
o us O 2 s
$= : 5
.N[ V=-
E 5 6 u.1 l
5-
-r_
k s W - :a:
- C 5" o " 2 3" =
~
e00
'd o.
m2-v
=*
=
i d
T4}
3' I
O
=v, x
=-
[CdCA O
O lgI
' t 1,
E o
o ooy
=
24o,y 3-
- k 85 n J Wh<jJOg l
"E=" E l
j
= = = :s
~1 h
-NP t
i
~
4 $' N O.n 2
==O
O c m+
52
=
5 1
A
==
=
[__ - - -
h33uN
~
A su$$s?
1--
~
see 3 s@E
~2
~
' t a
m I
E k'
I 1 i
U
- 85i N
E I 'Al
- t ---*
r-
~
l i
==== =E
=
l 5:
I I
o o
o E
a O
N I
O O
O 1 '
v 4
N N
d li E
E i
C I
8 r--
-- = h
-' ~
- i i-l 9
i
=
a
=
u
=
1 s== =
4 4
4
.I i
=
E
=
- g===
1 r
d I
=
r r
~
l I
E5::
E g.
M _
S E
E E
i vNA T
9 Y
l i
l
.==
n,
=
1 I
I E
=
=
s s
s 1
I t
I e
=
H I
I
~
= a g
- =_
g
'L "
J_
I s.=
=EEE
=
=
~
u.1 l
ID-- =i i
i s
- =
T T
y l
r G
1 l
n2 l
=
- E 5
=.
E E
E Z
l
==.
=
=
=
=
i 1
lL-O.
s s
s O
e
__ a V
I
=
=
=
E 7
y
~
=
=
s
~
=
s a=
=
s :=::
e
=
=
=
=
a
=
=
O
=
7 7
7
=
1
=~
=
=
=
1
=
= ;;
=
I
!N b
5 Y
k
' t
?
=
=
=
'?
=
=.
=.
=.
E E
E l
Page 6 of 7
Q D
=
WY 2 3E
%W 3E 81 3< E oH d
u es
>g O
N g='
"E. o y
~
2 3
4 AWrA dO W
V
-g - =
Lu > 0 A
_T,
3 F. m g
u2 z: p d-r.--
=
a
=
02
-a
~A = 0 $ *="
u 18 OO
-g=e=
~
o
.w E
2 a
44s I;:
i.u
_)
g=-
i
=
l o u. e _s 2 v.
3-O r
2 _i o-3>
d "o o, o
s e
e-3 g0 y q) g e
s s.3 o
1--
o 2
nE
-- --Ge u.,<8ye m
- s ;So O
===-
-nw-a
- 5- =-
U
-g 1
- 3. O =.
5
,OOce yw o
oom 3
L.
x-e xssdS s
~J
- Ea
.gy30 e-25 "go.
og'ge
~
d O
a s 3 5 m =.
g
_g g ii a"
y_
I NJ -
t-3
-E
. r- =1
=
- Am '
I G.I 32g f I
I
=8 a
o o
~o I
s 8
0 1
5 8
g v
a
~
~
e l
.-.E i i i
o g
=
9 n
=
=
~
' LI i
=
[
O u 2
2 H
=
5
=
=
=g-w=E J
I 3
i m
I Ese: j i
_ vxJ
?
?
[
?
i w
v i
=.
y I
=*
I j
~ = /.1 _
< j l
1 9
_Y 9
Y s
1 1
1
.E== =
=
=
=
yI g
i i
=
e
=
=
=
<,.n 1
l
=
o 1
- 95. =.
l s 4
~
O I
E-*E 8
M-
^
=-
=
=
g=
t I
I I
I
=
n=
e
-=
g-tu
=
ed i g
,'=
E
=e.
=.
I E
E A
l I
v
=
=
=
=
=
i O
I A
L
=
e V
i
=
=
=
E y
a
~
=
E E
O
=
s a=
=
=
CL.
====-.
g
=
=
=
=
=
=
O c
=
v v
=
~
=. =.
-- I
-_~
=
=
=
i
~
= 5t 1
= j =j f.'
i
=
=
i T
T T
.i
=
=
=
=
N 9
9 9
[
6
'l
~
4 5
E E
l Page 7 of 7
\\
8 UNITED STATES y
,(4Ej NUCLEAR REGULATORY COMMISSION 1
- e. g W ASHING 10N. D. C. 20555
'A U
J N,
,, v.
%,..... /
s x
JAN 151981 Docket No. 50-395 s,
gGEIOg Mr. T. C. Nichols, Jr.
O RECEIVED $ \\
6' Vice President & Group Executive
?
Nuclear Operations
)
JAN 2 91981 P. O. Box 764 g
Columbus, South Carolina 29281 g
Dear Mr. Nichols:
SUMMARY
OF SITE VISIT AND REQbEST FOR ADDITIONAL INFORMATION
SUBJECT:
Members of the Instrumentation and Control Systems Branch, Power Systems Branch and Reactor Systems Branch conducted an audit drawing review and site visit at the Virgil C. Summer Nuclear Station on November 12-14, 1980.
'- summarizes the major points of the Instrumentation and Control Systems Branch ' review and identifies concerns and positions on design modifications which must be addressed.
We require that you respond to the nine positions identified in Enclosure 1 in order to complete our evaluation.
Sincerely,
- ELSc. w Robert L. Tedesco. Assistant Director for Licensing Division of Licensing
Enclosure:
As stated h
J N 2 61981 I g C Mce President &
Q Group cnecus;,,
&N optI* to "05000395/LER-1985-022, :on 850824,reactor Trip Occurred on Steam Generator a lo-lo Level.Caused by Requirement to Maintain Min Values of Feedwater Flow & Temp During Startup.[[system" contains a listed "[" character as part of the property label and has therefore been classified as invalid. & Condensate Sys Evaluation Program Initiated|letter dated September 16, 1985]] from Mr.
O. W. Dixon, Jr.,
Vice President Nucleat Operations, SCE&G, to Mr. Harold R.
Denton, Director,
((M ((j Office of Nuclear Reactor Regulation Page 1 of.17
1
,:s.
4 Et. CLOSURE 1 SUMNER STATION SITE VISIT SUN!ARY We conducted an audit drawing review and site visit at the Summer Nuclear Station to assure that the installation of safety related electrical and instrumentation system and equiprent were implenented in accordance with the design described in This review followed the format of Appendix 7-B the Final Safety Analysis P.eport.
The review also included the control features related to the operation of the SRP.
We also of the auxiliary feedvater system and the rain steam relief capat'ility.
discussed the open items in the draf t ICSB s,afety evaluation report input for the Cased nn our review of the centrol and protection system for the Summer Station.
auxiliary feedwater systen, we conclude that the applicant should address several Our concerns and implenent appropriate rodifi, ations to resolve these concerns.
c positions with regard to these concerns are as follows:
A.
Auxiliary Feedwater System 4
During the review of the Auxiliary Feedwater (AFW) System, we noted a numb 6r of concerns related to the control and protection aspects of the system design.
The following discussion of the design of the AFW system is orovided to clarify The two these concerns. Figure 1 is a simplified schenatic of the AFil system.
notor driven feed pumps (1 DFPs) supply a comon header with a scparate feed to The turbine driven feed puep (TCFP), likewise, supplies each steam generator.
a header, with a separate feed to each steam generator. A control valve is provided in each of the two separate feeds to each steam generator (e.g., IFV-3536 and 3531 for steam generator "A" in Figure 1). The control valves fulfill two safety functions. The first is to pemit manual control of auxiliary feed-water flow to maintain the desired steam generator level for safe shutdown.
The second is to remit nanual isolation of a steam generator on feed-water /
steam line breaks to protect the containnent fron over pressurization and to assure an adequate supply of auxiliary feedwater for the remaining steam generators for safe shutdown.
The air operated control valves are supplied air from the control-grade instruren-air system and fail open on the loss of instrucent air. Thus, on a loss of the non-safety instrunent air system, the safety function to regulate AFW flow can on be accomplished via local operation of the handwheels on the control valves or by cycling the MDFP and throttling the TOFP speed. With instrument air available, the regulation of AFV flow is dependent upon the availablility of electrical powe Page 2 of 17 i
i
~ b
T3 ATuC5 Petit 8
- f,. _ _ _w*4e I
yn_
M044 LICEND g
l Tuas mAfga i
i i,.P
,,EA,
'I' F.O.. F AIL OPEW "g
l
[ 3034 FC F All CLOSE3 3 38 1
I LO. LOCRf D OP EN h0V. MOTOR OPtR A1 ED VALVt leC - NORM ALLY CLC5f D g,
.. ST ATUS WDiCATton ON $151 CRT
- F0 H'20 I
10 Ht A0E R "C' TO MtactR'8*
l 3
4 0
TO NE ADER 'A' j
I l
g
)%FC
)%FC Q FC 6 p.A
..,,te i..
. 0,4a j.C
.,,0,.
FC
( _F C 3
l___J i _F C__j g
I g
--d ae2n -'
3 l
g ze2A r-
- P. A I
a7 37..
3 i
i
._.___s.__________,____
$ TEAM CENERATOR C STI AW CENERATOR 3 Sitad CthtRATORA L
103M 10393 10294 C
CONTaihath?
IMBC 1034A
,10386
~ _ _ _
a FC 9000C FC 10M4 FC 10093 LO LO LO LO LO LO 102CA 1C99A 102C6 10199 IC20C 1019C IFV F.C.
F0 F.C.
F.O.
F.C.
F.C.
33M 3531 2546 3541 1556 3551 LO LO LO LO LO LO i
- 1016A 1017A 10188 10175 1918C 10l?C o
LO LO i
LO 10218 teu la21A 1015e ClaA 10t4 C
LO gg3g
- gggy, 1M3A LO C2d TotFP 8
uctFP IMSS m RPP2tt 5A IPP21 A
- gpp, LO 10128
{1034A 1013A s,,0,..
- woV(NC) 5 100la 10llA
,.a 9u
.gcn r
300,.
M woV(NQ ll22A
- 1014 1002 r
3 1 e movi=Q 10as
. LO 1012 s
.,go,.0vi a
.. to
.,go,.0<~a iw icie i0rA
/N e
/\\
R6vEi n.
C.5 T.
..A iiR...C0 a
FIGURE l LF1 FL041CHEMATIC Page 3 of 17
, s..
to the valve controls. As in the case of loss of air, the control valves fail open on the loss of electrical power to the control systen. The control valves fed by the MDFPs are supplied power from a power source which is independent of the power source used to supply power to the control valves fed by the TDFP. Thus, a loss of an electrical power source would only prevent the capability to regulate ATW flow fron one of the two sources of AFW. The power source dependence for the autoratic initiation of the AFW system is such that a loss of an electrical power source sculd not prevent starting of the TDFP or one of the two PDFPs.
Therefore, a loss of an electrical power source which could cause the control valves, associated with either the F.0 fps or TDFP, to fail open, should not present a situation in which the safety function to regulate AFl! flow cannot For this event, termination of flow to the failed open control be maintained.
valves would require that the purp(s) associated with that water source be tripped. This capability exists for. the i'DFPs. For the TDFP, this capability The TDFP is started by opening valve IFV-2030, see is not straight fonvard.
This valve is centro 11ed by redundant de power sources, the failure Figure 1.
of either one cause the TDFP to start..These sane power sources are used as the two power sources which would cause one or the other sets of control valves to fail cpen. Thus, the only reans available to termin'te stean flow
' to the TDFP would be the closure of the isolation valves fror the two steap generators that feed the TDFP steam supply header. There are valves 2802A ~
and 2302B in Figure 1 and operate from separate essential 480 volt buses.
- With respect to the safety function of the AFW centrol valves to pemit isolation of a steam cenerator for feedwater/stean line breaks, a single channel systen is nrovided to autoratically close the AFW control valves en high AFW flow to a stear generator. Since this autonatic isolation does not satisfy the requirerents to be classified as a safety related system, i.e., it does not satisfy the single failure criterion, ranual isolation of the steam generators is the neans by which this safety function is acconplished. Nevertheless, the autonatic isolation features are a systen irportant to safety even though these do not satisfy all the requirerents of a safety-grade protection system. Fiqure 2 is the P81 drawing of the AFW system. The control valves fed from the PDFP header are closed on high flow that is ceasured by a flow elenent located down stream of the control valves (FE-3531 for steam gercrator A in Figure 2).
Page 4 of 17 I
i
)
1 i
i, i
io i
i
+
I
+
1 i
x
...W. ' ' N...-S y., s.
g.....................
r..J.*l... ! g<? h t [ht,,p.,.W'?
.s
.. n.n - -
Mb eh
.,r%,
b 4;.
c.!.
x u.m
., s.
-as t."h :
d I
r
~
- n. -- o e d.w,A.y " EiYA
'h
-4_.
\\..w. k.
y.
P
+g,. mq -
.e ~,--- @,-
9 sm s%.t...
b..
a.
T.T m $.
..s ~.
j ;*
g --
g ?.14_$.. w' -f h W-f
.:e.
W, " "@y2"" ' j p :-;s? +rd--
&d rK"
, c.
M',
a
, - - e r
S'c 13,- -Sl:
3 s.>...
e3.
eu e m. % r..
1;._
e.
a.--,.
- s. '..
.,, ~,
g t,
- e. k,,,,
- v.
Q T*'\\
6 e
- \\.J
- u. '
@ !, n,............... - - -.r'v..A.in,,' "_
c sr.
m....
- e
,S#
- - -O q) f **
V a.
r
.. ).s a :.-.m
-c" o e W ! c.l Ao b,~ _.
i a "-
- +y_ sr-A s
v,, Twil-
,- w,s-
.m n.
.w. e. : -- --~ &g A.
r.
e
=.w -
w.,, 1 v & w'.,.s_q,-*..
p3,e ;.,..
- c... ;
44 1,, 45 i.
--' ", 'f
-\\ 6N c.
+..
. c.
i
.. e m s. -,
\\ ar..*
n 3-_
.2.%.,.+u.2 n y
u A
,u ;
~ -
- .2..,.,<%.,,
+.........
i e -
m, e _ o. -
m
.w.,
. 1/_.o,
- u e'g-m.-
_.3. ;.wt.,.
Ehr..
- p. g. 4,
, u.. o
+9 3...
.o...,
-- y, s
. _..e....
,I
,_-=_9 u..
g(. _
m; yg,-- "-,
.g-y,:.
.g" g 3.;
Yli Ya gg.g f
r.
I.#.tr h
.,..e c"
i'
,- g
,r.
r,,. :
4.e.,
.. =..
@-@,..q?t,)=1*@!!_ h.....,,..
.'..'_~s~~-..'__J
+/.
C 3
m.. s
- i
. lJ.jh: #- 'g.-f,..r p
L y
6.. """ P&--EL " " " ' "
v.
.?
g tT ha%.a.-
v:q ;-- q; -.
- z. &
.g..
p. w
. w/>._.
x.
.a _.
+
Mir,r 4.y_
...-- s"t
...m
. A..
..,.w.7
- w t..
Q*.
---s.
1 I
l
.m'"ce=.u t t 4
2 Si,. 2 6
A
.. '. :- '** ',;ro
,-e.- >-- fp
-
- W -n.p- -) c
.u
,-/n*' \\ J.
-c 4.&
6 s
1, -.
s -,
n,.,
1 x
.g.'
g
_ ra a
- im mes
- 3.. q.,,
y"* Mr % :'.;s.o.,
~....
W-s1i.' a~._ /.-o --t,y. ur:1.,d.(c.'u"'t:I
- C*
d se. v -
- V w, u
g Y
i[i- @ O 5"
.o ra:
gE" D iN g
..g..
f'*
k'
- &f T
n :-%, f' 'I~
13 I#.
.w*%n lI* h~, a.....
c D
c % f(f., <~ : g,S- [~
.........v.,
-.p
<c.u
,Finr-.
s o a=o.
N
~
t 3@
r-
'- - E
'IO:r!.*
- h/N
- 'e.'m.!
- * %, t,i,.",d.W.....u..o.. s.c n (D
i...
.,m
.,a 9
u s - r.... " -
n I
EE l'~l b.V b
~
OCTOBE g.-...-.......e
,,e
<w -
=
& '* 'W " ' ' ' " " "
t
,...,p 1,
Page 5 of 17
_3 The control valves fed from the TDFP header are closed on high flow that is measured by a flow element located in the feed line to each stean generator (FE-3561 for steam generator A in Figure 2). A time delay is included in the isolation circuits such the high flow condition must exist for 30 seconds before isolation is initiated. The set points for isolation on high flow are 600 gpm In for the PDFP supply and 700 gpm for the total flow to the steam generator.
addition, a separate high flow alann is provided for each flow neasurement which is set at 50 gpm above the isolation set points. The autoratic isolation signal for the control valves actuates a three-way solenoid valve that connects anThis accunulator air supply to the valve diaphram to close the control valve.
The air accurulator is provided to assure the arrangement is shown in Figure 3.
availability of an air supply to close the valve, since the nomal air supply is from the non-safety grade instrument air system.
As previously noted, the electrical power for the two control. valves for each steam generator are provided from separate power sources. Thus, from a single failure view point, at least one of the two control valves would'be autonatically closed on a high flw con-di tio n.
For this event, termination of flow to a faulted steam generator would This require that the purp(s) associated with the other water source be tripped.
capability was discussed above.
During norral plant operation, the AFW control valves are raintained in the open position. The AFW system is used during plant startup until the main feedwater system is placed in operation. Two means are provided to assure that the AFW control valves are open on automatic initiation of the AFW The first consist of an alarm which tells the operator that the AFW sys tem.
control valves are not in the open position. As an additional precaution that this alarm will not be acknowledged and subsequently ignored, the alam in-corporates a reflash circuit that will reactivate the alarm once every hour.
These features are further enhanced in that the reflash circuits and the annunicator windows are powered from essential de power sources. The second means to assure that the valves are open is provided by using one of the two automatic AFW initiation output logic channels to provide a signal to open the control valves. This signal deenergizes the modulating solenoid valve, see Figure 3, and vents air from the valve diaphram causing the valve to The modulating solenoid is controlled by a 3-position selector switch open.
Page 6 of 17
(ig c.a.
[
VOLUME TAM 6 (FOR LOCATioM; FO O.
& SOPPORT SEE DWC1. B.80c).465 gg S
C ""J t MOM o uy4K-w
-l 4,.NPT 20 6 N ctgcm,;cgL 5;,nggfggg.
3
,3 o 1
]}"
[
h '
To m--ma m m ; ween l
CoMM.
S L^LONO!O%
[
/
1"o o l
+ PIPE w Aldo'ed.
Qufe' E <
(
V SM40t D h
G
~,
t
~
V#' d5 3,
1., M PT 5j NPrhl 5
2 N
i i
i 7
A coMM.
\\-f. PIPE
}
)OL/k%Od t
COMM.
5 CO L&J O 6 0 I
--5 MPT COMN.
i 3
VAvg
- z. N pr hi (TYP.
PLACE) i t
CON I
,f'
,f' "O.O.TO B E hg M
/h 'cp [T
- w
'.4 i.!
P i!
Roeit 1"o.O.TOBE >< '
j' s
ri y x.Sl c
1Six IGlx__
FOR TAG NO.
y.gg
~
~
i
.t.
E
-REGOLATOR(FORMISHED W/ VALVE)
FO R TAG MO.i 8
SET AT SS PSIG SEE CHART ii WOTES:
i -
E l..FOR PIPE M ATERI AL SHOWM oM THIS DWG, i
k REFER To PIPIMG SPECIFICATioM SP SSF44Gi-oo l'
7 LINE SPEC. PIPE 15 x TOBE 161x.
w I
m a
i m
4 i
o C-REFEREMCES.
l 4
w I i9 TOBE FITTiMG B/M RKf 5 S,
L f')
TU B E B/M RKf4 VALVE B/M RKf 90.
g O 3o2-085 EMERGENCY PEEDWATER(NOCI EAR) Flow D,lAGRAM.
~"
~^
~ ~ ~~~~
The switch positions are manual, auto, and on the main control board.
In the manual position, the nodulating solenoid valve is energized.
reset.
For this node of operation, the control valve position is controlled by a manual loading station on the control board.
In the auto position, the Since the r.odulating solenoid is deenergized and the control valve is open.
automatic initiation of the AFW system provides a signal to open the cor. trol valves, the reset position of the selector switch is needed to permit the nodulating solenoid to be reenergized following auto initiation such that manual control of AFW flow can be obtained.
ased on our review of this system, the following concerns and positionshave o
been identified.
The capabilty to manually isolate a steam generator for a feedwater/ steam 1.
line break is a safety function of the systen which in the short term should not rely upon ranual closure of the control valves using their local handwheels nor rely upon the availability of instrument air fron,
the ncn-safety class instrument air system. Further, the autonatic fea-tures which isolate the steam generators on high flew do not satisfy the recuirerent of a safety grade protection system to fulfill this safety function. While the autenatic closure of the control valves incorporates an accunulator to assure the availability of air source to effect closure, the reans by which the plant operator can close the valve is only by using r.anual loading station to position the valve to the closed limit and this is dependent upon the availability of the non-safety related instrument air systen.
Position 1:
The nanual closure capability for the AFW control valves should be modified to permit manual actuation of isolation solenoid valve from the control room to ef fect valve closure with a safety related air source.
The accumulator for the closure of the AFW control valve is isolated from the non-safety related instrument air system by a check valve (See Figure 3). The opera-tion of this check valve is essential for the availability of the air source to effect valve closure.
Page 8 of 17 4
w
~. Position 2:
The accumulator air system for the AFW control valves should be-modified to permit periodic testing of the operability of the accunulator system. The technical specification should include surveillance requirenents for the accumulator system and the operability of the manual valve closure canability of the control valves on a schedule consistent with that used for safety related valves.
The automatic features for isolation of the steam generator on high flow is a system important to the safety even though it does not satisfy all of the The design of this system requirenents of a safety related protection system.
does not provide the operator with any indication that a high f10.4 trip con-dition has occurred other than would be provided by the f act that the valve position lights would indicate that the control valve is closed.
Position 3:
L The automatic features for isolation of the steam generator should be modified to provide indication that control valve closure has been initiated on a high flow condition. This indication should be pro '
vided separately for each control valve, i.e., each isolation circuit.
The automatic features for isolation of the steam generators on high flow include The means used to ef fect a re-the provision to manually reset the trip circuit.
set is the selector switch which is used to reset the opening of the control vals Since the latter is a norral follow up on auto initiation of the AFW system.
action on initiation of the AFW system, care rust be taken by the operator inordt that this sace action is not taken to reset an automatic isolation of a steam generator on high flow.
Position 4:
The reset of the autoratic features for isolation of the steam generator on high flow should be modified so that it is inde-pendent of the reset to provide manual control of the AFW control valves following automatic AFW initiation. This modification need not include a separat2 reset for each valve so long as a separate reset is provided for the separate "A" and "B" logic circuits for all control valves.
The control of AFM flow is a feature which is provided at the reaote shutdown However, the autoratic AFW initiation circuit, which overrides the panels.
throttling control capability and opens the control valves, cannot be reset from the remote shutdown panels. Since auto initiation can be initiated on low steam generator level, the potential exist that this may occur.
9 Page 9 of 17
. Position 5:
The capability should be provided to permit a reset of auto initiation of the AFW system from the remote shutdown panels such that subsequent control of AFW flow can be achieved from this location.
The high flow alares associated with the detection of fe These alarms should function to alert the operator of of the AFV control valves.
As such conditions which are indicative of the potential existence line breaks.
they should have a setting which is indicative of an abnorpal amount of flov.' to.
the stean generator.
Position 6:
The set point for alarms actuated on high AFW flow should be icwered to a value which is indicative of an abnorral condition and should not be set at a value which exceeds that for which automatic action is taken. P.evised settings and their basis i
should be established and provided for our review.
With reguard to the capability to terminate AFW flow to a steam generatorrfor "l'a nual feedwater/ steam line breaks, the response to Question 211.59 states:
controls are provided in the control room for start and stop of the emergency feedwater pumps and for the control valves associated with the erergency feedwater The reans for detecting the faulted steam generator and isolating system.
energency feedwater to it recuires only the use of safety grede eouipment availab e following the break". Position 1 above addresses the deficiencies in the design of the control valves to satisfy this connitment. The design of the turbine The closure of driven feed pump controls also do not satisfy this cor.mitment.
the steam supply value for the turbine driven pump (IFY-2030 on Figure 1) is dependent on the availability of air from the non-safety related instrument air In addition, the redundant logic channels that control the operation system.
of this valve require the availability of electrical power to each channel to ef fect valve closure. A single failure, i.e., loss of a bus, which could prevent the capability to close the control valves to terminate AFW flow to a steam generator from the T0FP header, also fails open the valve for the TDFP steam supply. This precludes the capability to stcp the TDFP as a. eans to T
terminating flow to a faulted steam generator.
6 i
Page 10 of 17 i
L t
)
As' noted earlier in the discussion above, the isolatinn valves from the two steam generators that feed the TDFP steam supply header may afford a ceans to terninate steam flow to the TDFP. We do not find that this provides an acceptable alternative fcr the following reasons:
- 1) It is contrary to the commitment nade in response to Q 211.59.
- 2) The control circuits for isclating tre stean generators from the TDFP steam supply header are physically routed in two separation divisions, one of which is connon to tiose circuits which are the scurce of the problem (i.e., valves 25023 and IFV-3536, 3546, and 3556 are all in the same separation division).
- 3) The design of the controls for the TDFP steam supply value (IFV-2030) do not conforr. to the principles for design given in GDC-23 with respect to being able to stop the p ump.
L.
Position 7:
The design of the TDFP stean supply valve should be modified to perrit closure independent of the non-safety related instrurent air system.
If an air accuculator is used to satisfy this recuirerent, it should satisfy Positions 1 and 2 above. The control circuits for the valve should be rodified to assure that any single f ailure which could lead to conditions for which the safety function to close the valve ray be required, that failure shall nut preclude the capability to close the valve from the control roon. The design nodification shall satisfy the require-nents of GDC-23 with reguard to the capability to fulfilling the safety function to terrinate flow to a faulted steam generator.
The capability is provided at the renote shutdown panels to operate one of the two pilot solenoid valves that are associated with the redundant pro-tection syster channels for initiating the operation of the TDrP. He nce, if an automatic start condition had occurred, such action could not be everriden by the control systen capability available from the renote shut down nanel. The transfer switches for this control are irplerented in a ranner that the automatic start features, for this channel, are bypassed when the control is transferred to the remote shutdesn panel. There does not appear to be any basis for bypassing the automatic start feature for the TDFP, recogrizing that this control feature is only irplenented for one of the two channels of the controls for this valve. Further, the transfer schene for this control from the renote shutdown panel prevides Page 11 of 17
~
a separate fused power source for the centrol of the valve. Since power is recuired to stop the,TDFP with this control, the basis for havino the availability of a separate power source appears to be roct in that power nust be applied to both of the redundant pilot solenoid values in order to stop the TDFP and as previously noted only one channel can be 1:e can only cenclude that centro 11ed from the remete shutdown panel.
the design basis for the AFW system in general and its control capability from both the centrol roon and the remote shut down panel have not been established and implemented in a consistent and logical manner.
Position 8:
The design basis for the manual and autonatic control features of the AFW systen should be established and a discussion of the design of tFose features should be provided vhich confirms that the desien hasis has been satisfied. The design basis should clearly defire the safety related functional requirenents of the the AFW systen in centrast to those features which ray be desirable, The autoratic however, are not relied upon in the safety analysis.
features provide to isolate a steam generator on feedwater/ steam line breaks is an exarple of those which fall into the latter category.
t To the extent that the design basis is defined in Section 10.4.9.1 of the FSAR, it ray be referenced in the response. The design basis should address all manual actions required in order for the AFl! system to fulfill its safety functions and time limitation irgosed consistent The design with the plant safety analysis for completir.g such actions.
basis sSculd address the use of the AFW system in plant safety analysis for events under which it is controlled automatically, ranually fran the control room and by local manual control from the remote shutdo.vn panel.
g Steam Generator Atocspheric Relief Valves An atmospheric relief valve is provided on the main steam line for each steam Interlocks generator and is located upstream of the main stean stoo valves.
are provided in these valves, as well as all other stear durp valves, which prevent these valves from being opened. The protective action of these interlochs is provided to orevent over cooling which cculd result from failures within the control systen for these valves. The interlocks operates such that en deerergization of either or both of two redundant pilot solenoid valves, air is vented from the valve actuator and the valve cannot be opened. Thus, a single. failure in either of the protection system interlock channels, such as the loss of an instrurent bus, removes the capability to control stean generator l
I Page 12 of 17 i
T
' l In this event the stean generator safety pressure by the control system.
valves perform the safety function to pemit hot shutdovn conditions to be For cold shutdown, the handwheels on the atmspheric relief maintained.
valves permit a means by which steam generator pressure can be controlled for systen cooldown. General Design Criterion 23 addresses the failure riodes of the protection system in that they shall be designed to fail 4
into a safe state er into a state demonstrated to be acceptable on some other defined desien basis if conditions such as disconnection of the systen, loss of energy (e.g., electrical power, instruaent air) or post-ulated adverse envircnrent (e.g., extreme beat or cold, fire, pressure, steam, water, and radiation) are experienced. The failure modes of the design of the interlock satisfy this criteria from the standpoint of the safety function to prevent over cooling, however, it disregards the importance to safety of raintaining, the operational capability of the While it is recognized atmospheric relief valves to ef fect safe shutdown.
that the design of the controls for the atrospheric relief valves do not satisfy safety grade requirements, the associated interlocks, unnecessarily further reduces the availability of this system to effect safe shutdown.
In discussions of this concern with the applicant, he has indicated that the failure rode is dictated by the fact that the pilot solenoids cannot be -
qualified to operate in P.rsh environrents. In view of the fact that sore of the pilot solenoid valves involved with the auxiliary feedwater system as-discussed in "A" abcve, operate in an energized state to perfom their safety function and are subject to similar harsh environmental conditions leads us to conclude that such argunents in this regard are invalid.
Position 9:
The interlocks for the atmospheric relief valves should be codified such that a single failure in either protection system channel shall not preclude their availability for being used to effect safe shutdown.
Page 13 of 17
1
.~
h 10 -
Potential Design Deficiencies in Eypass, Override, and Reset Circuits C.
of Engineered Safety Features 13, 1980, the Office of Inspection and Enforcement issued Bulletin On March 80-06, " Engineered Safety Feature (ESF) Reset Controls", to address the concern that the use of reset pushbuttons alone could remit certain engineered safety feature conponer.ts to revert to the nomal state following safety system actuation. On F.ay 14,1980, we requested South Carolina Electric and Gas Both the Conpany to provide additicnal information related to this subject.
80-06 Bulletin and cur Pay 14, 1960 letter require that upon reset of an engineered safety feature actuation signal; all associated safety-related A design review at the equipnent should remain in its emergency riode.
scheratic diagran level was requested and Bulletin 80-06 further required confirr'atory testing of all engineered safety feature reset actions.
During the site visit, we performed an audit review on the canual override on control room ventilation isolation circuits. We noted that a manual switch can bypass both the radiation and the~ safety injection signals. This design is 14, 1980 letter. We noted not in confornance with the Criterion No.1 of our May that the applicant's response to Criterion !!o.1 is not valid for this circuit due to an apparent limited scope of review using this criterion. Ve request that the applicant review all engineered safety features control circuits with respect u deficiencies in bypass, override and reset of ESF actions. Any deviation from this criterion should be justified. We further request that a test be c6nducted to confirm the conclusion of this review as was required for operating plants by Bul etin 80-06.
D.
Discrepancy Fetween FSAR and the As-Cuilt Schenatic During our audit drawing review, we noted that in several cases the FSAR description or figure does not reflect the changes nade in the latest as-built schenatic diagrans. For exanple, the functional diagram figure 7.2-1, Sheet 8 does not shoyn' the current design of containrent isolation on high radiation. The FSAR should be updated to reflect the design changes that have subsequently been nade.
E.
Safety Evaluation Report - Open Items The draf t ICSB safety evaluation report input for the Surrer Nuclear Station was discussed. Ve indicated that the following items are still open. The applicant should provide additional infornation to pemit resolution of those items.
l Page 14 of 17 l
1.
Trip Setpoint and Margins A docunent to discuss in detail of the methodology used in detemining the setpoints and setpoint allowances (drift and calibration error) for RPS and ESF instrucentation should be submitted for our review. We will address the final resolution in the Technical Specification review stage.
2.
Field Audit for Separation of Electrical Equipment and Systems The results of the applicant's field audit should be submitted with a discussion of any corrective action taken and the need for further action if significant deficiencies are revealed in the audit process.
3.
Failure l' odes and Ef fects Analysis (Ff'EA) Interf ace Requirements The FSAR should address the compliance of Sunner Station design to interface requirenents in Westinghouse Topical Report WCAP-8584.
This report is referenced in the FSAR as the basis for satisfying the requirer.ent for the Failure !' odes and Ef fccts Analysis.
4 4.
IE Eulletin 79-27, Loss of Hon-Class IE Instrumentation and Control ~
Power Systen Bus During Operation Ve have not ccTpleted our review of the applicant's response dated October 31, 1980 to this hulletin. However, during our plant tour, we noticed that scoe of the alarr.s indicating a 1 css of a power source are anbiguous, e.g., (a) combined alarns on loss of Inverter 1, 2, and 7.
(b) loss of power on bus due to an open supply breaher is not alamed.
We expect to provide further conrents in the near future.
5.
Rer.ote Shutdovn Panel f*odifications l
(a) Final design documentation on remote shutdown panel rodification should be submitted for our review.
(b) During our audit drawing review, we noted that the pcwer source for control circuits operated from the renote shutdown panel are not totally independent from the power sources for centrol circuits operated from the nain control board.
In sene circuits the power feed is from the same fuse or circuit breaker used for both the remote shutdcun panel and the nain control board. We expect the final design will correct this descripancy, such tFat a fire in either the control room or spreading rooms will not jeopardize operation of the alternate shutdown capability from the remote shutdown panels. This requirement was stated in the fire protection j
safety evaluation report input prepared by the Chenical Enginccring j
Branch.
I Page 15 of 17
{
I
1
.12 -
6.
Post Accident l'on'itoring Instruments j
This is an open item which will' be resolved in part by the epplicant's response to !!UREG-0737. Further clarification will also F? rcvided by the issuance of Regulatory Guide 1.97, Cevision 2.
I&E Concerns on Separation Renuirements for Class IE Redundant Instrumentation F.
Cables Internal to the Process instrueents and Centrol Cabinets The applicant will provide a response to I&E on their iten 395/80-2-02 which addresses this subject. We request that a copy of this response be forwarded for our information.
6 Page 16 of 17 1
r
.c
, ypt :p Et1 CLOSURE 2 SUlttARY SITE VISIT (t10VEMBER 12, 13, 14, 1980)
LIST OF ATTEt! DEES IIRC Thonas Dunning Amira Gill Om Chopra Hulbert Li Jack Skolds (Resident Inspector - part time)
South Carolina Electric and Gas Company Ronald Clary Andy Wactor Ken Woodward C. A. Price
?!ancy Clark Gary Moffatt Al Koon Steve Cunningham Janes LaEorde Al Alvarez Page 17 of 17 4.'..
/w -