Rev 1 to Proposed Amend 152 to License DPR-54,clarifying Limiting Conditions of Operation & Surveillance Requirements for Emergency Feedwater Initiation & Control Sys.Description of Proposed Changes & Safety Analysis Encl

ML20205H690
Person / Time
Site:	Rancho Seco
Issue date:	03/26/1987
From:	Julie Ward SACRAMENTO MUNICIPAL UTILITY DISTRICT
To:	Miraglia F Office of Nuclear Reactor Regulation
Shared Package
ML20205H694	List: ML20205H690 ML20205H758
References
JEW-87-351, TAC-64359, NUDOCS 8704010133
Download: ML20205H690 (42)
v • d • e

Text

g)SMU-SACRAMENTO MUNICIPAL UTIUTY DISTRICT C P. O. Box 15830, Sacramento CA 95852-1830,(916) 452-3211 AN ELECTRIC SYSTEM SERVING THE HEART OF CALIFORNIA NAR 2 61987 JEW 87-351 Director of Nuclear Reactor Regulation Attn: Frank J. Miraglia, Jr.

Division of PWR Licensing-B U. S. Nuclear Regulatory Commission Washington, D. C. 20555 Docket No. 50-312 Rancho Seco Nuclear Generating Station

, License No. DPR-54 PROPOSED AMENDMENT NO. 152, REVISION 1

Dear Mr. Miraglia:

By letter dated December 5, 1986, the District submitted to the Commission Proposed Amendment No. 152 to permit the operation of the Emergency Feedwater Initiation and Control (EFIC) system.

Revision 1 to Proposed Amendment No. 152 clarifies the limiting conditions of operation (LCOs) and surveillance requirements for the EFIC time delay modules and the backup instrument air bottle supply systems for operating certain valves. In response to a verbal request by the NRC assistant project manager, the requirements for conducting the monthly test of the auxiliary feedwater pumps and valves in accordance with the inservice inspection program are also clarified.

Because the EFIC time delay modules and the use of backup instrument air bottle supply systems for operating certain valves were described in the December 5, 1986, submittal, the District is clarifying the proposed technical specifications for only these portions of the EFIC system.

Enclosure 1 is the Description of Proposed Changes, Associated Safety Analysis and the "No Significant Hazards Evaluation." Enclosure 2 is the proposed Technical Specifications, resubmitted in their entirety. The conclusions of the previous "No Significant Hazards Evaluation" have not been altered by these clarifications to the proposed Technical Specifications. Enclosures 3, 4, and 5 of the December 5, 1986, letter have not changed and are still applicable.

8704010133 870326 PDR ADOCK 05000312 0 h P PDR RANCHO SECO NUCLEAR GENERATING STATION O 14440 Twin Cities Road, Herald, CA 95638-9799;(209) 333 2935

F. Miraglia, Jr. JEW 87-351 Pursuant to 10 CFR 50.91(b)(1), the Radiological Health Branch of the California State Department of Health Services has been informed of this proposed amendment by mailed copy of this submittal.

Because this is a revision to Proposed Amendment No.152, no additional license fee is required.

If you have any questions concerning this submittal, please contact Mr. Ron Colombo at (209) 452-3211, extension 4236.

Sincerely, John . Ward eputy General Manager, Nuclear Attachments cc: Region V (2)

MIPC (2)

INPO Sworn to and subscribed before me this bb day of March, 1987.

OUR O Notary Public 7"MN6 i DAWN DARUi!G NOTARYPU3UO CAUTOMtA

?- ShCfW!DGO CCUNTY

$E My Comm b;/ues Jen. I?,1990 vmem

~~

ENCbSURE1 Description of Proposed Changes, Associated Safety Analysis,.'and "No Significant Hazards Evaluation".

D =

1 4

i i

1 i

1

., . - .. . . . .. . ,.,..y._ ~_ - .. . r _. . .,..

[.

---

DescCigtiggi _1.

Proposed Amendment No. 152 incorporates changes to the Rancho Seco Technical Specifications required because of modifications to the auxiliary feedwater system and the addition of EFIC (See ECN A-54i5). The purpose of'EFIC is to perform specific safety related primary protective functions in response to various plant conditions. It is a logic, control and elect'ical r switching system designed to provide the following:

l. Initiation of auxiliary feedwater (AFW),

2. Control of AFW flow to maintain steam generator level at appropriate setpoints, .

3. Steam Generator level rate increase control when required to minimize overcooling,

4. Isolation of the main feedwater lines of a depressurized steam generator,

5. The selection of AFW flow to the appropriate steam generator (s) under conditions of steamline break, main feedwater or emergency feedwater line break downstream of the last check valve.

6. Control the Atmospheric Dump Valves (ADVs) independent of ICS or other safety grade control. Control should minimize challenges to the main steam safety valves, and allow l cooldown to be controlled from the main control room or the Appendix "R" shutdown area.

EFIC is a four channel, safety grade, seismic Class 1 AFW initiation and control system. The design basis for EFIC is discussed in the Design Basis Report'for ECN A-5415. EFIC installation affects the Main Steam System (MSS), Feedwater System (FWS), Auxiliary Feedwater System (AFWS), Reactor Protection System (RPS), Safety Features Actuation System (SFAS), Control Room Panels (HISS, HlRC, H2YS, H2PS, and H2SF), Safe Shutdown Panel (H2SD), Integrated Control System (ICS), Interim Data Acquisition and Display System (IDADS), and Safety Parameter Display System (SPDS).

Reasgg igt Changel Several significant transients at nuclear power plants with Babcock & Wilcox supplied NSSS which occurred during the 1970s were caused by inappropriate, post reactor trip, steam generator feedwater and/or steam pressure control. Reactor Coolant System

.overcoolings at Rancho Seco and Crystal River 3, undercoolings at Davis-Besse and TMI-2, and others were investigated by the NRC in the spring of 1980. The transients and suggested plant alterations are summarined in NUREG 0667, " Transient Response of B&W Designed Reactors." In the summer 1980 following issuance of NUREG 0667, and in between TMI Short-Term lessons learned (NUREG 0578) and the clarification of TMI Action Plan Requirements (NUREG O~737 ) SMUD agreed in discussions with the NRC to install "EFIC" ene to oporado 6 m AFW system t. o substentially comaly witn thre

w c .. a , .

NRC: " Standard Review Plan" for auxiliary Feedwater Systems; (NUREGL0800, Section 10i.4.9). ___ __

~ A conceptual design _for EFIC and_its related plant modifications was submitted-in draft form to the NRC in October of 1980. and a preliminary Saf ety Evaluation Report based on a ~

point by point comparison with SRP 10.4.9 was received from the NRC in January'1981. The_ salient features of the design at that time were to provide: .

• Assured redundant availability of automatically initiated AFW~

for all AFW design basis events.

• Redundant saf ety grade control. of AFW to . assure suf ficient but not excessive AFW~ flow.

• Isolation of Main Feedwater (MFW) and AFW to prevent continued feeding of a Steam Line~ Break (SLB) inside contai nnient.

• Failsafe control of ADVs to prevent "mid-range" failure on loss of control power and to' prevent common mode' failure-which would open ADVs on both main steam lines.

Following the District's initial commitment to install the EFIC changes, features of~the design were found to accommodate the licensing requirements of NUREG 0737 II.E.1.1, II.E.1.2, and II.K.2.10 (AFW reliability, safety grade AFW initiate, and Anticipatory; Reactor trip loss of MFW), and portions of Reg Guide 1.97 (Class 1 Steam Generator level and pressure indication).

Eyaluattgg'and Basts tot Safety Elgdtagst The District has reviewed this modification in accordance with 10 CFR 50.59 and determined that it is not an unreviewed safety question, but requires changes to the Rancho Seco Technical Specifications. These include revisions to the limiting conditions for operation and surveillance standards to incorporate EFIC and AFW system upgrades. EFIC will require changes to the descriptions in chapters 6, 7, 8, and 10 of the USAR. Installing EFIC does not change the analysis in Chapter 14 but provides additional margins because EFIC is a fully Class 1 Control and Initiation System and therefore, more reliabic system. An example of this-increase in margin is the steam line break analysis which relies on the main steam failure logic (MSFL) to isolate MFW f ro<n the steam generator. EFIC replaces the non safety grade MSFL with a safety grade system that isolates MFW and AFW to a depressurized steam generator.

The EFIC Auxilicr3 Feedwater System Description and the Design Basis Report for EFIC provide a descriptton of the channes being made.

e

.. -4.m..,.. . . ~ , .  ;

4 The NRC has reviewed the District's proposed Auxiliary Feedwater Sys_ tem opgrade (which' includes EFIC) and the NRC's-evaluation -

concluded in their April 7, 1983 and September 26, 1983 SERs that -

"The proposed AFWS upg~rade represents a considerable-and acceptable improvement over the existing design." The SER further stated "We therefore conclude that, until a staff position is developed regarding the need for further modifications to improve AFWS reliability, operation of Rancho Seco, with the proposed epgraded AFWS design,.is acceptable."

The District has modified the EFIC design to incorporate " lessons learned" from Crystal River 3 and ANO 1 without changing the basic

~

functional goal to provide a highly reliable AFW system.

The failure modes for EFIC are discussed in the DBR for ECN A-5415 and Casualty Events are discussed in Section 6.0 of the EFIC System Description. The failure or casualty events discussed in the EFIC System Description include a discussion of the recovery procedures and design features to mitigate the effects of the assumed event. The failures discussed include Loss of Main Feedwater (LMFW), LMFW with loss of offsite power, LMFW with loss of all AC (onsite and offsite), plant cooldown, turbine trip with and without bypass, main feed line break, main steam line break (MSLB) and AFW line break, small break LOCA, and fire inside and outside the control room. The failure modes d.iscussion in the DBR also includes a discussion of AFW valve failure, failure of fiberoptic cables between channels, failure of RPS inputs to EFIC, failure of SFAS input to EFIC, failure of EFIC trip interface equipment, power sources failures for EFIC and EFIC related hardware, and EFIC control failures.

The events discussed in the EFIC system description include, design basis events and hypothetical events for Rancho Seco that have already been analyzed in the USAR. The design of the EFIC controls will allow a minimum of 10 minutes before operator action is required over the full spectrum of decay heat rates.

The discussion indicates that the required initial actions are to verify or confirm AFW initiation and flow and steam generator levels to ensure EFIC is functioning as required. EFIC is designed to minimize overcooling following a loss of MFW event.

However, this feature of EFIC is not designed to meet single failure criterion. For a SBLOCA, the operator will have to select the ECC level setpoint for steam generator level. For all cases the operator can take manual control of EFIC (AFW flow, steam generator level, etc.). For all Design Basis Events discussed in USAR Chapter 14, the addition of EFIC does not change the USAR analysis.

The failure modes discussed in the DBR for ECN A-5415 addresu EFIC system failures. The following is a summary of the failure modes discussed in the DBR:

1. AFW valve failure - AFW is controlled by a parallel combination of series sets of valves (parallel flow A faliure of on e . a l .r e paths to each steam cenerator).

w"

. will affect only one of the~ paths in'the parallel set.

-The existing" design does not have C1' ass 1 parallel flow

, paths to each-steam generator.

2. Failure of fiberoptic cables between channels - the fiberoptic communication between EFIC channiels is

~

designed so that a single failure (such as loss of all fiberoptic cables going into one EFIC cabinet) will not result in-a dailure of EFIC functions to actuate as A f ailure of any cable causes the signal t'o .

required.

go to an actuated state.-

Should.a single event affect'more than one-channel, it could inadvertently cause actuation of either AFW initiation or MFW isolation. Initiation of AFW will only supply water to the steam generators if the steam generator levels are low (starts AFW pumps,' but AFW valves are closed due to no demand signal). Isolation of MFW can lead to plant trip.

However, for this improbable event AFW is available to provide cooling.

It should be noted that there are currently several failure modes which exist-that lead to LMFW (e.g.

failed NNI turbine header pressure sensor). In this case EFIC represents no additional plant failure modes.

3. Failure of RPS inputs to EFIC - EFIC receives actuation signals from RPS for MFW pumps tripped and RCPn tripped.

For both cases EFIC looks at the RPS inputs as four channels and actuates based on a one out of two taken twice logic. Thus any single failure of the RPG inputs to EFIC will not prevent actuation of EFIC function or cause inadvertent EFIC actuation.

4. Failure of SFAS Input to EFIC - The SFAS inputs to EFIC are designed so that a single failure will not stop EFIC from initiating AFW when SFAS actuates. There are two channels of initiate signals sent to EFIC from SFAS.

There are 2 signals per channel, each signal delivering a half trip to the AFW trip module. A loss of power in a SFAS channel will prevent the channel from initiating its corresponding EFIC channel. A signal failure in a SFAS channel could cause a half trip in its corresponding EFIC channel. An actuation of either channel of SFAS is sufficient to actuate one train of AFW thereby ensuring AFW initiation and control even assuming a concurrent single failure. Thus a single failure in the SFAS input to EFIC will not result in EFIC failing to initiate or cause an inadvertent initiation.

5. Failure of EFIC trip interface equipment (TIE) - i;FIC actuates various components through the trip outputs of the train A and B TIE cabinets. The n.ttuuts of trotn A are redundant to train B. therefore, a ninqle failure will not cauw the *ailure of more Ltw. o: of train v

. , , . . . . .,,,..p. s ., ...,g.,

. , w, g. _ .. , . .

- . o AFW.

~ ~

6. Failure of ' power sources f or -EF-IC- and EFIC related

. hardware - EFIC AFW power sources are discussed in section III.C.8 of the DBR for ECN A-5415. It describes

.the upgraded.AFW system as a two train system with either train capable of supplying the required AFW'to ,

both steam generators. It concluded that.with

• channelized power and logic a single failure will neither prevent feed or isolation of AFW flow. The DBR- .

also discusses specific failures and their affects.

All of these failures assume concurrent loss of offsit'e power. They are:

a. Failure of Diesel Generator GEA or GEB No AFW components are powered from these diesel generators. However, mainsteam system branch isolation valves are. Without GEB the normally closed HV-20565 would fail in its last position.

If closed, its EFIC function would be correct. If open, and a major steam leak were occurring, both main steam lines would de pressurize. In this event, P-318 would not function using the turbine driver. EFIC would feed bothssteam generators. To avoid overcooling, operator action would be required either to close HV-20560 (powered from GEA) or to manually regulate AFW flow.

b. Failure of Diesel Generator GEA2 or GEB2

1. Failure of Diesel Generator GEA2 Without GEA2 power the AFW pump P-319 would not operate. P-318 is sufficient for all cooling requirements and would be available in either its turbine or motor driven mode.

Without GEA2 power, MFW block valves HV-20529 and HV-20530 would not function. The EFIC MFW isolation function would still be provided by MFW isolation valves HV-20515 and HV-20516.

2. Failure of Diesel Generator GEB2 Without GEB2 the motor driver for P-318 will not be available. P-318 should still be functional on its turbine driver and P-319 would still be functional.

Without GEB2, HV-20515 and HV-20516 would fail in their last position. However, without offsite power. the condensate pumps would probably fai1 and fIow theough these valves I wi11 not oc c.ur . In any case, i sol af.i on ui NFW q

'e 1

A ,

c,.g ,

~ '

o , , , . ~.,,.

. w t

~

^

woul'd_still occur via the NFW control and

~

~

_ block, valves.-

(._ -: . -

L c.. Failure of EFIC and AFW indication in the Control Room Power f or control - circuits and f or backlighting of -

push-button which control EFIC comes from^the EFIC

. channel affected e.g.,.-if. power to EFIC Channel "A" is lost,Lthe "A" channel EFIC controlicircuits on H1SS will go dark.and control will be non-

. functional._

< The Class 1 analog-indication on_ HISS requires'two ~

inputs to be functional;; signal'and power. If the-signal is lost, .the display:will go "off scale low",.i.e., the digital read out will be at its lowest possible value,.and the bar graph will flash ~

a single LED in the lowest position.- If the 120-VAC power.is lost the indicator will go dark.

Power to the. Channel;"A" indicators is from the same battery backed ~ inverted power'which powers EFIC Channel "A". . Power to the Channel-"B" indicators is from the same battery backed inverted power which powers EFIC Channel "B".

^

Since all' Class 1 indications except AFW pump discharge pressure have redundant indicators of a

! different channel, the only process indication-lost

on loss ofca single power-source would be one'of the pump discharge pressures., Control lights.to the back lighted push-buttons and the ammeter

, would be back-up indication showing pump

. operation.

7. EFIC Control Failure - The.following is a discussion of -

EFIC control failures. It'should be noted that for l

these failures, the rate of change of RCS and secondary 4 system parametersEis not different than would be expected for similar control failures to the existing AFW and ADV controls.

i_

a. Atmospheric Dump Valve Fails Closed f If the Turbine Bypass Valveu do not control the main steam pressure, the pressure would increase j and be controlled by the code safety valves. If the other steam generator in available, and has pressure control, RCS cooling would proceed through it and steam pressur e in the impacted generator 4

would follow saturation pressure consistent with RCS hot leg temperature.

i 9

i

.,__3, ,, - . _ _ _ , _ , . _ _ . . _ . _ , . _ , , _ . , - , , _ , , . _ _ , _ - _ _ . , , _ _ _ . _ _ _ _ _ , _ _ _ _ . _ _ . _ . . , _ - _ _ .-

b. Atmospheric Dump Valve Fail,s Open The energy release would cause main steam pressure to decrease with a resulting decrease in Steam Generator secondary temperature. The RCS-temperature would decrease. The best response is for the operator to isolate the open ADV(s) using the motor operated ADV isolation valves. However, 3 if steam generator pressure drops below 600 psig, EFIC will isolate MFW and AFW to the affected ..

generator.

c. AFW Valve Fails Closed If an AFW control valve-fails closed, the. process control point would shift rapidly to the parallel control valve.

d. AFW Valve Fails Open The energy required to heat the cold AFW to saturation will cause a temperature and subsequent '

i pressure decrease in the steam generator. Operator action to isolate the open AFW valve using the g series aligned motor operated isolation valve is -

the best operator response. Actual valve position indication is available to identify the errant valve.

If only one S.G. is impacted, EFIC will automatically isolate AFW to that steam generator if pressure drops below 600 psig. In the event that the excess AFW develops to an overfill condition, the MFW overfill protection and annunciation would alert the operator to the need to isolate the errant valve.

e. Single EFIC Control Failures The four bounding EFIC control failures are:

1) loss of power to EFIC "A" or "B" channel, 2)1oss of a control module within EFIC "A" or "B" channel, 3) failure of a pressure or level sensing circuit, and 4) failed signal to a single device.

A single failure cannot simultaneously cause failure of control signals from both channel "A" and channel "B". Control failures for either channel would be si milar. Therefore, only failures of channel "A" will be discussed below.

Losn of power to channel "A" would cause the ADV(s) on one main steamline to fail closed, and one AFW contr al valve to each steam generator t c; f 3i1 open. Dur inq normal plant operation no change in oper at i on uot l d r esul t. If AFW has been

4 . . . .... .. .

initiated, the ADV closure would initially play a minor ro1~e b(cause-cooling from excess AFW flow

'would eventually dominate secondary pressure.

Manual closure.of the series AFW isolation valves

• is required. Following re pressurization, the failure of the ADV(s') will become apparent.and the course of action is as described in 7.a above.

. Losseof one of the two control modules within EFIC channel "A" will cause either a' control valve to ,

the "B" steam generator to fail open (See 7.d) or a control valve and'thle ADV(s) of the "A" steam genera' tor.to fail open and closed respectively.

This latter failure becomes a subset of loss of channel power.

Failure of a pressure sensor signal, though possible in either direction, would be expected to fail low. This would cause the ADV(s) on one steam generator to fail closed and one AFW-valve on the same steam generator to fail closed (due to Feed Only Good Generator or F.O.G.G. logic). Manual control of both valves, through EFIC would still*be possible.

Failure of a low range level sensor, though possible in either direction, would be expected to fail low. If it failed low, and AFW had been

initiated, one AFW control valve would fail open (See 7.d). If it failed high, one AFW control valve would , fail closed (see 7.c).

Failure of a wide range level sensor, though possible in either direction, would be expected to

fail low. This would lead to like scenarios for a failed low level sensor, but only if all RCPs were not running.

A failed signal to a single controlled component could cause a valve to open or close. Those events are described in 7.a to 7.d. However, due to the nature of the 4-20ma control circuits used, failures which produce 4ma or less are the e:tpacted failure modes. Therefore, the expected fail state i

for a single component would be closed f6r'an ADV(s) or open for an AFW control valve.

f. EFIC Sensing Line Fa'ilures The single EFIC control failure discussion assumou loss of only one sensor or loss of power to all sensors in one channel. EFIC sensors may share process sensing lines wi th other EFIC channel sensors or other system sensoru dopcoding upon speci f i c nonnor instal 1alion detri1m This a

I l

~*?" includra ctccm gen:rcter Icval cnd prccturo

, instrumentation. In bdth cases the design uses shared instrument' taps. Failure of a tapoor sensing line is bounded by the existing small break analysis provided in USAR 5ection 14.2.2.1.3.

~

The lower OTSG taps are each shared by 2 EFIC channuls of both narrow and wide range level indication and one channel of NNI level indication. The middle (narrow range) and upper (wide range) OTSG taps are each shared by 2 EFIC channels. The lower level taos are Teed and have two root valves, one for the EFIC channel tubing and one for the NNI tubing. Excess flow chuck valves are installed downstream of each of the root valves on the lower taps. These ensure that a tubing failure on either EFIC or NNI sensing line will not affect the other level sensing line on that tap. The middle and upper level taps also have root valves.

The failure of a bottom level tap will cause the transmitters to f ail low, while failure of a reference leg (top level) tap will cause the transmitters to fail high. The failure of the individual taps or associated instrument tubing will result in the following:

Lgwet QTQQ Tag - f silure of ~ a lower tap would cause the

shared EFIC channels on that tap to indicate level of f scale low. This would cause AFW initiation and full AFW flow to the af f ected steam generator while MFW is still flowing. This event would not terminate MFW. The control room operator would take action to terminate this event. The operator has several indications that this failure has occurred. They include

!r l a. Both narrow and wide range EFIC level indication on i

the affected channel would be offscale low (a single blinking LED in each indication will show this) while the unaf f ected channel would show normal levels for that range of operation.

b. Both EFIC channel AFW flow indicators would show high, steady flow to the affected steam generator and demand indication and actual position indication for the valve on the affected channel would show the valve to be wide open.

c. The EFIC AFW initiation would be annunciated.

diedle Ql@Q leR (top of narrow range level indication) -

failure of this tap would not cause automatic EFIC actuation. However, both EFIC channels on the affected

, tap would not be available for auto initiate of AFW on low steam generator level. The unaffected channel of EFIC would provide proper feed control to the affected l steam generator with no operator action required.

9 L

m - .. . . ~ , . . , . . ~ . . .q

. o The operator would be al'erted t' hat this pr'oblem has -

occurred (without AFW initiate)j because affected changel, narrow range level indicators ~would be reading.ofiscalei.

high (single bitnking LED in each indication will show

^ ^

this). *

4 y

. Igg QIQG Iag: (top of wide range' level indication) -

I failure of this tap would cause the affected EFIC channels to indicate high steam generator level and f

y cause' one EFIC channel to. isolate MFW to the affected steam generator. .The narrow range indication would- :;.

actuate AFW on low steam generator level. If at least one RCP was running, EFIC'would control AFW via the narrow range indication. ](e If EFIC goes to the natural circulation mode (no RCPs running) the affected EFIC channel would not feed the -

affected steam generator. However, the unaffected EFIC channel would properly feed the steam generator without immediate operator action required. .

If this failure caused the steam generator pressure to 7 drop below 600 psig, EFIC would isolate this generator -

via the vector logic (FOGG). Operator action would be required to return this steam generator to service.

The operator has several indications that this failure ,

has occurred. They includes

a. The affected channels wide range EFIC level indication would be offscale high (single blinking LED in each indication) while the unaffected channel indication would show normal for than range

- of operation.

b. A MFW isolation valve or MFW control valve station to the affected steam generator would indicate closed with the remaining MFW isolation or control valve utation indication open.

c. The EFIC MFW isolation would be annunciated.

Eight pressure transmitters (pts) are employed by EFIC to indicato steam generator presnure. Four of the pts are installed in 4 separate, independent taps. The other four PTn are installed in 2 tapu (2 PTu per tap).

The shared prensure tapn aru on the mainsteam nample linen on the main utoam lines (one one "A", and one on "D").

SG Ptyntucq Tgg - Failure of a nhared prenuure tap would cause both Pls on that tap to indicate lou steam generator p r e s s u r rr. EFIC wouid then initiato AFW and i solate MFW to the affected utuam generator. One EFIC chann91 would continue to control invol in the oteam 1'

. , ,,,-7re..e ,-r f v ~ y v v ~ 4 generhtor b ccuca only onn AFW control path (2 ccrion valves) would be isolated. The other paralleled AFW *

, control path would still.pr. ovide controlled AFW to the affected steam generator. Throughout this failure mode, the unaffected steam generator would still be fed by the NFW system, with a fully operational AFW system and EFIC '

system available to control steam generator level if MFW is lost. No imme'diate operator action would be required because EFIC would still regulate AFW to ensure there is .

• no overcooling or undercooling of.the RCS. Full manual AFW control and indications would be available to-the .

operator in the control room. This includes all indication and control .provided by EFIC except f or steam-generator pressure for the affected channels and steam generator (one steam generator pressure indicator on H1SS panel).

The failure modes discussed above show that a single failure of the " shared" instrument taps affects only one steam generator and that ,the affects can be mitigated by the operator in the control room. Tap or instrument line failures will not deprive the operator of necessary indications or annunciations pertaining to AFW control or status of the secondary side of the steam generator.

The failure of a shared. instrument tap will not cause  !

undercooling of the NSSS. However,., logic required to automatically initiate AFW for certain failure modes (f ailure of the OTSG middle level tap) is reduced to 2 out of 2. Also, for certain single failures (f ailure' of the OTSG low 1evel tap), operator action is required to reduce AFW flow to mitigate overfeed. This is similar to some single active failures which will require operator action"to diagnose and isol' ate f eedwater coolant flow to prevent overcooling (such as loss of a fail open AFW control valve or its power supply) .-

Again, even with these shared tap failure modes, EFIC i

represents a significant plant enhancement compared to the existing system design.

8. Instrument Air System Failure - Four independent Class 1 backup air supply systems are provided to assure power is available to EFIC-related air operated valves in the event of the loss of normal air supply. One system supplies power for the MFW, Startup Feedwater, and AFW control valves feeding the "A" OTSG; another system supplies power for name valves feeding the "b" OTSG.

Two systems supply power for ADVs with one for the ADVs on the "A" main steam line and one for the ADVs on the "B" main steam line. Each system is sized to provide at least two hours of air supply.

Hugmgry EFIC is bounded by the design basis and the safety analysis as described in the Rancho Seco USAR. EFIC provides additional 11

margin to the~ existing USAR Chapter 14 analysis. The District's February 18, 1983 letter provided the transient analyses supporting the design basis _for the auxiliary feedwater system

-including EFIC. 'The September 26, 1983 NRC SER documents the acceptability of the design basis and supporting transient

' analyses. Therefore, this' change has been reviewed anW in not an unreviewed safety question as' defined by-10 CFR50.59 (a) (2) . The system as proocsed is bounded by the NRC eoprovec SER cated September 26, 1983. ,

This change does not increase the probability of occurrence or~ the consequences-of an accident or malf unctiori . of eculpment important to safety previously evaluated in the SAR, because the September 26, 1983 NRC SER documents the acceptability of the design basis and supporting transient analyses.' It is also an upgrade of existing plant systems and enhances SAR accident analysis.

This change does not create the possibility for an accident or malfunction of a different type than any evaluated previously in

~

the SAR,-because the September 26, 1983 NRC SER documents the acceptability of the design basis and supporting transient

~

analyses. .

This change does not reduce the margin of safety as defined in the bases for the Technical Specifications, because the September 26, 1983 NRC SER documents the acceptability of the design basis and supporting transient analyses. It increases the margin of safety by upgrading the reliability of the existing plant systems.

I 12

1. Existing Specification:

,- 1.2.10 Remain Critical:

A technical specification that requires that the reactor shall not remain critical shall mean that an uninterrupted normal hot shutdown will be completed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

New Specification:

1.2.10 Remain Critical A technical specification that requires that the reactor shall not remain critical shall mean that an uninterrupted normal hot shutdown procedure.will be completed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> unless otherwise specified.

1.20 Vector Logic A set of circuitry.in each channel of the Emergency Feedwater Initiation and Control (EFIC) which, once Auxiliary Feedwater (AFW) has been initiated, determines whether AFW to a steam generator should be allowed or terminated and the signal output for each EFIC channel to the AFW valves associated with that channel.

Discussion:

The revision to the definition " remain critical" clarifies that certain specifications.have action times different from that required by the existing definition. The addition defines the term vector logic as used in the EFIC system.

2

2. Existing Specifications: _ , ,

3.1.1.2 Steam Generator A. One steam generator shall be operable whenever the reactor coolant average temperature is above 280 degrees-F.

New Specification:

3.1.1.2 Steam Generator A. Two steam generators shall be operable whenever the reactor coolant average temperature is above 280 degrees-F except as described in 3.1.1.2.B.

B. With one or more steam generator (s) inoperable due to excessive leakage per 3.1.6.9, bring the reactor to cold shutdown conditions within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.

C. With one or more steam generator (s) inoperable due to steam generator defective tube (s), restore the inoperable generator (s) to operable status prior to increasing the reactor coolant average temperature above 200 degrees-F.

Bases:

When the reactor is not critical but TAV is above 280 '

degrees-F, one steam generator provides sufficient heat removal capability for removing decay heat. However, single failure considerations require that both steam generators be operable.

Discussion:

This change requires both steam generators to be operable and defines the corrective action for inoperable steam generator (s). This revision is consistent with analysis supporting the EFIC system by requiring both steam generators to be operable to satisfy single failure considerations.

3

M

^ - ~

3.- Existing Specifications:

. 3.4.1- The reactor shall not remain above 280 degrees-F with irradiated fuel in the pressure vessel unless the following conditions are met:

3.4.1.1 Capability to supply feedwater to one steam generator at a process flow rate corresponding to a decay heat of 4-1/2 percent full reactor power from at least one of the following means.

A. A condensate pump and a main feed pump or B. A condensate pump or C. An auxiliary feedwater pump.

The required flow rates are:

Feedwater temperature Required flow degrees-F gpm 40 743 60 756 90 780 3.4.1.2 Two steam system safety valves are operable per steam generator.

3.4.1.3 The turbine bypass system to the condenser shall have one valve operable or the atmospheric dump system shall have a minimum of 1 of 3 valves operable per steam generator.

3.4.1.4 A minimum of 250,000 gallons of water shall be available in the condensate storage tank.

3.4.2 In addition to the requirements of 3.4.1, thes reactor shall not remain critical unless the i following conditions are met:

i 3.4.2.1 Seventeen of the eighteen main steam system safety valves are operable.

3.4.2.2 When two independent 100 percent capacity auxiliary feedwater flow paths are not

, available, the capacity shall be restored

. within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the plant shall be placed in a cooling mode which does not rely on steam

generators for cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. -

4

_ _ - - . _____ _ _.__ ~-- .-._ _ _-_ -- _ __ _ _ - _ _ , _ _ _ _ _ _ . _ _ _ - ~ _ - - - . _ . _ _ _ . .

I

, \

l

~

3.4.2.3 When at least one 100 percent capaciEy auxiliary feedwater flow path is not -  !

available, the reactor shall be made  !

subcritical within four hours and the facility j placed in a shutdown cooling mode which does ,

not rely on steam generators for cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

Bases: , [

The feedwater system and the turbine bypass system are normally used for decay heat removal and cooldown above 280 degrees-F. Feedwater makeup is supplied by operation of a condensate pump and main feedwater pump.

In the event of complete loss of electrical power, feedwater is supplied by a turbine driven auxiliary feedwater pump which takes suction from the condensate storage tank. Steam relief would be through the 3 system's atmospheric relief valves.

If neither main feed pump is available, feedwater can be supplied to .the steam generators by an auxiliary i feedwater pump and steam relief would be through the  :

turbine bypass system to the condenser. .

In order to heat the reactor coolant system above 280 degrees-F, the maximum steam removal capability required is 4-1/2 percent of rated power. This is the maximum decay heat rate at 30 seconds after a reactor trip. The requirement for two steam system safety valves per steam ,

generator provides a steam relief capability of over lo i percent per steam generator (1,341,938 lb/h). In addition, two turbine bypass valves to the condenser or two atmospheric dump valves will provide the necessary ,

capacity.

The 250,000 gallons of water in the condensate storage l

. tank is the amount needed for cooling water to the steam r p generators complete loss forofa all period unitinac excess power.ogne day following a l

[

f I l

The minimum valves relief capacity is 13,329,163 lb/hr.(2qf 1

17 steam system safety '

This is sufficient.

l capacity to protect the steam systeg pnder the design overpower condition of 112 percent.4 33 1 l l Referencest l (1) FSAR paragraph 14.1.2.8.4

{ (2) FSAR paragraph 10.3.4 i

(3) FSAR Appendix 3A, Answer to Question 3A.S I

i o

5 i r

_ nn ___.,,- - , - _ , A

~

New Specifications:

3.4.1 The reactor shall not be brought or remain above 280 degrees-F with irradiated fuel in the pressure vessel unless the following conditions are met:

A. Capabil'ity to remove decay heat by use of two steam generators as specified in 3.1.1.2.

B. One atmospheric dump valve per steam generator shall be operable.

C. A minimum of 250,000 gallons of water '

shall'be available in the condensate storage tank.

D. Two main steam system safety valves are operable per steam generator.

E. Both auxiliary feedwater trains (i.e.,

pumps and their flow paths) aru operable.

F. Both trains of main feedwater isolation on each main feedwater line are operable.

G. Four independent backup instrument air bottle supply systems for ADVs and MFW, SFW, and AFW valves are operable.

With less than the above required components operable be on decay heat cooling within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

3.4.2 The reactor shall not be brought or remain critical unless the following conditions are met:

A. Capability to remove decay heat by use of two steam generators as specified in 3.1.1.2.

6

^~

B. One atmospheric dump valve per' steam 1

. generator shall be operable except that:

(1) with only one atmospheric dump valve

, operable, restore an inoperable valve for the other steam generator within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in hot shutdown within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; (2) with no atmospheric dump valves operable, restore at least 1 inoperable valve within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

C. A minimum of 250,000 gallons of water shall i be available in the condensate storage tank except that with less than the minimum volume, restore the minimum volume within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

D. Seventeen of the eighteen main steam safety valves are operable except that with less than the minimum number of valves, restore the inoperable valves within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

E. Four turbine throttle stop valves are operable except that with less than the minimum number of valves, restore the inoperable valves within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

F. Both auxiliary feedwater trains (i.e., pump and their flow path) operable except thatt (1) With one auxiliary feedwater train inoperable, restore the train to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />st (2) With both auxiliary foodwater trains inoperablo, the reactor shall be mado subcritical within four hours and the reactor chall on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

7

~

~~

G. Both trains of main feedwater isolation on

- each main feedwater line are operable except that; (1) With one main feedwater isolation

. train inoperable, restore the train to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; (2) With both main feedwater isolation trains inoperable, the reactor shall be made subcritical within four hours and the reactor shall be on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

H. Two independent backup instrument air bottle supply systems (one per steamline) for ADVs are operable except that:

1) With one system inoperable, restore the system to operable status within 7 days or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

2) With two systems inoperable, restore at least one system within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. With one system restored to operable status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, follow 3.4.2.H.(1).

I. Two independent backup instrument air bottle supply systems (one per feed water line) for MFW, SFW, and AFW control valves are operable except that with either one or both system (s) inoperable, restore the inoperable system (s) within 7 days or be in hot shutdown within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and on decay heat cooling within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

Danes The feodwater system and the turbine bypass system are normally unod for decay heat removal and cooldown above 280F. Main foodwater in supplied by operation of a condannato pump and main foodwater pump. If neither main food pump in available, foodwater can bo supplied to the steam gonoratora by an auxiliary foodwater pump.

Steam relief capability in provided by the syntom's atmosphoric dump valven.

O

The auxiliary feedwater system is designed to providei -

sufficient flow on loss of main feedwater to match decay heat plus Reactor Coolant Pump heat input to the Reactor Coolan ystem before solid pressurizer operation could occur.

1 The 250,000 gallons of water in the condensate storage tank is sufficient to remove decay heat (plus Reactor Coolant pump heat for two pumps) for approximately 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />. This volume provides sufficient water to remove the decay heat for approximately 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> and, to .

subsequently cool the plant to the system pressure at a cooldown rate of 50 degrees-F/hr. -

' The minimum relief capacity (,qf 17 valves is 13,328,153 lb/hr. d1 steam system safety This is sufficient capacity to protect the steam systeg pnder 3 the design overpower condition of 112 percent.L 3 Both trains of main feedwater isolation on each main feedwater line are operable. Train A of main feedwater isolation is comprised of main feedwater control valves, main feedwater block valve and startup feedwater control  ;

valve. Train B of main feedwater isolation is comprised of main feedwater isolation velvns.

Four independent Class 1 back-up air supply systems are provided to assure power available to certain air operated valves in the event of the loss of normal air supply. One system supplies power for the MFW, Startup Feed Water (SFW), and AFW control valves feeding the "A" OTSG; another system supplies power for same valves feeding the "B" OTSG. Two systems supply power for ADV's with one for the ADVs on the "A" main steam line

, and one for the ADVs on the "B" main steam line. Each system is sized to provide at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of air supply.

References t

(1) B and W Document 32-1141727-00, " Heat Removal Capability of SMUD CST," March 1984.

(2) FSAR paragraph 10.3.4 (3) FSAR Appendix 3A, Answer to Question 3A.5

, (4) B and W Calculation 86-1123794-99, "SMUD AFW System

Following Loss of Feedwater," March 1981 T

9 i

, . q. _

r '

.j._

,. '/ g

/

s , hti , ,!

' >1 1

' Discussion: -

./ t This specification defines the-ddditional components . ,-

required to be operable by the installation ofAEFIC and g -r l '

the amount of time components can'be inoperable -prior.'to' taking corrective action. The.?nquirements for-both .f f steam generators and both auxiliary fcadwater trairu to s be operable is consistent with the approach as described in item 1. A revision to this specification'has been previously submitted by Proposed Amendment No.107, e dated October 30, 1985. This specification includes the l

features of Proposed Amendment No. 107. )

i g i i

/ p(

/ 't,

'k k

t. {

or 2

,I I

/

'/

I I

I I

1 l

l 10

_ , , - . . . _ . _ _ _ . . . , - _ _ _ . , . _ _ , , , _ , __..._._._,.__________,__y__ _ . . _ . _ . , _ , _ , . . _ . , - - - _ . _ _ _ _ , , _

1

-m

4. Existing Specification: -

3.5.1.1 Startup and operation are not permitted unless the requirements of table 3.5.1-1, Columns A-and B are met:

3.5.1.2 In .the eve *nt the number of protection channels operable falls below the limit given under Table 3.5.1-1, Columns A and B, operation shall be limited as specified in Column C.

In the event the number of operable Process Instrumentation channels is less than the Total Number of Channel (s), restore the inoperable channels to operable status within 7 days, or be in at least hot shutdown within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. If the number of operable channels is less than the minimum channels operable, either restore the inoperable channels to operable within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or be in at least hot shutdown within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

Table 3.5.1-1 INSTRUMENTS OPERATING CONDITIONS (A) (B) (C)

Operator Action if Minimum Conditions of Total Number Channels Columns A and B Functional Unit of Channels Operable Cannot be Met.

Auxiliary Feedwater

1. Low Main Feedwater See Section Pressure: Start 3.5.1.2 Motor Driven Pump and Turbine Driven l Pump 2 1

2. Phase Imbalance /

Underpower RCP:

Start Motor Driven and Turbine Driven Pumps 2 1 11

( 'a New Specifications: .

3.5.1.1 ~ Startup and operation are not permitted unless the requirements of Table 3.5.1-1, Columns A-and B are met.

'3.5.1.2 In the event the number of protection channels operable falls below the limit given under Table 3.5.1-1, ' Columns A a' nd B, operation shall be limited as specified in Column C.

In the event the' number of operable Process Instrumentation or EFIC system channels is less than . the Total Number of Channel (s),

restore the inoperable" channels to operable status within 7 daysi or be in at least hot shutdown within the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. If the number of operable channels is one less than the minimum channels operable, either restore the inoperable channels to operable within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or be in at least hot shutdown within the next 12%hcurs. If the number of operable channels is two less than the minimum channels operable, the reactor shall be made subcritical within four hours and on decay heat cooling wiphin the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

3.5.1.7 For calibration l or\ maintenance of an Emergency

' t. Feedwater Initiation and Control (EFIC) channel, a key operated " maintenance bypass" switch associated with each channel will be used which will prevent the initiate signal from being transmitted to the Channel A and B trip logic. Only one channel shall be locked into " maintenance bypass" at any one time.

3.5.1.8 If a channel of the RPS is in bypass, it is permissible to bypass only the corresponding channel of EFIC.

l l

l 12 l

Tabler 3.5.1-1 INSTRUMENTS OPERATING CONDITIONS (A) (B) (C)

Operator Action if Minimum conditions of Total Number Channels Columns A and B Functional Unit of Channels Operable Cannot be Met Emergency Feedwater Initiation and Control i (EFIC) System

1. AFW Initiation

a. Manual 2 2 See 3.5.1.2.

b. Low Level, SGA or B 4/SG 3/SG See 3.5.1.2. May be (Note 2) (Note 1) bypassed below 750 psig OTSG pressure.

c. Low Pressure 4/SG 3/SG See 3.5.1.2. May be SGA or B (Note 1) bypassed below 750 (Note 3) psig OTSG pressure.

d. Loss of MFW 4 3 See 3.5.1.2. Loss Anticipatory (Note 1) of MFW Anticipatory Reactor Trip Reactor Trip is effectively bypassed in RPS below 20 percent power.

e. Loss of 4 RC 4 3 See 3.5.1.2. May be

-Pumps (Note 1) bypassed below 750 psig pressure.

f. Automatic Trip 2 2 See 3.5.1.2.

Logic

2. SG-A Main Feedwater Isolation

a. Manual 2 2 See 3.5.1.2.

b. Low SGA Pressure 4 3(Note 1) See 3.5.1.2. May be (Note 3) bypassed below 750 psig OTSG pressure,

c. Automatic Trip 2 2 See 3.5.1.2.

Logic 13

Table 3.1.1 (contimed) -

N OPH& TING 00NDITIN p -(A) (B) (C)

Qau.du d Action if

+ Mininum conditions of Total Ninnhat- Channels Coluusis A and B Functional Unit of Channels Operable Cannot be Met

3. SG-B Main Feedwater Isolation

a. Manual 2 2 See 3.5.1.2.

b. Iow SGB 4 3(Note 1) See 3.5.1.2. May be Pressure bypaqqad below 750 (Note 3) psig OISG pressure.

c. Automatic Trip 2 2 See 3.5.1.2.

Iogic

4. AEW Valve Otsunands (Vector)

a. Vector Enable 2 2 See 3.5.1.,2

b. Vector Module 4 3 See 3.5.1.2 (Note 4)

c. Control Enable 2 2 See 3.5.1.2

d. Control Module 2 2 See 3.5.1.2

• Note 1 The number of minimum channels operable may be reduced to 2 provided one.of the inoperable channels is in a tripped state.

Note 2 Low level AFW initiation has a maximum of a 10.0 second delay.

l l

Note 3 Low pressure AFW initiation has a maximum of a 3.0

second delay.

Note 4 SG Pressure Difference AFW Valve Command (Vector) has a maximum of a 10.0 second delay, t

i l 14

-L Bases:

Every reasonable effort will:be made to maintain all safety instrumentation in operation. A startup is not  ;

permitted unless three power range neutron instrument i channels and two channels each of the following are operable: four reactor coolant temperature instrument channels, four reactor coolant flow instrument channels, four. reactor coolant pressure instrument channels, four pressure-temperature instrument channels, four flux-imbalance flow instrument channels, four power-number of pumps instrument channels, and four high reactor building pressure instrument: channels. The safety features actuation system must have two analog channels functioning correctly prior to startup. EFIC system i instrumentation as required by Table 3.5.1-1 must be operable.

There are four reactor protection channels. Normal trip logic is two out of four. Required trip logic for the power range instrumentation channels is two out of three. The EFIC trip logic is two times one-out-of-two taken twice. Minimum trip logic on other instrumentation channels is one out of two.

The EFIC system is designed to automatically initiate AFW when:

1. all four RC pumps are tripped,

2. RPS has tripped the reactor on anticipatory trip indicating loss of main feedwater,

3. The level of either steam generator is low,

4. either steam generator pressure is low, or

5. SFAS ECCS actuation (high RB pressure or low RCS pressure).

The EFIC system will isolate main feedwater to any steam generator when the pressure goes below 600 psig.

The EFIC system is also designed to isolate or feed AFW according to the following logic:

If both SGs are above 600 psig, supply AEW to both SGs.

If one SG is below 600 psig, supply AEW to the other SG.

If both SGs are below 600 psig but the pressure difference between the two SGs exceeds 100 psig, supply AFW only to the SG with the higher pressure.

If both SGs are below 600 psig and the pressure ,

difference is less than 100 psig, supply AEW to both SGs.

15

1

- At cold shutdown conditions,"&ll EFIC . initiate and

. isolate functions are manually or automatically bypassed. When pressure:in both steam generators is greater than 750 psig, the following bypassed initiation signals will have been automatically reset:

1) loss of 4 RC pumps, 2) low steam generator pressure, and 3) low steam generator level.

Since the EFIC' receives signals from the RPS, it is important that only corresponding channels be placed in

" maintenance bypass". If a channel of RPS is in maintenance bypass, the corresponding channel of EFIC can be bypassed. An interlock feature also prevents

-bypassing more than one EFIC channel at a time. These-interlocking features allow the EFIC system to take a single failure in addition to having one channel in maintenance bypass.

Various RPS test features can inhibit initiate signals to the EFIC system and degrade the EFIC system below acceptable limits if the RPS channel is not in bypass.

Therefore, no testing should be performed on a RPS instrument string which supplies an output to EFIC without placing that RPS channel in bypass.

The EFIC system is designed to allow testing during power operation. The EFIC system can be tested from its input terminals to the actuated device controllers without placing the channel in key locked " maintenance bypass." JL test of the EFIC trip logic will actuate one

of two relays in the controllers. The two relays are tested individually to prevent automatic actuation of the component.

Each EFIC channel key operated maintenance bypass switch

l. is provided with alarm and lights to indicate when the maintenance bypass switch is being used.

Discussion:

The existing instrumentation that controls the Auxiliary Feedwater System has been replaced by the EFIC system instrumentation. Also, the revisions in Proposed Amendment No.150 are no longer required since that l

instrumentation has been replaced by EFIC system

( instrumentation. This specification defines the operating requirement on the EFIC system.

l 16

1

~

5. Existing Specifications: - - -

3.5.3 'Iha safety features actuation setpointis and s permissible bypa- shall be as follows:

Ebnctional Unit Action Setpoint Tewm of all RC Punps Starts Ativ414ary Not Applic-able Feedwater Pungs Iow Feedwater Pressure Starts Ativiliary >750 psig Feedwater Punps New Specifications:

3.5.3 'Ibe safety features actuation setpoints and permissible bypa- shall be as follows:

Functional Unit Action Setpoint High Reactor Buildirq Reactor Biilding spray pressure

• valves *** $30 psig Reactor Billding spray pumps *** $30 psig High pressure injection and start of Reactor Biilding cooling and Reactor Billairy isolation. $4 psig Iow pressure injection, EFIC AEW initiate $4 psig low reactor coolant High pressure injection system pressure ** and start of Reactor Building cooling and Reactor Building isolation. >1600 psig Iow pressure injection, EFIC AEW initiate >1600 psig 4

• May be byp-M during Reactor Building leak rate test.

• • May be bypmed below 1850 psig ani is automatically reinstated above 1850 psig.

c**Five-minute time delay.

17

Discussion: - - _

~

Loss of all.RC Pumps and low Feedwater Pressure actuation setpoints are deleted since the signals now

. provide input to initiate the EFIC. system. The SFAS actuation signal will result in EFIC AFW initiating.

6. Existing Specifications:

Table 4.1-1 INSTHMENT SURVEIIIANCE Fdwn<tz1ENTS Channel Description Check Test Calibrate Remarks

48. #wilimy Feedwater Start Circuit

a. Phase Imbalance /

Underpower RCP S N/A R

b. Iow Main Feed-water Pressure N/A M R t

i NEW SPECIFICATION i Table 4.1-1 INSTRUMENT SURVEIIIANCE Fdwu<t24ENIS Channel Description Check Test Calibrate Remarks

48. Deleted it

68. AEW Initiation '

a. Manual N/A M N/A

b. Iow Ievel (1) Include time SGA or B S M (1) R (1) delay module

c. Iow Pressure (1) Include time SGA or B S M (1) R (1) delay module

d. Ioss of MEW Anticipatory <

Reactor Trip S M R

e. Loss of 4 RC Pumps S M N/A

f. Autmatic Trip Iogic N/A M N/A 18

^

~ * '

._ Table 4.1-1(oontirned) - ---

INS'IMDENT SURVRTTIANG ic:yuue24ENTS Channel Descripticn Check Test Calibrate Resnarks

69. SGA Main Feedwater Line Isolation

a. Manual N/A M N/A

b. Autanatic Trip Iogic N/A M N/A

70. SGB Main Feedwater Line Isolaticn

a. Marmal N/A H N/A

b. Automatic Trip Invel N/A M N/A

71. AEW Valve (hmands (Vector)

a. AEW Initiation Autcmatic Trip Iogic Tripped N/A M N/A

b. SGA Pressure (1) Include time Iow S M(1) D(1) delay module

c. SGB Pressure (1) Include time Iow S M(1) D1) delay module

d. SG Pressure Difference (1) Include time SGA Pressure > S D(1) R(1) delay module SGB Pressure SGB Pressure > (1) Include time SGA Pressure S M(1) R(1) delay module

72. AFW Control Valve Control

a. Manual / Auto in Manual N/A M N/A

b. AEW Initiation Automatic Trip Iogic Tripped N/A M N/A l

19 l _ - _ _ _ _ . . . -- - --

I I

l Teble 4.1-1 (Continued) -

INSTRUMENT SURVEILIANCE REQ'UIREMENTS Chrnnsl Description Check Test Calibrate Remark

73. SG Level Control Setpoint Selection

n. Manual / Auto in Manual N/A ~M N/A

b. AFW Initiation Automatic Trip Logic Tripped N/A M N/A

c. Loss of 4 RC Pumps S M N/A

74. ADV Control Valve Control

a. Manual / Auto N/A M N/A in Manual

75. Backup Instrument Air Supply System

a. Pressure D N/A N/A S = Ench shift M = Monthly P = Prior to each startup if D = Daily- Q = Quarterly not done previous week W = Weekly SY = Semiannual R = Once during the refueling interval Discussion:

This change deletes the surveillance requirements for the existing control functions for the auxiliary l feedwater system and replaces them with the new control

( functions for the EFIC system.

I i

l l

l 20 t

r.

l l

1

'7. Existing Specifications: -

' ~ ~ ~ ~

Table 4.1 MINIMUM EQUIPMENT TEST FREQUENCY Item Test Frequency

6. Turbine steam stop valves Movement of each valve Monthly New Specifications:

Table 4.1-2 MINIMUM EQUIPMENT TEST FREQUENCY ItCO- Test Frequency

6. Turbine Throttle Stop Valves Movement Monthly of each valve

16. Main Feedwater Isolation Valves

a. Main Feedwater Isolation Valves Functional Each. refueling interval

b. Main Feedwater Block Valves Functional Each refueling interval

c. Startup Feedwater Control Valves Functional Each refueling interval

d. Main Feedwater Control Valves Functional Each refueling interval i

17. Turbine Throttle Stop Valves Cycle Each refueling interval

18. Backup Instrument Air Supply Functional Each refueling interval System 6

Discussion:

This new specification defines the surveillance requirements included for satisfying the operability requirements of specifications 3.4.2.E, 3.4.2.G, 3.4.2.H, and 3.4.2.I.

21

. , - - __ - - . - - .. .- _ _ _ . _ _ _ . , = -_- - - _ , _ _ . - - -

__x- ,

i I

'I

8. Existing Specifications:

4.8.1- Monthly on a staggered test basis at a time when the average reactor coolant system temperature is 2 305 degrees-F, the turbine / motor driven and motor driven auxiliary feedwater pumps shall be operated on recirculation to the condenser to verify _

proper operat. ion. Separate tests will be performed in order to verify the turbil.a driven capability and the motor driven capability'of auxiliary feedwater pump P-318.

The monthly test frequency requirement shall be brought current within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after the average reactor coolant system temperature is 2 305 degrees-F for the motor driven pumps.

The turbine driven capability shall be brought current within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of obtaining 5 percent reactor power.

Acceptable performance will be indicated if the pump starts and operates for fifteen minutes at a discharge pressure of greater than or equal to 1050 psig at a flow of greater than or equal to 780 gpm. This flow will be verified using tank level decrease and pump differential pressure. i 4.8.2 At least one per 18 months during a shutdown: '!,

1. Verify that each automatic valve in the flow path actuates to its correct position upon receipt of each auxiliary feedwater. actuation test signal.

2. Verify that each auxiliary feedwater pump starts as designed automatically upon receipt of each auxiliary feedwater

actuation test signal.

4.8.3 All valves, including those that are locked,  !

sealed, or otherwise secured in position, are i to be inspected monthly to verify they are in the proper position.

4.8.4 Prior to startup following a refueling shutdown or any cold shutdown of longer than 30 days duration, conduct a test to demonstrate that the motor-driven AFW pumps can pump water from the CST to the steam generator.

22

- _ - - . . . , .. . -=

(

4.8;5 Provide a~ dedicated individual during - - '

^

surveillance testing who will be in communication with the control room. This individual shall be stationed near any (locally) manually realigned valves that would inhibit injection into the steam generators, when only one auxiliary feedwater train is available.

4.8.'6 Component Tests A.- < Testing

.At least quarterly, when the average reactor coolant system temperature is greater than or equal to 305 degrees-F, inservice testing of Auxiliary Feedwater System pumps and. valves shall be performed in accordance with Section XI of the ASME Boiler and Pressure Code and applicable Addenda as required by 10 CFR 50, Section 50.55a(g)(6)(i).

The quarterly. test requirement shall be brought current within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after the average Reactor Coolant System temperature is greater than or equal to 305 degrees-F.

B. Flow Path Verification 4

'Following inservice testing of pumps and valves as required by paragraphs 4.8.1 and 4.8.2, required flow paths shall be demonstrated operable by verifying that each valve (manual, power-actuated or automati4 in the flow path that is not locked in position is in its normal operating position.

i Bases:

! The monthly test frequency will be sufficient to verify

( that the turbine / motor driven auxiliary feedwater pumps l are operable. Verification of correct operation will be l

made both from the control room instrumentation and direct visual observation of the pumps.

.The OPERABILITY of the auxiliary feedwater system

, ensures that the Reactor Coolant System can be cooled

! down to less than 305 degrees-F from normal operating j conditions in the event of a total loss of off-site j power.

23

Each electric driven auxiliary feedwater pump is capable -

of delivering a total. feedwater flow of 780 gpa at a -

pressure of 1050 psig to the entrance of the steam generators. The steam driven auxiliary feedwater pump is capable of delivering a total feedwater flow of 780 gpa at a pressure of 1050 psig to the entrance of the steam generators. This capacity is sufficient to en.sure that adequate feedwater flow is available to remove decay heat and reduce the Reactor Coolant System ~

temperature to less than 300 degrees-F when the Decay Heat Removal System may be placed into operation.

New Specifications:

4.8.1 Monthly on a staggered basis, at a time when the average reactor coolant system temperature is 2305 degrees-F, the turbine / motor driven and motor driven auxiliary feedwater pumps shall be operated on recirculation to the condenser to verify proper operation.

Separate tests will be performed in order to verify the turbine driven capability and the

. motor driven capability of auxiliary feedwater pump P-318.

The monthly test frequency requirement shall be brought current within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after the average reactor coolant system temperature is 2305 degrees-F for the motor driven pumps.

The turbine driven capability shall be brought current within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of obtaining 5 percent reactor power.

Acceptable performance will be indicated if the pump starts and operates for fifteen minutes at a flow rate of greater than or equal to 760 gpm and at a discharge pressure sufficient to drive that flow through the most restrictive flow path to a single steam generator which is at a pressure of 1050 psig.

The monthly testing of the auxiliary feedwater pumps and valves shall be performed in accordance with the inservice inspection requirements of Specification 4.2.2.1. .

24

4.8.2 At least onc'e'per 18 months: __

1. verify that each automatic valve in the flow'. path actuates to its correct position upon receipt of each auxiliary feedwater actuation test signal.

. :2 . Verify that each auxiliary feedwater pump starts as designed automatically upon receipt of each auxiliary feedwater actuation test signal.

4.8.3 All valves, including those that are locked, sealed, or otherwise secured in position, are to be inspected monthly to verify they are in the proper position.

4.8.4 Prior to startup following a refueling shutdown or any cold shutdown of longer than 30 days duration,. conduct a test to demonstrate that the motor-driven AFW pumps can pump water from the CST to the steam generator.

Bases:

The monthly test frequency will be sufficient to verify that the turbine / motor driven and motor driven auxiliary feedwater pumps are operable. Verification of correct operation will be made both from the control room instrumentation and direct visual observation of the pumps.

The OPERABILITY of the auxiliary feedwater system ensures that the Reactor Coolant System can be cooled down to less than 305 degrees-F from normal operating conditions in the event of a total loss of off-site power.

l The electric driven auxiliary feedwater pumps are capable of delivering a total feedwater flow of 760 gpm at a pressure of 1050 psig to the entrance of the steam generators. The steam driven auxiliary feedwater pump is capable of delivering a total feedwater flow of 760 gpm to the entrance of the steam generators over the steam generator operating range of 800 psig to 1050 I , psig. This capacity is utilized as analytical input to the Loss of Main Feedwater Analysis which is the design basis event for AFW flaw requirements.

25 I

i

. l i

Discussion: ,

This revision ' incorporates the features of 1) Proposed Amendment No. 107 which changed the required auxiliary feedwater flow to 760 gpa and 2) Proposed Amendment No.

148 which would permit auxiliary feedwater periodic

-testing either during plant operation .or shutdown conditions. The definition.of acceptable performance-for.the auxiliary feedwater pumps has been clarified to better define the pressure requirement. associated with the 760 gpa flow. The prescription that testing of AFW pump and valves is performed in accordance with Specification 4.2.2.1 requirement is also added. The revision does not alter the flow requirements as defined in Proposed Amendment No.107.- Specification 4.8.5 was deleted since the AFW flow. test valves can now be automatically operated from the control room, an individual is no longer required to be stationed at the valves during surveillance testing. Also, existing Specification 4.8.6 was deleted. Since the NRC issued Amendment 80 dated April 14, 1986 requiring monthly testing, the NRC also left in the requirement for the quarterly testing of the same pumps.

i l

4 26

SAFETY ANALYSIS FOR AUXILIARY FEEDWATER SYSTEM REVISIONS '-'

The design basis event' originally used for sizing the auxiliary feedwater system (AFWS) is loss of main feedwater (LMFW) with a concurrent loss of offsite power (IDOP), and subsequent loss of the reactor coolant pumps. The pertinent parameters for this accident relative .to the AFWS are design flowrate and required time to full AFW flow. The design values which resulted from this original (FSAR) analysis are 780 gpa deliverable to the steam generator within 40 seconds of the initiation signal.

The 40 second time was chosen to allow the AFWS to inject .

feedwater and begin increasing steam generator level to the 50 percent operating range level required for natural circulation prior to completion of the reactor coolant pump . The design flowrate was selected to be equal to or greater than the decay heat generation rate at 40 seconds. Each AFW pump has a rated capacity of 840 gpa at 1150 psig with a normal recirculation flow of 60 gpm; thus the net flow rate to the steam generators is 780 gpm.

' The AFW flow design basis for the upgraded system has been revised to require delivery of 760 gpm within 70 seconds to at least one steam generator. The revised design basis event for sizing the AFWS is a loss of main feedwater with no loss of offsite power. The reactor and reactor coolant pump heat input resulting from this event with no anticipatory reactor trip or trip due to loss of offsite power represents the limiting condition for determining AFWS flow requirements. The time delay assumed for delivery of AFW flow is consistent with pump initiation in the design basis event and in the event of loss of main feedwater coincident with loss of offsite power. This analysis was provided to the NRC in a February 18, 1983 letter.

In the September 26, 1983 NRC SER on Auxiliary Feedwater System, the NRC concluded that " Based on our review of the licensee's February 18, 1983 submittal, we conclude that Rancho Seco AFWS design meets the minimum flow requirements and, therefore, the licensee's response is acceptable."

1 i

l l

f i

l

5 Basis'for No Significant Hazards Determination .

The proposed change does not involve a significant hazards consideration because operation of Rancho Seco in accordance with this change would not:

1. Involve a significant increase in the probability or consequences of an acciderit previously evaluated. The District's February 18, 1983 letter provide the-transient analyses supporting the design basis for the auxiliary feedwater system. The September 26,- 1983 NRC SER documents the acceptability of the design basis and supporting transient analyses.

2. Create the possibility of a new or different kind of accident from any previously analyzed. As stated above, the transient analyses have been performed that address

all transients which require auxiliary feedwater for i

mitigation. The September 26, 1983 NRC SER documents the acceptability of the transient analyses.

3. Involve a significant reduction in a margin of safety.

The revised design basis event for sizing the AFWS is a loss of main feedwater with no loss of offsite power. The reactor and reactor trip or trip due to loss of offsite power represents the limiting conditions for determining AFWS flow requirements. Our transient analysis documents the acceptability of using this revised design basis flow.

f The September 26, 1983 NRC SER documents the acceptability -

of the design basis and supporting transient analyses.

6