ML20247G380
| ML20247G380 | |
| Person / Time | |
|---|---|
| Site: | 05000601 |
| Issue date: | 08/31/1989 |
| From: | WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML19307A348 | List: |
| References | |
| NUDOCS 8909190053 | |
| Download: ML20247G380 (78) | |
Text
CBEUaameam tagsg a hu
= ,
(p ', ; - '*
RESAR-SP/90 PDA
. Response to Draft Safety Evaluation Report Open Issues 42-81 i
I 1
Westinghouse Electric Corporation P.O. Box 355 Pittsburgh, PA 15230 WAPWR-DSER AUGUST 1989 i B190e:1d ,
8 '- '
Ci . ,
I a 1 C-_-- -- J
V, ".
. DSER OPEN ISSUE 82: Plant operation during N-1 operation (15.1).
RESPONSE
There is no intent on the part of Westinghouse to license N-1 loop operation as part of the RESAR-SP/90 application. Subsection 15.0.2 will be revised to delete the reference to " power operation with a reactor coolant pump out of service."
DSER OPEN ISSUE 83: Criteria regarding transients of moderate frequency (Category II events) (15.1).
RESPONSE
All Category II events performed for the SP/90 PDA meet or exceed the design basis criteria for this class of events. All Category II events maintain the reactor coolant and main steam system pressure below 110% of design values.
The minimum departure from nucleate boiling ratio for all these events remained above the 95/95 DNBR limit thus demonstrating that clad integrity was maintained. Because the DNBR during all Category II events remained above the limit value, no fuel failures are postulated to occur and the radiological consequences of these events do not exceed a small fraction of the 10CFR100 limits. None of the Category 11 events will generate more sericus plant conditions without other faults occurring % dependently. Table 83-1 summarizes the results of the analyses presentet in RESAR-SP/90 which confirm that the Category 11 acceptance criteria are met.
The protection system setpoints used in RESAR-SP/90 design basis safety analyses were chosen with allowances made for instrument inaccuracy for the most severe abnormal situations anticipated during the events analyzed.
Technical Specification nominal and allowable setpoints will be back calculated from the setpoints used in the applicable safety analysis. These calculations will be done during a plant specific application which references RESAR-SP/90. The calculations for the technical specification setpoints will l
be done using an approved methodology which meets the requirements of Regulatory Guide 1.105.
WAPWR-DSER AUGUST 1989 8190e:1d 1
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ __ 1
f; L. __ ll>8 .
1T.. r>The.Lmost limiting;fsingle:! failure _.t'o plant. systzms'4 was' assumed in'all the'
+ . safety' analyses. A discussion ~of:the single failures assumed can be found in.
s ;the response to.DSER Open Issue 87. _
i;
.u i
\-
WAPWR-DSER AUGUST 1989 8190e:1d
._-___ -. .2 . _ --_____ -_____. .._-_...a
ii-1 a
. 7
_ 5
' . o C cg C, C, o
' 8 8 B g 6
m
. u e
u om ti e l
a ner nihu v rmt g R
B u i l t enF N a eha D i 0 rthe 2 t4 6 8 1 t e m - i - - - - t e S u 1 n1 1 1 1 orr m
5 in1'5. 5
. noe i 5 5 f t .
n 1 1 1 1 seat i a erei M e he e e e oerm r tr r r r d h gi u u .u u u t L
]g rg g ] g ] g r o,in1 s 3 i ei ]i i i F tF F F F t r g-a ceRi 1 e ee e e e awBs 3
[S
.e re Gs [S e
[S e
[S e eoNe5.
R pD D 1 3
1 2 5 5 1 1 n n o o i i t t c c e e S S m
a f l l l l l f ee t r o i a a a a a o i i i i Su s t t t t t s s t i i i i i t ns l n n n n n l ie u a i i i i i u S ar s i s T MP e s n n n n n e N R p a a a a a R E mm ue e h h h h h V ) t t t t t e e e e e susl e E mt h h is xy t su sl su sl su su t 1 sl sl
) 1 aS y ea ea ea ea ea y 3 M b ( L v lv Lv l v L v b Y
F R d d 0 O e e G d d 1 E n n T u l u T A e o a o E C r B i B E u t e H R s 1 ie l e 7 7 i r
(
S O F
s e 1
- nr i u ar i u 1 1
- nu i g r t g t g i 1
S P 5. ii ii 5 5. eF T 1 nF nF 1 1 h 3 L S a i i a s t e 8 U C i e e e ie ie e S R sr ne ne sr sr nS E
L B
E R
u m
pu
]i g has .
t ,3 h
t as
,5 pu pu
]i g
]i g h a
t .1 4
A F m F e- e- F F e-T O i x e su1 sl su1.
sl e e su1 sl Y a .e ea5 ea5 e e ea5 R M [S lv1 lv1 [S [S Lv1 A
M M
U S
s s n- n-od od , , , ,
i e i e k k k k t e t e c c cl cl r cF cF a a ac ao ao n n b b br br e un un dl dl dt dt Frah fi fi n eo eo en en oe1 g t d n l l i w er er eo eo a o an ae msa o Ft n
Ft n
FC FC g1 nf e i Mo el neio L t ie sF ro ro rr rr i Rs m i
p mt r ecu me er a
em t oC t
oc oo oott tt n une eraot l
a r t ut t c ra ar ar ac ac poCis n c sda sn ce ro ro ra ra Ot t y r s yer yi nt et et ee ee aeaS e e SR e S i S dc dc dR dR t rvz t D p nw oa oa o o nel i m x ram e e rao e l ey Me vr R Me R
Mc Mc i i enara t eVue E
t gT t gF i a m m mt mt rG st f an an sd ut ui ua ua e ysS o wir dse wir dse sn eo mniu mn iu mm mm io i o vmt e deern s eut eut cc nn xn nt xt aef pi s eaa eaa xe ia aa iu au nt aea o FCw F cw Es MM MM MA MA I SSDM L
/ B 8 8 G B n / / / / /
oe 1 e e 2. el il t u 1 u l 2. le 1 u
- 3. l 1 u
- 4. le 1 u u cd .d .d . d .d 2. d eo 5o 5o 5 o 5o 5o SM 1 M 1 M 1 M 1 M 1 M
y, 3 a,I) 23 yAyumR C33;3
- O d
!g(n4
- neC lo p goeLC' il ll lll(lllll l , ll
R e e B i l l u u N n a a s s D i i i s s 2 t t t I i 4 m - i i i -
u 2 n n n o o 3 m I I I t t i 5 5 n 1 n n n e e 1 i .
a a a s s M e h h h n n e r t t t o o r u p p u
] g r r r ] s ] s ) g i e e e e e i F t t t R R F a a a e e e e e e e
- e r r r 3 3 e e e
[S G G G [S [S (S 2 2 5 5 1 1 n n e,
~. o o i i yu r
t t c c ot s e e t es S S f e m l ar a f f asp ee o o u qrn t r Su s s eoe s t t t p ns l l rao e a a a a u u a a or S iar i i i i s s i i el T MP s s s s e e s s nnl N p p p p R R p p aeu E mm h gf V ue ] ] ) ] e e } } t E mt h h me is t t sav I xy sel
) I aS y y et a 3 M [ [ ( [ b b [ [ L sv Y
F R d d 0 O e e G d d 2 E n n T u u T A e o o E C r B B E u 1 H R s 1 3 5 7 9 1 2 5 O s - - - - - - -
( F e 2 2 2 2 2 2 3 r
1 S P 5 5 5 5 5 9 5
- T 1 1 1 1 1 1 3 L S a a a a a a1 a 8 U C ie i e ie i e ie i e ie sr sr sr sr sr sr sr S R E E pu pu pu pu pu pu pu L R r/
r g g g g g g g B u ]i ]i ]i ]i ]i fi }i A F m F F F F F F F T O i x e e e e e e e Y a e e e e e e e R M [S [S [S [S [S [S [S A
M M
U S
d d r s s ns ns d n
e
. e . e .ae .ae n w kdv kdv k v k v i a o cnl cnl cyl c yl a n P aaa aaa aaa aaa M mi r b V b V brV brV u C e d y dy dp dp f s ug A s t d eaf eaf eSr eSr oe cn e a e n ere ereF pi e e e e v ai yi w cw o F pi F r1 F ri el vt cr na d ro i Sl Sl e1 el ra l e ol t r e r e rze rze uv ru ei e FF p orR orR oiR oiR s es gl F i t e t e t r t r on se ri f t r a2d azd aud aud l o nR ex l on c
p r1 e rie rse rse ci e dsp mu a a s ert ert est est t eA m sl e i dua dua dea dea t a nti n r so D r osr osr orr orr nl onr on o oo T MseepMse MPe MP e p eo CeT No N lC ep p t s v i e mrO mrO mtO mtO rI fE e ft f l r n uP uP uu uu e o n oat o ao i m r m r mor mor vm ri it b i h e ihe ihe ih e da seb sS s t c nt w xt w ae sh r s s ra r
u inti w o xt w aio io aio nt ot u oo o ae T MwP MwP iMwP MwP I S LOT Lt L PR
/ 8 8 8 6 G 4 n / / / / / /
oe il e
- 3. l 4. l e
- 5. el 6. el e
- 7. ul 1 e
.l t u u u u u u cd 2. d 2. d 2. d 2. d 2. d 3. d eo 5 o 5 o 5 o M
5 o 1 M 15 Mo 5 o 1 M SM -
1 M 1 M 1
% 2myv,mm A >cmCg4 -
h 3n ?
, lil l1
R D& s D D B e N n0 D n n D g1 g g i- 5 R i 1 i m s4 - B s - s u e 4 N e 6 e m D5 D D D i 1 5 5 n n 1 n n 1 n i as a a a M he e h h e h t r r t t r t rg u u u g
] g r r r ei i e e }i e t F F t t F t a a a a ee e e e e e
. re e r r e r GS [S G G [S G e n n n g
r g g yu i t y i ot s s
- ot s t es e e t e e f e D D f D m l ar l a a asp f f as f ee u o o u o t r qrn qrn Su eoe % % eoe %
s t p 0 0 t p ns rao 1 1 rao 10 ie or a 1 1 or 1 S ar el i el T MP nnl s n n nnl . n N aeu p ae ae aeue ae E mm h gf hr hr hgf r h r V ue t ] t u t u t u t u E mt is sav me ss s
ss s
savs mes ss s
! xy sel se se sel e se
) ! aS et a er er et ar L svp er 3 M L sv [ LP LP LP Y
F R 0 O G
3 E 1 n l l T A e a 2 n4 a a E C r h f o i i E u t y t o ie t . t H R s t 4 f . f tl i 2 i
$ O s se - o 0 o cu n - n
( F e r
sf n eae 4
%r e 5.d 5 n .
1 %r e oed tSo i 6 i 1
S P l sp 5 0u 1 a2 10us M e 5 e
- T o 1 1 s ed h 1 h 3 L S rr a 1 s n1 2 1 s snf t t B U C oel i e e o e nao e S R rl sr nr ie5 nr o n r n E E ot ue pu aP tl 4 aP p90 a u a L R m t rf r g h cun h s91 h g h B u u u ]i t n edoe t n e . t i t A F m l ses F g Soil g re2 e F e
- T O i asvs si Mt u si u su su x uel e e ss e cd ss es2 sl e sl Y a qrar e ee ef eo ee es ea e ea R M E pvp [S LD SoSM LD Si5 Lv S L v A
M M
U S
r o m -
tt e f y cc t l e re ae s o i rd er y r t l ai r R r f S t n ae C s e o o gn nt a R t t ec oal f su sk vn nno Ch o or eO n un iI oii e
t o o n o l ar t i l t C g it i CBe cn t oa mn ny L n t w aa aor uor it a p dyo n rC e l io ne l l i ol P I t e p ott ef l o r Rb a peO Vcc pa ao c mt n Or na OS mC s dea ap or due S e es oe tCe nf R t r yt D l sl f or n eyo w al ne f rn l A a oL u asy ez oae o w rl a pt a t t cP rn l Mer a so ti rr me ein t or unr eeg cmat eu rr1 nrd t ae vgn ieen vse uP a ot h rl p dri mt re dsv l t aom aar escv ael ign xnt UCt oi r t oe SCT nmu I ED h ynn CSI I Inra PV ano Fi C 3
/ 5 4 1 1 4 1 n / / /
oe il 2. el 4. ule 1 e
.l 2. l e 1 e
.l 2. el t u u u u u u cd 4. d 4. d 5. d 5. d G. d G. d eo 5 o 5 o 5o 5 o 5o 5 o SM 1 M 1 M 1 M 1 M 1 M 1 M l
E>2:$eml o nC W pcQtn4 -
m;;;s a "
l ,l'
f ; e ts 5.
RESPONSE
All Category III events meet or exceed the design basis criteria for this class of events. All_ Category III events maintain the system pressure of the reactor coolant and main steam systems below 110% of design values. Fuel failures were assumed for all rods for which the DNBR fell below the design .
limit. None of the Category III events will generate a more limiting Category IV ev'ent without other faults occurring independently.
The Category III rinor steam piping failure events cause a depressurization of the primary and secondary sides. Therefore system pressures will never approach the 110% design limit. The minimum DNBR for minor steam piping failure events is less limiting than the full double ended steam line rupture results presented in Subsection 15.1.5 of PDA Module 6. For the full double !
ended steamline ruptures the minimum DNBR was above the design DNBR limit.
Therefore no fuel failures would be postulated to occur for minor steam piping failures. The radiological consequences are a small fraction of the ,
guidelines of 10 CFR 100 (See Subsection 15.1.5.3.3.2 of PDA Module 6).
For the complete loss of forced reactor coolant flow event (Subsection 15.3.2 i of PDA Module 4) the maximum reactor coolant pressure was [ ] psia which is a,c significantly less than 110% of design pressure. The steam pressure during a I complete loss of flow event will be maintained below the steam generator l safety valve full open pressure. Therefore the secondary side pressure will be below 110% of design pressure. For the complete loss of flow the minimum DNBR was above the design limit (see Figure 15.3-8 of PDA Module 4), therefore no fuel failures are postulated to occur. The results of the complete loss of j flow analysis exceed the acceptance criteria of Category III events such that l even the acceptance criteria of Category II event are met.
I WAPWR-DSER 6 AUGUST 1989 8190e:1d I
I
. _ _ - - - _ _ - - - - - - - _ _ _ - - _ - - - - - - - - - - - l
'y,_ N g
the Category 'III small break LOCA causes a d: pressurization of the primary side and the'refore the RCS. pressure never approaches the 110% design l '.mi t .
The secondary side pressure is maintained below the steam generator safety valve full open pressure and the secondary side pressure is therefore maintained below the 110% design limit. As discussed in Subsection 15.6.4 of.
PDA Module 1: no core uncovering occurs, therefore no fuel failure is postulated to' occur.
DSER OPEN ISSUE 85: Categorization of loss-of-reactor-coolant-flow event (15.1).
RESPONSE.
The classifications of events used by Westinghouse are those defined by the ANS. The complete loss of forced reactor coolant flow transient is classified
.by the ANS as a Condition III event, an infrequent fault. However, Westinghouse analyzes this transient to Condition II (faults of moderate frequency) safety acceptance criteria.
DSER OPEN ISSUE 86: Criteria regarding limiting transients (Category IV events) (15.1)
RESPONSE
All Category IV events meet or exceed the design basis criteria for this class of events. All Category IV events maintain the reactor coolant and main steam system pressures below accept 61e design limits. All Category IV events will not generate a more serious condition or result in a loss of function of the reactor coolant or containment barriers without other faults occurring independently. All rods where the DNBR fell below the design DNBR limit were assumed to fail in all Category IV events. Fuel damage was limited such that the core remained in place and intact with no loss of core cooling capability.
The calculated radiological consequences of all Category IV events were WAPWR-DSER AUGUST 1989 8190s:1d 7 i
.o 4 j
p ..
- ' .. 'a l within the guidelines 'of. 10 CFR 100 guidelines. Tablo 86-1 summarizes the !
l
.results of the analyses ' presented in RESAR-SP/90 which confirm that the Category IV acceptance criteria are met.
l Only safety grade equipment was assumed to mitigate the' consequences of the non-LOCA and.LOCA events. A worst single failure of an active component in a safety system- was assumed in all the analyses. A summary of the worst single.
failure assumed in all the accident analyses is discussed in the response to issue 87.
WAPWR-DSER AUGUST 1989 8190s.1d 8
_- ___--________-_________ _ __ _ ___- _ - - _ )
o sl el si ii l we e g ) ne el a i rneh pel aa6i h eS on2as ueT ds eeut ce t m1 aeT r( Di- n qd
. ae t pf nd ne .f o r e- 0s 3. N B o p ei&
su R c as nei . ir de n ee rr%n diuu2 qg a
me1 l 5 c t. w s e
0n5Ds 7i 1 e ng2 o
- nu g 0ade 3 r- eecsn 2 a nr c03 aq e ns mei 0 ss e seedan asre o0 3 sa o 52.uhaei yc f t tnne cl nel arbeh e l t aR 3
en w( ot t c05 1 we1 died h art cF3 ro f ac l h %n ui t eta iC uC Rtel al R1 at s0adqu r e g03 l Birut aF . e neg soese o1 5
i Nmet ncC5 sdr das .
scedS l a Dihsii01 inuee n ) e So( on1 F LT o g1 agrt eo04 l e( r i a l un m
mg
. p nl o n o
S CdFfl a i oacc0 1 h
stt ei l dhn at o e io i Re eul R B. i ch a r i u ii . eaint l ert pl F2 eatf) st F ns) rmdac eoees aC Trt . esc i e0eeahe hoSh onc05 Conf o7 h ee MD9wrrtS Tc(T pii1 1 Pfi ot9 Tl S s.
i s
y e e l v & v l a l l a ma 7 ma n a
m i
t i
ave 1 e r-ave.r e
A ee n t yu2 t yu e t r i st s st s r Su es5 es u s e ef e1 ef e z ns h har har i e
S i e t t sps t sp T ar e S N
E V
MP mm h n
a ernr .
eoeu ht pg3 nrn aoe ht p t
f E ue t . t aoi2 t ao a mt e r F - r h V is xy su sel 2 sel S
) I sl snl e snl 2 aS ea eeue5 eeu P C
Y M L v L gfS1 L gf F R R 0 O G f 1 E o T
T A s. s E C t t
- E .
l & i l)
H R e a e m & u2 S O r i - v ,4 i s
( F u t e sl e1 l 0 e4 s ir ear- 1 r 1 S s nu rvu2 n . 3
- T e ig p ys5 s g 3 e
. 6 L r i i h5 8 U P eF et e1 s 5 . t1 S h h er e 1 2 E E S t e tf ps d - yn L R C e a e e3 bo B
A T
F O
R m h nS a
7
. nsnr .
a eu hepg0 h n r a u5 g1 dt ec i
u t .1 t eoi2 t i d e Y m e- r F - F e nS R i su1 sil 2 s l u A x sl . srl e s eb oe M a ea5 euue5 e ea B e M M L v1 L sfS1 l ST ( S U
S k
e e
r C
e k r a t t u e f f l r a a i B h h a S S F e p n ip p o g p m i n P u u t i P P ip p m i e t t r P t n n c s a a s m y l l e e S o o D t o o s r C C y e S t re r a or o m w t u t a d cz c e e ai a t e ee e S F RS R
/ 6 6 4 4 n / / / /
oe il 5. t e
- 8. le
- 3. eul 4. el t u 1. u ic u u cd 2. d 3. d 3. d eo 5o 5o 5 o 5 o sM 1 M 1 M 1 M 1 M
)
y >o:7:$$o u :
>CGC(M4 te$oa s
i D e5 eiT 02 i S ei ds s5 r1 su 0 t e(6 su ae n1 e ng& 1 3 cer ng R c 0i wno R aco 5 o n 0a oc02 F3 enc 1 c d e 7 me i 0 C ra t 0 nu aq 2el st 1 3 03 t rpeal ce 0 .
rbdcl R 1 l 1) e n aoeaF 3 6 eeht b aR4 ss a TrScC t cT na cF en h e i 08 e5 ac iT i C4 ro uC t r oeoeo f eg1 4
h1 t
wa gO oT 6 l sce Sl n l . l i s S ( on5 o a 6d3 o 5 a e (% ia1 ni t e4 n in1 F l e 0l dh at eh a3 da h 1 i atn hc s u t0 ann l stt ar- oi t e 5 4 rt o e i c f S & R e i u ean st s nF c6 st F Trt a esc se tac a esc Conh oh ee ee Ch0l 5 hee PfittTl S LS Pt1 p1 Tl S
- 1 - l -.l n1 nl nl eu gf eu gf eu gf l e av me av me av m
a el el el ee t a t a t a t r Su s
sv eye sv eye. sv eye ns ht r ht r ht r S ie t eu t eu t eu T ar f s f s f s N MP nas nas nas E ase ase ase V mm h r h r h r E ue t rp t rp t rp mt o o o V 1 s st n st n st n
) I wy sae erp sae erp sae erp 2 aS Y M L eo L eo l eo F R 0 O G
2 E .
T ,9 T A s E C t 1 l E di . rl l H R e em2 uu a S O r t i sf i
( F u l L8 s t s u ee i 1 S s as4 rv n
- T e F s pl i 6 L r e5 a 8 U P er1 ev e S ht h h E E S tSn t y t L R C -
o t B R nni ne n A F e eot af a T O hi c h a h
t .
s u tt e t s e
Y R
A i
m x
sd sne iS srn.
see su sl 8
a eoe erp ea a
D M lCS lt o L v U
S l
o g
_ r t e n ns r i p
ot u iry C n l e i Por rd a t a ei F dcd t c ean n sc e t eu o uA b aR o i l u l B t C n T ue p o th e i di r st r r ot o o u pns c R c t s e a i s e fj r f h e D oE e ot r n i P my e mW ul G u t rb rsn t m m tk a ce a cal es ps t e eeo pro SA S SBC
/ 5 6 1 n / / /
oe il 8. eul 3. ule
- 4. eul t u cd 4. d 6. d 6. d eo 5 o 5 o 5 o SM 1 M 1 M 1 M
,O
._ DCDCt-o4 lt>kmb%=
s e
t C t$E . - "
1i ll
49 06
.- OSER OPEN ISSUE 87: Justification for selection of limiting single failures
. for accident analyses (15.,1).
RESPONSE
All of the transients analyzed in the RESAR-SP/90 PDA are analyzed assuming the most limiting single failure (e.g., loss of one protection signal, safety injection (SI) train failure, emergency feedwater (EFW) train failure).
Table 87-1 lists the limiting single failures for each ANS condition II, III and IV events.
For each transient, its associated worst single failure within the protection system assumed in the RESAR-SP/90 PDA analyses is given in Table 87-1. The protection system is defined as those safety functions required to mitigate the consequences of the event. This includes the reactor' trip system, the engineered safeguards features (ESF), and pressurizer and steam generator safety valves.
These single failures were selected based on the requirements of 10CFR50 Appendix A, the SRP, and Regulatory Guide 1.53 (which addresses IEEE-279 and IEEE-37.0) . A single failure is "...an occurrence which results in the loss of capability of a component to perform its intended safety function." (10CRF50-Appendix A). The single failure criterion states that a " single failure within the protection system shall not prevent proper protective action at the ,
system level when required" (IEEE-279).
The single failures which are considered are active failures, consistent with the SRP acceptance criteria. Failures in the protection system which are not required to mitigate the consequences of an accident are not concidered.
These are failures of systems which are not challenged during the transient and are not active failures. Such failures are independent failures and are therefore not within the scope of transients presented in the RESAR-SP/90 PDA.
For each event listed in Table 87-1, a brief discussion of the assumed single failure is provided below. The purpose of these discussions is to justify WAPWR-DSER AUGUST 1989 8190e:1d 11
l 1 .
that the single failure assumed is indeed the worst single failure. These L failures are failures at the system level .and consider the failure of a protective function. The cause or mechanical nature of the failure which causes the system failure is not discussed, since these are addressed in the individual system modules of the PDA. Therefore, further detail beyond the systems level single failure of loss of one protection train is not provided.
The pressurizer safety valves and steam generator safety valves may be required to prevent a pressurization of the primary and secondary system respectively. Except where it is already stated in the RESAR-SP/90 PDA, the safety valves are not challenged or required to mitigate the consequences of the event. Failures of these valves are not considered since they are not active failures. These independent failures are not applicable. Therefore, failure of these valves is not discussed below unless they are actuated as stated in the PDA.
Finally, a loss of offsite power is not considered a single failure for these
. events. Furthermore, no single active failure will cause a loss of offsite power to the emergency buses. Therefore, consideration of this failure is not applicable.
Feedwater Temperature Reduction (15.1.1) (PDA Module 6 and 8)
As stated in 15.1.1.1, this event is similar to the effect of increasing steam flow. This is bounded by the events in 15.1.2 and 15.1.3, as stated in 15.1.1.3.
!l Excessive Feedwater Flow (15.1.2) (PDA Module 6 and 8)
The pressurizer PORVs and safety valves are shown not to be actuated and therefore, do not open. Since they are not required to mitigate the consequences of the event, a single failure in these valves is not applicable and has no impact. The only safety functions actuated are reactor trip and feedwater isolation. Failure of a feedwater isolation valve (FIV) to close will have no impact since the DNBR is already increasing by the time the FIV WAPWR-DSER AUGUST 1989 8190.:1o 12
closes (Table 15.1-1). The engineered safeguards features are not required for this event. Therefore, a single failure in the ESF is not applicable and has no impact. Therefore, the failure of one protection train as listed in Table 87-1 is the limiting single active failure.
Excessive Steam Flow (15.1.3) (PDA Module 6 and 8)
As stated in 15.1.3.2, the plant reaches a stabilized condition. No reactor trip is required, no pressurizer relief valves are required to reduce pressure and no ESF actuation occurs. Since the protection system is not required to function for this event, a single failure does not apply and has no impact.
Inadvertent Secondary Depressurization (15.1.4) (PDA Module 6 and 8)
As stated in 15.1.4.1, it is the failure (opening) of a steam dump, relief, or safety valve which initiates the transient. This is a depressurization event, therefore pressure relieving functions of the protection system are not challenged nor required to mitigate the consequences of the event. The only portion of the protection system required is the safety injection portion of the ESF. A single failure in a protection train of the signals which actuate SI will have no impact due to the redundancy, diversity, and independence of the SI actuation signals. The failure of one SI electrical train is the limiting single failure since it reduces SI flow, results in less boron injected into the core, and consequently reduces the margin to return to criticality. This is the single failure assumed in the RESAR-SP/90 PDA as stated in 15.1.4.2. For this event, the DNB design basis is met by demonstrating no return to criticality (15.1.4.3).
Steam 5ystem Piping Failure (15.1.5) (PDA Module 6 and 8)
The limiting case presented in Subsection 15.1.5 of the PDA is a full double-ended rupture analyzed with and without offsite power available. As in the Subsection 15.1.4 d:scussion above, the transient results in a depressurization of the prbary and secondary systems. Therefore, pressure relieving functions of the protection system are not challenged or required to WAPWR-DSER AUGUST 1989 8190.:1 d 13
j.
g1. L '
- .e ..
.- o mitigate the consequences of the event. The only portion of. the protection system required is the safety inje'ction portion of.the ESF. The failure of an electrical train results in minimum safety injection capability. It results in reduced SI flow and less boron injected into the core, consequently I maximizing the return to power.
Loss of External Load (15.2.2) (PDA Module 6 and 8)
This is bounded by the turbine trip event.
Turbine Trip (15.2.3) (PDA Module 6 and 8)
L For this analysis, the ability to maintain RCS pressure below 110 percent of design in accordance with the SRP criterion must be explicitly addressed.
Since the DNBR increases with pressure (assuming all other variables are held constant), the event is analyzed with and without pressure control to address both peak pressure and DNBR concerns. Both the pressurizer and steam generator safety valves may be required to operate. Assumptions relative to their_ operation are described in the RESAR-SP/90 PDA.
If the pressurizer relief / safety valves fail to close once the pressure has been reduced, there will be no impact on the minimum DNBR. This is because the valves are not required to close.until after the time of reactor trip, at which point the DNBR is rising and is very high. Steam relief is obtained by the steam generator safety valves. However, these or any other steam relief valves would not be required to close until after reactor trip, when both the RCS pressure and DNBR are past their maximum and minimum values, respectively.
Therefore, failure to close would have no impact. Although the ESF may be required to function to supply emergency feedwater, a failure in the ESF would have no impact since credit for emergency feedwater is not taken. Therefore, thelimitingsinglefailureisoneprotectiontrain(Table 87-1).
Inadvertent Closure of MSIV (15.2,4) (PDA Module 6 and 8)
This is bounded by the turbine trip event.
WAPWR-DSER AUGUST 1989 8190e:1d 14
to %
l l
Loss of Condenser Vacuum (15.2.5) (PDA Module 6 and 8)
This is bounded by the turbine trip event.
Loss of AC Power (15.2.6) (PDA Module 6 and 8)
For this event, the ability of the protection system to provide long term cooling is verified. The loss of one emergency feedwater pump of the ESF is the limiting single failure, as stated in Table 87-1. A reduction of emergency feedwater capacity reduces the capability of the emergency feedwater to provide long terra cooling. This results in a higher primary side heating and pressure. The pressure transient shows that the pressurizer safety valves are actuated for this event. Failure of the valves to close would have no impact since the emergency feedwater is adequately removing the decay heat by that time. For the case where the single active failure is the failure of the pressurizer P0RV or safety valve to close, credit can be taken,,for complete emergency feedwater capability. This would reduce the peak pressure and cause the time at which decay heat equals heat removal capability to be sooner. The steam generator safety and relief valves are used to dissipate decay heat during long term cooling. Since it is desirable to have these valves open, failure to close has no impact, especially since the emergency feedwater supplies sufficient heat removal capability. Single failures which result in loss of signals which actuate emergency feedwater, reactor trip, or valve openings have no imp'act due to their redundancy, diversity, and independence.
Loss of Normal Feedwater (15.2.7) (PDA Module 6 and 8)
As for the loss of power event, the primary concern for the loss of normal feedwater is long term cooling capability which is provided by the emergency feedwater system. Therefore, as for the loss of ac power, the single active failure causing the lor,s of one emergency feedwater pump is the limiting single failure.
WAPWR-DSER AUGUST 1989 siso. t e 15
.. g o-lk! *-
J..
- Feedwater System Pipe Break (15.2.8)~(PDA Module 6 and 8) l . .
E As in the . loss of feedwater and loss of power events, the primary concern for
~the feedline break is long term cooling capability provided by the emergency feedwater system. The -single active failure assumed is the loss of one motor.
driven' emergency.feedwater pump.
Loss of Flow (15.3.1,15.3.2) (PDA Module 4)
'The protection for this event is provided by the low flow and RCP underspeed b trips. A single failure 'in the ESF is not applicable since the ESF are not required-to mitigate the consequences of the event. The pressurizer PORVs may
.open as a result of this event. However, failure to close will have no impact since the point of minimum DNBR.is past and the DNBR is rising by the time- the valves close (Figure 15.3-8). Therefore, the worst single failure is that of
.one protection train.
Locked Rotor (15.3.3)'and RCP Shaft Break (15.3.4) (PDA Module 4)
The locked rotor / shaft break event is analyzed for DNB, peak pressure and dose considerations. The primary protection is provided by the low flow trip, and the pressurizer and SG safety valves. Failure of the safety valves to close
.will have no impact since the point of minimum DNBR is past and DNBR is rising by the time the valves close. A stuck open secondary side valve would also have no' impact on the offsite steam releases (for dose calculations) since a higher pressure assumption is conservative. Therefore, failure of one protection train is the limiting-single failure.
RCCA Bank Withdrawal from Suberitical (15.4.1) (PDA Module 5)
Although the pressure transient is not shown for this transient, an increase in RCS pressure is expected due to the increase in heat flux and temperature.
However, if the PORVs opened and failed to close, there would be no impact on the minimum DNBR since credit for the change (increase) in pressure is not WAPWR-DSER 16 AUGUST 1989 8190e:1d tu tii r -
.. s
. etaken in the DNBR analysis. The ESF are not required for this accident, therefore, a, single failure in the ESF is not applicable. Therefore, a loss of'one protection train is the limiting single failure.
-RCCABankWithdrawalatPower.(15.4.2)(PDAModule5)
This event is primarily a DNB event and demonstrates the adequacy of the low DNBR and high flux trips. Operation of pressure relieving valves would serve to reduce pressure and thus minimize the DNBR. (If no pressure control was available, the maximum pressure would be limited to that which results in a high pressurizer pressure trip.) This is a less limiting pressure transient than those events discussed in the PDA. Failure of valves to close would have no impact, since the point of minimum DNBR is past and nuclear power is decreasing by the time the pressure begins to fall.
As discussed in 15.4.2.2, for some cases, the steam generator safety valves are opened. The result is to minimize the DNBR, as seen in Figures 15.4-11 and 15.4-12. However, failure to close has no impact since the point of minimum DNBR occurs right after reactor trip. Failures in the ESF are not applicable since the ESF are not required. Therefore, the worst single failure is one protection train.
Dropped RCCA (15.4.3)
This event was not presented in the RESAR-SP/90 PDA. It will be provided along with the limiting single failure in the FDA.
Statically Misaligned RCCA (15.4.3) (PDA Module 5)
No transient analysis is required. Furthermore, no protective functions are required and single failures have no impact.
WAPWR-DSER AUGUST 1989 B190e.1d 17
ti *s ;
g- . O_
Inactive RC Pump Startup (15.4.4) (PDA Module _4)
The' pressure transient in' Figure 15.4-4.shows that the pressurizer PORVs may be challenged for this event.- However,-failure to close would have no impact, since the point of minimum DNBR. is reached before the failure could occur.
Failures in the'ESF are not applicable since the ESF is not required to mitigate the' consequences of the event. Therefore, the limiting. single failure is the failure of one protection train.
Rod Ejection (15.4.8) (PDA Module 5)
This transient is analyzed to show that clad temperature, reactor ccolant pressure, and hot spot melting is below the applicable limits. Failures in the ESF are not applicable since the ESF is not required to mitigate the event. Although the pressure transient is not shown, the PORV's and safety valves could be actuated. Failure to close would have no impact since the peak pressure and temperature would have already been reached. Therefore, failure of one protection train is the limiting single failure.
Inadvertent Actuation of the ECCS (15.5.1) (PDA Modules 1 & 4) (Not Analyzed)
As stated in 15.5.1.1, it is a failure in the ESF which initiates the event.
For the SP/90 design at power, there would be no delivery of ECCS water to the primary system since the shutoff head is below normal operating pressure. At pressure below the shutoff head of the SIS, borated water would be added until the system pressure reached the sbdoff head. This is well below the actuation of the PORV's.
Increase in RCS Inventory (15.5.2)
This event was not considered in the PDA, and the single failure assumption is not applicable. An increase in RCS inventory could only be caused by an l
imbalance between charging and letdown.
WAPWR-DSER AUGUST 1989 F1so.:1d IB
- e. s
. inadvertent RCS Deprassurization (15.6.1) (PDA Module 4)
As stcted in 15.6.1.1, it is a single failure resulting in the opening of a pressurizer PORV or safety valve which initiates the transient. Although ESF features might be actuated, they are not required to mitigate the consequences of the event, since the DNBR rises after reactor trip. Therefore, ESF failures are not applicable. Therefore, the worst single failure is failure of one protection train.
Failure of Small Lines (15.6.2) (PDA Module 1) (Not analyzed)
No transient analysis is involved for this event. The protective system is not required to function, since operator action terminates this event as stated in 15.6.2.
Small Break LOCA (15.6.4) (PDA Module 1)
The limiting single failure is the loss of a safeguards train. This results in the loss of 2 high head safety injection pumps and a motor driven emergency feedwater pump. The portion of the protection system required to function is the low pressurizer pressure reactor trip, SI and the secondary side heat removal system. This will have no impact on the transient due to redundancy, diversity, and independence of the actuator channels. The SG PORV's and safety valves are actuated to remove heat. Failure of these valves to close has little impact since the EFW system supplies sufficient heat removal capability. The pressurizer PORV's and safeties are not actuated.
Laroe Break LOCA (15.6.4) (PDA Module 1)
The limiting single failure assessed is the loss of a safeguards train. This results in a loss of 2 high head safety injection pumps. This results in a minimum capability to refill the vessel and reflood the core. The only portion of the protector system required to function is SI actuation. As discussed above, this will have no impact on the transient. The pressurizer PORV's and safeties are not actuated since the transient results in a WAPWR-DSER AUGUST 1989 ii19erle 19
.. s .-
. d: pressurization of: the RCS. The SG PORV's and safeties may be actuated'but-no credit is taken for them in the analyses. A. postulated- stuck open valve would provide heat removal capability.
SGTR (15.6.3) (PDA Module 6 and 8)
The limiting single failure assumed is the failure of a PORV to open on an intact SG when the RCS cooldown is performed. This failure reduces the steam release capability and increases the cooldown time required to establish the subcooling margin after the affected steam generator is isolated. In addition, the EFW flow to the steam generators was assumed to be throttled following the EFW actuation to maximize the steam release from the affected steam generator. This assumption results in a very conservative operator action time to isolate the affected steam generator and conservative. offsite doses for a SGTR event.
A failure of the power operated relief valve to close on the affected steam
. generator could result in a significant amount of radioactivity release to the atmosphere, if the stuck open PORV can not be isolated promptly. In the SP/90 design, however, block valves of SGPORVs are designed to close automatically.
on low steam line pressure. Thus, consequences for a SGTR event with this failure for SP/90 are limited by the automatic closure of the block valve 'for j the stuck open PORV. >
A' SGTR event results in a depressurization of the reactor coolant system due to the continued primary to secondary leakage, thus the pressurizer safety valve will not be actuated. One pressurizer PORV is used for RCS i depressurization if the normal spray is not available as a result of a loss of offsite power. Since more than one pressurizer PORV is available, failure of a pressurizer PORV to open will not preclude the use of the pressurizer PORV for RCS depressurization. A failed open pressurizer PORV can be isolated by closing the associated block valve.
WAPWR-DSER AUGUST 1989 B190e:1d 20 L___.________________________. _ . _ _ _ _ . _ _ . _ _ . _ ___ _ _ _ _
- s. \
. SLB Containment Analysis (6.2.1.4)
The portion of the protection system required to function is reactor trip, SI actuation, steamline isolation, feedwater isolation, and containment safe-guards actuation. The SLB transients presented in the PDA are analyzed for a number of single failures. These include: (1) Loss of an emergency diesel (results in loss of SI pumps, containment fan coolers, and containment spray pumps); (2) Main steam isolation valves (MSIV) failure and; (3) feedwater isolation valves (FIV) failure. These have been considered individually and the limiting failure (loss of diesel) identified. The iMSIV and FIV failures result in additional mass and energy release to the containment. This would be offset by the additional heat removal capability provided by the assumption of full containment safeguards. The primary and secondary PORV's and safety valves are not actuated for this transient.
The LOCA mass / energy release containment analysis assumes the loss of a safeguards train resulting in minimum capability of safety injection, fan cooler, and containment spray. The portion of the protection system required to function is the safeguards actuation. There is no impact due to the diversity, redundancy, and independence of the actuation channels. The primary and secondary PORV's and safety valves are not actuated.
WAPWR-DSER AUGUST 1989 81so.1d 21
~
., ;a
.' : RESAR-SP/90 PDA'
. TABLE 87-1 k SI'GLE N FAILURES ASSUMED'FOR ACCIDENTS p.
Event Description Section Worst Failure Assumed Effect Feedwater temp. reduction 15.1.1 (1) None Excessive feedwater flow 15.1.2 One protection train None Excessive steam flow 15.1.3 (1) None Inadvertent secondary. 15.1.4 One electrical train Delays boron to depressurization .(2 SI-pumps) core
--Steam system piping 15.1.5 One electrical train r.'ays boron to failure (2 SI pumps) core Loss of, external load 15.2.2 One protection train None Turbine trip 15.2.3 One protection train None Inadvertent closure of MSIV 15.2.4 One protection train None Loss of condenser vacuum 15.2.5- One protection train None Loss of ac power 15.2.6 One electrical train Increases primary (1 EFW pump) heatup Loss of normal feedwater 15.s.7 One electrical train Increases primary i (1 EFW pump) heatup Feedline break 15.2.8 One electrical train Increases primary
. (1 EFW pump) heatup Loss of forced reactor 15.3.1 One protection train None
. coolant flow &2 Locked rotor & RCP 15.3.3 & One protection train None shaft break 15.3.4 NOTES:
(1) No protective action required WAPWR-DSER 22 AUGUST 1989 8190s:1d
.. : v
,RESAR-SP/90 PDA (Con %'d)~
TABLE 87-1 (Cont'd)
' SINGLE FAILURES ASSUMED FOR ACCIDENTS Event Description Section Worst Failure Assumed. Effect RCCA bank withdrawai from 15.4.1 One protection train None suberitical RCCA bank withdrawal at 15.4.2 One protection train None power
. Statically misaligned RCCA 15.4.3 (2) None Inactive RC pump startup 15.4.4 One protection train None Rod ejection 15.4.8 One protection train None Inadvertent ECCS opera- 15.5.1 One protection train None tion'at power Increase in RCS Inventory 15.5.2 One protection train None Inadvertent RCS depres- 15.6.1 One protection train None surization Failure of small lines 15.6.2 (2) None carrying primary coolant outside containment SGTR 15.6.3 Failure of SG PORV to Increases time to open establish subcool-ing Small break LOCA 15.6.4 One electrical train Maximizes potential (2 SI pumps) for core uncovery Large break LOCA 15.6.4 One electrical train Increases reflood (2 SI pumps) PCT NOTES:
(2) No transient analysis involved WAPWR-DSER AUGUST 1989 T1so.1e 23
i RESAR-SP/90 PDA'(Cont'd)
TABLE 87-1-(Cont'd)
SINGLE FAILURES ASSUMED FOR ACCIDENTS 1
l Event Description Section Worst Failure Assumed Effect LOCA Containment Analysis 6.2.1.3 One electrical train Decreases contain-(Min SI, fan cooler ment heat removal and containment spray maximizing long capability) term containment pressure transient SLB Containment Analysis 6.2.1.4 One electrical train . Maximizes mass /
(Min SI, fan cooler energy &. minimizes and containment spray heat removal in-capability) creasing'contain-ment temperature
& pressure I
I WAPWR-DSER AUGUST 1989 8190e:1d 24
x ,
e a 1
DSER OPEN ISSUE 88: Transients / Accidents at low power (15.1).
. Qualitative discussions are provided below to discuss the consequences of the Chapter 15 events in the lower modes of operation. The SP/90 Technical ,
Specifications will be written to ensure that equipment and systems available f to mitigate transients in Modes 3, 4, and 5 will provide the same level of I protection as the equipment and systems available in Modes 1 and 2. The SP/90 Technical Specifications will be written to the STS format. In lieu of SP/90 specific specifications, this response references the STS in discussing equipment available to mitigate the consequences of events initiated in the lower modes of operation.
RESPONSE
FSAR analyses of most anticipated operational occurrences (A00s) and postulated accidents (pas) consider only events assumed to occur in Modes 1 and 2, since the elevated temperatures and pressures characteristic of these modes would tend to aggravate the consequences of hardware malfunctions or operator errors, and lead to the most limiting system transients. The technical specifications, which will be based upon these analyses, ensure the availability of required protection logic and equipment in Modes 1 and 2. The following discussion will center upon the consequences of events that are postulated to occur while the plant is in any of the suberitical operational modes (Modes 3, 4, and 5), and upon protection system requirements in those modes.
Generally, the occurrence of an A00 or PA, when the plant is in a suberitical mode, will not result in consequences more severe than those which would result in Modes 1 and 2. In some modes, certain A00s or pas cannot occur !
(e.g.,the initiating failure is assumed to occur in an inoperative or disconnected system), or cannot produce a significant transient (i.e.,a !
transient which would challenge plant safety limits), and therefore, pro +ection is not always required to the same level as that required in Mode; I and 2.
WAPWR-DSER 25 AUGUST 1989 8190e:1d
E 1
- j. ,
Each A00 and PA, reported in the RESAR-SP/90 PDA, has been reviewed with
! attention to the- expected consequences of assumed occurrences in the subtritical operational modes (Modes 3 through 5). Consideration has also been given to applicable protection system requirements, and to protection system equipment availability, which will be required in the SP/90 Technical Specifications. The results and conclusions of this review are presented below:
15.1.1 and 15.1.2, Feedwater System Malfunction This A00 increases the core heat removal rate, which recaces the core temperature, leading to an increase in power generation (due to the negative moderator temperature coefficient) and a consequential reduction in thermal margin. The heat removal rate may be increased either by an increase in feedwater flow, or a G rrease in feedwater temperature. The RESAR-SP/90 PDA contains analyses or evaluations for both cases, in Modes 1 and 2.
In Modes I and 2, protection is available from the power range high neutron flux ano low DNBR reactor trips. If the increased heat removal is due to abnormally high feedwater flow, then turbine trip and feedwater isolation will occur when the narrow range high-high level setpoint is reached in any of the operating steam generators.
In subtritical modes, a postulated increased heat removal rate would cause an increase in neutron flux (and an accompanying increase in the audible count rate). It is also possible that the source range "high-flux at shutdown" alarm would sound, alerting the operator to the increase in neutron flux. If no operator action is taken, then any withdrawn rods will be automatically inserted into the core when the source range high neutron flux trip setpoint is reached. The source range high neutron flux trip is available below Mode 2.
The ADO caused by a reduction in feedwater temperature is not a concern in any of the modes below Mode 2, since there is no pre-heating of feedwater in those modes (the A00 is assumed to be initiated by an open heater bypass valve).
WAPWR-DSER AUGUST 1989 s1so..ie 26
.. .c
. The A00 characterize:d by an inersase in feedwater flow, and postulated to result from .the failing open of a main feedwater control valve, is not really i credible below Mode 2, since the main feedwater system would probably be secured. Even if the main feedwater system were in operation in Mode 3, the flow would be controlled via the bypass feedwater control valves, not the main feedwater control valves, since the (smaller) bypass valves provide much better control under reduced flow conditions. Furthermore, a failed open feedwater bypass valve, in Mode 3 and below, would result in a slow transient, due to the low feedwater flow rate.
In the SP/90 design the emergenev Sedwater or startup feedwater system would be in use in the lower modes. The consequences of an increase in flow would
- be much less than the increase from the main feedwater system due to the system flow capacities.
In Mode 5, the RCS is cold, and eny increase in heat removal rate, if possible, would have little or no effect upon the core.
The potential for serious consequences, resulting from cooldown events due to feedwater system malfunctions in the suberitical modes is low, since the RCS is relatively cool (usually less than the no-load temperature); and the core is shutdown.
l 15.1.3, Excessive Load Increase I This A00 is an increase in steam flow (load), usually 10 percent, which may or may not generate a reactor trip signal, depending upon the plant and protection system characteristics. Mode 1 analyses, are presented in the RESAR-SP/90 PDA. An excessive load increase in Mode 1 is considered limiting, since an excessive load increase while the plant is operating at its full rated power would put the plant at the highest achievable power level. Load increases at less than full power, or during startup (Mode 2), would not reach as high a power level before trip (if a trip is required).
WAPWR-DSER AUGUST 1989 81so.:1e 27
., 5 F . In ' Mode 2, -any increase in steam flow, up to ten percent of nominal, will not L
1 result in consequences more severe than those predicted by the Condition 11 steamline break analysis (described below).
In Mode 3, the excessive load increase may be considered to be an inadvertent release of steam, since there can be no load, per se, when the turbine is off-line and the core is suberitical. The Mode 3 load increase would be less limiting than the Mode 1 or Mode 2 case, since the core is already suberitical. It is possible that automatic safety injection actuation may be blocked by the operator, since it is necessary to block the low pressurizer pressure SI signal in order to depressurize the RCS. However, the RCS must be borated to the cold shutdown concentration prior to blocking SI, in order to prevent return to criticality in the event of an accidental cooldown.
The Mode 4 situation is also bounded by the Condition II steamline break, since pressure and temperature conditions in the primary and secondary systems are further reduced. At some point in Mode 4, the RHR system will be placed in service, permitting the shutdown of one or more reactor coolant pumps, and shifting the principal heat sink away from the steam generators.
In Mode 5, the residual heat removal system must be in operation. Any steam release, if p1ssible, would have little or no effect upon the core, since the core would alceady be cold.
15.1.4, Spurious Or,ening of a Steam Generator Safety or Relief Valve The Condition 11 steafnline break, or the spurious opening of a steam generator safety or relief valve, also cools down the core like a load increase; but the assumptions that are applied to the accident analysis are different. The Condition 11 steamline break is assumed to be an unisolatable, uncontrolled steam release which may cause a non-uniform core cooldown (typical of an open safety valve, following steamline isolation), or a uniform cooldown (typical of an open condenser dump valve, or any open steam valve prior to steam line isolation) during the period immediately following a reactor trip, which WAPWR-DSER AUGUST 1989 s1so..t o 28
- 1 inserts all but the most rsactive RCCA. (Both cases are considered, and the limiting cases are reported in the RESAR-SP/90 PDA.) The resulting reactivity excursion may be large enough to overcome the shutdown margin and return the core to critical. The stuck RCCA is assumed to be located in the coldest section of the core. This combination of assumptions results in a high power level in the region of the stuck RCCA, which may lead to DNB and fuel damage.
The Westinghouse acceptance criterion for th's A00, and the main steamline rupture (15.1.5 below), requires that the minimum DNB ratio remain greater than the limit DNBR throughout the transient. The Condition II steam line break is analyzed in Mode 2. The Mode 2 (HZP) case is limiting since a post-trip return to criticality is less likely to occur for the Mode 1 case since more decay heat is present which would tend to retard the cooldown.
In Mcde 3, results are expected to be better than the Mode 2 case, since pressure, temperature and flow conditions would be less limiting, and the tore is already shutdown. An occurrence in Mode 4 would be even less severe than an occurrence in Mode 2 or 3, due to the lower initial RCS temperature, and an effective decoupling of the secondary system from the primary system as the reactor coolant pumps are removed from service and the residual heat removal system is started. Automatic SI actuation is available through Mode 3, until the RCS is borated and the SI is blocked (see excessive load increase discussion). In Mode 4, the standard technical specification requires a minimum of one ECCS subsystem to be operable and available for manual initiation.
A cooldown in Mode 5 is unlikely, since the RCS is already cold.
15.1.5, Steamline Rupture The steamline rupture is a Condition IV event, producing a greater uncontrolled steam release than the spurious opening of a steam generator safety or relief valve (above). However, Westinghouse applies the same acceptance criterion to all steamline ruptures (Condition II, III, and IV):
the minimum DNB ratio must remain greater than the limit DNB ratio.
WAPWR-DSER AUGUST 1989 iItso.1e 29
L .; s Mode 2 analysss are presented in the RESAR-SP/90 PDA. As in 15.1.4 (above),
the Mode 2 analyses bound postulated occurrences in Modes 3 and 4, and WCAP-9226 addresses steamline ruptures in Mode 1. A cooldown 'in Mode 5 is unlikely, since the RCS is already cold.
15.2.2, Loss of Electrical Load This A00 can occur only in Mode 1, since the turbine is off-line in all other modes. Loss of electrical load is baunded by the turbine trip (below), which 6-is analyzed and reported in the PDA Section 15.2.3.
15.2.3, Turbine Trip This A00 is defined only in. Mode 1, since the turbine would be off-line below Mode 1. The turbine trip bounds the loss of electrical load (above), since steam flow is terminated more rapidly by a turbine trip than by a loss of load. Full power is limiting since this results in the greatest mismatch in primary and secondary load.
15.2.4, Spurious MSIV Closure The closure of the MSIVs at full power, in Mode 1, would produce a transient more severe than closure in any of the other Modes, since this would yield the greatest mismatch between the heat removal rates of the primary and secondary coolant systems. MSIV closure in Mode 1 is bounded by the (Mode 1) turbine trip analyses (above).
The availability of a means to dump steam to the atmosphere, including PORVs and safety valves is required for decay heat removal, since MSIV closure in all active steam lines would prevent the use of the condenser.
Below Mode '4, closure of the MSIVs would have no effect, since there is no steam flow. In these Modes, the RCS is cold, and the residual heat removal system is in operation.
WAPWR-DSER AUGUST 1989 8190e.1d 30
'.s :
L1 15.2.5,-Loss of Condenser Vacuum The full power case is bounded by the turbine trip A00. Loss of the condenser vacuum, while the plant is below Mode 1, may require decay heat removal via atmospheric steam dumping, until some time in Mode 4, when the residual heat removal system is placed in operation.
15.2.6, Loss of Non emergency AC Power The RESAR-SP/90 PDA presents analyses for the loss of normal feedwater, without offsite power available. These analyses bound.the loss'of AC power.
-The loss of AC' power.results in the loss of primary coolant flow 'and main feedwater flow. It must be shown that decay heat can be removed,'via natural circulation in the reactor coolant system, to the active steam generators, which are supplied .with emergency feedwater. Therefore, a loss of AC power while the plant is at full power (maximum decay heat) would be more limiting than an oc:urrence at low power or in a lesser Mode. Emergency feedwater pumps are required in Modes 1 through 3, for decay heat removal in the Standard Technical Specifications.
In Mode 4, the transition is made from steam dumping to the residual heat removal system for further cooldown. Although the emergency feedwater pumps are not required to be available in this mode, it is reasonable to assume that, during cooldown operations, the reactor operator would continue to feed the . steam generators with emergency feedwater, well into Mode 4, until the RCS pressure decreases to a level low enough to allow the use of the residual heat removal system.
In Mode 5, the principal heat removal path would be via the residual heat removal system. A loss of AC power under these conditions would have little or no effett upon the plant heat removal capability.
.WAPWR-DSER AUGUST 1989 !
a190e:1d 31
< -15.2.7, Loss-of Feedwater This A00 is a loss of' heat sink, which results in a heatup and pressurization of the RCS. Therefore, an occurrence at full power would result in the most severe consequences (i.e., Mode 1 is limiting).
The RESAR-SP/90 PDA presents Mode 1 analyses for the loss of normal feedwater, with and without offsite power available. .The cases without offsite power available would bound the loss of AC power accident (15.2.6. above).
Loss of main feedwater, while the plant is below Mode 1, is not likely, since the main feedwater system would probably be secured, and the startup feedwater pump or emergency feedwater pumps would be used for startup and decay heat removal. Emergency feedwater is not required in Mode 4 or 5, once the residual heat removal system is placed in service.
15.2.8, Feedwater Line Rupture
.This PA reduces the heat sink, and may occur any time the steam generator shell-side is pressurized. An occurrence in Mode 1, at maximum power, would result in the highest RCS heatup and pressurization. The RESAR-SP/90 PDA contains Mode 1 analyses. These analyses would bound postulated occurrences in Modes 2, 3, and 4.
Emergency feedwater is typically required through Mode 3 for decay heat removal.
In Mode 4, the low levels of decay heat and primary and secondary side temperature and pressure would result in a relatively minor, slow transient, which would not require automatic actuation of emergency feedwater. Once the RHR System is placed in service, emergency feedwater is no longer required for decay heat removal.
~
In. Mode 5, the RHR System would be the principal means of decay heat removal. i A reduction in the steam generator heat sink would have little or no effect upon the primary coolant system.
WAPWR-DSER 32 AUGUST 1989 i 8190e:1d
6
- , i
. An occurrence in Mode 1 would produce the most severe consequences. Adequate protection is provided to mitigate the consequences of feedwater line ruptures postulated to occur in the lesser Modes.
15.3.1, Partial Loss of Flow The loss of a reactor coolant pump decreases the heat removal rate, from the primary to the secondary coolant syLtem, and c a ses a heatup in the RCS. An occurrence at full power would produce a greater heatup than would an occurrence at lower power levels or nc* load (Mode 2). In Mode 1, it is possible to violate the minimum DNB ratio limit, early in the transient, when the power-to-flow ratio is relatively high. Mode 1 cases, at maximum power, are analyzed and the results are presented in the RESAR-SP/90 PDA. For these cases, it is shown that the minimum DNBR limit is not violated, and therefore, DNB would not occur.
Below Mode 2, when the core is suberitical, DNB is no longer a credible consequence. The STS permit the shutdown of one or more reactor coolant pumps since full flow is no longer required for adequate decay heat removal. Loss of a reactor coolant pump, below Mode 2, even if it is the only pump in service, would be bounded by the loss of AC power (15.2.6 above), which shows that the natural circulation, which is established after all the reactor coolant pumps coastdown, would be sufficient to remove decay heat.
15.3.2, Complete Loss of Flow As in the partial loss of flow, the most severe consequences would result from an occurrence in Mode 1 (at high power). A loss of flow in Mode I could lead to DNB and clad failure. The PDA contains Mode 1 loss of flow analyses. The results of these analyses indicate that the minimum DNB ratio does not fall below the limit DNBR at any time during the transients. Mode 2 loss of flow would be bounded by Mode 1 due to the reduced power level.
Below Mode 2, when the core is subtritical, DNB is no longer a credible consequence. However, the loss of all reactor coolant pumps means that the WAPWR-DSER AUGUST 1989 itec e-1e 33
- . I f %
only mechanism available for decay heat removal from the core is via natural circulation, until the residual heat removal system can be placed into operation. The heat sink is assumed to be the steaming of emergency feedwater from the steam generators. The standard technical specifications require auxiliary feedwater to be available through Mode 3. However, it is expected that the operator would continue to use emergency feedwater into Mode 4, until the residual heat removal system can be placed into service. This PA, and its requirements for protection in the subtritical Modes, are similar to the loss of AC Power and Loss of Feedwater Without AC Power A00s (15.2.6 and 15.2.7).
15.3.3 and 35.3.4, Locked Rotor and Reactor Coolant Pump Shaft Break The Locked Rotor and Reactor Coolant Pump Shaft Break are addressed in the RESAR-SP/90 PDA for occurrences in Mode 1. Occurrences in Mode 2 would be bounded by the Mode 1 analyses, due to the reduced power level.
Below Mode 2, these pas are similar to the partial loss of flow (15.3.1) as far as the potential challenge to safety limits, and requirements for protection equipment are concerned.
15.4.1, RCCA Withdrawal from Suberitical Condition The RESAR-SP/90 PDA presents an analysis for this A00 in Mode 2. An occurrence in Mode 3, 4, or 5, with two or more reactor coolant pumps in operation, would be bounded by the analysis in Mode 2. This is based upon the RESAR-SP/90 PDA analysis assumption that reactor trip does not occur until the power-range (low setting) high neutron flux setpoint is reached, and that two banks are withdrawn sequentially at maximum speed (72 step / min). These conservative assumptions result in the core returning to critical and generating power prior to trip. Therefore, the primary system flow rate becomes an important consideration, as a factor in DNB evaluation. (Note that in the STS, in Mode 3, the tech specs require two reactor coolant pumps to be in operation whenever the reactor trip breakers are closed.)
l l WAPWR-DSER AUGUST 1989 eiso.1e 34 4
s :
in Modes 3, 4, and 5, the source range high n:utron flux trip will be available to terminate the event, by tripping any withdrawn and withdrawing rods, before any significant power level could be attained. Also, the reactivity insertion rate would be slower, since a cingle failure in the rod control system could cause, at most, the withdrawal of only one bank, and its withdrawal' rate would be expected to be slower than the maximum rod speed which is possible when in automatic rod control (and is assumed in the PDA analysis). Under these conditions, DNB (and fuel failure) would not be credible.
15.4.2, RCCA Withdrawal at Power This A00 is defined only in Mode 1. The RESAR-SP/90 PDA presents analyses for the RCCA Withdrawal at Power for 10%, 60%, and full power operation.
15.4.3, Dropped RCCAs (one or more RCCAs from the same group), and Dropped RCCA Bank Since the dropping of an RCCA or RCCAs or RCCA bank will perturb the core only if there is some significant neutron flux level, this event applies only to Modes 1 and 2. Dropping one or more RCCAs may, or may not, cause a reactor trip (on high negative flux rate), depending upon the RCCA worth.
Dropping one or more RCCAs while in any of the suberitical modes, if any are withdrawn, would not produce a significant core transient (i.e., would not challenge safety limits).
15.4.3, Single Rod Withdrawal The limiting case is reported in the RESAR-SP/90 PDA (an occurrence while in Mode 1, at full power). This case bounds occurrences at less than full power, and in Mode 2.
1 WAPWR-DSER AUGUST 1989 sisce.1e 35 i
i
s :.
- e. 't l An occurrence in any of the suberitical modes would have no effect. No single rod withdrawal would insert enough reactivity to cause the core to become critical, since the shutdown margin requirements are determined assuming the most reactive RCCA is fully withdrawn.
15.4.3, Static Rod Misalignmer.t As in the dropped RCCAs and dropped RCCA bank, this event would have no effect l in the absence cf a critical neutron flux. The limiting case, and analysis, is for Mode 1, at full power, which bounds Mode 2. This case is presented in the PDA.
15.4.4, Startup of an Inactive Loop Startup of an inactive loop while in any of the suberitical modes would cause a dilution of the core boron concentration, and consequently, an increase in reactivity._ Unlike a boron dilution A00, in which the dilution is assumed to be ' caused by the charging of clean water into the RCS until some action is taken to terminate the flow, the dilution due to the startup of an isolated loop ends when the entire water volume of the isolated loop is swept into the RCS. While the idle loop may not contain water of a boron concentration lower than the remainder of the RCS, it is conservative to assume that this water is l unborated, and that the active RCS water is borated to the ma.v.imum level, i
In Mode 3, more than one loop may be idle. If only one loop is idle, and the reactor coolant pump in that loop is activated, then the transient would be very much like the Mode 2 boron dilution event. The main difference between the Mode 2 and Mode 3 cases would be an earlier trip in Mode 3 (from the i source range high neutron flux trip signal).
If more than one loop is assumed to be idle, then the active RCS volume would be smaller, and the dilution rate would be faster. Following the trip, the operator will have more than ten minutes to terminate the flow into the RCS.
WAPWR-DSER AUGUST 1989 siso.:1d 36
't'- ,
, 15.'4.6i-BoronDilution~
The~ boron dilution event will be analyzed in the FDA section which covers all modes of operation, as required by the Standard Review Plan.
15.4.7, Fuel Assembly Misloading This event, like the rod misalignment events, is meaningful only in the-presence of a critical neutron flux. Mode 1 behavior is presented in the PDA, which bounds the Mode 2 startup case.
15.4.8, RCCA Cjection This PA is' defined as the mechanical failure of .a control rod mechanism pressure housing, resulting in the ejection of an RCCA and drive shaft. The consequence- of this mechanical failure is a rapid positive reactivity insertion combined with .an adverse core power distribution, possibly leading to localized fuel rod damage.
Mode 1 and 2 cases are presented in the PDA.
In Modes 3 and 4, the core may have all rods out (ARO), all rods in (ARI), or shutdown banks out with control banks in. A rod ejection is not credible in the ADO wnaltion. In the latter cases, ARI and control banks inserted, the ejection- of an RCCA would not insert sufficient reactivity to attain criticality. Since criticality, and subsequent power generation, would- not result from an RCCA ejection while the pl e.r.t is in Mode 3 or 4, then the consequences would be no worse than the consequences resulting from an RCCA ejection in Mode 2.
In Mode 5, RCCA ejection is not credible, since the RCS is at a very low pressure.
WAPWR-DSER AUGUST 1989 siso.:1d 37
i s l
, e 15.5.1, Accidental ECCS Actuation This A00 is defined in Mode 1; but may also be considered in Mode 2 (i.e.,
anytime the core is critical), since the principal effect of ECCS actuation is core shutdown, either due to the reactor trip signal which is generated by the SI signal (transient initiator), or by the injection of borated water into the !
core. For the SP/90 design no analyses are presented in the PDA since the shutoff head of the safety injection pumps is below normal operating pressure.
In Modes 2 and 3 when the RCS is still hot, accidental actuation of the ECCS would result in only the repressurization of the RCS to the shutoff head of the high head ECCS pumps.
In lower Modes 4, 5, and 6 when at low temperature conditions, the RHR system would be in operation. The RHR system is equipped with relief valves which are sized to prevent cold overpressurization design limits from being exceeded in event that the ECCS system is inadvertently actuated. A discussion of this can be found in Subsection 5.2.2.10 of RESAR-SP/90 PDA Module 4, Reac tor Coolant System," or the response to staff questions 440.255 and 440.256 ;
included in Module 4.
It should also be noted that, in Mode 4 and below, spurious ECCS actuation is not likely, since typically the automatic SI signals are blocked.
15.6.1, Spurious Opening of a Pressurizer Relief or Safety Valve When analyzed as a depressurization event (rather than a LOCA), the concern becomes a possible violation of the minimum DNBR criterion. Therefore, this A00 is analyzed in Mode 1, which also bounds Mode 2. DNB is not a realistic concern in any of the suberitical modes. In Mode 5, this A00 would have little or no effect upon the RCS, since it is depressurized.
The loss of RCS inventory aspects of this A00 are considered as part of the small break loss of coolant accident.
WAPWR-DSER AUGUST 1989 8190e:1e 38
q- -__ _
. 1506.3, Steam Generator Tube Rupture The SGTR event is less likely to occur at lower power levels or lower modes of operation due to less stringent operating conditions. The temperature differential across the steam generator tubes is less for lower power levels or lower modes'of operation than for full power which reduces the thermal stress in the tubes. The primary to secondary pressure differential at lower power levels or' lower modes of operation is also lower than at full power. In addition, the reduction in steaming rate at lower power levels or lower modes of operation results in less turbulence around the tube bundle which would reduce the effect of vibration and erosion by any loose parts which could potentially be present in the secondary side of steam generators.
The radioactivity release to the atmosphere for an SGTR event depends upon the primary and secondary coolant activity, the amount of primary to secondary break flow and the fraction of the break flow that flashes, the amount of the steam released from the affected steam generator relief valve to the atmosphere, attenuation of the flashed activity in the steam generator secondary side, and partitioning of activity between the steam generator liquid and steam. The concentrations of radionuclides of the primary and secondary system depend on the amount of defective fuel and iodine spikes. At lower power levels or lower modes of operation, the amount of the flashed portion of the primary to secondary break flow and steam released from the affected steam generator are substantially reduced since the decay heat energy and the RCS fluid energy are less for reduced power levels. The attenuation factor and partition factor used are very conservative values applicable for all modes of operation. With the reactor operated at the same initial primary and secondary coolant activity, the radioactivity release to the atmosphere will be lower if a SGTR event is initiated at lower power levels or lower modes of operation.
WAPWR-DSER AUGUST 1989 i190e:1d 39
's :
15.6.5, Loss of Coolant Accident (LOCA)
The LOCA events in the lower modes is currently being addressed by the Westinghouse Owners Group (WDG). In general the SP/90 has several significant advantages over the plants being addressed in the WDG study. These include the passive CRT's which are available at pressures above 300 psi, the separation of the ECCS and RHR systems (RHR is not used for ECCS injection),
and the length of time to core uncovery for small breaks. The results of the WDG program as they relate to the SP/90 design, will be incorporated into the LOCA analyses, technical specifications, operating procedures, etc. . . as necessary in the FDA submittal. The following qualitative discussion is provided to show the effects of a LOCA in Modes 3 and 4 for the SP/90 design.
Certain automatic safety systen and equipment are blocked or not required to be operable to preclude unwanted actuation of the systems or equipment during normal shutdown and startup conditions in the lower modes. The Standard Technical Specifications do not require that all of the equipment which is available for Modes 1 and 2 also be available for Modes 3 and 4.
During startup or shutdown the ECCS equipment described below is locked out or not required to be operable. Only shutdown is discussed since shutdown would be more limiting than startup due to the higher decay heat level following reactor shutdown.
l In Mode 3 operation, the reactor coolant temperature is between no-load and l
l 350*F, and the reactor coolant pressure ranges from the 2250 psi normal operating pressure to 400-500 psi. During the reactor coolant system (RCS) cooldown and depressurization, the operator is instructed to manually block the automatic safety injection (SI) actuation circuit at the P-11 setpoint.
This action disarms the SI signal from the pressurizer pressure transmitters to prevent automatic SI initiation on low pressurizer pressure when the RCS is depressurized below the SI setpoint. The containment high pressure SI signal l remains armed and will automatically actuate SI if the containment Hi-1 pressure setpoint is exceeded. Manual SI actuation is also available. When l
WAPWR-DSER AUGUST 1989 81sc.:1e 40 l
l
e .,
the RCS pressure is rsduced to 1000 psi, the operator closes and locks out the ECCS accumulator discharge isolation. valves to prevent accumulator discharge when the RCS pressure is ' reduced below the accumulator pressure. The Technical Specif%ations require that both ECCS trains be available for Mode 3 as well as for Modes 1 and 2. Each ECCS train consists of two high head charging pumps, and the associated operable flow paths capable of taking suction from the EWST on an SI signal. Four core reflood tanks are available to inject at RCS pressures below 200 psi. Two RHR pumps would also be required to be operable to provide containment spray. For SP/90 the RHR pumps are not used for either the injection or the recirculation phase of operation.
For long term cooling, the high head safety injection pumps remain aligned to the EWST.
In Mode 4 operation, the reactor coolant temperature ranges from 350*F to 200*F and the reactor coolant pressure is normally below 400 psi. Manual SI actuation is available. Since the SI accumulators are locked out at 1000 psi, they would not be available in Mode 4. The CRT's would be locked out at pressures below ~300 psi. Below 350*F, the Technical Specifications will require one high head safety injection pump, two RHR pumps, and two RHR heat exchangers to be operable with the remaining ECCS pumps locked out. An operable flow path for each pump capable of taking suction from the EWST during the recirculation phase of operation is also required. The RHR pumps are also used for decay heat removal in Mode 4 and can be operating in the RHR mode with suction from the RCS hot legs.
A discussion of the significance of the above actions and conditions on the mitigation of a LOCA during Mode 3 and Mode 4 operation follows. Below P-11 psig in Mode 3, the containment Hi-1 pressure signal is the only signal available for automatic SI initiation. Although the containment Hi-1 setpoint may be reached for some LOCAs, it is not expected that the setpoint will be reached for the complete range of break sizes and RCS temperatures which may be encountered in Mode 3. If the containment Hi-1 setpoint is not reached following a LOCA, manual SI actuation will be required. The accumulators will not be available for injection at RCS pressures below 1000 psi. However, the CRT's would provide low head safety injection flow below 200 psi until they WAPWR-DSER AUGUST 1989 i1so :le 41 L - . - _ _ _ - - - - - _ - - _ _____
, are locked out after RHR initiation. It is expected that the ECCS pumps and CRT's will provide adequate SI flow without the accumulators for a LOCA during Mode 3, because of the reduced initial core power, fuel rod temperatures and decay heat levels in Mode 3 as compared to full power operation in Mode 1.
For a LOCA in Mode 4, operator action will be required to manually actuate SI. If the RHR pumps are operating in the RHR cooling mode, the RHR pumps must be tripped before significant voiding occurs in the het legs to protect the pumps from damage. They are not used for the ECCS function. Action can be taken to restore the remaining ECCS pumps, accumulators, and CRTs to operable status, as necessary. As noted previously, long term cooling is accomplished by using the high head safety injection pumps which take suction from the EWST.
During the RCS cooldown and depressurization during Mode 3 and Mode 4, the operator will be monitoring the pressurizer pressure, pressurizer level and RCS temperatures per the normal cooldown procedures. The operator would readily detect the occurrenre of a LOCA due to a decrease in pressurizer pressure and level and loss of subcooling. In addition, other indications which would be available to the operator which are indicative of a LOCA include an increase in containment pressure, containment dewpoint, and radiation alarms inside containment. It is expected that these indications will alert the operator to a LOCA so that he can perform any required manual actions. It is expected that the operators can complete the manual actions to actuate SI, and restore SI equipment to operable status as required during Mode 3 and Mode 4 such that the level of protection for a LOCA in Modes 3 and 4 will be equivalent to that in Modes 1 and 2.
CONCLUSION i
Protection is available, in all suberitical modes, for all applicable A00s and pas to a level which is judged to be consistent with Modes 1 and 2, considering the potential consequences, of each A00 and PA. Protection requirements and protection system availability are reduced as Mode 6 is approached. Many components and systems, in which transient-initiating l
l WAPWR-DSER 42 AUGUST 1989 l 8190e-1d
c.? - ;
failures are postulated to occur, are ramoved from service as the RCS temperature and pressure are. reduced. This permits the disarming of protection systems when they are no longer required. Based upon engineering judgment,. adequate protection would be available, either by automatic means or
-by operator action, to a level that is consistent with the protection available in Modes 1 and 2, and with the consequential reduction in protective function requirements, as Modes are reduced below Mode 2. These conclusions will be verified in the RESAR-SP/90 FDA submittal.
.DSER OPEN ISSUE 89: DNBR curve for. steam generator relief valve or steam generator safety valve opening (15.2.1).
RESPONSE
Based on past analyses of main steam depressurization events caused by inadvertent opening of relief or safety velves, the minimum DNBR has always been found to occur at the time of maximum return to power. The core heat flux transient .and reactivity transient for the inadvertent opening of a steam generator relief or safety valve event are shown in Figuro 15.1-13 of RESAR-SP/90 PDA Module 6 & 8, " Secondary Side Safeguards System / Steam and Power Conversion." From this figure it can be seen that no return to power occurred for this event. Therefore, at no time during this event are the core DNB limits ever approached and a specific minimum DNBR was not calculated.
DSER OPEN ISSUE 90: DNBR/ nuclear power transient curves for steam system piping failures (15.2.1).
RESPONSE
Based on past analyses of main steam depressurization events caused by postulated piping ruptures, the minimum DNBR has always been found to occur at the time of maximum return to power. In evaluating the DNBR for main steam depressurization events a detailed ststepoint evaluation method is employed.
First the overall system transient is generated by the LOFTRAN code. Several statepoints are taken around the time of maximum return to power. Then WAPWR-DSER AUGUST 1989 siso.:1e 43
. peaking factors and axial power shapea are calculated using more detailed nuclear computer' codes. The LOFTRAN statepoints, peaking factors and axial power shapes are used in theDNBR calculation by the THINC computer code.
Using the statepoint method only the minimum DNBR was calculated.
The main steamline break is a Condition IV event and consequentially must meet the radiological dose release criteria of 10CFR100. Limited fuel damage is permitted as long as the dose release criteria is met. To ensure that the dose release criteria is. conservatively met, the minimum DNBR was calculated and verified to be above the Condition 11 acceptance criteria.
The full t uble ended ruptures analyzed in Subsection 15.1.5 of RESAR-SP/90 PDA Module 6 and 8, " Secondary Side Safeguards System / Steam and Power Conversion," were analyzed with and without offsite power available. The steamline break case 'with offsite power available is more limiting with respect to DNB because forced reactor coolant flow results in a more severe core cooldown transient. Using the statepoint method, only the minimum DNBR was evaluated. The minimum DNBR was found to be greater than the design bases DNBR of 1.3. The minimum DNBR was calculated to be in excess of [ ] and no a,c fuel was calculated to fail.
DSER OPEN ISSUE 91: Applicability of Westinghouse Topical Report WCAP-9226 regarding staamline rupture cases (15.2.1).
RESPONSE
1.0 The conclusions presented in WCAP-9226 Rev. 1 are applicable to the SP/90. This is based upon the similarity in transient response, similarity in design features which are important in ' !ie transient response, similarity in protection and engineered design features which mitigate the transient, and the results of sensitivity studies presented in the report.
WAPWR-DSER 44 AUGUST 1989 8190e.1d
Westinghouse methodology presents the largest double-ended steam line rupture .at EOL .HZP. with the most reactive RCCA in the fully withdrawn position as the licensing basis case to show compliance with the 10CFR100 criteria. This case demonstrates that the safety injection system and related components of the steam line break protection adequately protect the core under conditions where immediate mitigation of the event from reactor trip is not available due to the rods being already inserted.
WCAP-9226 also presents a spectrum of breaks occurring while the reactor is at power to show that the DNB design basis is not violated prior to and immediately following trip. This protection is provided on current generation plants by the OPDT/0 TDT trip functions. For the SP/90 by the low DNBR-high KW/ft setpoints can be set to assure this prctection.
The following discussion is provided to show that the conclusions of WCAP-9226 are applicable to the SP/90 design. A commitment will be made at the FDA to analyze the spectrum of breaks at HFP in setting the low DNBR-high kw/ft trip setpoints to assure that the full range of break size are covered by these trips and the steamline break protection logic.
2.0 TRANSIENT RESPONSE The transient respontes for the HZP double-ended rupture (with and without offsite power) are presented in Figure 15.1-16, 15.1-21 of the RESAR-SP/90 PDA. The transient response for the inadvertent opening of a steam dump, safety, or relief valve are presented in Figure 15.1-13 and 15.3-14 of the RESAR-SP/90 PDA. The corresponding base cases in WCAP-9226 are presented in Figure 3.1-32 (4 loop) and 3.1-6 (case ref.).
A comparison of the transient results show that the accident phenomena are similar. A SLB causes an initial steam flow increase which decreases during the accident as the steam pressure decreases. The energy removal from the RCS causes a reduction in coolant temperature and pressure. In the presence of a negative moderator coefficient, the cooldown results in an insertion of positive reactivity. The most reactive RCCA is assumed WAPWR-DSER AUGUST 1989 8190e:1d 45 L _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __
c .. stuck. in its fully withdrawn position after reactor trip resulting in.a return to criticality and power. The return to power is limited by the steam flow out the break, the' injection of borated water, and the doppler power. coefficient.- The core ultimately returns suberitical following blowdown, the plant can be brought to stabilized hot standby condition.
Core Heat Flux Heat flux increases as shutdown margin is lost. The reference core shows an increase to over 20% power while SP/90 shows a smaller increase to about 5%. The peak heat flux is reached later for the SP/90.- The time difference'is due to the' increased shutdown margin for the SP/90 and the presence of SG integral fIow restrictors in SP/90 design.
Suberiticality is attained with the injection of borated water.
Core Average' Temperature The RCS temperature decreases due to the increase in steam flow. After steam line isolation, only 1 steam generator is blowing down which causes one inlet loop to the vessel to be colder than the others. Mixing between the loops is calculated in the inlet plenum. The same mixing j c W ficients were used for the standard 4 loop plant and the SP/90. The standed 4 loop mixing assumptions were shown to be conservative for the SP/90.
l The cooldown calculated is similar to that of standard 4 loop plants.
Steam Generator The SP/90 steam generator in similar to the standard Model F feedring-design. The SG transients are very much similar. Both EFW and main feedwater are assumed to be injected into the faulted and intact steam WAPWR-DSER AUGUST 1989 liiso.no 46
c ., . ; -
4
- generator. The ste3m generator 'hnat transfer models are identical and
- the phenomena is the .same. Full heat transfer is assumed.
! The SP/90 design has integral flow restrictor limiting the break to 1.4 2
ft /SG. Perfect moisture separating is assumed, dry steam is calculated to exit the break.
The intact steam generators are isolated .within 10 seconds after initiation of the transient.
Safety Injection Both safety injection systems are modeled to inject borated water into the reactor coolant system cold legs following a purge of unborated water existing in the safety injection system lines.
Initial Operating Conditions The initial operating conditions (RCS temperature, pressure and flow; SG pressure, temperature; core reactivity) are not significantly different between'the SP/90 and base plants analyzed in WCAP-9226.
3.0 DESIGN FEATURE WCAP-9226 identifies the design feature relevant to excessive steam releases. These design features include:
Steam Generator Steam Piping Layout Main Feedwater and Emergency Feedwater System RC Loop Orientation Fuel Design Safety injection System Reactor Protection WAPWR-DSER AUGUST 1989 siso :1d 47
T :
Steam Generator The SP/90 plant utilizes Model J steam generators which are discussed in Subsection 5.4.2 of RESAR-SP/90 PDA Module 4, " Reactor Coolant System."
WCAP-9226 provides analysis of model 51, D, and F steam generstors. As discussed in section 3.1.2.3 of the report the only noted difference between the reference case (Model 51) and a Model F is initial SG mass.
Section 3.1.10 sensitivity studies results show little sensitivity for a change in mass of 12,000 lbm. The difference between the model J and F is of this order of magnitude.
Both the Model F and J are non preheat feedring steam generator designs with integral flow restriction. The SG tubes surface heat transfer area is consistent based upon the plant rated thermal outputs. The initial water levels are above the top of the tube bundle. Heat transfer is dependent upon the extent of tube bundle uncovery. This is consistent with the designs of the Model F and J.
Steam Piping Layout The steam piping layouts are identical as they related to the SLB 2
transient. Integral flow restrictors of 1.4 ft exist at the exit of each SG. Main steam isolation valves exist in each line. Closure of these valves results in elimination of the blowdown for all breaks downstream. For a break upstream, one SG will blowdown. Steam piping volumes are not assumed for this event.
Main Feedwater and AFW (EFW) System Layouts The MFW Systems as they relate to the SLB are similar. Subcooled feedwater is delivered to each steam generator. FW control and isolation valves close on a "S" signal to terminate main feedwater.
WAPWR-DSER AUGUST 1989 E190e.1d 48
, , The AFW (EFW) systems. inject cold water to each steam generator. The capacitias of the SP/90 and standard plants are. of the same order of magnitude. Maximum emergency feedwater flow is assumed.
Reactor Coolant Loop Orientation The SP/90 layout is similar to a typical 4 loop plant. There is no difference which would impact the conclusions of WCAP-9226.
Fuel Design While the SP/90 and base case analyzed in WCAP-9226 have different fuel assembly types, they are insignificant based on the method of analysis.
The LOFTRAN Code uses a point kinetics model to predict core conditions.
The T/H differences are not significant to alter the transient behavior.
Reactor Vessel While there are substantial differences between the SP/90 and WCAP-9226 base plants (long downcomer, radial reflector, upper plenum calandria design,- etc.), these differences do not alter the SLB transient response phenomenon. Flow entering the downcomer is mixed in the lower plenum, the coldest core inlet flow is in the sector with the assumed stuck rod, the core outlet flow is mixed in the upper plenum, and exits through the hot legs.
Safety Injection System Both the SP/90 and WCAP-9226 base plants inject borated water into the RCS cold legs to mitigate the return to power transients. Cold unborated water is purged prior to injecting highly concentrated borated water for the RWST (EWST for SP/90). The safety injecticn systems are activated following an "S" signal. The time delays for valve alignments and pump start up are similar for the two plants.
WAPWR-DSER AUGUST 1989 B190e 1d 49
6 > i R: actor Protection and ESF Actuation Reactor trip is initiated on the following signals:
SP/90 WCAP-9226 plants "S" Signal "S" Signal high neutron flux high neutron flux low DNBR OTDT kw/ft OPDT low pressurizer pressure low pressurizer pressure Basically the same trip functions exist..
ESF includes:
SP/90 WCAP-9226 plants Feedwater Isolation Feedwater Isolation SI SI Steam Line Isolation Steam Line Isolation AFW Initiation AFW Initiation The engineered safeguards features (ESF) required to mitigate the consequence of a SLB are identical.
Reactor Trip and ESF Action Section 1.2.3 of WCAP-9226 provides a discussion of the functions which mitigate the consequences of a steam break transient and which determines the transient response.
Negative reactivity is provided by the reactor trips. Although a reactor trip is of no significance when the plant is at hot shutdown, it does WAPWR-DSER AUGUST 1989 ,
iitso.:1e 50
_ - - _ __ _ __ - ____ - a
.. provide shutdown reactivity for transients initiated at power. Reactor trip may be generated from the following signals:
(1) .A safety injection signal (2) High neutron flux - low and high settings trip the reactor when nuclear power exceeds the preset values.
-(3) Low DNBR/high kw-ft. This protection provides the same function as the current generation OTDT/0PDT trip functions. These func-tions are provided to assure that the core limits are not violated.
(4) Low pressurizer pressure (5) Low SG water level Steamline Break Protection System This protection system is provided specifically to mitigate the consequences of a secondary side break.
Safety injection is actuated by:
(1) Low steam line pressure primary signal for the large breaks.
(2) Low pressurizer pressure (3) Hi-1 Containment pressure (4) Low-3 T coid For the large breaks which result in the greatest cooldown and return to power, the low steam line pressure signal is generated within a few seconds. The "S" Signal generates a reactor trip, feedwater and steam line isolation, and safety injection actuation.
WAPWR-DSER AUGUST 1929 is so.:1e 51
L . .
Fcedwater isolation closes the f :dwater control and isolation valves, terminating the addition of feedwater to the steam generators. The addition of feedwater accentuates the cooldown transient. FW isolation '
occurs approximately 7.0 seconds following generation of an "S" signal.
Steamline isolation results in closure of the fast acting steam line stop valves. Because the core power level will inherently rise to meet the steam extraction rate, closing the stop valves reduces the steam l extraction rate, limiting the return to power. Steamline isolation occurs within 7.0 seconds of the following signals.
(1) Low steam line pressure (2) high steam line pressure rate (3) Hi-2 Containment pressure (4) Low-3 T eold The reactor protection and ESF actuation for the SP/90 provides the same function as the steam line protection system described in Section 1.2.3 of WCAP-9226. The functioning of these systems determines the transient response following a secondary side break.
4.0 WCAP-9226 SENSITIVITY STUDIES The limiting cases presented in typical FSARs and the RESAR-SP/90 PDA submittal were identified based upon sensitivity studies performed in WCAP-9226.
Double-ended Ruotures (3.1.3.1)
As shown in Figure 3.1-42 in WCAP-9226 the full DER Case is the limiting case. The large DER cases result in the greatest cooldown and the largest return to power. This conclusion is applicable to SP/90.
WAPWR-DSER AUGUST 1989 Tiso.:1o 52
3 .,..
. m SplitBreaks(3.1.3.2) 4 The 'overall response 'to a split break is very much.similar to that for a DER. 'A 1.0 ft2split represents - each SG .having a. break area of .25 2
.After steam line isolation one SG' wou1d have a 1.0 ft 2break
~
ft .
area. For a~1.0 ft 2DER the faulted SG would have a break area of-~1.0 2
.ft while the 3 remaining steam generators would see a break area of
.33 ft 2. The DER would represent a greater break area, cooldown, and more limiting transient.
Limiting Power Level (3.2)
.Steamline breaks from full power result in lower DNBRs prior to reactor trip when compared to cases initiated from part power'or HZP. Studies in WCAP-9226' show that the spectrum of break sizes must be protected against by the low steam line pressure ESF function and the low DNBR-high kw/ft reactor trips. Larger break sizes reach the low ~ steam line pressure setpoint quickly resulting in lower peak power and higher DNBRs. For breaks thc.t do not reach the low steamline pressure setpoint, protection is provided by the low DNBR-high kw/ft reactor trips. The low DNBR trip setpoint can be set to provide this protection to assure that the DNB design basis is met.
Figure 3.2-23 of WCAP-9226 shows that the cases for full power are limiting over the part power cases. This is due to the peak core power o reached for each power level. This conclusion is applicable for the SP/90.
l For the SP/90 FDA, a spectrum of breaks will be analyzed to show that the combination of protection assures that the DNB design basis is met.
DSER OPEN ISSUE 92: DNBR transient curve for loss-of-nonemergency-ac power event (15.2.2).
WAPWR-DSER AUGUST 19E9 81so.1e 53
3 g H. ,
L
, RESPONSE:
The transient DNBR for the loss of nonemergency AC power event'and the loss of normal-. feedwater event is shown in Figure 92-1. Prior to reactor trip the DNBR remains approximately equal to the initial value of DNBR. Following
' reactor trip the DNBR increases rapidly. The minimum DNBR never approaches the design DNB limit.
DSER OPEN ISSUE 93: Comparison of loss-of nonemergency-ac power event / turbine trip (15.2.2).
RESPONSE
The text in Section 15.2.6 of RESAR-SP/90 PDA Module 6 and 8, " Secondary Side Safeguards System / Steam and Power Conversion," comparing turbine trip events to the loss of non-emergency AC power events was from the perspective of long term core decay heat removal capability, not from a short term overpressure perspective. During: the early portions (prior to reactor trip) of turbine trip and loss of non-emergency'AC power events, the turbine trip event will result in a more severe RCS pressure transient. In the long term following reactor trip, the loss of non-emergency AC power event will result in l ower.
steam generator inventory being available to remove core decay heat. Thus in-the long term the loss of non-emergency AC power event will result in lower RCS subcooling margins and a more severe transient in this perspective.
DSER OPEN ISSUE 94: DNBR transient curve for loss-of-normal-feedwater-flow event (15.2.2).
RESPONSE
See the response to DSER Open Issue 92.
DSER OPEN ISSUE 95: DNBR transient curve for feedwater line rupture event (15.2.2).
WAPh'R-DSER AUGUST 1.989 8180.:1e 54
c RESPONSE:
The = transient - DNBR for the feedwater line break event with and without Offsite -
l poweravailabliisshownin Figure 95-1. Prior to reactor trip the DNBR remains approximately equal to: the initial value of DNBR. Following reactor
. trip the DNBR increases rapidly. The minimum DNBR never approaches the design DNB limit.:
DSER' OPEN ISSUE' 96: Demonstration of acceptability 'of a loss-of-reactor-core-flow event with a single failure (15.2.3)
RESPONS_E:
See response to DSER Open Issue 87.
DSER OPEN ISSUE 97: Analyses of reactor coolant pump shaft seizure and shaft-break events (15.2.3).
RESPONSE
With respect to single failures assumed during the reactor coolant pump shaft seizure and the shaft break event, see the response to Issue 87.
A transient DNBR analysis was done for the RCP shaft seizure break event.
Cases were' analyzed 'with and without offsite power. Figure 97-1 shows the transient DNBR ratio for the case with offsite power available. The minimum DNBR for this case does not exceed the design therefore no fuel failures are predicted for this case. The case without offsite power resulted a minimum DNBR below the design value. For the case without offsite power [ ] of the a,c rods underwent DN8.
The radiological consequence analysis for the locked rotor (RCP pump shaft seizure) accident is provided in revisions (as shown in Attachment 3) to Subsection 15.3.3, and Tables 15.3-3 and 15.3-4 of RESAR-SP/90 DDA Module 4,
WAPWR-DSER 55 AUGUST 1989 8190s:1d
3
. The analysis assumed that [ ] of the fuel rods fail instantan:ously and a,c activity contained in the gaps of the failed rods is released to the primary coolant. All activity is released to the' environment with no consideration given to radioactive decay or to cloud depletion. The resultant radiological consequences represent the most conservative estimate of the potential integrated dose due to the postulated locked rotor accident. The results, given in Table 15.3-4 show the resultant doses are within a small fraction of the 10 CFR 100 guidelines.
The results of the reactor coolant pump shaft break event are very similar to and bounded by the results shown for the shaft seizure event.
DSER OPEN ISSUE 98: Analysis of an inadvertent operation of ECCS during plant startup or shutdown (15.2.4).
RESPONSE
See section on spurious operation of ECCS in the response to Open Issue 88, and Subsection 5.2.2.10 of RESAR-SP/90 PDA Module 4, " Reactor Coolant System."
DSER OPEN ISSUE 99: Analysis of an inadvertent operation of the centrifugal pumps with letdown lines isolated (15.2.4).
RESPONSE
Inadvertent operation of the centrifugal charging pumps with letdown lines isolated would result in gradual overfilling and pressurization of the reactor coolant system. In the event that charging is inadvertently operated, over-pressure protection for the RCS is provided in all modes of operation. During hot conditions when the RCS average temperature is greater than 350*F (Modes 1, 2, & 3) overpressure protection is provided by the pressurizer safety valves. During cold conditions when the RCS average temperature is less than 350*F (Modes 4, 5, & 6) overpressure protection is provided by RHR relief valves. The water relief capacity of the pressurizer safety valves or the RHR relief valves is greater than the maximum charging pump flow.
WAPWR-DSER SS AUGUST 1989 8190e:1d
y
?At worst,-inadvertent operation of the charging pumps will result in a grad'ual
. overfilling .and pressurization of the RCS. Depending on the initial made of operation,.if no operator action is taken the RCS pressure will increase until' the pressurizer safety valve or the RHR relief valve setpointr are reached.
- The prer.surizer safety or the RHR relief valves would open to. relieve the charging pump flow and maintain the system pressure below the applicable RCS design pressure limits. RCS pressure would be stabilized at the relief valve setpoints until the operator resumes control of the charging flow.
In 'the startup and power modes charging flow may be automatically modulated by the pressurizer level control system. Charging flow is modulated by. the' control system to maintain a programmed level based on measure power, measured cold leg temperature and measured pressurizer' level. A signal selection device is used in the integrated control system to ensure that a failed signal will not result in a control action that could result in a plant condition
-requiring protective action. The signal selection device provides this capability by comparing all of the redundant signals and automatically eliminating an aberrant signal from use in the control system. Realistically, inadvertent operation of the charging pumps could not be postulated due to failure of a single signal channel.
In Modes 1, 2, or 3 inadvertent operation of the charging pumps due to multiple system fe' lures or operator error would not result in RCS pressures above design limits. .In event of an inadvertent operation of the centrifugal charging pumps the operator would be initially alerted by high pressurizer level alarms. If no action was taken the pressurizer would continue to fill until the high pressurizer level reactor trip and alarm would occur.
Following reactor trip the pressurizer level would decrease due to the contraction of the RCS fluid thus giving the operator additional time to correct the fault. Failure of the high pressurizer level reactor trip could only occur assuming failure of more than two pressurizer level channels. The trip uses four redundant level measurements and reactor trip occurs on two out of four high level signals. Following the reactor trip if no operator action was taken, the pressurizer would eventually fill. No oserpressurization of the RCS would occur. If the pressurizer power operated relief valves (PORV)
WAPWR-DSER AUGUST 1989 iitso.:1e 57
4 'were available, RCS pressure would be maintained at the PORV setpoint. The PORV's have sufficient capacity to relieve the maximum mass input that could be' supplied by the charging pumps. If the PORV's were not available RCS pressure would increase slowly until the pressurizer safety valve set pressure was reached. The safety valves would open and have sufficient capacity to maintain the RCS pressure at the safety valve setpoint. The operator would eventually be expected to resume control of the charging flow, and return system levels and pressure to normal operation conditions.
In Modes 4, 5, & S the RHR system would be operating. Overpressurization of the RCS by inadvertent operation of the centrifugal. charging pumps would be prevented by the RHR relief valves. The relief valve set pressure and capacity is chosen to ensure ASME Section III, Appendix G guide lines and limits, for RCS pressure at low temperature conditions, are not exceeded. A further discussion of overpressurization due to inadvertent charging pump operation and other events at low temperatures can be found in Subsection 5.2.2.10 of RESAR-SP/90 PDA Module 4, " Reactor Coolant System."
DSER OPEN ISSUE 100: Analysis of an inadvertent opening of a pressurizer safety or relief valve with a limiting single failure (15.2.5).
RESPONSE
See response to DSER Open Issue 87.
l I
DSER OPEN ISSUE 101: Time delay of reactor trip during steam generator tube rupture (SGTR) (15.2.5).
RESPONSE
The 690 second time of reactor trip following an SGTR event for the SP/90 is significantly longer than for the reference plant in Supplement 1 to WCAP-10698, " Evaluation of Offsite Radiation Doses for a Steam Generator Tube Rupture Accident." This is due mostly to a much slower depressurization rate following an SGTR event and a less limiting reactor protection system setpoint WAPWR-DSER AUGUST 1989 8190e:1d 58
,(low DNBR) for the SP/90 d: sign, which allows a prolonged trip. The RCS depressurization rate is slower because the pressurizer volume (-2500 ft 3) for the SP/90 design is much larger than current PWR designs and the break flow rate is smaller. However, this longer reactor trip time is not expected to have a significant effect on the offsite dose calculation since an additional conservative assumption was used in the SP/90 SGTR analysis to maximize steam releases.
Jr i ie generic study documented in WCAP-10698 and Supplement 1 to WCAP-10698, the affected steam generator is assumed to be identified and isolated when the narrow range level reaches [ a,c
), or at [ ] minutes after initiation of the SGTR, whichever is longer. a,c In the generic study documented in WCAP-10698, the affected steam generator a,c was isolated at the minimum time of [ ). In this case, an earlier reactor trip time would be conservative for the offsite dose calculation since more steam would be released to the atmosphere through the steam generator power operator relief valves (SGPORVs).
In the SP/90 SGTR analysis, an additional conservative assumption was used to produce a conservatively longer time from reactor trip until the affected SG is isolated, namely, the EFW flow to the steam generators was assumed to be throttled following the EFW actuation. In reality, the EFW flow to the steam generators is not expected to be throttled until level is returned to the a,c narrow range. As a result, the affected SG was isolated at approximately [ ]
minutes after trip, which is significantly longer than that calculated in thc.
generic study. Since the steam released from the affected steam generator to the atmosphere, and the integrated primary to secondary leakage after trip are maximized by a prolonged operator action time to isolate the affected steam generator, the results of the offsite dose calculation should be conservative.
The calculated duration from reactor trip until the affected steam generator is isolated is expected to be relatively insensitive to the reactor trip time. This is due to the fact t.at the affected steam generator secondary mass at reactor trip should be nearly the same due to steam generator level control and that the break flow rate and steam release rate after trip are not 1
WAPWR-DSER AUGUST 1989 s1so.;1e 59
_________.__-_________-__a
... .(
7,
.significantly? affected. Since the calculatzd duration from reactor trip to-iisolation of. the affected steam generator is not significantly affected by the reactor trip time. Additionally, the radioactivity release to the atmosphere
.is conservatively maximized by a prolonged operator action time to isolate the affected steam generator. Thus, a longer reactor trip time would have an insignificant impact on the offsite dose calculation.
l DSER Open Issue 102: Analysis of an SGTR with power operated relief valve' (PORV) failed open (15.2.5).
Response
The steam generator power-operated relief valves (SGPORV's) are solenoid E operated, fail closed valves (RESAR-SP/90 PCA Module 6/8, " Secondary Side Safeguards System / Steam and Power Conversion," Subsection 10.3.2.1.2).
Failure of these valves to close is, therefore, a mechanical failure.
The SGPORV bicek valves are designed to close automatically on low steam line pressure (RESAR-SP/90 PDA Module 6/8, " Secondary Side Safeguards System / Steam and Power Conversion," Subsection 10.3.2.1.3; also Figure 7.2-1, Sheet 9 of14).
Since only a single failure needs to be assumed, it is not necessary to consider a combination of a SGPORV to fail open and failure of a SGPORV block valve to close automatically. The consequences for an SGTR with a single failure of the power-operated relief valve on the affected steam generator failing in its open position are limited by the automatic closure of the block valve for the stuck open PORV.
(It should be noted that RESAR-SP/90 PDA Module 6/8, " Secondary Side Safeguards System / Steam and Power Conversion," Subsection 10.3.2.1.2 contains a typographical error. The sentence "For the case where the PORV fails to open the block valve is automatically closed or, a low-low steam line pressure; 2 out of 4 logic" should read "For the case where the PORV fails to close, the j
WAPWR-DSER AUGUST 1989 eisoe:1d 60
s .
block valve is automatically closed on a low steam line pressure 2 out of 4 logic." A corrected version of this Subsection will be included in Amendment 2 to RESAR-SP/90 PDA Module 6/8.)
DSER OPEN ISSUE 103: Most limiting case for small-break LOCA (15.2.5).
RESPONSE
In Subssction 15.6.4 of PDA Module 1 the results of the 3 inch, 4.313 inch and 6 inch Small Break LOCA analyses are presented. No uncovering of the core occured in any of the cases. Therefore no significant core heatup transient would occur and the core integrity acceptance criteria for small break LOCA would all be met with significant margin. The analyses all assumed the worst single failure of 1 SI train (i.e. 2 out of the 4 high head injection pumps are assumed to fail). As an additional conservatism no credit was taken for the accumulators.
The analyses bounded the limiting small break case by bounding the minimum core mixture level. The most limiting small break case is the 4.313 inch diameter break which results in the minimum margin to core uncovering (See Table 15.6.4-5 of Module 1). The 4.313 inch break is the worst case because this is the diameter of the reactor vessel SI injection nozzle. Breaks 4.313 inches or smaller could be postulated to be in the injection line. If the break is in the injection line then one SI pump would be spilling to the containment and only one SI pump would actually be injecting. Therefore the 4.313 inch and smeller breaks were only assumed to have 1 SI pump injecting.
Breaks larger tuan 4.313 inches could not be postulated to be in the SI injection line and would have two SI pumps injecting.
Therefore the 3 inch and the 4.313 inch break results presented in 15.6.4 only assumed 1 SI pump was injecting while the 6 inch break assumed that 2 SI pumps were injecting. This is the reason that the 4.313 inch break results in the minimum margin to core uncovering.
WAPWR-DSER 61 AUGUST 1989 8190e:1d t
yw, ~
e i: .- m
- ' Jl *In the response to staff question-'440.210 'on Modulo.1' ' additional - results ' were:.
presented' fort a.:-6 inch break with only one SI pump injecting.. The analysis 1
' assumed theLfailure of 1 SI . train (Le. 2 51 pumps),:an Ladditional ' failure of L
.another! SI pump and the failure of all the accumulators.- The results of?this-
~
- analysis also showed that'no core' uncovering occurred.
. DSER OPEN ISSUE 104: ' Dropped' control rod event (15.3, 15.3.3).
RESPONSE
-This;open issue involves a-continuing review'on the 'part of the staff, and will be a' ddressed in the Final SER.
- DSER OPEN ISSUE 105
- Uncontrolled rod cluster control assembly (rod) bank ~
withdrawal.at power event (15.3.2).
RESPONSE
' This.open issue. involves a continuing review on the 'part of the. staff, and will be addressed in the Final SER.
DSER OPEN ISSUE 106: . Quality Assurance (17.5).
RESPONSE
I This open ' issue was previously addressed in letter number NS-NRC-88-3374, Johnson (W) to Miller (NRC), dated October 25, 1988, and letter number
' NS-NRC-88-3373, Johnson (W) to Weiss (NRC), dated October 6, 1988.
DSER OPEN ISSUE 107: Probabilistic risk assessment (core melt frequency)
. Issued separately March 21,1988).
RESPONSE
1
- The Draft SER for the Risk Assessment portion (Front End) of the RESAR-SP/90 Probabilistic Safety Study (Reference 1) has been reviewed. The results as
. WAPWR-DSER AUGUST 1989
- sisa.:1d 62
.}.
.s .. ;
i 'r: ported in ;this' SER are. based on BNL-NUREG-52157, which is essentially, '
L unchanged from a draft version provided ~to Westinghouse 'previously, despite u
the fact that' Westinghouse provided substantial comments.(Reference 2) on that ;
draft.
Fundamentally, there are only two significant differences between the- BNL and Westinghouse core melt' frequency analysis methodologies; these are:
- 1. The determination of the probability of a loss of the integrated
. protection system (IPS) following a transient.and the determination of the probability of decay heat removal during this event.
- 2. The determination of the probability of. mechanical failure of the control ' rods to enter t'e n core. I These differences impact basically four accident sequences, which are .
described in Section 6.3. of Reference 1.- Attachment I contains a detailed
. analysis of'these sequences and provides the' Westinghouse conclusions on how
.they should be treated. These conclusions are as follows: ;
o The transient with failure of IPS and failure to recover within three hours should not be quantified since there is no basis for either the value used for probability of loss of IPS nor for the value assumed !
for probability of decay heat removal following loss of IPS.
o The ATWS sequences with failure of control rods to enter the core l should be revised in order to be consistent with the ongoing l Westinghouse program to demonstrate compliance with the ATWS rule.
BNL-NUREG-52157 contains a comparison between the BNL and b' SP/90 PSS Core Melt Frequencies (Table 0.3). In the attached Table 107-1, we have adjusted l both results by incorporating the aforementioned conclusions. When this is done, the difference between the Westinghouse and BNL results is small, suggesting that for the events analyzed and subject to certain limitations WAPWR-DSER AUGUST 1989 iiiso.-1o 63
,. .(e.g. av'ailability'of detailed design information for the IPS) there is good agreement between these studies.
The major conclusion ' ,m this is that the RESAR-SP/90 plant successfully addresses those.sequenet hat have historically been 'the major contributors
.to 'PWR plant risk. In doing so, other sequences, which in the past have been neglig hle contributors, may have become more important. During- the detailed design phase, additional efforts will be expended to ensure that these sequences do not become dominant, and they will be included in an updated and expanded PSS to be submitted with the FDA application.
I BNL-NUREG-52157 also contains sensitivity studies from which'it is concluded that an upper bound estimate for the.SP/90 core melt frequency is about 2.0 E-05' per year. In Reference 2 we provided limited comments on these studies which were not reflected in the Draft SER. Attachment 2 contains a more comprehensive analysis on this subject and concludes that these sensitivity studies are inappropriate, either because the underlying assumptions are not applicable, or because the assumed failure rates are unrealistically conservative.
Finally, we wuuld like to comment on the statement with tr y -d to optimisms and pessimisms in the Draft SER. Of the optimisms listed ii. hoference 1, only the probability of manual rod drop has a measurable impact c,n core melt frequency; this subject is covered in the foregoing and should be a topic of further discussion.
With regard to pessimisms, it is stated in Reference 1 that BNL identified none. In our opinion, the following three areas contain significant pessimisms.
- 1. Frequency of transients: The SP/90 plant is designed to experience less than one reactor trip per year. It incorporates numerous features to achieve this goal including:
'WAPWR-DSER AUGUST 1989 81so.:1d 64 I
.,_ . o ' full load rejection capability o On-line and automatic testing of the Integrated Protection System o Single Failure capability for' reactor trip breakers o Redundant Integrated Control System Nevertheless, a frequency of 10 transients was assumed in the }{ SP/90 PSE, which was the prevailing experience. at the time the study was initiated. Even today, operating plants which do not include the above improvements are experiencing fawer than 10 transients and are expected to continue to improve in future years. Thus the assumed frequency for the SP/90 is expected to be highly conservative.
- 2. Loss-of-all-AC: .The original SP/90 plant incorporated provisions to be able to sustain a loss-of-all-AC for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, which is reflected in the PSS. Recently, Westinghouse committed to extend this period to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> (Reference 3); thus, the original PSS is conservative.
- 3. RCP Seal LOCA: The original SP/90 PSS assumed a 0.5 probability of a RCP seal LOCA occurring upon loss of seal injection and thermal barrier cooling. Since that study was performed, RCP seal tests were performed in France under simulated operating conditions; these tests indicated that seal leakage would be quite low, and for this reason we believe that the above seal failure probability can be revised downward to 0.1.
If the above conservatism were eliminated the SP/90 core melt frequency would decrease from an adjusted value of 1.6 E-06 per year to about 1.0 E-06 per year. Of course the practical significance of this improvement is questionable because the original core melt frequency is so low. It is only included here to clarify the fact that the SP/90 PSS is conservative (or pessimistic) in some respects; it is worthy to note that this conservatism is i concentrated in the sequences which contribute the most to core melt l frequency, i.e. loss of offsite power and transients.
1 WAPWR-DSER AUGUST 1989 lit eo.;1e 65 )
I i
I V
s, .
TABLE 107-1 CORE MELT FREQUENCY COMPARISON BNL Review SP/90 PSS BNL Review SP/90 PSS (Adjusted) (Adjusted)
Transient 3.04E-6(51%)* 1.61E-7 (10.5%) 1.9E-7 1.6E-7 LOOP 1.00E-6 (17%) 8.08E-7 (52.5%) 1.0E-6 8.1E-7 SGTR 2.712-8 (0.45%) 2.14E-8(1.4%) 2.7E-8 2.1E-8 SSBK 2.09E-8 (0.35%) 2.98E-9(0.2%) 2.1E-8 3.0E-9 SLOCA 2.47E-8 (0.41%) 1.97E-8(1.3%) 2.5E-8 2.0E-8 LLOCA 2.24E-8 (0.3B%) 2.24E-8 (1.5%) 2.2E-8 2.2E-8 ATWS 1.33E-6 (22%) 5.53E-8(3.6%) 1.6E-7 1.3E-7 ISL 2.81E-8 (0.47%) 5.85E-9(0.4%) 2.8E-8 5.9E-9 VEF 1.00E-7 (1.7%) 1.00E-7 (6.5%) 1.0E-7 1.0E-7 LC 3.74E-7 (6.3%) 3.43E-7 (22.3%) 3.7E-7 3.4E-7 Total 5.97E-6 1.54E-6 2.0E-6 1.6E-6 ,
- Number in parenthesis indicates contribution to total core melt frequency.
WAPWR-DSER AUGUST 1989 iI190s.1d 66
u l
ATTACHMENT 1 A REVIEW OF BNL ACCIDENT SEQUENCES CONTRIBUTING 1.0 E-07 OR MORE TO RESAR-SP/90 CORE MELT FREQUENCY l
l l
l l
l EAPWR-DSER AUGUST 1989 B190e:1d l
., - SEQUENCE 1 - TRANS1ENT Failure' of the Integrated Protection System (IPS) is the basic issue raised by
.BNL for this sequence.
The value quoted in Section 3.2.2 of the RESAR-SP/90 PDA. Module 16, "Probabilistic Safety Study" for " failure of JPS" has caused significant confusion. In Reference 2, Westinghouse commented on the inappropriate use of this data in the Draft BNL review, but these comments have not been reflected in BNL-NUREG-52157.
We would like to further clarify our previous. comments.
The value of 5.7E-07 was calculated by a Westinghouse lict,see (ANSALD0 of Italy) for the PUN plant which utilizes the Integrated Protection System (IPS). It represents the failure probability per demand of the IPS to provide an Engineered Safety Features Actuation (ESFAC) signal on a single parameter, e.g., an "S" (safety injection) signal on low pressurizer pressure. This unavailability is comprised of the following parts:
o 5.6E-07 for common mode failure of 3 out of 4 sensors.
o 1.0E-08 for common mode failure of 125V Vital AC Instrument Power o 3.0E-09 for random failure of the IPS hardware.
The latter is, of course, a serious limitation of this study because it ignores common mode failure of the IPS hardware. The reason for this omission was a lack of detailed hardware design information and the absence of an accepted methodology to analyze common mode failure of such a highly redundant and diverse system.
The questionable pedigree of the ESFAC signal unavailability calculation was one of the primary reasons the IPS was not modeled explicitly in the i
1.
WAPWR-DSER AUGUST 1989 siso.:1e Al-1 I
l
t RESAR-SP/90 PDA Module 16. It should be noted that if the above value were used, there would be' virtually no impact on the RESAR-SP/90 PDA Module.1 j results becar e the_ unavailability of the mechanical system being actuated is generally at least two orders of magnitude higher.than the above ESFAC signal unavailability of 5.7E-07 per demand.
The foregoing can be summarized as follows: '
o The value of 5.7E-07.for unavailability of the IPS referenced in the RESAR-SP/90 PDA Module 1 is almost exclusively the result of common mode failure of 3 out of 4 sensors used to generate an ESFAC signal, o The effect of unavailability of ESFAC signals on the results of the RESAR-SP/90 PDA Module 1 is negligible if common mode failure of the IPS hardware is not considered.
o Common mode failure of IPS hardware should be considered; however, no such analysis has been performed at this time.
Some additional comments are in order with regard to loss of instrument indication for the operators, and ability to effect decay heat removal during such an event.
Failure of the IPS .is an event that is not well defined; the IPS is a highly diverse and redundant system, and there are numerous failure modes that could be postulated, e.g.:
o failure to generate a reactor trip signal and/or to open reactor trip breakers l
o failure to generate Engineered Safety Features Actuation (ESFAC) signals WAPWR-DSER AUGUST 1989 liiso..te Al-2
o failure'to communicate information to other parts of the I&C, e.g. the-integrated control system -(ICS), the. post-accident monitoring system (PAMS), or the main and emergency-control rooms The first two have generally been accounted for.in past PRA's, but the -'latter has, to our knowledge, not been considered up to now.- Yet the lack of instrumentation indication to the operators appears to be the. primary issue-raised in BNL-NUREG-52157.
From a safety point of view,-instrumentation signals can be divided in three categories:
- 1. Class 1E signals that enter the IPS and are processed there; from the IPS these signals may be transmitted to the ICS, to PAMS, and-to the control room as required.
- 2. Class 1E signals that enter PAMS and are processed there; these signals are displayed in tha main and emergency control rooms. They may also be transmitted to AMSAC and to the ICS as required; however, these signals are not transmitted to the IPS.
- 3. Non-Class 1E signals, which are processed in the ICS or in the monitoring systems; these signals may be transmitted to PAMS and to the control room as required; however none of these signals is transmitted to the IPS.
Table 107-Al provides a listing of selected key variables and their distribution among these different systems. It should be noted that these systems are totally separate with one major exception, i.e. the IPS and PAMS share the same power supplies (the four Class 1E batteries).
As is evident from Table 107-A1, failure of all Class 1E power supplies would indeed lead to significant loss of information to the operator because parameters entering both the IPS and PAMS would be lost. However, it was WAPWR-DSER AUGUST 1989 8180.:1e Al-3
'concluder) in. Reference 2 that this is an extremely unlikely event with a probability of 1.0E-08 per demand. Assuming 10 transients per year, the probability of this particular sequence being initiated is only 1.0E-07 per year. rven so, the.Startup Feedwater Pump would be started by the ICS and would be available to perform the decay heat removal function; however, no steam generator level information would be available to the operators such that this mode of operation would be difficult to sustain indefinitely.
Loss of either IPS or PAMS would be a much less severe event. Fellowing loss of IPS decey heat removal would be initiated automatically with a high degree of certainty.
(i) The startup feedwater puiap would be automatically started by the ICS upon loss of main feedwater.
(ii) In case of failure of the startup feedwater pump, steam generator water level would continue to decrease until the wide range level setpoint would be resched, at which point AMSAC would start the emergency feedwater pumps.
With wide range steam generator level information available, deccv heat removal operation could be monitored by the operators without difficulty.
These observations can be summarized as follows:
o Loss of all Class IE instrumentation requires failure of both IPS and PAMS, which is an extremely low probability event. The startup feedwater pump would be automatically started to supply feedwater te the steam generators, but no steam generator level information would be availabie to guide the operators in maintaining steam generator i
level.
l WAPWR-DSER AUGUST 1989 l
iilso.:1d Al-4
L, .
o D3 cay heat removal following loss of -IPS will be effceted automatically with a high degree of certainty. Steam generator wide range level will be available such that-decay heat removal performance can be monitored continuously.
Overell, our comments on the BNL treatment of this sequence are as follows:
L 1. The value of 5.7E-07 per demand is not related to any loss of IPS analysis performed by Westinghouse and the assumptions made by BNL in this regard are incorrect.
- 2. Loss of IPS does in any. case not lead to a significant degradation in l decay heat removal capability following ~ transients and is therefore unlikely to result in core damage.
BN!.-NUREG-52157 should be revised by deleting the quantitative treatment of this scenario. Loss of IPS is a potential scenario, but its consequences do
<not appear to be significant. A more detailed analysis of this scenario will be perforted at the FDA stage when the necessary IPS hardware design information will be available. !
WAPWR-DSER AUGUST 1989 sieo.;t e Al-5
... .. TABLE 107-Al KEY PARAMETERS AVAILABLE FOR MONITORING RCS AND SG STATUS 4
'PAMS (IE) 'IPS (IE)- ICS (NON-1E)
Reactor Vessel Level Neutron Flux Pzr Level Core Outlet Temp.. N-16' Power Pzr Temp.
HotLegTemp(Wide) ColdLegTemp(Narrow) Surge Line Temp Cold Leg Temp (Wide) 'Pzr Level Spray Line Temp.
RCS Hot Leg Pressure (Wide) Pzr Pressure (Narrow)
RCP Status Reactor Coolant Flow RCP Seal Inject'an Flow RCP Speed Pzr PORV Status Pzr SV Status SG Level (Wide) SG Level (Narrow) Main FW Flow Startup FW Flow Steamline Pressure Main FW Flow
~
Emergency FW Pump Status SG- Emergency FW Flow Startup FW Valve Status SG Isolation Valves Status SG PORV Status SG SV Status WAPWR-DSER AUGUST 1989 lI190s:1d Al-6
f .4t .e.
l:
W -* SEQUENCE l2 -'ATWS L The fundamental issue in this sequence is the probability of. success of p -operator action.to manually trip the reactor.
'In the Westinghouse'RESAR-SP/90 Probabi:istic Safety Study,-the probability of an ATWS occurring is 3.0 E-0.6 per ' year. The following assumptions led to -
this value i o- Number of Transients - 10 per year o Probability of failure of Automatic Scram - 3.0 E-05 per demand o . Probability of Failure of Manual Scram - 0.01 per demand.
BNL-NUREG-52157 pointed out that a successful manual trip initiation may not' necessarily lead to a successful reactor trip.. It was then assumed. that the failure of only two control rods to enter the core would constitute a failure to scram. In Reference _2, Westinghouse pointed out that even with three stuck
- control rods,-the core would become suberitical and that therefore the BNL.
evaluation was overly conservative, and resulted in an ATWS core melt
' frequency ~ contribution which was overstated by a factor of 27.
Nevertheless, the basic premise that a successful manual trip initiation may
, not result in a scram is correct and should be investigated further.
Basically, in-case of failure of automatic scram, there are three options open to the operator to attempt to effect the control rods to enter the core:
(i) pushing the manual trip button (ii) switching from automatic to manual rod control and directing the control rods to go into the core
.(iii) interrupting the power to the motor generator sets.
WAPWR-DSER AUGUST 1989 5190e:1d Al*7
- In the first case, the trip signal is sent to the trip breakers, which may have been the.cause of the failure to scram in the first place; thus, the combined probability of automatic and manual trip can be no better than the l unavailability of the reactor trip breakers, regardless of probability of operator action.
The second and third actions can lead to success even if the reactor trip breakers remain closed. But even here there is a limitation, i.e., the mechanical ability of the rods to enter the core. Based on the ongoing program to demonstrate ATWS rule compliance for Westinghouse PWR's, a value of 1.0E-06 per demand has been calculated for the failure probability of a significant number of control rods to enter the core because of mechanical problems (friction, misalignment, interference, etc.), given that power to the Control Rod Drive Mechanisms (CRDM's) has been interrupted.
In BNL-NUREG-52157, it was also pointed out that the number of transients to be used should be 7 per year rather than the 10 per year assumed by Westinghouse, the difference being the number of transients that are being initiated by a reactor trip. Combining this value with the 1.0E-06 derived above, the probability of an ATWS occurring becomes 7.0 E-06 per year, which is higher by a factor of 2.3 than the result originally derived for RESAR-SP/90. The ATWS contribution to core melt frequency should thcrefore be increased by this factor and becomes 1.3 E-0.7 per year instead of 5.5 E-0.8 per year.
WAPWR-DSER AUGUST 1989 Eiso.1e Al-8
- SEQUENCE 3 - SGTR As in .the . previous sequence, manual trip is the primary issue; additionally,-
there is an issue associated with the success criterion for secondary cooling.
BNL-NUREG-52157 assumed a steam generator tube rupture (SGTR) followed by an ATWS; the event frequency is rather high (2.6 E-07) because of the assumed value for failure of manual trip. Using the value derived by Westinghouse in the previous section, this event frequency would be 5.9 E-0.8 Further conservatism was added by BNL by assuming that this sequence would lead to core melt with a probability of 1.0 because only three intact steam generators would be available. It should be noted that in developing the success criterion for secondary cooling, Westinghouse only considered the case
.of 4 intact steam generators because the probability of coincidence of an ATWS and faulted steam generators was deemed to be so low that further analysis was not warranted. It seems obvious though that three EFW pumps feeding three steam generators would also constitute success.
However, a mere fundamental point is that from a decay heat removal point of view, the steam generator experiencing the tube rupture would be fully effective as long as it would be supplied with- feedwater; even if the operator were to terminate feedwater flow to the affected steam generator (a highly unlikely action in case of an ATWS) there would continue to be a tendency to replenish secondary inventory due to the tube leak.
When these factors are taken into account, the contribution to core melt frequency from this sequence would become negligible.
WAPWR-DSER AUGUST 1989 siso..ie Al-9
., .. . ,, SEQUENCE 4'- ATWS b 'As- in- the two previous sequences, the fundamental issue is the probability of
. success for manual trip.
Using the methodology derived for Sequence 2, the contribution to core melt frequency- would be 2.5 E-08 per year, compared to.6.0 E-09 in'the original
.RESAR-SP/90 Probabilistic Safety-Study and 1.7 E-07 in BNL-NUREG-52157.
I I
1 1
WAPWR-DSER AUGUST 1989 liisoe:1d Al-10 l