ML23292A144
| ML23292A144 | |
| Person / Time | |
|---|---|
| Site: | Susquehanna  |
| Issue date: | 10/12/2023 |
| From: | Susquehanna |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML23291A105 | List:
|
| References | |
| PLA-8081 | |
| Download: ML23292A144 (1) | |
Text
SSES-FSAR Text Rev. 64 15.2 INCREASE IN REACTOR PRESSURE The results of event analyses for the current cycles are in Appendix 15C for SSES Unit 1 and Appendix 15D for SSES Unit 2. Appendix 15E contains information and analytical results that are for non-limiting events for the initial cycles for Units 1 and 2. Note that since the data in Appendix 15E is for the initial cycles for Units 1 and 2, the values for key parameters/variables do not represent the actual values if these events were to occur for the current cycles for Units 1 and 2. However, the data and figures in Appendix 15E do show qualitative behavior of the non-limiting events.
15.2.1 PRESSURE REGULATOR FAILURE - CLOSED This event has been identified as non-limiting, and therefore, it is not explicitly analyzed each cycle. The analysis described below was performed for the initial cycles for Units 1 and 2.
15.2.1.1 Identification of Causes and Frequency Classification 15.2.1.1.1 Identification of Causes Two identical pressure regulators are provided to maintain primary system pressure control.
They independently sense pressure just upstream of the main turbine stop valves and compare it to two separate setpoints to create proportional error signals that produce each regulator output. The output of both regulators feeds in a high gate value. The regulator with the highest output controls the main turbine control valves. The lowest pressure setpoint gives the largest pressure error and thereby the largest regulator output. The backup regulator is set 3 psi higher giving a slightly smaller error and a slightly smaller effective output of the controller.
It is assumed for the purposes of this transient analysis that a single failure occurs which erroneously causes the controlling regulator to close the main turbine control valves and thereby increases reactor pressure. If this occurs, the backup regulator is ready to take control as described in Subsection 15.2.1.2.1.
15.2.1.1.2 Frequency Classification This event is treated as a moderate frequency event.
15.2.1.2 Sequence of Events and System Operation 15.2.1.2.1 Sequence of Events Postulating a failure of the primary or controlling pressure regulator in the closed mode as discussed in Subsection 15.2.1.1.1 will cause the turbine control valves to close momentarily.
The pressure will increase, because the reactor is still generating the initial steam flow. The backup regulator will reopen the valves and re-establish steady-state operation above the initial pressure equal to the setpoint difference of 3 psi.
FSAR Rev. 71 15.2-1
SSES-FSAR Text Rev. 64 15.2.1.2.1.1 Identification of Operator Actions The operator will verify that the backup regulator assumes proper control. However, this action is not required as discussed below in Subsection 15.2.1.2.3.
15.2.1.2.2 Systems Operation Normal plant instrumentation and control is assumed to function. This event requires no protection system or safeguard systems operation.
15.2.1.2.3 The Effect of Single Failures and Operator Errors The nature of the first assumed failure produces a slight pressure increase in the reactor until the backup regulator gains control. If the backup pressure regulator fails at this time, the turbine control valves (TCVs) will close in the servo or normal operating mode. Since the TCV closure is not a fast closure, there is no direct scram on closure. The reactor pressure will increase to the point that a flux or a pressure scram is initiated to shut down the reactor. Under these conditions the Recirculation Pump Trip (RPT) will occur if initiated by high dome pressure.
Analyses have been performed for a failed pressure regulator (closed) with the backup pressure regulator out of service. The analyses were for a range of operating conditions and determined operational limits. These limits for the backup pressure regulator out of service are in the COLR.
15.2.1.3 Core and System Performance The disturbance is mild, similar to a pressure setpoint change and no significant reductions in fuel thermal margins occur. This transient is much less severe than the generator and turbine trip transients described in Subsections 15.2.2 and 15.2.3.
15.2.1.3.1 Mathematical Model Only qualitative evaluation is provided.
15.2.1.3.2 Input Parameters and Initial Conditions Only qualitative evaluation is provided.
15.2.1.3.3 Results Response of the reactor during this regulator failure is such that pressure at the turbine inlet increases quickly, in less than 2 seconds or so, due to the sharp closing action of the turbine control valves which reopen when the backup regulator gains control. This pressure disturbance in the vessel is not expected to exceed flux or pressure scram trip setpoints.
15.2.1.3.4 Consideration of Uncertainties All systems utilized for protection in this event were assumed to have the poorest allowable response (e.g., relief setpoints, scram stroke time, and work characteristics). Plant behavior is, therefore, expected to reduce the actual severity of the transient.
FSAR Rev. 71 15.2-2
SSES-FSAR Text Rev. 64 15.2.1.4 Barrier Performance As noted above, the consequences of this event do not result in any temperature or pressure transient in excess of the criteria for which the fuel, pressure vessel or containment are designed; therefore, these barriers maintain their integrity and function as designed.
15.2.1.5 Radiological Consequences Since this event does not result in any additional fuel failures or any release of primary coolant to either the secondary containment or to the environment, there are no radiological consequences associated with this event.
15.2.2 GENERATOR LOAD REJECTION The generator load rejection with the steam bypass system operable is a non-limiting event, and therefore, it is not explicitly analyzed each cycle. The analysis of this event described below was performed for the initial cycles for Units 1 and 2.
The generator load rejection with the steam bypass system failed is a limiting event, and therefore, it has been analyzed for the current cycles for Units 1 and 2.
15.2.2.1 Identification of Causes and Frequency Classification 15.2.2.1.1 Identification of Causes Fast closure of the turbine control valves (TCV) is initiated whenever electrical grid disturbances occur which result in significant loss of electrical load on the generator. The turbine control valves are required to close as rapidly as possible to prevent excessive overspeed of the turbine-generator (T-G) rotor. Closure of the main turbine control valves will cause a sudden reduction in steam flow which results in an increase in system pressure and a reactor scram.
15.2.2.1.2 Frequency Classification 15.2.2.1.2.1 Generator Load Rejection With or Without Bypass This event is categorized as an incident of moderate frequency.
15.2.2.2 Sequence of Events and System Operation 15.2.2.2.1 Sequence of Events 15.2.2.2.1.1 Generator Load Rejection - Turbine Control Valve Fast Closure with Bypass Operable _
A loss of generator electrical load from high power conditions produces the sequence of events listed in Table 15E.2.2-1.
FSAR Rev. 71 15.2-3
SSES-FSAR Text Rev. 64 15.2.2.2.1.2 Generator Load Rejection with Failure of Bypass A loss of generator electrical load at high power with bypass failure produces the sequence of events listed in Table 15C.2.2-1 and 15D.2.2-1 for the current cycles for Units 1 and 2.
15.2.2.2.1.3 Identification of Operator Actions The operator should perform those actions listed in Table 15E.1.1-1.
15.2.2.2.2 System Operation 15.2.2.2.2.1 Generator Load Rejection with Bypass Operable To properly simulate the expected sequence of events, the analysis of this event assumes normal functioning of plant instrumentation and controls, plant protection and reactor protection systems.
Turbine control valve (TCV) fast closure initiates a scram trip signal for power levels greater than Pbypass, where Pbypass = 26% power for Unit 1 and Unit 2. In addition, a recirculation pump trip (RPT) is initiated. Both of these trip signals satisfy single failure criterion and credit is taken for these protection features.
The pressure relief system which operates the relief valves independently when system pressure exceeds relief valve instrumentation setpoints is assumed to function normally during the time period analyzed.
All plant control systems maintain normal operation unless specifically designated to the contrary.
15.2.2.2.2.2 Generator Load Rejection with Failure of Bypass Same as Subsection 15.2.2.2.2.1 except that failure of the main turbine bypass valves is assumed for the entire transient. A number of other conservative assumptions are made when analyzing this event. These are listed in Subsection 15.2.2.3.2.
15.2.2.2.3 The Effect of Single Failures and Operator Errors Mitigation of pressure increase is accomplished by the reactor protection system functions.
Turbine control valve trip scram and RPT are designed to satisfy the single failure criterion.
An evaluation of the most limiting single failure (i.e., failure of the bypass system) was considered in this event.
15.2.2.3 Core and System Performance 15.2.2.3.1 Mathematical Model The generator load rejection with bypass operable was analyzed for the initial cycle for Units 1 and 2 using the computer model described in References 15.2-5 and 15.2-10. The generator load rejection with bypass inoperable is a limiting event and is analyzed for each cycle. The methods for modeling and analyzing this event are described in References 15.2-6 and 15.2-11 for Unit 1 and Unit 2.
FSAR Rev. 71 15.2-4
SSES-FSAR Text Rev. 64 15.2.2.3.2 Input Parameters and Initial Conditions These analyses have been performed, unless otherwise noted, with the plant conditions tabulated in Tables 15C.0-2 and 15D.0-2.
The generator lockout relays initiate turbine control valve fast closure upon detection of load rejection before a measurable speed change takes place.
The closure characteristics of the turbine control valves are assumed such that the valves operate in the full arc (FA) mode and have a full stroke closure time, from fully open to fully closed, of 0.15 second. If the valves were to operate in the partial arc mode at powers above 90%, three turbine control valves would be fully open and one valve would be partially open.
Therefore, closure time for the valves would be approximately 0.15 seconds. In the full arc mode at powers above 90%, four turbine control valves are approximately 50% to 60 % open and their closure time would be less than 0.15 seconds. Operation is currently in the full arc mode and is within the analysis performed.
Auxiliary power would normally be independent of any turbine-generator overspeed effects and continuously supplied at rated frequency since automatic fast transfer to auxiliary power supplies normally occurs. This is what is assumed for this analysis.
The reactor is operating in the manual flow-control mode when load rejection occurs. The SSES Units do not use automatic flow-control.
The bypass valve opening characteristics are simulated using the specified delay together with the specified opening characteristic required for bypass system operation.
The analyses for the current cycles for power levels above Pbypass for Units 1 and 2 were performed for the following conditions:
- 1. A range of power, flow, and exposures to establish the most limiting initial conditions.
- 2. Scram speed: Realistic and Maximum Allowable Scram times based on the Core Operating Limits Report.
- 3. Recirculation Pump Trip: Operable and Inoperable
- 4. Bypass: Failed.
- 5. Beginning with Unit 2 Cycle 13 and Unit 1 Cycle 15, the SRVs are assumed to open based on their safety valve pressure set points plus a 3% calibration tolerance. At least two SRVs at the lowest pressure settings are assumed to be out of service for EPU conditions.
Because of the similarity of the sequence of events between the generator load rejection without bypass and the turbine trip without bypass, the two events are analyzed as a single event with the additional assumptions described in Subsection 15.2.3 Turbine Trip.
The analysis of this event for power levels at Pbypass or less are described in Subsection 15.2.3.2.2.3, Turbine Trip at Low Power with Failure of Bypass.
FSAR Rev. 71 15.2-5
SSES-FSAR Text Rev. 64 15.2.2.3.3 Results 15.2.2.3.3.1 Generator Load Rejection with Bypass Figure 15E.2.2-1 shows the results of the generator trip from rated power. The peak neutron flux and the peak average heat flux are given as a percent of rated power in Table 15E.0-1.
The MCPR does not significantly decrease below its initial value.
These results are less severe than the generator load rejection with failure of the bypass and are presented as typical results that are applicable to Units 1 and 2. The analyses were based on the initial cycle conditions for Units 1 and 2. These analyses have not been performed for the current cycles for Units 1 and 2.
15.2.2.3.3.2 Generator Load Rejection with Failure of Bypass Figures 15C.2.2-1 and 15D.2.2-1 show the response of the key variables versus time for the generator load rejection without bypass for the current cycles for Units 1 and 2. Tables 15C.0-1 and 15D.0-1 provide peak neutron flux and peak heat flux for Unit 1 and Unit 2 for this event.
15.2.2.3.4 Consideration of Uncertainties Typically, the actual full stroke closure time of the turbine control valve is 0.15 seconds. Clearly the less time it takes to close, the more severe the pressurization effect. For these analyses, it was assumed that the TSVs and the TCVs begin closing simultaneously. In the analysis of this event, the closure characteristics of these valves are modeled. The closure time of the turbine control valves will be dependent on the initial power level assumed for the event. However, in all cases the closure time determined by the model will be equal to 0.1 second (if the TSVs close first) or less than 0.1 second, (if the TCVs close first).
All systems utilized for protection in this event were assumed to have the poorest allowable response (e.g., relief setpoints, scram rod insertion time (realistic and maximum allowable), and analytical setpoints for reactor protection system setpoints). Plant behavior is, therefore, expected to reduce the actual severity of the transient.
15.2.2.4 Barrier Performance 15.2.2.4.1 Generator Load Rejection with Bypass Operable Peak pressure remains within the normal safety range, and no threat to the barrier exists.
15.2.2.4.2 Generator Load Rejection with Failure of Bypass Peak pressures for Unit 1 and Unit 2 are given in Tables 15C.0-1 and 15D.0-1. These peak nuclear system pressures are below the nuclear barrier transient pressure limit of 1375 psig.
15.2.2.5 Radiological Consequences While the consequence of this event does not result in fuel failures, it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposure to operating FSAR Rev. 71 15.2-6
SSES-FSAR Text Rev. 64 personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment under controlled release conditions. If purging of the containment is chosen, the release will have to be in accordance with the Technical Requirements Manual; therefore, this event, at the worst, would only result in a small increase in the yearly integrated exposure level.
15.2.3 TURBINE TRIP The turbine trip with the steam bypass system operable is a non-limiting event, and therefore, it is not explicitly analyzed each cycle. The analysis of this event described below was performed for the initial cycles for Units 1 and 2.
The turbine trip with the steam bypass system failed is a limiting event, and therefore, it has been analyzed for the current cycles for Units 1 and 2.
The turbine trip with the steam bypass system failed is defined as closure of the turbine stop valves followed almost immediately by closure of all turbine control valves with coincident failure of the turbine bypass valves to open. The generator load rejection without bypass is defined as the rapid closure of all of the turbine control valves followed by the closure of all of the turbine stop valves with coincident failure of the turbine bypass valves to open. The analysis of the generator load rejection without bypass and the turbine trip without bypass is performed as a single event by conservatively assuming simultaneous closure of the TCVs and TSVs (no time delays between the start of closure of the valves). The results of this analysis will bound the two events and a single set of results for the current cycles are reported in appendices 15C and 15D.
15.2.3.1 Identification of Causes and Frequency Classification 15.2.3.1.1 Identification of Causes A variety of turbine or nuclear system malfunctions will initiate a turbine trip. Some examples are moisture separator and heater drain tank high levels, large vibrations, operator lock out, loss of control fluid pressure, low condenser vacuum and reactor high water level.
15.2.3.1.2 Frequency Classification 15.2.3.1.2.1 Turbine Trip This transient is categorized as an incident of moderate frequency. In defining the frequency of this event, turbine trips which occur as a by-product of other transients such as loss of condenser vacuum or reactor high level trip events are not included. However, spurious low vacuum or high level trip signals which cause an unnecessary turbine trip are included in defining the frequency. In order to get an accurate event- by-event frequency breakdown, this type of division of initiating causes is required.
FSAR Rev. 71 15.2-7
SSES-FSAR Text Rev. 64 15.2.3.2 Sequence of Events and Systems Operation 15.2.3.2.1 Sequence of Events 15.2.3.2.1.1 Turbine Trip with Bypass Operable Turbine trip with bypass operable at high power produces the sequence of events listed in Table 15E.2.3-1. For the initial cycles of Units 1 and 2.
15.2.3.2.1.2 Turbine Trip with Failure of the Bypass Turbine trip at high power with bypass failure produces the sequence of events listed in Tables 15C.2.2-1 and 15D.2.2-1 for the current cycles for Units 1 and 2.
15.2.3.2.1.3 Identification of Operator Actions The operator must perform those actions illustrated in Table 15E.1.1-1.
15.2.3.2.2 Systems Operation 15.2.3.2.2.1 Turbine Trip with Bypass Operable All plant control systems maintain normal operation unless specifically designated to the contrary.
Turbine stop valve closure initiates a reactor scram trip via position signals to the protection system. Credit is taken for successful operation of the reactor protection system.
Turbine stop valve closure initiates recirculation pump trip (RPT) thereby reducing the jet pump drive flow as the recirculation pumps coast down.
The pressure relief system, which operates the relief valves independently when system pressure exceeds relief valve instrumentation setpoints, is assumed to function normally during the time period analyzed.
It should be noted that below Pbypass, where Pbypass = 26% power for Unit 1 and Unit 2, a main stop valve scram trip inhibit signal derived from the first stage pressure of the turbine is activated. This is done to eliminate the stop valve scram trip signal from scramming the reactor provided the bypass system functions properly. In other words, the bypass would be sufficient at this low power to accommodate a turbine trip without the necessity of shutting down the reactor. The recirculation pump trip is also bypassed at power levels below Pbypass. All other protection system functions remain functional as before and credit is taken for those protection system trips.
15.2.3.2.2.2 Turbine Trip with Failure of the Bypass Same as Subsection 15.2.3.2.2.1 except that failure of the main turbine bypass system is assumed for the entire transient time period analyzed.
FSAR Rev. 71 15.2-8
SSES-FSAR Text Rev. 64 15.2.3.2.2.3 Turbine Trip at Low Power with Failure of the Bypass Same as Subsection 15.2.3.2.2.1 except that failure of the main turbine bypass system is assumed.
It should be noted that below Pbypass, the main stop valve scram trip inhibit signal derived from the first stage pressure of the turbine is activated. This is done to eliminate the stop valve scram trip signal from scramming the reactor provided the bypass system functions properly. In other words, the bypass would be sufficient at this low power to accommodate a turbine trip without the necessity of shutting down the reactor. The EOC-RPT is disabled below Pbypass. All other protection system functions remain functional as before and credit is taken for those protection system trips.
However, since it is assumed that the turbine bypass system fails and since the scram trip derived from the closure of the turbine stop valves is bypassed at power levels below Pbypass, this event may set the thermal limits for power levels below Pbypass. It therefore has been analyzed for the current cycles for Units 1 and 2.
15.2.3.2.3 The Effect of Single Failures and Operator Errors 15.2.3.2.3.1 Turbine Trips at Power Levels Greater Than Pbypass Mitigation of pressure increase is accomplished by the reactor protection system functions.
Main stop valve closure scram trip and RPT are designed to satisfy single failure criterion.
15.2.3.2.3.2 Turbine Trips at Power Levels Less Than Pbypass Same as Subsection 15.2.3.2.3.1 except RPT and stop valve closure scram trips are normally inoperative. Since protection is still provided by high flux, high pressure, etc., these will also continue to function and scram the reactor should a single failure occur. However, to assure that thermal margins are maintained in the event of failure of the steam bypass system, this event is analyzed (See Subsection 15.2.3.3.3.3).
15.2.3.3 Core and System Performance 15.2.3.3.1 Mathematical Model The computer model described in References 15.2-5 and 15.2-10 was used to simulate the turbine trip with bypass event. The methods for modeling and analyzing this event are described in References 15.2-6 and 15.2-11 for Unit 1 and Unit 2.
15.2.3.3.2 Input Parameters and Initial Conditions The turbine trip with bypass operable and recirculation pump trip operable is a non-limiting event and was performed for the initial cycle for Units 1 and 2. The analyses of these non-limiting events used the plant conditions in Table 15E.0-2. The analyses of the turbine trip with failure of the bypass events have been performed, unless otherwise noted, with plant conditions tabulated in Table 15C.0-2 and 15D.0-2.
FSAR Rev. 71 15.2-9
SSES-FSAR Text Rev. 64 Turbine stop valves full stroke closure time is slightly greater than 0.1 second. A closure time of 0.1 seconds is used for the turbine stop valves in the simulation of this event. Note that the turbine control valves may be partially closed (depending on the initial power level), and since both the turbine control valves and the turbine stop valve closing characteristics are modeled, the turbine control valves may close slightly before the turbine stop valves. Therefore, the cessation of steam flow will occur in slightly less than or equal to 0.1 second.
A reactor scram is initiated by position switches on the stop valves when the valves are less than 90% open. This stop valve scram trip signal is automatically bypassed when the reactor is below Pbypass.
Reduction in core recirculation flow is initiated by position switches on the main stop valves, which actuate trip circuitry that trips the recirculation pumps.
Beginning with Unit 2 Cycle 13 and Unit 1 Cycle 15, the SRVs are assumed to open based on their safety valve pressure set points plus a 3% calibration tolerance. At least two SRVs at the lowest pressure settings are assumed to be out of service for EPU conditions.
15.2.3.3.3 Results 15.2.3.3.3.1 Turbine Trip with Bypass Operable A simulation of the turbine trip with the bypass system operating normally was performed for the initial core for Units 1 and 2 for conditions prior to power uprate. The results of this analysis are presented in Figure 15E.2.3-1.
Neutron flux increases rapidly because of the void reduction caused by the pressure increase.
However, the flux increase is limited by the stop valve scram and the RPT system. Peak neutron flux and fuel surface heat flux are given in Table 15E.0-1 as a percent of rated power for the initial cycles for Units 1 and 2 for this event.
15.2.3.3.3.2 Turbine Trip with Failure of Bypass A turbine trip with failure of the bypass system is simulated as described in Subsection 15.2.3.
The neutron flux and heat flux versus time are shown in Figure 15C.2.2-1 and 15D.2.2-1 for the current cycle for Units 1 and 2.
Peak neutron flux, peak average heat flux and CPRs for this event are given in Tables 15C.0-1 and 15D.0-1 for Unit 1 and Unit 2.
15.2.3.3.3.3 Turbine Trip with Bypass Valve Failure, Low Power Below Pbypass the turbine stop valve closure and turbine control valve closure scrams are automatically bypassed. At these lower power levels, turbine first stage pressure is used to initiate the scram logic bypass. The scram which terminates the transient is initiated by either high vessel pressure or high neutron flux. The bypass valves are assumed to fail; therefore, system pressure will increase until the pressure relief setpoints are reached.
For the analyses of this event, the opening of the safety/relief valves is assumed to occur based on the safety valve setpoints. At least two SRVs at the lowest pressure settings are assumed to be out of service for EPU conditions. Analyses are performed with the recirculation pump trip FSAR Rev. 71 15.2-10
SSES-FSAR Text Rev. 64 operable and inoperable. A power level Pbypass is analyzed for a number of initial core flows.
Peak pressures are expected to slightly exceed the pressure safety valve setpoints and will be significantly below the RCPB transient limit of 1375 psig.
15.2.3.3.4 Considerations of Uncertainties Uncertainties in these analyses involve protection system settings, system capacities, and system response characteristics. In all cases, the most conservative values are used in the analyses. For example:
(1) In addition to using realistic scram speeds, the analyses were also performed using the slowest allowable control rod scram motion.
(2) Scram worth shape for all-rod-out conditions is assumed.
(3) Minimum specified valve capacities are utilized for over-pressure protection.
(4) Setpoints of the safety/relief valves include errors (high) for all valves.
(5) The analyses were performed at various cycle exposures to assure that the most limiting neutronic conditions are analyzed.
15.2.3.4 Barrier Performance 15.2.3.4.1 Turbine Trip with Bypass Operable Since the turbine trip with the failure of the bypass is more severe, the turbine trip with bypass operable has not been analyzed for the current cycles for Units 1 and 2. The results of the analysis described below are based on the initial core for Units 1 and 2 and are shown in Figure 15E.2.3-1.
Peak pressure in the bottom of the vessel is below the ASME code limit of 1375 psig for the reactor coolant pressure boundary. Vessel dome pressure and the pressure at the bottom of the vessel are given in Table 15E.0-1 for this event. The severity of turbine trips from lower initial power levels decreases to the point where a scram can be avoided if auxiliary power is available from an external source and the power level is within the bypass capability.
15.2.3.4.2 Turbine Trip with Failure of the Bypass The safety/relief valves open and close sequentially as the stored energy is dissipated and the pressure falls below the setpoints of the valves. Peak nuclear system pressure for the overpressure transient is below the reactor coolant pressure boundary transient pressure limit of 1375 psig.
The peak pressure within the vessel for this event is given in Tables 15C.0-1 and 15D.0-1 for the current cycles for Units 1 and 2.
15.2.3.4.2.1 Turbine Trip with Failure of Bypass at Low Power The analysis of this event described in Subsection 15.2.3.3.3.3 used conservative assumptions to maximize the thermal transient. It was assumed that the safety/relief valves would open at FSAR Rev. 71 15.2-11
SSES-FSAR Text Rev. 64 their nominal safety setpoints plus 3%. At least two SRVs at the lowest pressure settings assumed to be out of service for EPU conditions. The analyses show that the reactor is scrammed on high pressure before any of the operable safety valves open. Based on this conservative analysis it is concluded that the pressure in the reactor vessel will be no higher than the lowest pressure setting for the operable safety valves. This pressure is below the 1375 psig reactor coolant pressure boundary transient limit.
15.2.3.5 Radiological Consequences While the consequence of this event does not result in fuel failure it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposure to operating personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment under controlled release conditions. If purging of the containment is chosen, the release will have to be in accordance with the Technical Requirements Manual; therefore this event, at the worst, would only result in a small increase in the yearly integrated exposure level.
15.2.4 MSIV CLOSURES This event has been identified as non-limiting, and therefore, it is not explicitly analyzed each cycle. However, since the SSES Units have been licensed for EPU conditions and the use of Framatome Advanced Methods starting with Unit 2 Cycle 21 and Unit 1 Cycle 23, the MSIV closure events were analyzed to confirm that they remain non-limiting.
15.2.4.1 Identification of Causes and Frequency Classification 15.2.4.1.1 Identification of Causes Various steam line and nuclear system malfunctions, or operator actions, can initiate main steam isolation valve (MSIV) closure. Examples are low steam line pressure, high steam line flow, high steam line radiation, low water level or manual action.
15.2.4.1.2 Frequency Classification 15.2.4.1.2.1 Closure of All Main Steam Isolation Valves This event is categorized as an incident of moderate frequency. To define the frequency of this event as an initiating event and not the byproduct of another transient, only the following contribute to the frequency: manual action (purposely or inadvertent); spurious signals such as low pressure, low reactor water level, low condenser vacuum, etc.; and finally, equipment malfunctions such as faulty valves or operating mechanisms. A closure of one MSIV may cause an immediate closure of all the other MSIVs depending on reactor conditions. If this occurs, it is also included in this category. During the main steam isolation valve closure, position switches on the valves provide a reactor scram if the valves in three or more main steam lines are less than 90%* open (except for interlocks which permit proper plant startup). Protection system logic, however, permits the test closure of one valve without initiating scram from the position
- Changed to 85% with no significant impact on transient results.
FSAR Rev. 71 15.2-12
SSES-FSAR Text Rev. 64 switches.
15.2.4.1.2.2 Closure of One Main Steam Isolation Valve This event is categorized as an incident of moderate frequency. One MSIV may be closed at a time for testing purposes; this is done manually. Operator error or equipment malfunction may cause a single MSIV to be closed inadvertently. If reactor power is greater than about 80%
when this occurs, a high flux, high pressure, or high steam line flow scram may result, (if all MSIVs close as a result of the single closure, the event is considered as a closure of all MSIVs).
15.2.4.2 Sequence of Events and Systems Operation 15.2.4.2.1 Sequence of Events Table 15E.2.4-1 lists the sequence of events for Figure 15E.2.4-1.
15.2.4.2.1.1 Identification of Operator Actions Table 15E.1.1-1 lists the sequence of operator actions expected during the course of the event.
15.2.4.2.2 Systems Operation 15.2.4.2.2.1 Closure of All Main Steam Isolation Valves MSIV closures initiate a reactor scram trip via position signals to the protection system. Credit is taken for successful operation of the protection system.
The pressure relief system which initiates opening of the relief valves when system pressure exceeds relief valve instrumentation setpoints is assumed to function normally during the time period analyzed.
All plant control systems maintain normal operation unless specifically designated to the contrary.
15.2.4.2.2.2 Closure of One Main Steam Isolation Valve The closure of a single MSIV at any given time will not initiate a reactor scram. This is because the valve position scram trip logic is designed to accommodate single valve operation and testability during normal reactor operation at limited power levels. Credit is taken for the operation of the pressure and flux signals to initiate a reactor scram.
All plant control systems maintain normal operation unless specifically designated to the contrary.
15.2.4.2.3 The Effect of Single Failures and Operator Errors Mitigation of pressure increase is accomplished by initiation of the reactor scram via MSIV position switches and the protection system. Relief valves also operate to limit system pressure. All of these aspects are designed to single failure criterion and additional single failures would not alter the results of this analysis. Closure of one MSIV plus a single active component failure (the second MSIV) results in a situation no worse than the analysis of the four closed MSIVs.
FSAR Rev. 71 15.2-13
SSES-FSAR Text Rev. 64 Failure of a single relief valve to open is not expected to have any significant effect. Such a failure is expected to result in less than a 20 psi increase in the maximum vessel pressure rise.
The peak pressure will still remain considerably below 1375 psig. The design basis and performance of the pressure relief system is discussed in Chapter 5.
15.2.4.3 Core and System Performance 15.2.4.3.1 Mathematical Model The computer models described in References 15.2-11 and 15.2-12 were used to simulate these transient events shown in Figure 15E.2.4-1 for EPU conditions.
15.2.4.3.2 Input Parameters and Initial Conditions These analyses have been performed, unless otherwise noted, with the plant conditions tabulated in Table 15C.0-2.
The main steam isolation valves close in 3 to 5 seconds. A conservative 2-second closure time is assumed in this analysis.
Position switches on the valves initiate a reactor scram when the valves are less than 90%*
open. Closure of these valves inhibits steam flow to the feedwater turbines terminating feedwater flow.
Valve closure indirectly causes a trip of the main turbine and generator.
Because of the loss of feedwater flow, water level within the vessel decreases sufficiently to initiate trip of the recirculation pump and initiate the HPCI and RCIC systems.
15.2.4.3.3 Results 15.2.4.3.3.1 Closure of All Main Steam Isolation Valves Figure 15E.2.4-1 shows the changes in important nuclear system variables for the simultaneous isolation of all main steam lines while the reactor is operating at 100% of rated steam flow for the initial cycles for Units 1 and 2. Peak neutron flux occurs within a few seconds of the start of the main steam line isolation valve closure. At this time, the nonlinear valve closure becomes a strong effect and the conservative scram characteristic assumption has not yet allowed credit for the full shutdown of the reactor.
Since credit is taken for the valve position switch scram for this event, this analysis for EPU conditions confirms that this event is non-limiting from either CPR or pressure boundary considerations.
15.2.4.3.3.2 Closure of One Main Steam Isolation Valve Only one isolation valve is permitted to be closed at a time for testing purposes to prevent
- Changed to 85% with no significant impact on transient results.
FSAR Rev. 71 15.2-14
SSES-FSAR Text Rev. 64 scram. Normal test procedures require an initial power reduction to approximately 80 to 90% of design conditions in order to avoid a high flux scram, a high-pressure scram, or full isolation from high steam flow in the "live" lines. With a 3-second closure of one main steam isolation valve during 100% rated power conditions, the steam flow disturbance raises vessel pressure and reactor power. This event is non-limiting from a CPR or pressure boundary condition even at EPU conditions. The event was conservatively analyzed at EPU conditions with credit taken for the high-pressure scram.
Inadvertent closure of one or all of the isolation valves while the reactor is shut down will produce no significant transient. Closures during plant heatup (operating state D) will be less severe than the maximum power cases (maximum stored and decay heat) discussed in Subsection 15.2.4.3.3.1.
15.2.4.3.4 Considerations of Uncertainties Uncertainties in these analyses involve protection system settings, system capacities, and system response characteristics. In all cases, the most conservative values are used in the analyses. For examples:
(1) Slowest allowable control rod scram motion is assumed.
(2) Scram worth shape for all-rod-out conditions is assumed.
(3) Minimum specified valve capacities are utilized for overpressure protection.
(4) Setpoints of the safety/relief valves are assumed to be 3% higher than the valve's nominal setpoint.
15.2.4.4 Barrier Performance 15.2.4.4.1 Closure of All Main Steam Isolation Valves As shown in Table 15E.2.4-1, the nuclear system safety valves begin to open shortly after the start of isolation. The SRVs close sequentially as the stored heat is dissipated but continue to discharge the decay heat intermittently. Peak pressure at the vessel bottom is given in Table 15E.0-1 and is clearly below the pressure limits of the reactor coolant pressure boundary.
Peak pressure in the main steam line is also given in Table 15E.0-1.
15.2.4.4.2 Closure of One Main Steam Isolation Valve If closure of the valve occurs at an unacceptably high operating power level, a flux or pressure scram will result; therefore, no significant effect is imposed on the RCPB. The main turbine bypass system will continue to regulate system pressure via the other three "live" steam lines.
15.2.4.5 Radiological Consequences While the consequence of this event does not result in fuel failure it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposure to operating personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment FSAR Rev. 71 15.2-15
SSES-FSAR Text Rev. 64 under controlled release conditions. If purging of the containment is chosen, the release will have to be in accordance with the Technical Requirements Manual; therefore this event, at the worst, would only result in a small increase in the yearly integrated exposure level.
15.2.5 LOSS OF CONDENSER VACUUM PPL NRC approved methods (Reference 15.2-7) have identified this event as non-limiting, and therefore, it is not explicitly analyzed each cycle. The analysis described below was performed for the initial cycles for Units 1 and 2.
15.2.5.1 Identification of Causes and Frequency Classification 15.2.5.1.1 Identification of Causes Various system malfunctions which can cause a loss of condenser vacuum due to some single equipment failure are designated in Table 15E.2.5-1.
15.2.5.1.2 Frequency Classification This event is categorized as an incident of moderate frequency.
15.2.5.2 Sequence of Events and Systems Operation 15.2.5.2.1 Sequence of Events Table 15E.2.5-2 lists the sequence of events for Figure 15E.2.5-1.
15.2.5.2.1.1 Identification of Operator Actions The operator must perform those actions illustrated in Table 15E.1.1-1.
15.2.5.2.2 Systems Operation In establishing the expected sequence of events and simulating the plant performance, it was assumed that normal functioning occurred in the plant instrumentation and controls, plant protection and reactor protection systems. Tripping functions incurred by sensing main turbine condenser vacuum pressure are designated in Table 15E.2.5-3.
15.2.5.2.3 The Effect of Single Failures and Operator Errors This event does not lead to a general increase in reactor power level. Mitigation of power increase is accomplished by the protection system initiation of scram. Failure of the integrity of the condenser unit itself is considered to be an accident situation and is described in Subsection 15.7.1.
Single failures will not affect the vacuum monitoring and turbine trip devices which are redundant. The protective sequences of the anticipated operational transient are shown to be single failure proof.
FSAR Rev. 71 15.2-16
SSES-FSAR Text Rev. 64 15.2.5.3 Core and System Performance 15.2.5.3.1 Mathematical Model The computer model described in References 15.2-5 and 15.2-10 was used to simulate this transient event.
15.2.5.3.2 Input Parameters and Initial Conditions This analysis was performed with the plant conditions tabulated in Table 15E.0-2 unless otherwise noted. Turbine stop valves full stroke closure time is 0.1 second.
A reactor scram is initiated by position switches on the stop valves when the valves are less than 90% open. This stop valve scram trip signal is automatically bypassed when the reactor is below Pbypass, where Pbypass = 26% power for Unit 1 and for Unit 2 rated power level.
The analysis presented here is a hypothetical case with a conservative 2.0 inches Hg per second vacuum decay rate. Thus, the bypass system is available for several seconds since the bypass is signaled to close at a vacuum level of about 10 inches Hg less than the stop valve closure.
15.2.5.3.3 Results Under this hypothetical vacuum decay condition, the turbine bypass valve and main steam isolation valve closure would follow main turbine and feedwater turbine trips about 12 seconds after they initiate the transient. This transient, therefore, is similar to a normal turbine trip with bypass. The effect of main steam isolation valve closure tends to be minimal since the closure of main turbine stop valves and subsequently the bypass valves have already shut off the main steam line flow. Figure 15E.2.5-1 shows the transient expected for this event. It is assumed that the plant is initially operating at 105% of rated steam flow conditions (prior to power uprate). Peak neutron flux and peak average fuel surface heat flux are given in Table 15E.0-1 as a percent of rated value. Safety/relief valves open to limit the pressure rise, then sequentially reclose as the stored energy is dissipated.
15.2.5.3.4 Considerations of Uncertainties The reduction or loss of vacuum in the main turbine condenser will sequentially trip the main and feedwater turbines and close the main steamline isolation valves and bypass valves. While these are the major events occurring, other resultant actions will include scram (from stop valve closure) and bypass opening with the main turbine trip. Because the protective actions are actuated at various levels of condenser vacuum, the severity of the resulting transient is directly dependent upon the rate at which the vacuum pressure is lost. Normal loss of vacuum due to loss of cooling water pumps or steam jet air ejector problems produces a very slow rate of loss of vacuum (minutes, not seconds); (See Table 15E.2.5-1). If corrective actions by the reactor operators are not successful, then simultaneous trips of the main and feedwater turbines, and ultimately complete isolation by closing the bypass valves (opened with the main turbine trip) and the MSIVs will occur.
A faster rate of loss of the condenser vacuum would reduce the anticipatory action of the scram and the overall effectiveness of the bypass valves since they would be closed more quickly.
FSAR Rev. 71 15.2-17
SSES-FSAR Text Rev. 64 Other uncertainties in these analyses involve protection system settings, system capacities, and system response characteristics. In all cases, the most conservative values are used in the analyses. For example:
(1) Slowest allowable control rod scram motion is assumed.
(2) Scram worth shape for all-rod-out conditions is assumed.
(3) Minimum specified valve capacities are utilized for over-pressure protection.
(4) Setpoints of the safety/relief valves are assumed to be at the upper limit of the Technical Specifications for all valves.
15.2.5.4 Barrier Performance Peak nuclear system pressure at the vessel bottom is given in Table 15E.0-1 and is below the reactor coolant pressure boundary transient pressure limit of 1375 psig. Vessel dome pressure is also given in Table 15E.0-1. A comparison of these values to those for Turbine Trip with Bypass Failure at high power shows the similarities between these two transients. The primary differences are the loss of feedwater and main steam line isolation, and the resulting low water level trips.
15.2.5.5 Radiological Consequences While the consequence of this event does not result in fuel failure it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposure to operating personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment under controlled release conditions. If purging of the containment is chosen, the release will have to be in accordance with the Technical Requirements Manual; therefore this event, at the worst, would only result in a small increase in the yearly integrated exposure level.
15.2.6 LOSS OF AC POWER PPL NRC approved methods (Reference 15.2-7) have identified this event as non-limiting, and therefore, it is not explicitly analyzed each cycle. The analysis described below was performed for the initial cycles for Units 1 and 2.
15.2.6.1 Identification of Causes and Frequency Classification 15.2.6.1.1 Identification of Causes 15.2.6.1.1.1 Loss of Auxiliary Power Transformer Causes for interruption or loss of the auxiliary power transformer power can arise from normal operation or malfunctioning of transformer protection circuitry. These can include high transformer oil temperature, reverse or high current operation as well as operator error which trips the transformer breakers.
FSAR Rev. 71 15.2-18
SSES-FSAR Text Rev. 64 15.2.6.1.1.2 Loss of All Grid Connections Loss of all grid connections can result from major shifts in electrical loads, loss of loads, lightning, storms, wind, etc., which contribute to electrical grid instabilities. These instabilities will cause equipment damage if unchecked. Protective relay schemes automatically disconnect electrical sources and loads to mitigate damage and regain electrical grid stability.
15.2.6.1.2 Frequency Classification 15.2.6.1.2.1 Loss of Auxiliary Power Transformer This transient disturbance is categorized as an incident of moderate frequency.
15.2.6.1.2.2 Loss of All Grid Connections This transient disturbance is categorized as an incident of moderate frequency.
15.2.6.2 Sequence of Events and Systems Operation 15.2.6.2.1 Sequence of Events 15.2.6.2.1.1 Loss of Auxiliary Power Transformer Table 15E.2.6-1 lists the sequence of events for Figure 15E.2.6-1.
15.2.6.2.1.2 Loss of All Grid Connections Table 15E.2.6-2 lists the sequence of events for Figure 15E.2.6-2.
15.2.6.2.1.3 Identification of Operator Actions The operator should maintain the reactor water level by use of the RCIC and/or HPCI system, control reactor pressure by use of the relief valves and verify that the turbine dc oil pump is operating satisfactorily to prevent turbine bearing damage. Also, he should verify proper switching and loading of the emergency diesel generators.
Table 15E.1.1-1 lists the sequence of operator actions expected during the course of the events when no immediate restart is assumed.
15.2.6.2.2 Systems Operation 15.2.6.2.2.1 Loss of Auxiliary Power Transformer This event, unless otherwise stated, assumes and takes credit for normal functioning of plant instrumentation and controls, plant protection and reactor protection systems.
FSAR Rev. 71 15.2-19
SSES-FSAR Text Rev. 64 The reactor is subjected to a complex sequence of events when the plant loses all auxiliary power. Estimates of the responses of the various reactor systems (assuming loss of the auxiliary transformer) provide the following simulation sequence:
(1) The recirculation pumps are tripped at a reference time, t=0, with normal coastdown times.
(2) At approximately 2 seconds, independent MSIV closure and scram are initiated due to loss of power to MSIV logic and actuator solenoids.
(3) At approximately 4 seconds, feedwater pump trips are initiated.
Operation of the HPCI and RCIC system functions are not simulated in this analysis. Their operation occurs at some time beyond the primary concerns of fuel thermal margin and overpressure effects of this analysis.
15.2.6.2.2.2 Loss of All Grid Connections Same as Subsection 15.2.6.2.2.1 with the following additional concern.
The loss of all grid connections is another feasible, although improbable, way to lose all auxiliary power. This event would add a generator load rejection to the above sequence at time t = 0.
The load rejection immediately forces the turbine control valves closed, causes a scram, and initiates recirculation pump trip (RPT) (already tripped at reference time t = 0).
15.2.6.2.3 The Effect of Single Failures and Operator Errors Loss of the auxiliary power transformer in general leads to a reduction in power level due to rapid pump coastdown with pressurization effects due to turbine trip occurring after the reactor scram has occurred. Additional failures of the other systems assumed to protect the reactor would not result in an effect different from those reported. Failures of the protection systems have been considered and satisfy single failure criteria and as such no change in analyzed consequences is expected.
15.2.6.3 Core and System Performance 15.2.6.3.1 Mathematical Model The computer model described in References 15.2-5 and 15.2-10 was used to simulate this event.
Operation of the RCIC or HPCI systems is not included in the simulation of this transient, since startup of these pumps does not permit flow in the time period of this simulation.
15.2.6.3.2 Input Parameters and Initial Conditions 15.2.6.3.2.1 Loss of Auxiliary Power Transformer These analyses have been performed, unless otherwise noted, with the plant conditions tabulated in Table 15E.0-2 and under the assumed systems constraints described in Subsection 15.2.6.2.2.
FSAR Rev. 71 15.2-20
SSES-FSAR Text Rev. 64 15.2.6.3.2.2 Loss of All Grid Connections Same as Subsection 15.2.6.3.2.1.
15.2.6.3.3 Results The results described below are for the initial cycles for Units 1 and 2. These events are non-limiting and have not been analyzed for the current cycles.
15.2.6.3.3.1 Loss of Auxiliary Power Transformer Figure 15E.2.6-1 shows graphically the simulated transient. The initial portion of the transient is similar to the loss-of-feedwater transient. At 2 seconds MSIV's start to close and the reactor is scrammed. The feedwater turbines trip off at about 4 seconds.
The RHR system, in the shutdown cooling mode, is initiated to dissipate the heat. Sensed level drops to the RCIC and HPCI initiation setpoint at approximately 32 seconds after loss of auxiliary power.
There is no significant increase in fuel temperature or decrease in the operating MCPR value, fuel thermal margins are not threatened and the design basis is satisfied.
15.2.6.3.3.2 Loss of All Grid Connections Loss of all grid connections is a more general form of loss of auxiliary power. It essentially takes on the characteristic response of the standard full load rejection discussed in Subsection 15.2.2. Figure 15E.2.6-2 shows graphically the simulated event. Peak neutron flux and peak fuel surface heat flux are given in Table 15E.0-1 as a percent of the initial value.
There is no significant increase in fuel temperature.
15.2.6.3.4 Consideration of Uncertainties The most conservative characteristics of protection features are assumed. Any actual deviations in plant performance are expected to make the results of this event less severe.
Operation of the RCIC or HPCI systems is not included in the simulation of the first 50 seconds of this transient. Startup of these pumps occurs in the latter part of this time period but these systems have no significant effect on the results of this transient.
Following main steam line isolation and RHR initiation the reactor pressure is expected to increase until the safety/relief valve set point(s) (5) are reached. At this time the valves operate in a cyclic manner to discharge the decay heat to the suppression pool.
15.2.6.4 Barrier Performance 15.2.6.4.1 Loss of Auxiliary Power Transformer The consequences of this event do not result in any significant temperature or pressure transient in excess of the criteria for which the fuel, pressure vessel or containment are designed; therefore, these barriers maintain their integrity and function as designed.
FSAR Rev. 71 15.2-21
SSES-FSAR Text Rev. 64 5.2.6.4.2 Loss of All Grid Connections Safety/relief valves open in the pressure relief mode of operation as the pressure increases beyond their set points. The pressure in the dome is limited to the value given in Table 15E.0-1, which is well below the vessel pressure limit of 1375 psig.
15.2.6.5 Radiological Consequences While the consequence of this event does not result in fuel failure, it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposure to operating personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment under controlled release conditions. If purging of the containment is chosen, the release will have to be in accordance with the Technical Requirements Manual specifications; therefore, this event, at the worst, would only result in a small increase in the yearly integrated exposure level.
15.2.7 LOSS OF FEEDWATER FLOW The loss of feedwater flow has been identified as non-limiting, and therefore, it was not explicitly analyzed each cycle. However, since the SSES Units have been licensed for EPU conditions, and the use of Framatome Advanced Methods starting with Unit 2 Cycle 21 and Unit 1 Cycle 23, the loss of feedwater flow was analyzed to confirm that it remains non-limiting.
15.2.7.1 Identification of Causes and Frequency Classification 15.2.7.1.1 Identification of Causes A loss of feedwater flow could occur from pump failures, feedwater controller failures, operator errors, or reactor system variables such as the high vessel water level (L8) trip signal.
15.2.7.1.2 Frequency Classification This transient disturbance is categorized as an incident of moderate frequency.
15.2.7.2 Sequence of Events and Systems Operation 15.2.7.2.1 Sequence of Events Table 15E.2.7-1 lists the sequence of events for Figure 15E.2.7-1.
15.2.7.2.1.1 Identification of Operator Actions The operator should ensure RCIC and HPCI actuation so that water inventory is maintained in the reactor vessel and monitor reactor pressure.
Table 15E.1.1-1 lists the sequence of operator actions expected during the course of the event.
FSAR Rev. 71 15.2-22
SSES-FSAR Text Rev. 64 15.2.7.2.2 Systems Operation Loss of feedwater flow results in a proportional reduction of vessel inventory causing the vessel water level to drop. The first corrective action is the low level (L3) scram trip actuation. The reactor protection system responds within 1 second after this trip to scram the reactor. The low level (L3) scram trip function meets the single failure criterion.
15.2.7.2.3 The Effect of Single Failures and Operator Errors The nature of this event, as explained above, results in a lowering of vessel water level. Key corrective efforts to shut down the reactor are automatic and designed to satisfy single failure criterion; therefore, any additional failure in these shutdown methods would not aggravate or change the simulated transient.
The potential exists for a single relief valve failing to close once it is opened. This would result in a complete depressurization of the reactor. This is discussed in Subsection 15.1.4. Either the HPCI or RCIC system is capable of maintaining adequate core coverage and will provide inventory control.
15.2.7.3 Core and System Performance 15.2.7.3.1 Mathematical Model The computer models described in References 15.2-11 and 15.2-12 were used to simulate this event.
15.2.7.3.2 Input Parameters and Initial Conditions These analyses have been performed, unless otherwise noted, with the plant conditions tabulated in Table 15C.0-2.
15.2.7.3.3 Results The results of this transient simulation are shown in Figures 15E.2.7-1 through 4. Feedwater flow terminates at approximately 5 seconds. Subcooling decreases causing a reduction in core power level and pressure. As power level is lowered, the turbine steam flow starts to drop off because the pressure regulator is attempting to maintain pressure. Water level continues to drop until the vessel level (L3) scram trip set point is reached whereupon the reactor is shut down. The recirculation system is tripped and HPCI and RCIC operation are initiated due to vessel water dropping to the (L2) trip. Note, for this simulation only the RCIC was assumed to operate. Prior to reaching L1, water level starts increasing due to the RCIC flow entering the vessel. MCPR remains considerably above the safety limit since increases in heat flux are not experienced since the water level does not reach L1, the MSIVs do not close and system pressure remains low.
15.2.7.3.4 Considerations of Uncertainties End-of-cycle scram characteristics are assumed.
This transient is most severe from high power conditions, because the rate of level decrease is greatest and the amount of stored and decay heat to be dissipated are highest.
FSAR Rev. 71 15.2-23
SSES-FSAR Text Rev. 64 Operation of the HPCI system is not included in the simulation of this transient. Operation of the RCIC is included in the simulation of the transient.
15.2.7.4 Barrier Performance Peak pressure in the bottom of the vessel is given in Table 15E.0-1 and is below the ASME Code limit of 1375 psig for the RCPB. Vessel dome pressure is also given in Table 15E.0-1.
The consequences of this event do not result in any temperature or pressure transient in excess of the criteria for which the fuel, pressure vessel or containment are designed; therefore, these barriers maintain their integrity and function as designed.
15.2.7.5 Radiological Consequences While the consequence of this event does not result in fuel failure, it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposure to operating personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment under controlled release conditions. If purging of the containment is chosen, the release will have to be in accordance with the Technical Requirements Manual; therefore this event, at the worst, would only result in a small increase in the yearly integrated exposure level.
15.2.8 FEEDWATER LINE BREAK (Refer to Subsection 15.6.6) 15.2.9 FAILURE OF RHR SHUTDOWN COOLING Normally, in evaluating component failure considerations associated with the RHR Shutdown Cooling mode operation, active pumps or instrumentation (all of which are redundant for safety system portions of the RHR aspects) would be assumed to be the likely failed equipment. For purposes of worst case analysis, the single recirculation loop suction valve to the redundant RHR loops is assumed to fail. This failure would, of course, still leave two complete RHR loops for LPCI, suppression pool, and containment cooling minus the normal RHR Shutdown Cooling loop connection. Although the suction valve could be manually manipulated open, it is assumed failed indefinitely.
If it is now assumed that the SACF criteria is applied, the plant operator has one complete RHR loop available with the further selective worst case assumption that the other RHR loop is lost.
Recent analytical evaluations of this event have required additional worst case assumptions.
These included:
(1) loss of all offsite ac power (2) utilization of safe shutdown equipment only (3) operator involvement no earlier than 10 minutes after coincident assumptions.
FSAR Rev. 71 15.2-24
SSES-FSAR Text Rev. 64 These accident-type assumptions would change the initial incident (malfunction of RHR suction valve) from a moderate frequency incident to a classification in the design basis accident status.
However, the event is evaluated as a moderate frequency event with its subsequent limits.
15.2.9.1 Identification of Causes and Frequency Classification 15.2.9.1.1 Identification of Causes The plant is operating at 102% of rated Thermal Power when a long-term loss of offsite power occurs, causing multiple safety-relief valve actuations (see Subsection 15.2.6 Loss of AC Power) and subsequent heatup of the suppression pool. Reactor vessel depressurization is initiated to bring the reactor pressure to approximately 100 psig. Concurrent with the loss of offsite power, an additional (divisional) single failure occurs which prevents the operator from establishing the normal shutdown cooling path through the RHR shutdown cooling lines. The operator then establishes a shutdown cooling path for the vessel through the ADS valves.
15.2.9.1.2 Frequency Classification This event is evaluated as a moderate frequency event. However, for the following reasons it could be considered an infrequent incident:
(1) Only a few RHR valves have failed in the shutdown cooling mode in BWR total operating experience.
(2) The set of conditions evaluated is for multiple failures as described above and is only postulated (not expected) to occur.
15.2.9.2 Sequence of Events and System Operation 15.2.9.2.1 Sequence of Events The sequence of events for this event is shown in Table 15E.2.9-1.
15.2.9.2.1.1 Identification of Operator Actions For the early part of the transient, the operator actions are identical to those described in Table 15E.1.1-1 resulting in an isolation. The operator then proceeds to do the following:
(1) at approximately 10 minutes into the transient, initiate RPV shutdown depressurization at 100°F/hr by manual actuation of the safety/relief valves; (2) at approximately 15 minutes into the transient, initiate suppression pool cooling (again for purposes of this "worst case" analysis, it is assumed that only one RHR heat exchanger is available);
(3) when the reactor pressure vessel is depressurized to approximately 100 psig, opens the RHR shutdown cooling system isolation valves. However, it is assumed that a failure occurs and the operator cannot open one of the isolation valves on the RHR suction line and the normal RHR shutdown cooling path is not established; FSAR Rev. 71 15.2-25
SSES-FSAR Text Rev. 64 (4) selectively opens safety/relief valves (ADS) to complete blowdown and floods the vessel up through the safety/relief valves thereby establishing a closed cooling path as described in the notes for Figure 15E.2.9-1 and off normal procedures.
15.2.9.2.2 System Operation Plant instrumentation and control is assumed to be functioning normally except as noted. In this evaluation credit is taken for the plant and reactor protection systems and/or the ESF utilized.
15.2.9.2.3 The Effect of Single Failures and Operator Errors The worst case single failure (Loss of Division Power) has already been analyzed in this event.
Therefore, no single failure or operator error can make the consequences of this event any worse.
15.2.9.3 Core and System Performance 15.2.9.3.1 Methods, Assumptions, and Conditions An event that can directly cause reactor vessel water temperature increase is one in which the energy removal rate is less than the decay heat rate. The applicable event is loss of RHR shutdown cooling. This event can occur only during the low pressure portion of a normal reactor shutdown and cooldown, when the RHR system is operating in the shutdown cooling mode. During this time MCPR remains high and nucleate boiling heat transfer is not exceeded at any time. Therefore, the core thermal safety margin remains essentially unchanged. The 10-minute time period assumed for operator action is an estimate of how long it would take the operator to initiate the necessary actions; it is not a time by which he must initiate action. The initial conditions used for evaluation of failure of RHR Shutdown Cooling are given in Table 15E.2.9-2.
15.2.9.3.2 Results For most single failures that could result in loss of shutdown cooling, no unique safety actions are required. In these cases, shutdown cooling is simply re-established using other, normal shutdown cooling equipment. In cases where both of the RHR shutdown cooling suction valves cannot be opened, alternate paths are available to accomplish the shutdown cooling function (Figure 15E.2.9-2). An evaluation has been performed assuming the worst single failure that could disable the RHR shutdown cooling valves.
This evaluation demonstrates the capability to safely transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded.
The evaluation assures that, for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available), the safety function can be accomplished, assuming a worst-case single failure.
The alternate cooldown path chosen to accomplish the shutdown cooling function utilizes the RHR and ADS or normal relief valve systems (see Reference 15.2-1 and Figure 15E.2.9-1).
FSAR Rev. 71 15.2-26
SSES-FSAR Text Rev. 64 The alternate shutdown systems are capable of performing the function of transferring heat from the reactor to the environment using only safety grade systems. Even if it is additionally postulated that all of the ADS or relief valve discharge piping also fails, the shutdown cooling function would eventually be accomplished as the cooling water would run directly out of the ADS or safety/relief valves, flooding into the drywell.
The systems have suitable redundancy in components such that, for onsite electrical power operation (assuming offsite power is not available) and for offsite electrical power operation (assuming onsite power is also not available), the systems' safety function can be accomplished assuming an additional single failure. The systems can be fully operated from the main control room.
The design evaluation is divided into two phases: (1) full power operation to approximately 100 psig vessel pressure, and (2) approximately 100 psig vessel pressure to cold shutdown (14.7 psia, 200oF) conditions.
15.2.9.3.2.1 Full Power to Approximately 100 psig Independent of the event that initiated plant shutdown (whether it be a normal plant shutdown or a forced plant shutdown), the reactor is normally brought to approximately 100 psig using either the main condenser or, in the case where the main condenser is unavailable, the RCIC/HPCI systems, together with the nuclear boiler pressure relief system.
For evaluation purposes, however, it is assumed that plant shutdown is initiated by transient event 15.2.6 (loss of A-C power), which results in relief valve actuation and subsequent suppression pool heatup. For this postulated condition, the reactor is shut down and the reactor vessel pressure and temperature are reduced to and maintained at saturated conditions at approximately 100 psig. The reactor vessel is depressurized by manually opening selected safety/relief valves. Reactor vessel makeup water is automatically provided via the RCIC/HPCI systems. While in this condition, the RHR system (suppression pool cooling mode) is used to maintain the suppression pool temperature within shutdown limits.
These systems are designed to routinely perform their functions for both normal and forced plant shutdown. Since the RCIC, HPCI and RHR systems are divisionally separated, no single failure, together with the loss of offsite power, is capable of preventing reaching the 100 psig level.
15.2.9.3.2.2 Approximately 100 psig to Cold Shutdown The following assumptions are used for the analyses of the procedures for attaining cold shutdown from a pressure of approximately 100 psig:
(1) the vessel is at 100 psig and saturated conditions; (2) a worst-case single failure is assumed to occur (i.e., loss of a division of emergency power); and (3) there is no offsite power available.
FSAR Rev. 71 15.2-27
SSES-FSAR Text Rev. 64 In the event that the RHR shutdown suction line is not available because of single failure, the first action to be taken will be for personnel to gain access and effect repairs. For example, if a single electrical failure caused a suction valve to fail in the closed position, a hand wheel is provided on the valve to allow manual operation. If for some reason the normal shutdown cooling suction line cannot be repaired, the capabilities described below will satisfy the normal shutdown cooling requirements and thus fully comply with GDC 34.
The RHR shutdown cooling line valves are in two divisions (Division 1 = the outboard valve, and Division 2 = the inboard valve) to satisfy containment isolation criteria. For evaluation purposes, the worst-case failure is assumed to be the loss of a division of emergency power, since this also prevents actuation of one shutdown cooling line valve. Engineered safety feature equipment available for accomplishing the shutdown cooling function includes (for the selected path):
ADS (DC Division 1 and DC Division 2)
RHR Loop A (Division 1)
RHR Loop B (Division 2)
Core Spray A (Division 1)
Core Spray B (Division 2)
For failures of Division 1 or 2, the following systems are assumed functional:
(1) Division 1 Fails, Division 2 Functional:
Failed Systems Functional Systems RHR Pumps A & C HPCI CS Loop A ADS RCIC RHR Loop B CS Loop B RHR Pumps B & D (2) Division 2 Fails, Division 1 Functional:
Failed Systems Functional Systems RHR Pumps B & D CS Loop A CS Loop B RCIC HPCI RHR Loop A ADS RHR Pumps A &C Assuming the single failure is the failure of Division 2, the safety function is accomplished by establishing one of the cooling loops described in Activity C2 of Figure 15E.2.9-1. If the assumed single failure is Division 1, the safety function is accomplished by establishing one of the cooling loops described as Activity C1 of Figure 15E.2.9-1.
FSAR Rev. 71 15.2-28
SSES-FSAR Text Rev. 64 Using the above assumptions and following the depressurization transient shown in Figure 15E.2.9-3, the suppression pool temperature is shown in Figure 15E.2.9-4.
15.2.9.4 Barrier Performance As noted above, the consequences of this event do not result in any temperature or pressure transient in excess of the criteria for which the fuel, pressure vessel, or containment are designed. Release of coolant to the containment occurs via SRV actuation. Release of radiation to the environment is described below.
15.2.9.5 Radiological Consequences While this event does not result in fuel failure, it does result in the discharge of normal coolant activity to the suppression pool via SRV operation. Since this activity is contained in the primary containment, there will be no exposures to operating personnel. Since this event does not result in an uncontrolled release to the environment, the plant operator can choose to leave the activity bottled up in the containment or discharge it to the environment under controlled release conditions. If purging of the containment is chosen, the release will have to be in accordance with the Technical Requirements Manual; therefore, this event, at the worst, would only result in a small increase in the yearly integrated exposure level.
15.2.10 REFERENCES 15.2-1 Letter - R.S. Boyd to I. F. Stuart; dated November 12, 1975,
Subject:
Requirements Delineated for RHRS - Shutdown Cooling System--Single Failure Analysis.
15.2-2 Fukushima, T.Y. "Hex 01 User Manual," NEDE-23014, July 1976.
15.2-3 Brutschy, F.G., et al, "Behavior of Iodine in Reactor Water During Plant Shutdown and Startup."
15.2-4 Nquyen, D., "Realistic Accident Analysis for General Electric Boiling Water Reactor -
The RELAC Code and User's Guide," NEDO-21142, to be issued (December 1977).
15.2-5 Linford, R.B., Analytical Methods of Plant Transient Evaluations for General Electric Boiling Water Reactor, April 1973 (NEDO 10802).
15.2-6 ANP-10300P-A Revision 1, AURORA-B: An Evaluation Model for Boiling Water Reactors; Application to Transient and Accident Scenarios, Framatome, January 2018.
15.2-7 Deleted.
15.2-8 Deleted.
15.2-9 Deleted.
FSAR Rev. 71 15.2-29
SSES-FSAR Text Rev. 64 15.2-10 F. Odar, "Safety Evaluation for General Electric Topical Report: Qualification of the One-Dimensional Core Transient Model for Boiling Water Reactors,"
NEDO-24154, NEDE-24154-P, Vols. I, II, III, dated June 1980.
15.2-11 XN-NF-80-19(P)(A) Volume 4 Revision 1, Exxon Nuclear Methodology for Boiling Water Reactors: Application of the ENC Methodology to BWR Reloads, Exxon Nuclear Company, June 1986.
15.2-12 ANF-913(P)(A) Volume 1 Revision 1 and Volume 1 Supplements 2, 3, and 4, COTRANSA2: A Computer Program for Boiling Water Reactor Transient Analyses, Advanced Nuclear Fuels Corporation, August 1990.
FSAR Rev. 71 15.2-30