ML18100A423

From kanterella
Revision as of 05:10, 3 February 2020 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Emergency Application for Amends to Licenses DPR-70 & DPR-75,changing Current Licensing Basis Requirements to Address Potential Single Failure Identified in Rod Control Sys
ML18100A423
Person / Time
Site: Salem  PSEG icon.png
Issue date: 06/17/1993
From: Hagan J
Public Service Enterprise Group
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
LCR-93-21, NLR-N93098, NUDOCS 9306220388
Download: ML18100A423 (24)


Text

'.

Public Service Electric and Gas Company Joseph J. Hagan Public Service Electric and Gas Company P.O. Box 236, Hancocks Bridge, NJ 08038 609-339-1200 Vice President - Nuclear Operations JUN 17 1993 NLR-N93098 LCR 93-21 United States Nuclear Regulatory Commission Document Control Desk Washington, DC 20555 Gentlemen:

REQUEST FOR EMERGENCY LICENSE AMENDMENT ROD CONTROL SYSTEM SALEM GENERATING STATION UNITS 1 AND 2 FACILITY OPERATING LICENSE NOS. DPR-70 AND DPR-75 DOCKET NOS. 50-272 AND 50-311 Public Service Electric and Gas Company (PSE&G) hereby requests an Emergency License Amendment for Facility Operating License Nos. DPR-70 and DPR-75 in accordance with the requirements of 10CFR50.90 and 10CFR50.91. This request for Emergency License Amendment concerns a change to the current licensing basis requirements to address a potential single failure identified in the Rod Control System. During startup of Salem Unit 2 following the seventh refueling outage, a failure in the rod control system caused a single rod to withdraw while the operator applied a rod insertion command. Investigation of this event has determined that a failure may occur resulting in a possible rod withdrawal event. Assuming the failure is a single failure, it is not within the current plant licensing basis. Based on the current information available, the identified failure is being conservatively treated as a single failure which would result in this event being classified as a Condition II event. This conservative assumption of an increase in probability results in an Unreviewed Safety Question in accordance with 10CFR50.59.

Attachment 1 provides the detailed Engineering Evaluation in support of this Emergency License Amendment and the proposed compensatory actions in support of this amendment. As discussed in Attachment 2, PSE&G's conclusion is that granting this request would involve neither a Significant Hazards Consideration nor any irreversible environmental consequences.

This Emergency License Amendment request addresses the potential failure, and is requested in order to allow the safe restart and operation of Units 1 and 2. This Emergency License Amendment is

~

/

LO_o,o *'.),__*_____

9306220388 930617 PDR ADOCK 05000272 P PDR D'

Document Control Desk NLR-N93098 JUN 17 1993 considered an interim measure pending completion of ongoing actions and industry initiatives to resolve this concern.

Per discussion with NRC Region I and NRR on June 16,1993, this request for Emergency License Amendment supersedes the Justification for Continued Operation for Salem Unit 1 previously provided to the NRC in response to the NRC Confirmatory Action Letter dated June 6, 1993. Thus, this modifies the agreements reached in the referenced letter. It is recognized that Unit 2 will not restart until all of the actions of the Confirmatory Action letter are completed.

This request has been reviewed and recommended for approval by the Salem Station Operations Review Committee. A copy of this request for amendment has been sent to the State of New Jersey, in accordance with 10CFR50.91.

Sincerely, Attachment Affidavit C Mr. T. T. Martin, Administrator - Region I U. s. Nuclear Regulatory Commission 475 Allendale Road King of Prussia, PA 19406 Mr. J. c. Stone, Licensing Project Manager U. s. Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike Rockville, MD 20852 Mr. s. Barr (S09)

USNRC Senior Resident Inspector - Acting Mr. Kent Tosch, Manager, IV NJ Department of Environmental Protection Division of Environmental Quality Bureau of Nuclear Engineering CN 415 Trenton, NJ 08625

SS.

COUNTY OF SALEM J. J. Hagan, being duly sworn according to law deposes and says:

I am Vice President - Nuclear Operations of Public Service Electric and Gas Company, and as such, I find the matters set forth in the above referenced letter, concerning the Salem Generating Station, Unit Nos. 1 and 2, are true to the best of my knowledge, information and belief.

to~rne 1

Subscribed_ppd Sworn this /'JCf11l day of ~ 1993 SHERRY L. CAGLE NOTARY PUBLIC OF NEW JERSEY

'.> ., ((T My commission Expires March 5, 1997 My Commission expires on

Attachment 1 JUSTIFICATION FOR SGS UNITS 1 AND 2 RESTART AND OPERATION ROD CONTROL SYSTEM FAILURES TABLE OF CONTENTS

. It

1.0 INTRODUCTION

2.0 DESCRIPTION

OF ROD CONTROL SYSTEM FAILURE MODES 3.0 DISCUSSION OF SALEM LICENSING BASIS 4.0 ROD CONTROL SYSTEM SINGLE FAILURE ASSUMPTIONS/

DETECTABILITY 5.0 SAFETY ANALYSES 5.1 Key Assumptions 5.2 Evaluation Results 5.3 Conclusions 6.0 ADDITIONAL JUSTIFICATION 6.1 Rod Control System Alarms and Indications

  • 6.2 Operator Training 6.3 Procedures 6.4 Testing 7.0 ROD CONTROL SYSTEM OPERABILITY 8.0 ASSESSMENT OF UNIT 2 FAILURE ON SALEM UNIT 1

9.0 CONCLUSION

10.0 REFERENCES

JUSTIFICATION FOR SGS UNITS 1 AND 2 RESTART AND OPERATION ROD CONTROL SYSTEM FAILURES

1.0 INTRODUCTION

A failure in the Salem Generating Station (SGS) Unit 2 Rod Control System has been recently identified, which, coincident with a rod motion command, could result in abnormal operation of the Rod Cluster Control Assemblies (RCCA's).

On May 27, 1993, a failure in the rod control system caused a single rod to withdraw from the core 15 steps while the operator was applying a rod insertion signal. The failure, an integrated circuit on a slave cycler decoder card, disrupted the normal sequence of pulses that the rod control system sends to the rods in the selected bank. Normally on insert demand, the pulses are staggered in a sequence that leads to rod insertion. With the failure, the rod control system periodically sent simultaneous pulses to the movable gripper coil, lift coil, and stationary coil for each of the rods in the selected bank. Under these conditions, based on the preliminary investigation, each rod in the bank may either remain where it is or withdraw from the core when a rod movement demand occurs. When the rod control system is in the automatic mode of operation, a rod movement demand is generated automatically in response to changes in the turbine load and changes in the average reactor coolant temperature. Rod movement then occurs without any operator action until the demand is satisfied. When the rod control system is in the manual mode of operation, a rod movement demand is generated only in response to operator manipulation of the raise-lower pushbuttons, given no .

failures in the demand circuit.

The identified failure could potentially result in operation of the plant outside the design basis. Evaluation of the identified failure in accordance with 10 CFR 50.59 (Ref .8) has concluded that this potential single failure would be an Unreviewed Safety Question. The purpose of this evaluation is to ensure safe restart and continued operation of Salem Units 1 and 2 given the potential for this failure to occur.

The Salem Generating Station (SGS) Updated Final Safety Analysis Report (UFSAR) Sections 4.3 and 15.3~5.1 presently state that multiple failures would be required for a single rod withdrawal to occur. The single rod withdrawal event is generally treated as an ANSI N18.2 Condition III event (Infrequent Faults), for which the acceptance criteria allow a small percentage of fuel failure based on a low probability of occurrence.

  • The basis for this justification includes an evaluation of the licensing basis safety analyses to account for the effects of the identified failure. This evaluation conservatively demonstrates that no fuel design limits are exceeded for the affected transients, which is consistent with Condition II events (Events of Moderate Frequency), and 10CFRSO Appendix A, General Design Criterion (GDC) 25.

This safety analysis evaluation is predicated on the following:

The failure does not affect the ability of the Reactor Protection System to perform its intended safety function.

Reactor trip is not affected by the Rod Control System logic.

The failure is detectable based on periodic surveillance testing and control operator verification of rod position.

Although this failure is detectable with the rod control system in automatic, manual operation and modified surveillance testing during subcriticality provide further assurance of detecting the failure. Detectability and its significance relative to the safety analyses is discussed further in Section 4.0.

Although not credited in the analysis, alarms, administrative controls and compensatory measures implemented specifically in response to this event (Section 6.0) provide further assurance that the discovered failure will not result in any consequences adverse to public health and safety.

This evaluation bounds all of the possible rod movements described in Section 2.0 This justification for restart and operation assumes that the Rod Control System is placed in either the individual bank select, manual, or automatic modes of operation. This evaluation is valid for the present fuel loadings of Salem Unit 1 (cycle 11) and Salem Unit 2 (cycle 8) . Future fuel cycles will be analyzed to the same criteria presented in Section 5.0 of this document (or subsequent revisions) during the Core Reload Safety Evaluation 10CFR50.59 process.

In light of continuing activities, this justification for restart and operation is an interim document. Further investigations are underway to pursue long term resolution of the issue. Industry initiated investigations may also provide additional insights.

As these activities yield conclusive results, this justification for restart and operation will be revised to reflect the most current information and analyses.

2.0 DESCRIPTION

OF ROD CONTROL SYSTEM FAILURE MODES On May 27, 1993, a failure in the rod control system caused a single rod to withdraw while the operator applied a rod insertion motion command to the Shutdown Bank A (SDBA) . The remainder of the SDBA RCCA's remained stationary. The rod withdrawal was observed by the operator on the Individual Rod Position Indicator.

The Rod Control System logic is designed to provide an insertion or withdrawal direction command to the selected rod bank(s). The direction command establishes the sequence of Control Rod Drive Mechanism (CRDM) coil operation. When combined with a motion command, the direction command is designed to result in the proper number and sequence of RCCA steps. It is now known that.a card failure in the rod control system logic can result in an undesired "insert" or an undesired "withdraw" direction command.

It has been determined that the logic failure could result in rod motion only if a rod motion command exists. The following rod

.,1,

  • I movements are possible, given the presence of the discovered failure coincident with a motion command (Ref. 6):
1. Case 1 - Single failure that gives an insert direction command.

When a rod insertion motion command is given, all rods in the selected bank(s) will insert normally.

When a rod withdraw motion command is given, each rod in the selected bank(s) may either not move, or may withdraw. No rod will be capable of stepping in.

  • 2. Case 2 - Single failure that gives a withdraw direction command.

When a rod insertion motion command is given, each rod in the selected bank(s) may either not move, or may withdraw.

No rod will be capable of stepping in.

When a rod withdraw motion command is given, all rods in the selected bank(s) will withdraw normally.

3. Case 3 - A single gate failure that result in insertion and withdraw direction commands being present. (This is the case that existed in Salem Unit 2.)

Irrespective of whether an insertion or withdraw command is given, each rod in the selected bank, or banks if in overlap, may either not move, or may withdraw. No rod will be capable of stepping in.

For each of these cases the logic failure does not affect the reactor trip function.

3.0. DISCUSSION OF SALEM LICENSING BASIS A potential single failure that could cause a single or multiple rod withdrawal event without an urgent failure alarm involves a change to the current licensing basis for Salem Units 1 and 2.

UFSAR Section 15.3.5.1 states that a single RCCA withdrawal at power would result in an "urgent failure" and a rod "deviation alarm" on the control room console. An "urgent failuren annunciates in the control room and inhibits further rod withdrawal through the affected cabinet. During the actual failure, a "deviation alarm" was generated but an "urgent failure" was not received. Evaluation has concluded that for the experienced failure, the conditions for an "urgent failure" alarm were not satisfied. That is, the "urgent failure" should not have (and did not) actuate. No credit is taken in the safety analyses for the "urgent failure" alarm or its termination of rod movement. As discussed in Section 6.2, operators have been briefed that abnormal rod movement may occur without resulting in an "urgent failure" alarm.

UFSAR Sections 4.3 and 15.3.5.1 describe single rod withdrawal events, based on the assumption that multiple failures would be required for a single rod withdrawal to occur. Multiple rod withdrawals are not considered in the present SNGS licensing basis (except for the bank withdrawal events) .

UFSAR Section 15.3.5.1 classifies the single RCCA withdrawal at power accident as an ANSI N18.2 Condition III Event (Infrequent Fault) . This classification is based on the assumption that multiple independent equipment failures are required for a single RCCA withdrawal to occur. The current UFSAR RCCA withdrawal at power analysis indicates, based on F-delta-H calculations, that localized Departure From Nucleate Boiling would result. This is consistent with acceptance criteria for Condition III events (i.e., a small fraction of fuel may exceed its design limits).

Based on the assumption that a single failure of the rod control system may cause a single or multiple RCCA withdrawal event to occur, the RCCA withdrawal at power events have been conservatively evaluated, based on explic~t DNBR calculations, against the criteria for a Condition II event. This is accomplished by demonstrating that the Departure From Nucleate Boiling Ratio (DNBR) limit is not exceeded and, therefore, fuel design limits are maintained.

Per UFSAR Section 3.1, SNGS is committed to the intent of the General Design Criteria (GDC) of 10 CFR 50 Appendix A. General Design Criterion 25 states: "The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods. 11 Based on the previous assumption that multiple independent failures would be required to have a single rod withdrawal event, GDC 25 compliance is addressed in the UFSAR (Section 4.3.1.4 and 15.2) by demonstrating that a rod bank withdrawal would not result in exceeding any fuel design limits. The new assumption that a potential single failure can cause misoperation of a single or multiple RCCAs necessitates a reevaluation of compliance with GDC 25. The analyses summarized in Section 5.0 ensured continued compliance with GDC 25.

4.0 ROD CONTROL SYSTEM SINGLE FAILURE ASSUMPTIONS/DETECTABILITY Consistent with Westinghouse safety analysis methodology, control systems are not assumed to mitigate any UFSAR Chapter 15 transient. Random single failures of control systems are not considered provided they are detectable during normal operation or surveillance testing. This is based on the low probability of an initiating event coincident with a random single failure.

For the purposes of evaluating the UFSAR Chapter 15 safety analyses, the identified rod control system logic failure is defined as a detectable failure, based on the following.

The logic failure does not affect individual rod position indication, which is a direct measurement of the rods physical location. Therefore, comparison of the group step demand counter with the individual rod position indication is a means of verifying that the rods have responded per the motion command.

Technical Specification Surveillance 4.1.3.1.2 is applicable in MODES 1 and 2. It requires each full length rod not fully inserted in the core, to be moved at least 10 steps in either direction at least once per 31 days. The surveillance procedure requires an insertion of between 10 and 20 steps of motion, followed by a comparison of group step counter indication and individual rod position indication. The procedure then requires a withdrawal to the original position, followed by a final comparison of group step counter indication and individual rod position. This test, therefore, demonstrates proper operation of the group step demand counter and proper RCCA response.

  • Technical Specification surveillance 4.1.3.2.2 is applicable in MODES 3, 4, and 5, with the reactor trip system breakers in the closed position. It requires at least 10 steps of rod motion to verify that group step counter indication is consistent with the individual rod position. This test is required every 31 days for each bank that is not fully inserted.

Prior to each startup, a modified surveillance test will be performed at SNGS 1 and 2, to ensure that the failure does not exist. The test will be performed for all shutdown and control banks, and will begin from the fully inserted position (although Technical Specifications do not require testing for fully inserted banks) . Each bank will be tested after the trip breakers are closed and the rod drive motor-generato'r sets are energized, prior to withdrawing the banks for startup. The test will be performed by sequentially withdrawing and inserting each of the shutdown and control banks a minimum of ten steps, with the operator verifying that individual rod position matches group demand. While the test is being performed, current traces will be taken. These traces will indicate abnormalities if the failure is present. If the failure is present, the condition will be corrected and evaluated prior to commencing startup.

During normal surveillance testing, the only way the test would not detect the failure in the logic would be if all rods (i.e.,

all shutdown and control banks) operated normally despite the presence of an undesired insert direction command. If this is the case, the logic failure has no adverse affect on rod motion.

Therefore, normal 31 day surveillance testing is capable of detecting the ability of a logic failure to adversely affect rod motion.

The failure is also detectable during normal rod control system operation. The control operator compares the individual rod position indication to the demand counter whenever rods are moved. In accordance with the control room logs, individual rod position indication is also compared to group step demand once every four hours when the rod deviation alarm is inoperable. In the unlikely event the control operator does not detect a misalignment during rod motion with the failure present, it can be observed during this four hour check, subsequent to the rod motion that caused the misalignment.

Detectable control system failures are typically assumed to initiate events of moderate frequency. As a result, the rod control system single failure of concern in this evaluation, which is a detectable control system failure, has been considered an initiating event. However, it need not be considered coincident with (or instead of), the protection system single failure assumed in any of the UFSAR Chapter 15 safety analyses.

  • 5.0 SAFETY ANALYSES UFSAR Chapter 15 accident events were examined for adverse impact resulting from the postulated rod control system single failure.

Based on this review the only events that are potentially impacted are Rod Ejection (UFSAR Section 15.4.7), RCCA Misalignment (Dropped Rod) (UFSAR Section 15.2.3), Single RCCA Withdrawal At Power (UFSAR 15.3.5), Uncontrolled Boron Dilution (UFSAR Section 15.2.4), RCCA Bank Withdrawal At Power (UFSAR Section 15.2.2) and RCCA Bank withdrawal From Subcritical (UFSAR Section 15.2.1). In addition, a multiple asymmetric RCCA withdrawal both at power and from subcritical has been evaluated based upon the postulated failure scenario.

5.1 Key Assumptions Based on the PSE&G and Westinghouse investigations' into the effects of the identified failure summarized above, the evaluations of the UFSAR accident events are based on the following key assumptions:

Alarm Response - Consistent with the present UFSAR analysis assumptions, no analyses performed for this evaluation take additional credit for any alarms that may occur. The RCCA static misalignment event continues to credit Technical Specification 3/4.1.3.1, which prescribes surveillances and corrective measures for misaligned rods.

Single Failure of Control Systems - The identified rod control system logic failure that may cause single or multiple rod withdrawal has not been considered in addition to (or instead of) the protection system single failure assumed in any of the UFSAR Chapter 15 accident analyses. As a detectable failure (See Section 4.0), it is not assumed to pre-exist at the onset of any transient.

RCCA position will be maintained consistent with reactor coolant system Tavg measurements, within the rod speed controller deadband of +/-1.5 degree F of reference Tavg, consistent with the Precautions, Limitations, and Setpoints Document (Ref. 11).

Reactor Protection System Functions - No RPS functions are adversely affected by the identified rod control system logic failure.

Technical Specifications - The present Technical Specification Limiting Conditions of Operation (e.g., Power Distribution Limits, Rod Insertion Limits) establish the initial conditions for the evaluated transients.

  • 5.2 Evaluation Results 5.2.1 Rod Ejection As described in UFSAR Section 15.4.7, a rod ejection is caused by a mechanical failure of the control rod drive mechanism (CRDM) pressure housing which results in the instantaneous ejection of an RCCA and drive shaft. Neither single nor multiple failures in the rod control system can initiate a rod ejection event.

Therefore, the UFSAR analysis and conclusions are unaffected and remain valid considering the postulated single failure which may cause erratic RCCA withdrawal.

5.2.2 RCCA Misalignment UFSAR Section 15.2.3 describes the Condition II events of static misalignments and dropped RCCAs, groups, and banks. The static misalignment is not a concern given this failure since the Salem Technical Specifications prescribe recovery actions for a static misalignment. Since inadvertent RCCA insertion is not a consequence of this failure, there is no impact on the UFSAR dropped RCCA analyses. Any dynamic misalignments would continue to be addressed and bounded by the current dropped RCCA analyses presented in this UFSAR section.

In summary, this single failure will not' result in any RCCA misalignment (static or dynamic) which is worse than that already analyzed for the Salem licensing basis.

5.2.3 Uncontrolled Boron Dilution UFSAR Section 15.2.4 describes the Condition II event of an uncontrolled boron dilution. The dilution will result in a positive reactivity insertion and the power and temperature will rise until the reactor reaches the overtemperature delta T setpoint. This single failure will not change the reactivity insertion rate or the time at which the overtemperature delta T trip occurs, which is obtained from the UFSAR RCCA bank withdrawal at power analysis. Therefore, the boron dilution results presented in the UFSAR remain valid.

5.2.4 RCCA Bank Withdrawal At Power (Symmetric)

UFSAR Section 15.2.2 describes the Condition II event of an uncontrolled RCCA bank withdrawal occurring at various power levels (e.g., representative cases at 10%, 60% and 100% rated thermal power) . A wide range of reactivity insertion rates are assumed which bound the maximum number of RCCAs that can withdraw.

  • The high neutron flux and overtemperature delta T trip functions continue to provide automatic protection over the entire power and reactivity insertion ranges described in the UFSAR. The resulting minimum DNB ratios are always greater than the limit value. In summary, a single failure causing a symmetric RCCA withdrawal at all power levels is within Salem's current licensing basis and the UFSAR conclusions remain valid.

5.2.5 Single RCCA Withdrawal At Power This event is described in UFSAR Section 15.3.5 as withdrawal of a single RCCA from the inserted D-bank at full power operation.

As part of the current accident description, it is noted that no single electrical or mechanical failure in the rod control system can result in a accidental withdrawal of a single RCCA. The current UFSAR also states that in all cases it is not possible to provide assurance that the core safety limits are not violated.

It has been determined for Salem that, a potential single failure could cause a single (or multiple asymmetric) RCCA to withdraw.

A single RCCA withdrawal at power has been conservatively evaluated to meet the Condition II acceptance criteria. Thus, for this transient, fuel safety limits are shown to be met by demonstrating that the DNBR limit value is met.

Based on explicit analyses performed for Salem Units 1 and 2, the single RCCA withdrawal at power event was determined to be bounded by a multiple RCCA withdrawal of two adjacent D-bank RCCAs (one from each group) at full-power. This analysis, now termed Multiple RCCA Withdrawal at Power (Asymmetric), is discussed below.

5.2.6 Multiple Asymmetric RCCA Withdrawal At Power Case Given the potential single failure, any number of RCCAs (up to

17) can experience uncontrolled withdrawal.
1. Above 68% power, any number of the nine group 1 and 2 D-bank RCCAs could withdraw on an insert or withdraw demand. The maximum number of RCCAs which are not bounded by the RCCA Bank Withdrawal at Power analysis is 8 (one less than a complete bank withdrawal) . For this scenario, the most limiting case is the witpdrawal of two adjacent D-bank RCCAs (one from each group) .

The basis for this statement is due to the core physics response.

If more than two RCCAs are withdrawn, the maximum peaking factor will be reduced as a result of the flattened power distribution.

2. Between 15% and 68% power, any combination of the nine D-bank and eight C-bank RCCAs could withdraw on an insert or withdraw signal. The maximum number of RCCAs which are not bounded by the RCCA Bank Withdrawal at Power analysis is 16 (one less than the two complete banks) . Since the DNB benefit gained by the reduction in power more than off sets the increased peaking factors, there is no combination of asymmetric withdrawals at

these power levels that is more limiting than item 1 above. This has been confirmed by explicit analyses for Units 1 and 2.

3. Below 15% power, the worst scenario - all RCCAs at their insertion limits - is that any combination of the eight C-bank RCCAs and the B-bank RCCAs (4 four Unit 1 and 8 for Unit 2) could withdraw on an insert or withdra*w signal. The maximum number of RCCAs which are not bounded by the RCCA Bank Withdrawal at Power analysis is 11 for Unit 1 and 15 for Unit 2 (one less than the two complete banks) Again, since the DNB benefit gained by the reduction in power more than off sets the increased peaking factors, there is no combination of asymmetric withdrawal at these power levels that is more limiting than item 1 above. This has been confirmed by explicit analyses for Units 1 and 2.

Salem Unit 1 and 2 analyses were performed to address the RCCA withdrawal at power case. The standard NRC-approved method described in WCAP-9272 was employed. A 1.08 design allowance (consistent with WCAP-7308) was made for the hot rod F-delta-H calculations. Consistent with the current licensing-basis analysis in UFSAR Section 15.3.5, no rod deviation or rod control urgent failure alarm or operator action was assumed. The analyses concluded that the DNB design basis continued to be met for the limiting case, and thus, there were no fuel failures given the rod control system failure.

In conclusion, based on the explicit analyses performed for Units 1 and 2, an asymmetric RCCA withdrawal at any power level would not result in any fuel failures at Salem. This is in compliance with GDC-25.

5.2.7 Symmetric RCCA Bank Withdrawal From Subcritical Case UFSAR Section 15.2.1 discusses this Condition II event, the uncontrolled addition of reactivity to the reactor core caused by withdrawal of RCCAs resulting in a power excursion. This transient could be caused by a single malfunction in the rod control system at subcritical, hot zero power, or at power. The at power case is presented above in the RCCA Bank Withdrawal At Power section.

The maximum reactivity insertion rate analyzed in the UFSAR is greater than that occurring from a simultaneous withdrawal of the combination of two control banks having the maximum combined worth at maximum speed (rod speed is not affected by this failure) . The neutron flux response to a continuous reactivity insertion is characterized by a very fast rise terminated by the reactivity feedback effect of the negative Dapple; coefficient.

This limits the power to a tolerable level during the delay time for protection action. The transient will be terminated by an automatic feature of the reactor protection system. In summary, a single failure causing a symmetric RCCA withdrawal from subcritical or hot zero power conditions is within Salem's current licensing basis and the UFSAR conclusions remain valid.

5.2.8 Asynunetric RCCA Withdrawal From Subcritical Case This is defined as a single or multiple asymmetric withdrawal of RCCAs from subcritical or hot zero power conditions. The rod control system is maintained in the manual mode while the reactor is subcritical. The UFSAR Section 15.2 analysis for an uncontrolled bank withdrawal is based on a single malfunction of the rod control system or control rod drive system, and shows that DNBR would remain above the design limit. It is judged extremely unlikely that any single failure could result in a spurious motion demand coincident with the direction command logic failure. However, if one were to assume that such a failure did occur and an asymmetric rod withdrawal resulted, it is reasonable to conclude that operator action would be expeditiously taken to prevent challenging fuel integrity. The worst case scenario would be for the rod withdrawal to occur at the point when the reactor is critical. At the point when the operator takes the reactor critical, motion continues with no demand (i.e., the rod direction pushbutton is released). Since rod speed is not affected by the failures, the rods step out at a rate of 48 steps per minute.

Identification would be almost immediate due to the continuous observation of the IRPI's and the bank demand counters changing both audibly and visually. The action taken would be to trip the reactor as required by the Abnormal Operating Procedure 81(2) .OP-AB.ROD-0003(Q), "Continuous Rod Motion," and reinforced by training exercises.

Although it is reasonable to credit operator action for mitigating this type accident, administrative measures will be imposed to preclude achieving criticality should a asymmetric rod withdrawal accident occur. This will be accomplished by maintaining the reactor coolant system boron concentration sufficient for the reactor core to remain subcritical even if all rods are postulated to spontaneously move to their fully withdrawn position. Rod withdrawal to the desired critical rod configuration will be performed prior to a boron dilution to criticality. Thus the DNBR limit could not be challenged for a continuous rod withdrawal from subcritical, even with no operator response. This approach to criticality is similar to that used for the initial fuel cycle startup.

Once criticality is achieved, any subsequent asymmetric rod movement that might occur would be bounded by the previously discussed analysis of Multiple RCCA Withdrawal at Power (Asymmetric) .

5.3 Summary of Safety Analyses UFSAR Chapter 15 accident analyses have been evaluated to account for the possible effects of the failure. The evaluation considered the failure to be a single failure, and applied the criteria of 10CFR50, Appendix A General Design Criterion 25.

  • The evaluation concluded that the DNB design limits for the fuel continued to be met.

6.0 ADDITIONAL CONSIDERATIONS FOR RESTART AND OPERATION 6.1 Rod Control System Alarms and Indications The following alarms are designed to provide the operator with indications of abnormal rod control system operation. No analyses performed specifically for this evaluation take credit for any alarms that may occur or resulting operator action.

However, credit can be taken for operators to ensure alignment within the +/- 12 step Technical Specification allowance.

Reactor Coolant Temperature Deviation Alarms - The alarms listed below are annunciated on the control console and provide indication that asymmetric bank movement might have occurred in a particular region of the core resulting in an uneven increase in Reactor Coolant temperature.

RC Loop D/T Deviation RC Loop Tavg Deviation Tavg RC Tavg - Tref Deviation The Tavg and (Tavg - Tref) alarms also annunciate if rod position is not maintained consistent with Tavg.

Deviation Alarm - A rod deviation alarm is provided on the Overhead Annunciator (OHA) Windows. OHA Window E-24, "ROD DEV OR SEQ" is generated if any two rods in a given bank are more than 12 steps apart or if any rod deviates from the bank position by 12 steps. No automatic actuations are associated with this alarm. If a rod deviation does occur, the operator is alerted and responds in accordance with alarm response procedures (Sl or S2.0P-AR.ZZ-OOOS(Q) for E OHAs). These procedures ensure the operator investigates, takes corrective actions, and enters Technical Specification action statements as required. Technical Specification LCO 3.1.3.1 requires each rod to be operable and positioned to within 12 steps of its group step counter demand position within one hour after rod motion.

Individual Rod Position Indication (IRPI) - Visual indication of rod position is provided to the operators via the Individual Rod Position Indication (IRPI) system. The IRPI's are not affected by the rod control system failure mechanism under consideration.

Each indicator is derived from a signal based on the rods' actual physical location rather than the demanded position.

Rod Insertion Limit (RIL) Alarms - RIL alarms give the operator advance warning of bank insertion demand in excess of rod insertion limits. The failure does not affect the demand sent to the RIL circuits. The Rod Insertion Limits for Control Banks B,

C and D are given in Technical Specification Table 3.1-1. Control Bank A is withdrawn when the reactor is critical. The computer uses the difference in reactor coolant system temperature across the core to calculate the RIL. This delta-T is a direct correlation to reactor power and thus can be used to compare against the Technical Specification limit. The calculated limit is compared to actual bank demanded position as determined by the pulse to analog converter from the data logging cards.

Two OHA rod insertion limit alarms are provided. OHA E-8, "ROD INSERT LMT LO" alarms if one or more control banks are within 10 steps of the insertion limit. OHA E-16, "ROD INSERT LMT LO-LO" alarms if one or more control banks are at the insertion limit.

Operators respond to these alarms in accordance with alarm response procedures (Sl or S2.0P-AR.ZZ-0005(Q) for E Windows).

For a "ROD INSERT LMT LO" alarm, the operator is directed to identify the affected rod bank and determine if it is a dropped rod or rod misalignment event. For a "ROD INSERT LMT LO-LO" alarm, the operator is directed to identify the affected rod bank and commence rapid boration in accordance with the procedure.

Both alarm procedures ref er the operator to Technical Specifications.

Determination of rod position for the insertion limit alarms is based on position demanded, not by the physical position as determined by the individual rod position indicators. Therefore, the RIL alarms will be received if an insertion demand exceeds the alarm setpoints, regardless of whether the RCCAs are moving as demanded.

Symptoms of misaligned rods also include abnormal variations in axial flux distribution (AFD) and quadrant power distribution.

AFD is indicated on the control console with alarm annunciation when flux distribution is outside the allowable band. The quadrant power tilt ratio (QTPR) is continuously monitored by the upper section/lower section deviation alarm by comparing the difference in the detected power range flux. If the overhead deviation alarm is received, a hand calculation is performed to verify QPTR. Depending on the symmetry of the misaligned rod(s),

it is possible to have significant misalignment that would not satisfy the alarm conditions. However, these alarms provide an additional means of detecting any rod misalignment that would result in abnormal AFD or QPTR. In addition, monthly core-Flux mapping surveillances provide an additional opportunity to detect severe RCCA misalignments.

6.2 Operator Training Reactivity manipulations are a key element in the training of reactor operators. Operators are trained to confirm any movement of rods either in auto or manual with the anticipated plant response. Heightened awareness during startup is emphasized with the operating crew during startup training conducted at the Training Center, as well as just prior to the actual plant

startup. Continuous comparison of bank demand versus actual position is performed during the approach to criticality as well as administrative stops to compare these indications. The operators are required to stop rod movement should any deviation from the anticipated response occur and enter the appropriate procedure, (eg., Abnormal, alarm response, etc.).

The active control room operating crews, and operations staff personnel, have been briefed on the potential for misoperation of the rod control system. An Operations Department temporary standing order directs the operator to carefully monitor rod position during any manual rod movements, noting that withdrawal may occur instead of insertion, or that less than the full group or bank may withdraw upon a withdrawal command. The temporary standing order will be amended to allow automatic rod control based upon analyses presented in Section 5.0. The temporary standing order also states that abnormal rod movement may occur without resulting in an urgent failure alarm. Each supervisor and control operator will review the actions of the standing order prior to assuming the watch.

Startup training is performed on the simulator at the Nuclear Training Center prior to unit startup. This training is provided for licensed personnel that participate in the actual plant startup and will include the potential effects of this failure.

Emphasis will be placed on the importance of readily identifying and taking the appropriate actions for any abnormal response of the RCCA's. These actions will include reference to the appropriate Abnormal Operating Procedure as outlined below.

6.3 Procedures Control Operators enter Abnormal Operating Procedure S2.0P-AB.ROD-0001(Q), "Immovable/Misaligned Rods," on any indication that one or more rods are not responding to demand signals, or are misaligned by 12 or more steps from the respective bank. This procedure provides the direction necessary to:

a. Stabilize plant conditions in the event that one or more control rods indicate misalignment or the inability to move,
b. Determine if a rod position indication failure has occurred or if rods are actually misaligned,
c. Determine if a control system malfunction has occurred which prevents rod motion in the absence of an Urgent Failure Alarm,
d. Maintain plant control with an Urgent Failure Alarm,
e. Realign a mispositioned control rod,
f. Comply with Technical Specification requirements, as appropriate.

This procedure has been reviewed and determined to provide adequate guidance to ensure adequate diagnostics and subsequent actions are taken should any rod movement occur that is indicative of a logic failure. Other related procedures have been reviewed and are not impacted by a failure in the rod control logic.

In accordance with the current operating procedure, the rod bank selector switch is positioned to Shutdown Bank A (SDBA) prior to energizing the rod control system. It is maintained in that position after the rod drive system is energized and before any rod withdrawal prior to startup or testing. By keeping the selector switch on SDBA, the potential for rods to inadvertently withdraw in any bank other than SDBA is reduced. With the plant in the condition with rod control energized capable of moving rods and all control banks inserted, the operator can initially focus on SDBA should he be alerted to a spurious rod withdrawal.

This selector switch is sequenced through the shutdown banks until all shutdown rods are out, then placed in manual (i.e, overlap) for the remainder of the reactor startup. Automatic rod control is used above 15% turbine power.

6.4 Testing Prior to startup for each unit, a modified version of surveillance test 4.1.3.2.2 will be performed prior to control rod withdrawal in order to detect and correct the failure prior to startup. This test is described in more detail in Section 4.0.

For Salem Unit 2, Surveillance Test 4.1.3.1.2 will be performed weekly for two weeks, biweekly for two cycles, and monthly thereafter. This will provide an added level of confidence that this failure is not present.

7.0 ROD CONTROL SYSTEM OPERABILITY Technical Specification 3/4.1.3, Movable Control Assemblies, establishes operability and surveillance requirements for control rods and their position indicating systems. The bases for these Technical Specifications include assurance that fuel integrity is maintained for Condition I (Normal Operation) and Condition II (Incidents of Moderate Frequency) events. Fuel integrity is maintained by demonstrating that DNBR in the core remains greater than or equal to the design limit following such events. This evaluation demonstrates that the Condition II criteria are met for rod withdrawal events based on the present plant Technical Specifications.

8.0 ASSESSMENT OF UN!T 2 FAILURE ON SALEM UNIT 1 The failure of the logic card experienced on Salem Unit 2 is believed to be isolated to that unit. The Rod Control System had undergone Westinghouse-recommended preventative maintenance during the Unit 2 refueling outage. During this activity, the cards were removed, tested and inspected. Failed cards were repaired before being inserted back into the system.

Unit 1 cards have been in place unhandled since the 1988 when this same maintenance was performed. Since this time, numerous rod manipulations have been.performed without failure, including:

reactor startups, numerous normal power reductions and escalations, transient responses, and rod surveillances in accordance with Technical Specifications. During the last Unit 1 refueling outage, a system checkout was performed, during which any abnormalities would have been detected. Any failures that might have been induced due to the preventive maintenance activities would have been detected by this time.

In summary, failed cards are not expected to exist at Unit 1.

However, PSE&G has conservatively opted to impose the same compensatory actions proposed for Unit 2. These include:

performing a new surveillance test prior to startup, diluting to criticality on the next startup, ensuring operators are cognizant of the failure symptoms and applicable responses.

9.0 CONCLUSION

S The potential single failure has been conservatively evaluated against the criteria for a Condition II event. This failure is detectable via surveillance testing and normal operation, and is treated as such in the evaluation. Based on this evaluation, the DNBR design limit is met. Compensatory measures relative to testing and operator training, combined with existing alarms and procedures, provide assurance that should the failure occur, it would be readily detected and corrected. Therefore, startup and continued operation of Salem Units 1 and 2 would not result in any condition adverse to safety.

10.0 REFERENCES

1. 10CFRSO, Appendix A, General Design Criterion 25 2.. ANSI N18.2-1973, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants," 1973.
3. SGS Updated Final Safety Analysis Report
4. Salem Unit 1 Technical Specifications up to and including Amendment 138-I.
  • 5. Salem Unit 2 Technical Specifications up to and including Amendment 118-II.
6. Westinghouse Letter PSE-93-631 dated June 11, 1993, "Results of Control Rod System Failure Investigation for Use in Salem Startup Justification."
7. Westinghouse Letter ET-NSL-OPL-II-93-274 dated June 10, 1993, "Public Service Electric and Gas Company, Salem Units 1 and 2 Safety Evaluation for Safe Startup and Operation".
8. 10 CFR 50.59 Evaluation for DEF DES-93-0146
9. Engineering Discrepancy DES-93-0146
10. Precautions, Limitations, and Setpoints Doc~ent, Revision 19 1/3/91.

I

  • NLR-N93098 ATTACHMENT 2 1.0 EMERGENCY REQUEST FOR LICENSE AMENDMENT UFSAR Sections 4.3 and 15.3.5.1 are based on the assumption that multiple failures would be required for a single rod withdrawal.

to occur. At the present time, multiple rod withdrawal events are not considered in the present Salem Generating Station (SGS) licensing basis (except for the bank withdrawal events) .

However, a failure in the rod control system logic has been identified that can cause withdrawal of a single or multiple Rod Cluster Control Assemblies (RCCA) . The potential single failure that may result in a rod withdrawal event requires a license amendment to address the impact of this failure and ensure compliance with 10CFR50, Appendix A, General Design Criterion (GDC) 25. This change to the SGS licensing basis has been evaluated in accordance with 10CFR50.59, which concluded, based on the current information available, that this issue is considered an Unreviewed Safety Question.

PSE&G hereby requests an Emergency License Amendment to support safe restart and operation of Salem Units 1 and 2 with the rod control system placed in either the automatic or manual mode of operation. Reactor startup will be accomplished by pulling the rods to the desired critical position, followed by boron dilution to achieve criticality. The License Amendment will be implemented as an interim measure pending completion of ongoing actions and industry initiatives to resolve this concern.

This request is based upon re-evaluation of the the SGS licensing basis safety analyses which are potentially affected by the identified failure. This re-evaluation is contained in Attachment 1.

The following evaluation has determined that the proposed changes to the SGS licensing basis does not involve a Significant Hazards Consideration in support of an Emergency License Amendment request as discussed in Section 3.0 below.

Compensatory actions which have been implemented to support this change to the licensing basis are described in Attachment 1.

2.0 BASIS FOR REQUESTING EMERGENCY APPROVAL Upon discovery of the RCCA withdrawal single failure scenario, timely actions were taken to investigate its potential impact on the licensing basis safety analyses. Considerable effort on the part of PSE&G and Westinghouse has been made to determine the

-2~

effects of the Rod Control System failure, and to reevaluate the safety analyses affected by the failure. The results of those efforts establish the basis for this request, which could not have been submitted prior to achieving an adequate understanding of the potential effects of this newly discovered condition.

PSE&G believes the delay in restart and operation of the SGS associated with the normal amendment process is not warranted.

Therefore, the emergency provisions of 10CFR50.91 are requested.

3.0 10CFR50.92 SIGNIFICANT HAZARDS CONSIDERATION ANALYSIS PSE&G has, pursuant to 10CFR50.92, reviewed the proposed license amendment to determine whether our request involves a Significant Hazards Consideration. It has been determined that:

1) The operation of Sa1em Generating Station in accordance with the proposed change wi11 not invo1ve a significant increase in the probabi1ity or consequences of an accident previous1y eva1uated.

UFSAR Chapter 15 accident analyses which may be affected by the observed rod control system failure causing inadvertent RCCA withdrawal have been identified. The probability of the Single RCCA Withdrawal at Power event discussed in UFSAR section 15.3.5 is considered to be increased since only multiple failures were previously considered to cause this event. The analysis contained in UFSAR Section 15.3.5 was previously evaluated against the criteria of a Condition III event. The reanalysis of this event considered the more stringent criteria of a Condition II event. The analysis concluded that the DNB design limits for the fuel continued to be met in accordance with GDC 25.

Therefore, although the probability of this event has theoretically increased, this increase is not considered significant since the criteria for a Condition II event as defined in ANSI N18.2 have been conservatively demonstrated to be met (i.e., although the probability of the event has increased, the consequences meet the more stringent Condition II criteria) .

Therefore, the proposed license amendment does not involve a significant increase in the probability or, consequences of any accident previously evaluated.

2) The operation of Sa1em Generating Station in accordance with the proposed change does not create the possibi1ity of a new or different kind of accident from any accident previous1y eva1uated.
  • A spectrum of RCCA withdrawal events is documented in the Salem licensing basis. A symmetric RCCA group/bank withdrawal event from subcritical is analyzed and presented in UFSAR section 15.2.1 and a symmetric RCCA group/bank withdrawal at power is analyzed and presented in UFSAR Section 15.2.2. The single RCCA

withdrawal event is analyzed and presented in Section 15.3.5 of the Salem UFSAR but assumes that initiation can only occur as a result of multiple failures. This event, although now potentially caused by a single failure, is not considered to be an event which is different than already evaluated.

Given that this failure could cause the asymmetric withdrawal of more than one RCCA, which is not currently analyzed for the UFSAR, new RCCA withdrawal cases have been postulated. However, based on the guidelines of the Standard Review Plan (section 15.4.3), this postulated scenario only represents a variation of the reactivity and power distribution anomalies that are currently addressed in the Salem licensing basis and is not considered to be a new event of a different type. Thus, although it requires reanalysis of the RCCA withdrawal event, the assumed single failure does not create the possibility of an accident that is different than that already evaluated.

Therefore, the proposed license amendment does not create the possibility of a new or different kind of accident from any previously evaluated.

3) The operation of Salem Generating Station in accordance with the proposed change does not involve a significant reduction in a margin of safety.

The rod control system failure and subsequent RCCA withdrawal will have no affect on the availability, operability or performance of any safety-related equipment required for accident mitigation. Operation in automatic, or manual control and criticality achieved through boron dilution will ensure that the requirements of GDC 25 will continue to be satisfied. Any potential releases resulting from RCCA withdrawals will remain within the limits of 10CFR20 and 10CFRlOO limits. Therefore, the proposed license amendment does not involve a significant reduction in a margin of safety.

Determination that the Reguest does not Involve Irreversible Environmental Conseguences

. The requested amendment would modify the SGS licensing basis to account for a Rod Control System failure mechanism.

The requested amendment would not allow for any increase to the amount or type of any effluent released offsite. Manual or automatic operation of the rod control system does not affect radiation exposure to personnel. As provided above, PSE&G's conclusion is that the proposed amendment does not require a Determination of No Significant Hazards Consideration.

Therefore, the request does not involve any irreversible environmental consequences.