ML20080J401

Proposed Changes to Tech Specs Re Bypassing of Reactor Protective Sys & ESF Channels
Accession number: ML20080J401
Site: Fort Calhoun (Omaha Public Power District)
Issue date: 09/20/1983
From: Omaha Public Power District
Shared Package: ML20080J399
References: NUDOCS 8309260347



ATTACHMENT A

8309260347 830920 PDR ADOCK 05000285 P PDR

2.0 LIMITING CONDITIONS FOR OPERATION

2.15 Instrumentation and Control Systems

Applicability

Applies to plant instrumentation systems.

Objective

To delineate the conditions of the plant instrumentation and control systems necessary to assure reactor safety.

Specifications

The operability of the plant instrument and control systems shall be in accordance with Tables 2-2 through 2-5.

(1) In the event the number of channels of a particular system in service falls one below the total number of installed channels, the inoperable channel shall be placed in either the bypassed or tripped condition within one hour if the channel is equipped with a key operated bypass switch, and eight hours if jumpers or blocks must be installed in the control circuitry.

The inoperable channel may be bypassed for up to 48 hours from time of initial loss of operability; however, if the inoperability is determined to be the result of malfunctioning RTDs or nuclear detectors supplying signals to the high power level, thermal margin/low pressurizer pressure, and axial power distribution channels, these channels may be bypassed for up to 7 days from time of initial loss of operability.

If the inoperable channel is not restored to operable status after the allowable time for bypass, it shall be placed in the tripped position or, in the case of malfunctioning RTDs or linear power nuclear detectors, the reactor shall be placed in hot shutdown within 12 hours. If active maintenance and/or surveillance testing is being performed to return a channel to active service or to establish operability, the channel may be bypassed during the period of active maintenance and/or surveillance testing. This specification applies to the high rate trip-wide range log channel only during plant startup or when the plant is critical and is operating below 15% of rated power. Otherwise, if one high rate trip-wide range log channel becomes inoperable, that channel may be bypassed indefinitely.

(2) In the event the number of channels of a particular system in service falls to the limits given in the column entitled "Minimum Operable Channels", one of the inoperable channels must be placed in the tripped position or low level actuation permissive position for the auxiliary feedwater system within one hour, if the channel is equipped with a bypass switch, and within eight hours if jumpers or blocks are required. If the channel has not been restored to operable status after 48 hours, the reactor shall be placed in a hot shutdown condition within 12 hours; however, operation can continue without containment ventilation isolation signals available if the containment ventilation isolation valves are closed. If after 24 hours from time of initiating a hot shutdown procedure the inoperable engineered safety features or isolation functions channel has not been restored to operable status, the reactor shall be placed in a cold shutdown condition within 24 hours. This specification applies to the high rate trip-wide range log channel only during plant startup or when the plant is critical and is operating below 15% of rated power.

Amendment No. [partly illegible], 65

(3) In the event the number of channels of a particular system in service falls below the limits given in the columns entitled "Minimum Operable Channels" or "Minimum Degree of Redundancy", except as conditioned by the column entitled "Permissible Bypass Conditions", the reactor shall be placed in a hot shutdown condition within 12 hours; however, operation can continue without containment ventilation isolation signals available if the ventilation isolation valves are closed. If minimum conditions for engineered safety features or isolation functions are not met within 24 hours, the reactor shall be placed in a cold shutdown condition within 24 hours. If the number of operable high rate trip-wide range log channels falls below that given in the column entitled "Minimum Operable Channels" in Table 2-2 and reactor startup is in progress or the plant is critical with power operation below 15% of rated power, the plant startup or reactor critical operation should be discontinued and the plant placed in an operational mode allowing repair of the inoperable channels before startup or reactor critical operation may proceed.

If, during power operation, the rod block function of the secondary CEA position indication system and rod block circuit are inoperable for more than 24 hours, or the plant computer PDIL alarm, CEA group deviation alarm and the CEA sequencing function are inoperable for more than 48 hours, the CEAs shall be withdrawn and maintained at fully withdrawn and the control rod drive system mode switch shall be maintained in the off position except when manual motion of CEA Group 4 is required to control axial power distribution.

Basis

During plant operation, the complete instrumentation systems will normally be in service. Reactor safety is provided by the reactor protection system, which automatically initiates appropriate action to prevent exceeding established limits.

Safety is not compromised, however, by continuing operation with certain instrumentation channels out of service since provisions were made for this in the plant design. This specification outlines limiting conditions for operation necessary to preserve the effectiveness of the reactor control and protection system when any one or more of the channels are out of service.

All reactor protection and almost all engineered safety feature channels are supplied with sufficient redundancy to provide the capability for channel test at power, except for backup channels such as derived circuits in engineered safeguards control system.

When one of the four channels is taken out of service for maintenance, the protective system logic can be changed to a two-out-of-three coincidence for a reactor trip by bypassing the removed channel. If the bypass is not effected, the out-of-service channel (Power Removed) assumes a tripped condition (except high rate-of-change of power, high power level and high pressurizer pressure),(1) which results in a one-out-of-three channel logic. If in the 2 of 4 logic system of the reactor protective system one channel is bypassed and a second channel manually placed in a tripped condition, the resulting logic is 1 of 2. At rated power, the minimum operable high-power level channels is 3 in order to provide adequate power tilt detection. If only 2 channels are operable, the reactor power level is reduced to 70% rated power which protects the reactor from possibly exceeding design peaking factors due to undetected flux tilts and from exceeding dropped CEA peaking factors.

All engineered safety features are initiated by 2-out-of-4 logic matrices except containment high radiation which operates on a 1-out-of-5 basis.

The engineered safety features system provides a 2 of 4 logic on the signals used to actuate the equipment connected to each of the two emergency diesel generator units.

Amendment No. [illegible] 43

The rod block system automatically inhibits all CEA motion in the event a Limiting Condition for Operation (LCO) on CEA insertion, CEA deviation, CEA overlap or CEA sequencing is approached. The installation of the rod block system ensures that no single failure in the control element drive control system (other than a dropped CEA) can cause the CEA's to move such that the CEA insertion, deviation, sequencing or overlap limits are exceeded. Accordingly, with the rod block system installed, only the dropped CEA event is considered an AOO and factored into the derivation of the Limiting Safety System Settings and Limiting Conditions for Operation. With the rod block function out-of-service several additional CEA deviation events must be considered as AOO's. Analysis of these incidents indicates that the single CEA withdrawal incident is the most limiting of these events. An analysis of the at-power single CEA withdrawal incident was performed for Fort Calhoun for various initial Group 4 insertions, and it has been concluded that the Limiting Conditions for Operation (LCO) and Limiting Safety System Settings (LSSS) are valid for a Group 4 insertion of less than or equal to 15%.

References

(1) USAR, Section 7.2.7.1

TABLE 2-2

Instrument Operating Requirements for Reactor Protective System

| No. | Functional Unit | Minimum Operable Channels | Minimum Degree of Redundancy | Permissible Bypass Condition | Test, Maintenance & Inoperable Bypass |
|---|---|---|---|---|---|
| 1 | Manual (Trip Buttons) | 1 | None | None | N/A |
| 2 | High Power Level | 2(b)(c) | 1(c) | Thermal Power Input Bypassed Below 10^-4% of Rated Power (a)(d) | (e)(f) |
| 3 | Thermal Margin/Low Pressurizer Pressure | 2(b) | 1 | Below 10^-4% of Rated Power (a)(d) | (e)(f) |
| 4 | High Pressurizer Pressure | 2(b) | 1 | None | (e) |
| 5 | Low R.C. Flow | 2(b) | 1 | Below 10^-4% of Rated Power (a)(d) | (e) |
| 6 | Low Steam Generator Water Level | 2/Steam Gen (b) | 1/Steam Gen | None | (e) |
| 7 | Low Steam Generator Pressure | 2/Steam Gen (b) | 1/Steam Gen | Below 550 psia (a)(d) | (e) |
| 8 | Containment High Pressure | 2(b) | 1 | During Leak Test | (e) |
| 9 | Axial Power Distribution | 2(b)(c) | 1(c) | Below 15% of Power | (e)(f) |
| 10 | High Rate Trip-Wide Range Log Channels | 2(b) | 1 | Below 10^-4% and Above 15% of Rated Power (a) | (g) |
| 11 | Loss of Load | 2(b) | 1 | Below 15% of Rated Power | (e) |

a Bypass automatically removed.

b If minimum operable channel conditions are reached, one inoperable channel must be placed in the tripped condition within one hour from the time of discovery of loss of operability. The remaining inoperable channel may be bypassed for 48 hours and, if an inoperable channel is not returned to operable status within this time frame, a unit shutdown must be initiated. (See Specification (2) and exception associated with the high rate trip-wide range log channel.)

Amendment No. 60

TABLE 2-2 (Continued)

c If two channels are inoperable, load shall be reduced to 70% or less of rated power.

d For low power physics testing this trip may be bypassed up to 10^-1% of rated power.

e If one channel becomes inoperable, that channel may be bypassed for 48 hours. If not returned to operable status within this time frame, the channel must be placed in the tripped condition. (See Specification (1) and associated exceptions.)

f If the inoperable channel is determined to be caused by malfunctioning RTD's or nuclear detectors, the channel may be bypassed for up to 7 days from time of discovery of loss of operability. If not returned to operable status within this time frame, the unit must be placed in hot shutdown within 12 hours.

g One inoperable channel may be bypassed for an unlimited time period.

TABLE 2-3

Instrument Operating Requirements for Engineered Safety Features

| No. | Functional Unit | Circuit | Minimum Operable Channels | Minimum Degree of Redundancy | Permissible Bypass Conditions | Test, Maintenance & Inoperable Bypass |
|---|---|---|---|---|---|---|
| 1 | Safety Injection | | | | | |
| | A Manual | | 1 | None | None | N/A |
| | B High Containment Pressure | A | 2(a)(d) | 1 | During Leak Test | (f) |
| | | B | 2(a)(d) | | | |
| | C Pressurizer Low/Low Pressure | A | 2(a)(d) | 1 | Reactor Coolant Pressure Less Than 1700 psia (b) | (f) |
| | | B | 2(a)(d) | 1 | | |
| 2 | Containment Spray | | | | | |
| | A Manual | | 1 | None | None | N/A |
| | B High Containment Pressure | A | 2(a)(c)(d) | 1 | During Leak Test | (f) |
| | | B | 2(a)(c)(d) | 1 | | |
| | C Pressurizer Low/Low Pressure | A | 2(a)(c)(d) | 1 | Reactor Coolant Pressure Less Than 1700 psia (b) | (f) |
| | | B | 2(a)(c)(d) | 1 | | |
| 3 | Recirculation | | | | | |
| | A Manual | | 1 | None | None | N/A |
| | B SIRW Tank Low Level | A | 2(a)(d) | 1 | None | (f) |
| | | B | 2(a)(d) | 1 | | |
| 4 | Emergency Off-Site Power Trip | | | | | |
| | A Manual | | 1(*) | None | None | N/A |
| | B Emergency Bus Low Voltage (Each Bus) | | | | | |
| | - Loss of Voltage | | 2(d) | 1 | Reactor Coolant Temperature Less Than 300°F | (f) |
| | - Degraded Voltage | | 2(a)(d) | 1 | | |
| 5 | Auxiliary Feedwater | | | | | |
| | A Manual | | 1 | None | None | N/A |
| | B Auto. Initiation | A, B | | | Operating Modes 3, 4, and 5 | |
| | - Steam Generator Low Level | | 2(a)(d) | 1 | | (h) |
| | - Steam Generator Low Pressure | | 3(a)(g) | 1 | | (i) |
| | - Steam Generator Differential Pressure | | 3(a)(g) | 1 | | (i) |

Amendment No. [illegible], 65

a A and B actuation circuits each have 4 channels.

b Auto removal of bypass above 1700 psia.

c Coincident high containment pressure and pressurizer pressure low signals required for initiation of containment spray.

d If minimum operable channel conditions are reached, one inoperable channel must be placed in the tripped condition within eight hours from the time of discovery of loss of operability. The remaining inoperable channel may be bypassed for 48 hours and, if an inoperable channel is not returned to operable status within this time frame, a unit shutdown must be initiated [see Specification (2)].

e Control switch on incoming breaker.

f If one channel becomes inoperable, that channel must be placed in the tripped or bypassed condition within eight hours. If bypassed and that channel is not returned to operable status within 48 hours, that channel must be placed in the tripped condition within eight hours. (See Specification (1) and exception associated with maintenance.)

g Three channels required because bypass or failure results in auxiliary feedwater actuation block in the affected channel.

h If one channel becomes inoperable, that channel must be placed in the actuation or bypassed condition within eight hours. If bypassed and that channel is not returned to operable status within 48 hours, the channel must be placed in the low level actuation permissive condition within eight hours. (See Specification (1) and exception associated with maintenance.)

Amendment No. 65

TABLE 2-3 (Continued)

i If the channel becomes inoperable, that channel must be placed in the bypassed condition within eight hours. If the channel is not returned to operable status within 48 hours, one of the eight channels may continue to be placed in the bypassed condition provided the Plant Review Committee has reviewed and documented the judgment concerning prolonged operation in bypass of the defective channel. The channel shall be returned to operable status no later than during the next cold shutdown.

If one of the eight channels is in prolonged bypass and a second channel becomes inoperable, a second channel must be placed in the bypass condition within eight hours. If the second channel is not returned to operable status within seven days from the time of discovery of loss of operability, the unit must be placed in hot shutdown within 12 hours.

TABLE 2-4

Instrument Operation Conditions for Isolation Functions

| No. | Functional Unit | Circuit | Minimum Operable Channels | Minimum Degree of Redundancy | Permissible Bypass Conditions | Test, Maintenance & Inoperable Bypass |
|---|---|---|---|---|---|---|
| 1 | Containment Isolation | | | | | |
| | A Manual | | 1 | None | None | N/A |
| | B Containment High Pressure | A | 2(a)(e) | 1 | During Leak Test | (f) |
| | | B | 2(a)(e) | 1 | | |
| | C Pressurizer Low/Low | A | 2(a)(e) | 1 | [partly illegible: "React…", "Pres…", "Than …"] | |
| | | B | 2(a)(e) | 1 | | |
| 2 | Steam Line Isolation | | | | | |
| | A Manual | | 1 | None | None | N/A |
| | B Steam Generator Low Pressure | A | 2/Steam Gen (e) | 1/Steam Gen | Steam Generator Pressure Less Than [illegible] psia (c) | (f) |
| | | B | 2/Steam Gen (e) | 1/Steam Gen | | |
| 3 | Ventilation Isolation | | | | | |
| | A Manual | | 1 | None | None | N/A |
| | B Containment High Radiation | A | 2(d) | None | If Containment Ventilation Isolation Valves Are Closed | |
| | | B | 2(d) | | | |

a A and B circuits each have 4 channels.

b Auto removal of bypass above 1700 psia.

c Auto removal of bypass above 550 psia.

d A and B circuits are both actuated by any one of the five VIAS initiating channels; RM-050, RM-051, RM-060, RM-061, or RM-062; however, only RM-050 and RM-051 are required for containment ventilation isolation.

TABLE 2-4 (Continued)

e If minimum operable channel conditions are reached, one inoperable channel must be placed in the tripped condition within eight hours from the time of discovery of loss of operability. The remaining inoperable channel may be bypassed for 48 hours and, if an inoperable channel is not returned to operable status within this time frame, a unit shutdown must be initiated [see Specification (2)].

f If one channel becomes inoperable, that channel must be placed in the tripped or bypassed condition within eight hours. If bypassed and that channel is not returned to operable status within 48 hours, that channel must be placed in the tripped condition within eight hours. (See Specification (1) and exception associated with maintenance.)

ATTACHMENT B

DISCUSSION AND SIGNIFICANT HAZARDS CONSIDERATIONS FOR PROPOSED CHANGES INVOLVING THE BYPASSING OF ALL CHANNELS EXCEPT AUXILIARY FEEDWATER INITIATION CHANNELS

The proposed changes to the Fort Calhoun Station's (FCS) Technical Specifications impose additional limitations on the inoperability of Reactor Protective System (RPS) and Engineered Safety Features (ESF) instrumentation and initiation channels. The purpose of these changes is to provide additional assurance that the RPS and ESF systems are available to perform intended functions in the event of a plant trip or accident.

The existing FCS Technical Specifications permit a single channel of a RPS or ESF system, employing two-out-of-four logic, to be bypassed indefinitely. A time limit of 48 hours for all channels except those channels which are inoperable due to failure of an RTD or nuclear detector is proposed. This 48-hour time limit is consistent with the intent of the Standard Technical Specifications which have been approved by the Nuclear Regulatory Commission.

For those channels which are made inoperable due to a failure of an RTD or nuclear detector, a time limit for permissible bypass has been set at 7 days. The District believes this longer time limit is justified since the failure of these components occurs infrequently and the RPS and ESF systems are designed with sufficient redundancy to ensure proper performance of their intended function with one channel inoperable. Since the repair of a failed RTD or nuclear detector will require the plant to be placed in a hot shutdown condition, the time limit proposed will permit appropriate planning and scheduling. The proposed Technical Specifications also require that if the allowed time limit for bypass is reached and a channel is not returned to an operational condition, the channel must either be placed in a trip condition or the plant must be placed in a hot shutdown condition within the following 12 hours. One exception to this requirement is as follows:

If maintenance is actively being performed on the affected channel to restore that channel to operability or its surveillance testing is actively being performed to allow that channel to be restored to operability, the bypass of that channel can be continued past the 48-hour time limit. The District believes a time limit of 12 hours to place the reactor in hot shutdown is satisfactory, since a sufficient amount of system redundancy is still available. The 12-hour time limit is consistent with similar time limits in the FCS Technical Specifications concerning limiting conditions for operation of safeguards equipment.

In keeping with the requirements set forth in the Standard Technical Specifications, the District has proposed a time limit for placing an inoperable channel in the bypassed or tripped condition of one hour from the time of discovery. This one-hour limitation applies only to those channels which can be bypassed by a key switch.

Certain channels of the ESF at the FCS require the installation of jumpers or blocks in order to accomplish a circuit bypass, since the channels are not equipped with key operated bypass switches. Therefore, bypassing these circuits within one hour is not always possible, since properly trained off-duty personnel may have to respond, review drawings and procedures, and obtain necessary approval for installing jumpers or blocks and then accomplish the action to implement the bypass. Experience has demonstrated that an 8-hour period is an appropriate time to accomplish this bypass.

When the inoperable channel has been repaired and the jumper or block is removed, testing is performed on that channel to ensure operability. The use of jumpers or blocks to bypass an ESF channel at the FCS is quite infrequent (2 to 3 times per year). Their use is governed by FCS Standing Order 0-25, "Electric Jumpers Control". This procedure assures the proper control of jumpers and blocks via the following: (1) requires that a maintenance order for the installation of the jumper or block is properly prepared and authorized; (2) requires that no jumpers or blocks be installed which would violate the FCS Operating License; (3) requires the maintenance of a jumper log which is maintained and controlled by the Shift Supervisor; (4) requires prior Plant Review Committee and Shift Supervisor permission be obtained before installing a jumper or block and that Shift Supervisor permission be obtained prior to removing a jumper or block; (5) requires an independent verification of jumper or block removal; (6) requires a monthly audit of all existing jumpers and blocks by the Supervisor - I&C and Electrical Field Maintenance or his designated alternate; and (7) requires and sets forth a procedure for proper tagging or tag removal of all jumpers and blocks. Each jumper or block requires an individual tag. In addition to Standing Order 0-25, it should be noted that jumpers and blocks are not and will not be used for routine surveillance testing of the systems governed by this proposed Technical Specification.

The proposed Technical Specifications also set forth actions to be taken in the event a number of channels of a particular system in service reach or fall below the indicated number of "Minimum Operable Channels", as specified in the existing FCS Technical Specifications. If the number of channels of a particular RPS or ESF system falls to these limits, one of the inoperable channels must be placed in the trip condition within one hour, if the channel is equipped with a switch, and within 8 hours, if jumpers or blocks are required. If the number of channels of a particular system in service falls below the limits given in the columns titled "Minimum Operable Channels" or "Minimum Degree of Redundancy", the reactor shall be placed in a hot shutdown condition within 12 hours. If the minimum conditions are not met within 24 hours, the reactor shall be placed in a cold shutdown within the next 24 hours. This requirement is consistent with those set forth in the Standard Technical Specifications.

As per 10 CFR 50.92, the following significant hazards considerations have been made:

(1) These changes do not involve a significant increase in the probability or consequence of an accident previously evaluated because it establishes specific time limitations on the bypassing of systems which could previously be bypassed indefinitely. The design of the affected systems or the ability of these systems to perform their intended safety functions has not been altered. The only change has been to impose more stringent time limitations for the inoperability of these systems. These more stringent time limitations will not increase the probability or consequence of a previously evaluated accident.

(2) These proposed changes will not create the possibility of a new or different kind of accident from any accident previously evaluated. As stated above, the only change constitutes an administrative control imposing additional time restrictions upon the inoperability of safety systems and, therefore, will not create a new or different kind of accident.

(3) The proposed changes to the Technical Specifications do not involve a significant reduction in the margin of safety. By imposing more stringent bypass requirements on the RPS and ESF systems and making no changes or alterations in the ability of these systems to perform their intended functions, the margin of safety will not be reduced.

DISCUSSION AND SIGNIFICANT HAZARDS CONSIDERATIONS FOR PROPOSED CHANGES INVOLVING AUXILIARY FEEDWATER INITIATION CHANNEL BYPASS

The steam generator low pressure and steam generator differential pressure channels of the auxiliary feedwater (AFW) automatic initiation circuitry are used to detect and prevent delivery of AFW to a "faulted" steam generator. Upon channel failure, the channel can be placed in a "low level actuation permissive" condition (i.e., if a low level signal occurs, the channel will provide a "feed" signal to the decision matrix) or a "low level actuation prevention" or bypassed condition (i.e., if a low level signal occurs, the channel will provide a "do not feed" signal to the decision matrix). Placing the channel in the "low level actuation prevention" condition provides a two-out-of-three matrix logic for AFW actuation for that steam generator, while placing the channel in the "low level actuation permissive" condition provides a one-out-of-three matrix logic for AFW actuation (both cases assume the presence of valid low level signals). This latter case has the possibility of feeding a faulted steam generator with a concurrent single failure to the AFW actuation circuit.

The bypass philosophy chosen by the District is to place one channel of steam generator and/or steam generator differential pressure in the "low level actuation prevention" or bypass condition for a prolonged time period until the next cold shutdown. If a second failure occurs in the 8 channels on either steam generator, the channel must be fixed in 7 days or the unit must be placed in hot shutdown. The essence of this requirement is that the unit is allowed to operate for a prolonged period of time with a two-out-of-three logic for the automatic AFW actuation circuitry of one steam generator and a two-out-of-four logic for the automatic AFW actuation circuitry of the second steam generator. The unit may operate for up to 7 days with a two-out-of-three logic on both steam generators or it may operate for 48 hours in a one-out-of-two mode on one steam generator and two-out-of-four logic on the other steam generator.
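The coincidence arithmetic used in the Basis above and in this AFW discussion (a bypassed channel leaves two-out-of-three, a tripped or "permissive" channel leaves one-out-of-three, one of each leaves one-out-of-two) can be checked with a small model. This is an added Python example, not part of the OPPD submittal; the `State` names and helper functions are assumptions made for illustration, and the model ignores the listed exceptions where a de-energized channel does not assume a tripped condition.

```python
from enum import Enum
from itertools import product


class State(Enum):
    OPERABLE = "operable"  # votes according to its own sensor
    BYPASSED = "bypassed"  # removed from the vote (AFW: "low level actuation prevention")
    TRIPPED = "tripped"    # vote forced to "actuate" (AFW: "low level actuation
                           # permissive", assuming a valid low level signal as the text does)


REQUIRED_VOTES = 2  # the 2-out-of-4 coincidence described on the page


def actuates(states, sensor_votes, required=REQUIRED_VOTES):
    """True if the logic matrix actuates for the given per-channel sensor votes."""
    votes = 0
    for state, sensor in zip(states, sensor_votes):
        if state is State.TRIPPED or (state is State.OPERABLE and sensor):
            votes += 1
    return votes >= required


def effective_logic(states, required=REQUIRED_VOTES):
    """Return (m, n): m votes still needed from the n channels left operable."""
    n = sum(s is State.OPERABLE for s in states)
    forced = sum(s is State.TRIPPED for s in states)
    return max(required - forced, 0), n


def failures_to_spurious_actuation(states):
    """Operable channels that must falsely vote to actuate with no real demand."""
    m, n = effective_logic(states)
    return m if m <= n else None  # None: the matrix can no longer actuate at all


def failures_to_block_actuation(states):
    """Operable channels that must fail silent to defeat a demand seen by all."""
    m, n = effective_logic(states)
    if m == 0:
        return None  # forced votes alone already actuate; nothing left to block
    if m > n:
        return 0     # too few voters remain; the function is already lost
    return n - m + 1


def model_is_consistent(states):
    """Brute force: the matrix behaves exactly as the (m, n) summary claims."""
    m, _ = effective_logic(states)
    for sensors in product([False, True], repeat=len(states)):
        live = sum(v for s, v in zip(states, sensors) if s is State.OPERABLE)
        if actuates(states, sensors) != (live >= m):
            return False
    return True


O, B, T = State.OPERABLE, State.BYPASSED, State.TRIPPED
# Constructed channel line-ups matching the cases named in the text.
CASES = {
    "all four in service": [O, O, O, O],
    "one bypassed": [B, O, O, O],
    "one tripped": [T, O, O, O],
    "one bypassed, one tripped": [B, T, O, O],
}


def summarize():
    """Map each case to (effective logic, spurious-failure count, blocking-failure count)."""
    rows = {}
    for name, states in CASES.items():
        m, n = effective_logic(states)
        rows[name] = (
            f"{m}-out-of-{n}",
            failures_to_spurious_actuation(states),
            failures_to_block_actuation(states),
        )
    return rows


if __name__ == "__main__":
    for name, (logic, spurious, block) in summarize().items():
        print(f"{name:28s} {logic:12s} spurious after {spurious} failure(s), "
              f"blocked after {block} failure(s)")
```

The "one bypassed" row needs two further failures either to actuate spuriously or to fail to actuate, while the "one tripped" row actuates on a single spurious vote.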

The design basis events for the automatic AFW actuation circuitry are the feedline break event, the loss of main feedwater event, and the steamline break event. Each event is discussed with respect to the prolonged bypass of a single steam generator low pressure and steam generator differential pressure channel (i.e., failure of one pressure transmitter).

The feedline break analysis assumes the steam generator blows down in the liquid phase through a hole equivalent to the diameter of the main feedwater line. This event is the most severe loss of heat removal accident analyzed for the FCS. The AFW system is required to provide water to the "intact" steam generator and not to feed the "faulted" steam generator. If the bypassed channel is on the "intact" steam generator, the actuation logic must work in a two-out-of-three logic to ensure the AFW is actuated to prevent primary system overpressurization for the feedline break analysis. Two additional failures would have to occur such that the AFW system would fail to feed the "intact" steam generator. If the bypassed channel was on the "faulted" steam generator, two additional failures would be necessary such that the AFW system would feed this generator. In both cases, two additional failures are necessary for system failure. In addition, the feeding of a "faulted" steam generator would not invalidate the feedline break analysis. The AFW lines at the FCS enter the steam generators through separate nozzles above the U-tubes and are not connected to the main feedwater lines. The main feedwater line and feed ring are located above the top of the U-tubes. If the AFW system incorrectly feeds the "faulted" steam generator, the water would reach the tube sheath and would exit in the form of steam through the "fractured" main feedwater line. Therefore, heat removal capability would be maintained. Also, the feedline break analysis assumes no credit for any trips associated with the "faulted" steam generator. If credit was taken, a much longer time period would be available for AFW actuation to the "intact" steam generator and the severity of the accident would be greatly reduced.

The AFW actuation circuit must prevent the AFW system from feeding the "faulted" steam generator during the steamline break accident. The actuation circuit would also initiate AFW to the "intact" steam generator, but at a much later time in the accident such that manual actuation could be depended upon. If the bypassed channel is located in the "faulted" steam generator, two additional failures must occur such that the AFW would feed a faulted steam generator which is the same situation that occurs in the case of the two-out-of-four logic. Therefore, no degradation of safety margin occurs with one channel bypassed for the steamline break accident.

The AFW actuation circuit must feed the steam generators in the loss of main feedwater event which may be caused by any number of initiators, including loss of offsite power. However, it is only necessary for the AFW system to feed one steam generator to prevent exceeding any of the specified acceptable fuel design limits which are the acceptance criteria for this event. If AFW is initiated to one steam generator, more than sufficient time exists to manually re-establish feedwater to the other steam generators. Since one steam generator will always have an operable two-out-of-four logic circuit, there is no degradation of safety margin for the loss of main feedwater event.

As per 10 CFR 50.92, the following significant hazards considerations have been made:

(1) These changes do not involve a significant increase in the probability or consequence of an accident previously evaluated because it establishes specific time limitations on the bypassing of systems which could previously be bypassed indefinitely. The design of the affected systems or the ability of these systems to perform their intended safety functions has not been altered. The only change has been to impose more stringent time limitations for the inoperability of these systems. These more stringent time limitations will not increase the probability or consequence of a previously evaluated accident.

(2) These proposed changes will not create the possibility of a new or different kind of accident from any accident previously evaluated. As stated above, the only change constitutes an administrative control imposing additional time restrictions upon the inoperability of safety systems and, therefore, will not create a new or different kind of accident.

(3) The proposed changes to the Technical Specifications do not involve a significant reduction in the margin of safety. By imposing more stringent bypass requirements on the RPS and ESF systems and making no changes or alterations in the ability of these systems to perform their intended functions, the margin of safety will not be reduced.