ML20148C732

Safety Evaluation Supporting Amend 93 to License DPR-54
Person / Time
Site: Rancho Seco
Issue date: 01/05/1988
From: Office of Nuclear Reactor Regulation
To:
Shared Package: ML20148C634
References: NUDOCS 8801250246

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
SUPPORTING AMENDMENT NO. 93 TO FACILITY OPERATING LICENSE NO. DPR-54
SACRAMENTO MUNICIPAL UTILITY DISTRICT
RANCHO SECO NUCLEAR GENERATING STATION
DOCKET NO. 50-312

1.0 INTRODUCTION

By letters dated December 5, 1986, March 26, 1987, July 31, 1987 and November 6, 1987 the Sacramento Municipal Utility District (SMUD or licensee) submitted proposed Technical Specification (TS) amendments to address changes in the TSs necessitated by the addition of the emergency feedwater instrumentation and control (EFIC) system and associated changes to the auxiliary feedwater (AFW) system. The November 6, 1987 submittal consists of administrative restructuring of Table 3.5.1-1 and clarification of system testing constraints. The submittal does not constitute a change in the application as noticed in the Federal Register on September 23, 1987.

The EFIC and AFW TS changes were evaluated separately and are addressed below. The safety evaluation related to the EFIC system is included under Section 2.0 and the AFW evaluation is included under Section 3.0.

2.0 EMERGENCY FEEDWATER INITIATION AND CONTROL (EFIC) SYSTEM

The post accident design review by the Nuclear Regulatory Commission (NRC) after the March 28, 1979 accident at the Three Mile Island (TMI) Nuclear Station, Unit 2, established that the auxiliary feedwater system (AFWS) should be designed, implemented and maintained as a safety system.

To improve the reliability of AFW systems, the NRC required all utilities to upgrade existing AFW systems, where necessary, to ensure timely automatic initiation when required. The upgrade involved qualifying the automatic initiation signals and circuits in accordance with safety-grade requirements. Section II.E.1.2, "Auxiliary Feedwater System Automatic Initiation and Flow Indication," of NUREG-0737, "Clarification of TMI Action Plan Requirements," specifies that this objective can be met by the installation of an AFW actuation system that conforms to the requirements of IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and provides the following set of minimum requirements.

(1) The design shall provide for the automatic initiation of the AFW system,

(2) The automatic initiation signals and circuits shall be designed so that a single failure will not result in the loss of AFW system function,

(3) Testability of the initiating signals and circuits shall be a feature of the design,

(4) The initiating signals and circuits shall be powered from the emergency buses,

(5) Manual capability to initiate the AFW system from the control room shall be retained and shall be implemented so that a single failure in the manual circuits will not result in the loss of system function,

(6) The AC motor-driven pumps and valves in the AFW system shall be included in the automatic actuation (simultaneous and/or sequential) of the loads to the emergency buses, and

(7) The automatic initiating signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the control room.

Section II.E.1.2 of NUREG-0737 also required that safety grade indication of auxiliary feedwater flow to each steam generator be provided in the control room. For Babcock and Wilcox (B&W) designed plants such as Rancho Seco, a minimum of two auxiliary feedwater flowrate indicators for each steam generator must be provided. The auxiliary feedwater flow instrument channels are to be powered from the emergency buses.

In addition, Section II.K.2.2, "Control of Auxiliary Feedwater Independent of the Integrated Control System," of NUREG-0737 requires that licensees of B&W designed reactors provide procedures and training to initiate and control auxiliary feedwater independent of the non-safety related integrated control system (ICS).

a. Auxiliary Feedwater System Description

The AFW system provides secondary coolant to the once through steam generators (OTSGs) if the main feedwater (MFW) system becomes unable to perform this function or if auxiliary feedwater is needed to promote natural circulation in the reactor coolant system. When monitored plant parameters indicate the need for it, the emergency feedwater initiation and control (EFIC) system will automatically initiate AFW flow to the OTSGs. The AFW system may also be initiated manually at the discretion of the operator. Following AFW system actuation, the EFIC system is designed to automatically control the levels in the OTSGs at one of three possible setpoints, depending upon the actual plant conditions.

The AFW system consists of two interconnected flow paths/trains. Each train is capable of supplying auxiliary feedwater to either or both OTSGs.

Figure 2-A is a flow diagram of the Rancho Seco AFW system. This figure also identifies the EFIC system control signals to AFW system components.

[Figure 2-A: Rancho Seco Auxiliary Feedwater System Flow Diagram and EFIC System Control]

The AFW System is designed to provide a minimum of 780 gpm of AFW to the OTSGs at 1050 psig within 70 seconds of a system initiation signal. Prior to restart, flow restricting venturis will be installed in the AFW system injection lines. Flow for AFW system Train "A" (which supplies auxiliary feedwater to OTSG "B") is normally provided by pump P-319; Train "B" flow (supplied to OTSG "A") is normally provided by pump P-318. Each pump has a rated capacity of 840 gpm at 1150 psig, with a normal minimum flow recirculation of 60 gpm. Either of the pumps can provide the required system flow rate to both OTSGs. AFW system pump P-318 is a combination turbine/motor-driven pump with the turbine and motor mounted on a common shaft. Either motive force can drive the pump at rated capacity. The primary motive force which receives an automatic start signal is the turbine. The motor drive is not automatically initiated, but can be started by the control room operator. AFW system pump P-319 is strictly a motor-driven pump.

The steam supply for the pump P-318 turbine (K-308) is obtained from both OTSGs through 6-inch lines that contain check valves, locked open manual valves, and motor operated valves. The check valve and motor-operated valve associated with each OTSG provide redundant isolation capability to preclude blowing down the good OTSG in the event that a rupture (main steamline or main feedwater line) occurs in an OTSG.

AC power for the pump P-319 motor is normally provided by 4160V bus 4A2 through switchgear S4A2, with emergency backup power provided by Emergency Diesel Generator A (GEA2). AC power for the pump P-318 motor is normally provided by 4160V bus 4B2 through switchgear S4B2, with emergency backup power provided by Emergency Diesel Generator B (GEB2).

The primary water source for both AFW trains is the seismic Category 1 condensate storage tank (CST), which has a minimum capacity of 250,000 gallons. Backup sources of water are available from the onsite reservoir and the Folsom South Canal.

Isolation valves, control valves, check valves, and flow instruments are located in the flowpaths between the AFW pumps and the OTSGs to monitor and control the flow of AFW to the OTSGs.

The EFIC system determines the need for auxiliary feedwater; initiates AFW by starting the pumps and opening valves, as necessary, to provide a flow path to the OTSGs; and controls the flow of auxiliary feedwater to maintain the proper water level in the OTSGs.

b. EFIC System Design and Operation

The EFIC system at Rancho Seco is a four channel, safety grade, seismically qualified and Class 1E AFW initiation and control system. The EFIC system also provides control of the atmospheric dump valves, and is used to isolate main feedwater (MFW) flow under certain conditions as discussed below. The following functions are accomplished by the EFIC system:

(1) Monitoring of plant conditions and automatic initiation of AFW flow to both OTSGs when required (manual initiation capability for AFW is also provided),

(2) Automatic control of AFW flow rate to achieve and maintain proper OTSG levels, in accordance with established setpoints, to minimize overcooling and undercooling of the primary system (manual control capability for AFW is also provided),

(3) Automatic isolation of AFW and MFW flow to a depressurized (ruptured) OTSG,

(4) Automatic control of the atmospheric dump valves (ADVs) independent of the integrated control system (manual control capability for the ADVs is also provided), and

(5) Automatic closure of the MFW isolation valves upon detection of high OTSG water level to prevent an OTSG overfill condition.

The EFIC system consists of four physically separate and electrically independent channels: A, B, C, and D. These channels are powered from Class 1E battery-backed emergency buses S1A2-1, S1B2-1, S1C2-1 and S1D2-1 respectively. The EFIC system instrument channels, logic and control circuitry, and actuated/controlled equipment used to initiate and control AFW flow are powered from Class 1E diesel generator-backed or battery-backed buses that are separate from the buses providing power to the ICS and non-nuclear instrumentation (NNI). The EFIC system controls and indications are located on control console HISS (E) in the main control room. The EFIC system logic and actuation circuitry is located within four cabinets (one cabinet for each EFIC channel) located in the Nuclear System Electrical Building (NSEB). Certain EFIC system controlled equipment receives actuation/control signals directly from these cabinets (e.g., AFW flow control valves and ADVs). Other EFIC system controlled equipment receives actuation/isolation signals from the EFIC logic via trip interface equipment (TIE) cabinets (e.g., MFW flow control and isolation valves, and AFW system pumps). The TIE cabinet circuitry interfaces between the EFIC system actuation logic and field equipment. Four TIE cabinets are provided in the NSEB. For each train of EFIC system actuated equipment, one cabinet is used to interface between the EFIC system and Class 1E circuits, and another interfaces between the EFIC system and non-Class 1E circuits.

Each EFIC channel receives analog inputs from steam generator level and steam-line pressure transmitters associated with each OTSG. The level signals are temperature compensated to provide an accurate indication of actual water level.

The EFIC system also receives initiation signals from the reactor protection system (RPS) and the safety features actuation system (SFAS). During plant operation, the EFIC system constantly monitors the input signals, and generates individual channel level protective action signals whenever process parameters exceed their preestablished setpoint values. Actual system level actuation will take place only if at least two of the four EFIC instrument channels have initiated commands for protective action.

Figures 2-B, 2-C, 2-D and 2-E illustrate the input and output signals associated with EFIC channels A, B, C and D respectively. The EFIC system logic is subdivided into the following logic functions:

(1) Input Logic - receives and provides individual channel level trip and bypass signals to the remaining portions of the EFIC system logic,

(2) Actuation Logic - initiates AFW system flow to the OTSGs,

(3) Control Logic - controls AFW system flowrate and OTSG level (this logic also includes the ADV controls),

(4) Vector Logic - isolates AFW system flow to a depressurized OTSG, and

(5) Isolation Logic - isolates MFW system flow to a depressurized OTSG, or to an OTSG with a high-high water level.

Figure 2-F is an overall block diagram of the EFIC system that shows the EFIC logic functions and the associated actuated equipment. The EFIC system and its actuated/controlled equipment will be completely installed, tested, and fully operational at restart as governed by the Rancho Seco Plant Technical Specifications.

c. EFIC System Initiation of AFW

The EFIC system is designed to initiate AFW (1) on low water level in either OTSG (9 inches), (2) on low pressure in either OTSG steamline (575 psig), (3) when all four reactor coolant pumps trip (this signal is provided to the EFIC system from the RPS), (4) on the loss of both MFW pumps at greater than 20% reactor power (this is an anticipatory trip signal also provided to the EFIC system from the RPS), and (5) on reactor building high pressure (< 4 psig), or (6) on reactor coolant system (RCS) low pressure (> 1600 psig). The EFIC system receives the reactor building high pressure and RCS low pressure signals from the SFAS.

The EFIC system AFW actuation logic is arranged in a 1-out-of-2 taken twice logic configuration. All four EFIC input logic channels provide AFW initiation commands to the AFW actuation logic modules which are physically located in the "A" and "B" EFIC channel cabinets. The EFIC system AFW system actuation logic is functionally shown in Figure 2-G. Actuation of AFW pump P-319 and the associated train "A" control valves occurs when the actuation logic modules in the "A" EFIC channel cabinet receive channel level initiate commands from EFIC system input logic channels "A" or "B" and "C" or "D." Actuation of AFW pump P-318 and the associated train "B" control valves occurs when the actuation logic modules in the "B" EFIC channel cabinet receive initiate commands from EFIC system input logic channels "A" or "C" and "B" or "D." Since all four EFIC channels monitor the same parameters, they should all simultaneously issue initiate commands, thereby actuating both AFW system trains. The channel level AFWS actuation signals are not "sealed-in" by the EFIC system input logic circuitry. However, once the 1-out-of-2 taken twice actuation logic is satisfied, the system (train) level actuation signal is sealed-in and cannot be reset until the initiating condition has returned to normal and the actuation logic reset pushbutton is depressed. The actuation logic seal-in circuits ensure that completion of the associated protective actions occurs upon generation of a system level actuation signal.

[Figure 2-B: EFIC Channel A]

[Figure 2-C: EFIC Channel B]

[Figure 2-D: EFIC Channel C]

[Figure 2-E: EFIC Channel D]

[Figure 2-F: EFIC system overall block diagram]

[Figure 2-G: EFIC System Initiation of Auxiliary Feedwater]
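The 1-out-of-2 taken twice voting and the train-level seal-in described above can be checked exhaustively; the sketch below is an added example, not part of the NRC evaluation or the licensee's design documents. The channel pairings are taken from the text (the MFW isolation logic later in this section uses the same pairings); the function names, the failure sweep and the modelling of "initiating condition returned to normal" are assumptions of this example.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")

# Input-channel pairings per actuation cabinet, as given in the text:
# cabinet A (train A): (A or B) and (C or D); cabinet B (train B): (A or C) and (B or D).
TRAIN_PAIRS = {
    "A": (("A", "B"), ("C", "D")),
    "B": (("A", "C"), ("B", "D")),
}


def one_of_two_taken_twice(trips, pairs):
    """True when each pair contains at least one channel issuing an initiate command."""
    return all(any(trips[ch] for ch in pair) for pair in pairs)


def trains_actuated(trips):
    """Map train name -> whether its cabinet's voting logic is satisfied."""
    return {train: one_of_two_taken_twice(trips, pairs)
            for train, pairs in TRAIN_PAIRS.items()}


def failure_sweep(n_failed, demand):
    """Force every combination of n_failed channels to the wrong state.

    demand=True  : a real initiating condition exists; failed channels stay silent.
    demand=False : no condition exists; failed channels trip spuriously.
    Returns {failed channels: {train: actuated}}.
    """
    results = {}
    for failed in combinations(CHANNELS, n_failed):
        trips = {ch: (not demand if ch in failed else demand) for ch in CHANNELS}
        results["".join(failed)] = trains_actuated(trips)
    return results


class TrainSealIn:
    """Train-level seal-in: channel trips are not latched, the voted output is.

    Assumption for this example: "initiating condition returned to normal" is
    modelled as the voting logic no longer being satisfied.
    """

    def __init__(self, pairs):
        self.pairs = pairs
        self.latched = False

    def step(self, trips, reset_pressed=False):
        if one_of_two_taken_twice(trips, self.pairs):
            self.latched = True          # sealed in as soon as the vote is satisfied
        elif reset_pressed:
            self.latched = False         # reset only works once the demand is gone
        return self.latched


def demo():
    """Run the sweeps and return a summary (constructed scenarios, not plant data)."""
    return {
        "one_silent_channel": failure_sweep(1, demand=True),
        "one_spurious_channel": failure_sweep(1, demand=False),
        "two_silent_channels": failure_sweep(2, demand=True),
    }


if __name__ == "__main__":
    for name, table in demo().items():
        print(name)
        for failed, trains in table.items():
            print(f"  failed={failed}: {trains}")
```

Because the two cabinets pair the channels differently, the sweep shows that any single silent channel leaves both trains actuating, any single spurious trip actuates neither, and no combination of two silent channels defeats both trains.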

d. EFIC System Isolation of Main Feedwater (MFW)

Prior to the December 26, 1985 event, the Rancho Seco plant used a non-safety related main steamline failure logic system (MSFLS) to isolate MFW flow to the OTSGs in the event of a failure of a main steamline (MSL). Main feedwater isolation was accomplished by the automatic closure of three valves in each feedwater line: the main flow control valve, the downstream series MFW stop valve, and a single startup MFW flow control valve located in a parallel line around the other two valves. NUREG-1195 identified the following concerns regarding the MSFLS: (1) the valve arrangement does not appear to meet the single failure criterion with respect to MFW system isolation, (2) the MSFLS is not a safety related system but is used to perform a safety related function, and (3) the MFW system flow control valves might not be adequate for isolation.

The MSFLS detected low steamline pressure (indicative of a main steamline break) via pressure switches on the steam header downstream of each OTSG. Two redundant MSFLS trains consisting of sensing elements, DC powered logic, and actuation devices were provided. Two pressure switches within each train were configured in a 2-out-of-2, energize-to-actuate, logic arrangement. When the logic was satisfied, solenoid-operated valves would actuate to block the control air to, and vent the air from the MFW system flow control valves, causing them to close.

The ICS would then, in turn, close the MFW stop valves. The ICS is designed to close the stop valves when the main flow control valves go to less than 20% open. The Rancho Seco Final Safety Analysis Report (FSAR) analysis assumes the successful operation of the non-safety related MSFLS and the non-safety related ICS to close the MFW stop valves for a main steamline break accident.

Subsequent to the December 26, 1985 event, the licensee has modified the MFW system valve configuration. An additional motor operated isolation valve has been installed in the MFW flow path to each OTSG downstream of the flow control and stop valves, as shown in Figure 2-H. The non-safety related MSFLS has been removed and the MFW isolation function will now be performed by the safety related EFIC system. The EFIC system will isolate the MFW flow control and block valves, and the new isolation valves. During normal operation, the ICS still provides control of the MFW flow control and block valves.

[Figure 2-H: Main feedwater system]

The EFIC system will isolate MFW flow to an OTSG when either a pressure of less than 600 psig or a high water level (setpoint to be determined later) is detected in that OTSG. Four redundant instrument channels, A, B, C and D, are provided to monitor each of these parameters for each OTSG. The EFIC system MFW isolation logic is arranged in a 1-out-of-2 taken twice logic (identical to the AFW system actuation logic) and is shown in Figure 2-I. MFW isolation to an OTSG occurs when the logic modules in EFIC system cabinet "A" receive commands from input logic Channels A or B and C or D, or when the logic modules in EFIC system cabinet "B" receive initiate commands from logic Channels A or C and B or D.

The EFIC system channel "A" cabinet MFW isolation logic isolates MFW valves FV-20525, FV-20529 and FV-20575 to OTSG A, and valves FV-20526, FV-20530, and FV-20576 to OTSG B. The EFIC system channel "B" cabinet MFW isolation logic isolates valve HV-20515 in the MFW line to OTSG-A and valve HV-20516 in the MFW line to OTSG-B. Since all four EFIC system input logic (sensing) channels monitor the same parameters, they should simultaneously issue commands causing all valves used for MFW isolation to an OTSG to close.

Valves FV-20525, FV-20575, FV-20526, and FV-20576 are air-operated MFW flow control valves. MFW stop valves FV-20529 and FV-20530 are powered from 480V motor control center (MCC) S2A3 and are backed up by diesel generator GEA2.

The new downstream series isolation valves (HV-20515 and HV-20516) are powered from 480V MCC S2B3, and are backed up by diesel generator GEB2.

Based on the review of the information provided by SMUD concerning modifications to provide additional MFW system isolation valves, and to initiate isolation of the new and existing valves by the safety related EFIC system, the staff concludes that the MFW isolation function conforms to the single failure criterion of IEEE Std. 279-1971. Therefore, the staff concludes that the NUREG-1195 concerns in this area have been resolved. The adequacy of the MFW system flow control valves for accomplishing MFW isolation, and the acceptability of the Rancho Seco FSAR analysis with regard to assuming the proper functioning of non-safety related systems to mitigate transient and accident events are discussed in the "Safety Evaluation Report Related to the Restart of Rancho Seco Nuclear Generating Station, Unit 1 following the Event of December 26, 1986" (NUREG-1286).

[Figure 2-I: EFIC System Isolation of Main Feedwater]

e. EFIC System Isolation of AFW

The EFIC system includes logic used to isolate AFW flow to a ruptured or depressurized OTSG. This logic is referred to as the feed only good generator (FOGG) or "vector" logic. Upon actuation, the vector logic precludes the continued addition of AFW to a depressurized OTSG, thus minimizing the over-cooling effects of a steam leak. The vector logic may isolate AFW to one OTSG only, never to both.

Each EFIC system channel contains vector logic. Each set of vector logic receives OTSG pressure signals from each of the four EFIC system channel input logics. The pressure information received is (1) OTSG-A pressure less than 600 psig, (2) OTSG-B pressure less than 600 psig, (3) OTSG-A pressure 100 psig greater than OTSG-B pressure, and (4) OTSG-B pressure 100 psig greater than OTSG-A pressure.

Each vector logic also receives a vector/control enable signal from both EFIC Channel A and Channel B upon AFW system actuation. The vector logic develops signals for open/close control of OTSG-A and OTSG-B auxiliary feedwater valves.

The individual vector logics are not single failure tolerant (i.e., a single failure could cause an inadvertent valve closure, or prevent valve closure when required). However, the combination of four redundant and independent vector logics, and the AFW system flow control valve/isolation valve arrangement (i.e., two parallel flow paths for each OTSG, with two series valves in each path) ensure that any EFIC system single failure will prevent neither addition nor isolation of AFW to an OTSG when required. The vector logic outputs are in a neutral state until enabled by the control/vector enable from the Channel A or B AFW actuation logics. When enabled, the Channel A vector logic issues close commands to valves FV-20527 and FV-20528. The Channel B vector logic issues close commands to valves FV-20531 and FV-20532. The Channel C vector logic issues open or close commands to valves HV-20578 and HV-20581. The Channel D vector logic issues open or close commands to valves HV-20577 and HV-20582. The table below shows the OTSG pressure conditions that cause the vector logic to isolate AFW flow.

Pressure Status                                   OTSG-A Valves    OTSG-B Valves
                                                  Command          Command

If OTSG-A & OTSG-B > 600 PSIG                     OPEN             OPEN

If OTSG-A > 600 PSIG & OTSG-B < 600 PSIG          OPEN             CLOSE

If OTSG-A < 600 PSIG & OTSG-B > 600 PSIG          CLOSE            OPEN

If OTSG-A < 600 PSIG & OTSG-B < 600 PSIG
AND OTSG-A & OTSG-B WITHIN 100 PSIG               OPEN             OPEN

If OTSG-A < 600 PSIG & OTSG-B < 600 PSIG
AND OTSG-A 100 PSIG > OTSG-B                      OPEN             CLOSE

If OTSG-A < 600 PSIG & OTSG-B < 600 PSIG
AND OTSG-B 100 PSIG > OTSG-A                      CLOSE            OPEN
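The vector (FOGG) table and the single-failure argument made for the two-parallel-path, two-series-valve arrangement can be exercised together; this is an added example, not code from the evaluation or the plant design. Assumptions of the example: a reading of exactly 600 psig counts as not low, a difference of exactly 100 psig counts as "within 100 psig", and each flow path pairs one control-valve channel (A or B) with one isolation-valve channel (C or D) in the order shown in `PATHS`.

```python
ISOLATE_PSIG = 600   # low-pressure threshold from the table
DELTA_PSIG = 100     # pressure-difference threshold from the table


def vector_commands(p_a, p_b, enabled=True):
    """Return (OTSG-A valve command, OTSG-B valve command) per the table.

    Boundary handling (== 600 psig, == 100 psig difference) is an assumption;
    the page does not state it.
    """
    if not enabled:
        # Outputs stay neutral until the AFW actuation logic enables them.
        return ("NEUTRAL", "NEUTRAL")
    low_a, low_b = p_a < ISOLATE_PSIG, p_b < ISOLATE_PSIG
    if low_a and low_b:
        # Both depressurized: feed the generator that is clearly the better one,
        # or both if neither stands out.
        if p_a - p_b > DELTA_PSIG:
            return ("OPEN", "CLOSE")
        if p_b - p_a > DELTA_PSIG:
            return ("CLOSE", "OPEN")
        return ("OPEN", "OPEN")
    return ("CLOSE" if low_a else "OPEN", "CLOSE" if low_b else "OPEN")


def never_isolates_both(step=25, top=1200):
    """Sweep a grid of pressure pairs and confirm AFW is never cut to both OTSGs."""
    pressures = range(0, top + 1, step)
    return all(vector_commands(a, b) != ("CLOSE", "CLOSE")
               for a in pressures for b in pressures)


# Hypothetical path model for ONE steam generator: two parallel paths, each with
# two valves in series, every valve commanded by a different vector logic channel.
PATHS = (("A", "C"), ("B", "D"))


def flow_possible(valve_cmds):
    """valve_cmds maps channel -> 'OPEN'/'CLOSE' for that channel's valve."""
    return any(all(valve_cmds[ch] == "OPEN" for ch in path) for path in PATHS)


def single_failure_outcomes(intended):
    """Flip one channel's output at a time to the opposite of `intended`.

    Returns {failed channel: whether AFW can still reach the generator}.
    """
    wrong = "OPEN" if intended == "CLOSE" else "CLOSE"
    results = {}
    for failed in "ABCD":
        cmds = {ch: intended for ch in "ABCD"}
        cmds[failed] = wrong
        results[failed] = flow_possible(cmds)
    return results


if __name__ == "__main__":
    # Constructed pressure pairs covering the six table rows.
    for pa, pb in [(900, 900), (900, 400), (400, 900),
                   (500, 450), (500, 300), (200, 450)]:
        print(pa, pb, vector_commands(pa, pb))
    print("isolate required, one channel fails open:", single_failure_outcomes("CLOSE"))
    print("feed required, one channel fails closed:", single_failure_outcomes("OPEN"))
```

With one channel failed open the series valve in the same path still isolates it, and with one channel failed closed the parallel path still delivers flow, which is the property the text attributes to the valve arrangement rather than to any individual vector logic.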

f. EFIC System OTSG Level Control

Control of AFW to the OTSGs is provided by control logic contained within Channels A and B of the EFIC system. The control logic becomes active upon EFIC system actuation of AFW. The system is designed so that either channel will control water level in both OTSGs by controlling its own dedicated control valve for each AFW train. The EFIC system Channel A control logic provides signals to air-operated valves FV-20527 (OTSG "A") and FV-20528 (OTSG "B") and the EFIC system Channel B control logic provides signals to solenoid-operated valves FV-20531 (OTSG "A") and FV-20532 (OTSG "B") for control of AFW flow.

The duplication of control channels provides added assurance that sufficient auxiliary feedwater flow will be delivered to at least one OTSG to maintain water level. However, duplication of the control channels does not preclude the possibility of excessive auxiliary feedwater flow and consequent OTSG overfill. Operator intervention is relied on to prevent OTSG overfill. Prior to restart, flow restricting venturis will be installed in the AFW system injection lines to reduce the AFW flow rate.

There are three different modes of automatic level control, depending on whether one or more reactor coolant pumps are running and whether the "ECC setpoint" has been selected for emergency core cooling (ECC). With one or more reactor coolant pumps operating, the EFIC system level control logic automatically controls OTSG level at a setpoint value of 27.5 inches. When none of the four reactor coolant pumps are running, the level controller automatically selects a setpoint of 317 inches, which is high enough to ensure good natural circulation. The third level setpoint of 381 inches (the ECC setpoint) is manually selected if all four reactor coolant pumps are off and the plant is in a small-break LOCA transient. The ECC setpoint is used to promote condensation heat transfer from the primary system.

The licensee has stated that the level control system is based on a design utilized in other B&W reactor plants, and is expected to provide stable, reliable level control of the water level in the OTSGs.

g. EFIC System Control of the Atmospheric Dump Valves (ADVs)

The EFIC system Channel A and Channel B control logic also provide control of the two trains of atmospheric dump valves for steam line overpressurization control. Atmospheric dump valves PV-20571 A, B, C and PV-20562 A, B, C are modulating control valves which relieve main steam to the atmosphere from main steamline "A" and main steamline "B," respectively. EFIC system Channel A will continuously monitor pressure in main steamline "A" and will signal PV-20571 A, B, and C to open if pressure in that line exceeds a setpoint value of 1020 psig. EFIC Channel B will similarly control PV-20562 A, B, and C.

Prior to the December 26, 1985 event and subsequent installation of the EFIC system, the ADVs were powered and controlled by the non-safety related integrated control system (ICS). The ADVs are now controlled by the safety related EFIC system, which is electrically independent from the ICS.

Two of the three ADVs per steamline are normally blocked during reactor operation via upstream local manually operated valves. The unblocked ADV for each steamline has an associated upstream normally open remote manually controlled motor operated valve that provides the operator with the ability to isolate a stuck-open ADV to prevent an uncontrolled steam release that could result in overcooling of the primary system. Although this valve is powered from the EFIC system buses, it can be operated independent of the EFIC system ADV control logic/circuitry. A single OTSG pressure transmitter is used to provide the input signal for each channel of ADV control logic. If an unblocked ADV fails to open, the downstream main steam safety valves (MSSV) will open to relieve steam pressure, if steam pressure should increase to the MSSV open setpoints.

h. EFIC System Interfaces

The major systems that interface with the EFIC system are as follows:

o Auxiliary Feedwater System
o Main Feedwater System
o Main Steam System
o Once Through Steam Generator System
o Electrical Distribution System
o Reactor Protection System
o Safety Features Actuation System
o Interim Data Acquisition and Display System
o Safety Parameter Display System
o Appendix "R" Remote Shutdown Panel (H250)
o Plant Instrument Air System
o Main Control Room Panels/Consoles (HISS, H1RC, H2YS and H2SF)

To assure proper isolation between the Class 1E EFIC system and non-Class 1E systems with which it interfaces, the EFIC system design utilizes fiber optic cables, optical isolators, and isolation relays.

The following table lists the non-Class 1E interface systems and the specific type of isolation used to prevent faults within the non-Class 1E systems from degrading the EFIC system safety functions. The staff concludes that the isolation provided between the EFIC system and non-safety related systems is acceptable.

EFIC INTERFACE                                METHOD OF ISOLATION

1. Auxiliary Shutdown Panel                   a) GE-SM8 Isolation Switch
                                              b) Optical Isolators
2. IDADS Panel                                Optical Isolators
3. EFIC Channel A and B with                  Isolation Relays
   Auxiliary Feedwater Valves
4. All Others                                 Fiber Optics

i. EFIC System Bypasses

The EFIC system design includes two types of bypasses: maintenance bypasses and shutdown bypasses. The bypass circuitry is contained in the input logic portions of EFIC Channels A, B, C, and D.

The maintenance bypass circuit design provides individual EFIC system input logic channel bypass capability for each of the four channels. The EFIC system is designed to allow channel testing from the input terminals to the actuated device controllers without placing the channel in maintenance bypass. Placing an EFIC system channel in maintenance bypass inhibits/disables that channel's capability to perform its associated protective function. Maintenance bypasses are used to allow maintenance/repair of an inoperable channel during reactor operation without causing an unwanted/unnecessary channel trip. The use of EFIC system channel maintenance bypasses is controlled in accordance with plant technical specifications, where the inoperable/bypassed channels must be restored to an operable status within a specified time, or otherwise reactor operation is suspended or restricted to power levels at which the associated protective action is no longer required. Channel bypass for maintenance is accomplished by placing the key-lock maintenance bypass switch at the associated EFIC system cabinet (in the NSEB) in the "MAINTENANCE BYPASS" position. Each EFIC channel key-operated maintenance bypass switch actuates an associated bypass status light at its local EFIC panel, and actuates an IDADS alarm in the control room to indicate when the maintenance bypass switch is being used. The indication associated with the IDADS alarm will be continuously displayed in the control room for as long as the bypass condition exists.

Interlock features within the EFIC system maintenance bypass circuitry make it impossible to bypass more than one channel at a time. These interlock features ensure that the EFIC system is capable of performing its AFW actuation and MFW isolation safety functions given a single failure when one channel is in maintenance bypass.

The EFIC system AFW actuation logic also receives maintenance bypass signals from the reactor protection system (RPS). Placing an RPS channel in bypass disables the RPS input signal to the corresponding EFIC system channel. An interlock feature is provided within the EFIC system channel input logic that will only allow the corresponding EFIC system channel to be bypassed when an RPS channel is bypassed. For example, if Channel A of the RPS is placed in maintenance bypass, only a Channel A EFIC system maintenance bypass can be actuated, and EFIC Channels B, C, and D are automatically prevented from being placed in maintenance bypass. Should either of EFIC Channels B, C, or D be in maintenance bypass when EFIC Channel A receives the RPS maintenance bypass signal, that EFIC channel will automatically be removed from bypass. Should a second RPS maintenance bypass signal be received by the EFIC system, all EFIC maintenance bypasses will be cleared/disabled (i.e., no EFIC system channel can be placed in maintenance bypass, and any EFIC system channel in maintenance bypass will automatically be removed from bypass).
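
The maintenance bypass interlock rules in the two preceding paragraphs can be written as a small state model and checked over every reachable state. The Python sketch below is an added illustration, not part of the staff evaluation or the licensee's design documents; all class and function names are hypothetical, and it assumes that a denied key-switch request has no effect and that an EFIC bypass persists when its matching RPS bypass is withdrawn.

```python
from dataclasses import dataclass, field
from typing import Set

CHANNELS = ("A", "B", "C", "D")


@dataclass
class MaintenanceBypassInterlock:
    """Hypothetical model of the EFIC maintenance-bypass interlock rules."""
    efic_bypassed: Set[str] = field(default_factory=set)
    rps_bypassed: Set[str] = field(default_factory=set)

    def permitted(self, ch: str) -> bool:
        """May EFIC channel `ch` be in maintenance bypass in the current state?"""
        if len(self.rps_bypassed) >= 2:      # second RPS bypass: all EFIC bypasses disabled
            return False
        if len(self.rps_bypassed) == 1:      # only the matching EFIC channel is allowed
            return ch in self.rps_bypassed
        return self.efic_bypassed <= {ch}    # no RPS bypass: one channel at a time

    def request_efic_bypass(self, ch: str) -> bool:
        """Key-lock switch turned to MAINTENANCE BYPASS; True if the interlock grants it."""
        if self.permitted(ch):
            self.efic_bypassed.add(ch)
            return True
        return False                         # assumption: a denied request changes nothing

    def release_efic_bypass(self, ch: str) -> None:
        self.efic_bypassed.discard(ch)

    def set_rps_bypass(self, ch: str, active: bool) -> None:
        """RPS channel bypass signal asserted or withdrawn."""
        if active:
            self.rps_bypassed.add(ch)
        else:
            self.rps_bypassed.discard(ch)
        # Automatic removal of any EFIC bypass that is no longer permitted.
        self.efic_bypassed = {c for c in self.efic_bypassed if self.permitted(c)}

    def degraded_channels(self) -> Set[str]:
        """Channels whose protective input is bypassed by either system."""
        return self.efic_bypassed | self.rps_bypassed


def invariant_holds(s: MaintenanceBypassInterlock) -> bool:
    """Safety properties the text attributes to the interlock."""
    if len(s.efic_bypassed) > 1:                       # never two EFIC channels at once
        return False
    if len(s.rps_bypassed) >= 2 and s.efic_bypassed:   # cleared on a second RPS bypass
        return False
    if len(s.rps_bypassed) == 1 and not s.efic_bypassed <= s.rps_bypassed:
        return False                                   # must match the bypassed RPS channel
    # An EFIC bypass never degrades a channel beyond those RPS already degraded,
    # apart from the single channel allowed when no RPS bypass is present.
    return len(s.degraded_channels()) <= max(1, len(s.rps_bypassed))


def explore_reachable_states():
    """Apply every event in every reachable state; return (state count, violations)."""
    start = (frozenset(), frozenset())
    seen, frontier, violations = {start}, [start], []
    while frontier:
        efic, rps = frontier.pop()
        for ch in CHANNELS:
            for event in ("request", "release", "rps_on", "rps_off"):
                s = MaintenanceBypassInterlock(set(efic), set(rps))
                if event == "request":
                    s.request_efic_bypass(ch)
                elif event == "release":
                    s.release_efic_bypass(ch)
                else:
                    s.set_rps_bypass(ch, event == "rps_on")
                if not invariant_holds(s):
                    violations.append((sorted(efic), sorted(rps), event, ch))
                state = (frozenset(s.efic_bypassed), frozenset(s.rps_bypassed))
                if state not in seen:
                    seen.add(state)
                    frontier.append(state)
    return len(seen), violations


if __name__ == "__main__":
    count, bad = explore_reachable_states()
    print(f"{count} reachable states, {len(bad)} invariant violations")
```
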

The EFIC system shutdown bypass design provides the capability to defeat the AFW system automatic actuation logic and MFW isolation logic, to ensure that actuation/isolation does not occur during normal reactor shutdown. The shutdown bypass logic is designed such that when the pressure in either OTSG drops below 725 psig, the reactor operator can manually initiate the shutdown bypass (prior to reaching the AFW actuation/MFW isolation setpoint value of 600 psig). A shutdown bypass cannot be initiated if the pressure in both OTSGs is greater than 725 psig.

Each of the four channels of EFIC system shutdown bypass logic can be actuated by one of two dedicated shutdown bypass switches. One shutdown bypass switch for each channel is located in the reactor control room on console HISS (E), and the other shutdown bypass switch is located at the EFIC system channel cabinet.

The shutdown bypass circuitry will "seal-in" following actuation. The seal-in can be removed by the shutdown bypass reset switch. The shutdown bypass will be automatically removed (restoring the EFIC system AFW actuation and MFW isolation protective functions) if the pressure in both OTSGs increases/returns to above 700 psig (i.e., if the permissive condition that allowed the bypass condition to exist is no longer satisfied). The shutdown bypass condition for each EFIC system channel is continuously indicated in the main control room and at the EFIC system cabinets in the NSEB for as long as the bypass condition exists.

j. Conformance to the Requirements of NUREG-0737, Item II.E.1.2

The EFIC design has been evaluated for conformance to NUREG-0737, "Clarification of TMI Action Plan Requirements," Item II.E.1.2, "Auxiliary Feedwater System Automatic Initiation and Flow Indication." The requirements of NUREG-0737, Item II.E.1.2 can be met by providing a design for automatic AFWS actuation that meets the requirements of IEEE Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations." IEEE Std. 279 includes requirements regarding quality of components, compliance with the single failure criterion, independence of redundant channels, control and protection system interaction, channel/system bypasses, automatic and manual initiation, test capability, and system status information provided to the control room operator.

The automatic initiation circuits of the EFIC system are diverse, redundant, physically separated, electrically independent, and powered from battery-backed emergency buses. The two AFW pumps have diverse sources of motive power (electric motor and steam turbine). AFW system pump P-319 is actuated by EFIC Channel A. The steam supply to the turbine-driven pump (P-318) is initiated by EFIC Channel B. The failure of either Channel A or B may cause one of the two AFW pumps to be unresponsive to an AFW actuation signal. However, one operational pump is sufficient to supply the water requirements of the system.

The EFIC and AFW systems are capable of providing sufficient AFW flow to the intact (pressurized) OTSG following a main steam line/main feedwater line break coincident with a loss of offsite power and a worst case/most limiting single failure as discussed below. Upon rupture of OTSG-B (upstream of the turbine throttle and control valves or downstream of the main feedwater isolation valve and associated check valve), an AFW system actuation signal is initiated by the EFIC system logic which sends start signals to the AFW pump P-318 turbine and the AFW pump P-319 motor. MFW flow to the failed OTSG will be isolated by the EFIC system isolation logic shown in Figure 2-I. MFW isolation on OTSG low pressure will occur given any single failure within the EFIC system isolation logic or the MFW system isolation valves.

Assuming a loss of offsite power in conjunction with the rupture of OTSG-B, emergency diesel generators GEA2 and GEB2 will receive start signals and provide emergency AC power to vital bus 4A2 and vital bus 4B2 respectively.

The following automatic and manual actions will occur or be available following the most limiting active single failures.

o If AFW pump/turbine P-318 fails, AFW pump/motor P-319, which receives a simultaneous EFIC start signal, will automatically supply AFW to OTSG-A through the cross-connect line. The operator can also manually start the motor for AFW pump P-318 and supply AFW to OTSG-A.

o If the motor for AFW pump P-318 fails, there would be no direct impact because the AFW pump P-318 turbine and the AFW pump P-319 motor receive simultaneous EFIC start signals, and both would supply water to OTSG-A automatically.

o If one of the active valves in the AFW flow path to OTSG-A fails and blocks flow, the active valve in the redundant parallel flow path, which is controlled by a redundant EFIC system channel, will open and allow flow to OTSG-A from both AFW pumps P-318 and P-319.

o If AFW pump/motor P-319 fails, the turbine for AFW pump P-318, which receives a simultaneous EFIC start signal, will automatically supply water to OTSG-A.

o If one of the valves in the AFW flow paths to OTSG-B fails to close to isolate flow, there would be no consequences because its series isolation valve, controlled by a redundant EFIC system channel and powered from a separate vital bus, would close to isolate AFW flow to depressurized OTSG-B.

o If EDG GEA2 and/or associated vital bus S4A fail, the AFW pump P-318 turbine will receive an EFIC start signal and supply water to OTSG-A via valves controlled by EFIC system Channel B, and powered from EDG GEB2 and/or vital bus S4B.

o If EDG GEB2 and/or associated vital bus S4B fail, the AFW pump P-319 motor will receive an EFIC start signal and supply water to OTSG-A via the AFW cross-connect lines and valves controlled by EFIC system Channel A, and powered from EDG GEA2 and/or vital bus S4A. In addition, the AFW pump P-318 turbine, which receives a simultaneous EFIC start signal, will supply water to OTSG-A.

A similar discussion to that above, which applies to the rupture of OTSG-B, is applicable to the rupture of OTSG-A.

When the AFW system is actuated, the four-channel EFIC AFW actuation system effectively becomes a two-channel system for OTSG water level control. Each of the two AFW trains has redundant valves to control the level in the OTSGs, and each of the redundant level control valves in a train is controlled by a different EFIC system control channel (A or B). Therefore, sufficient AFW flow to both OTSGs is ensured given a single failure of any AFW flow control valve or its control circuitry.

The AFW system level control valves and the associated EFIC system control circuitry are designed to ensure that sufficient AFW flow is supplied to the OTSGs following a single failure (i.e., the AFW flow control valves fail open on a loss of control air or loss of motive power). However, because of this design, a single failure could lead to excessive AFW flow and subsequent OTSG overfill. SMUD considers this design characteristic to be acceptable based on the assumption that, although a failed open valve may result in overfilling, the rate of increase in OTSG level via AFW is slow, and that sufficient time exists for operator intervention. Although the B&W-designed EFIC system includes circuitry to prevent OTSG overfill via the AFW system, the licensee has elected not to use this feature. The licensee's basis for not allowing the EFIC system to isolate AFW flow on OTSG high level is that the EFIC system also isolates MFW to the OTSGs. Therefore, a common mode failure could result in EFIC system isolation of both MFW and AFW flow to the OTSGs. It was, therefore, decided to only allow the EFIC system to isolate MFW. OTSG overfill protection for an AFW overfill event will be via high level alarms on the IDADS, and remote manual isolation via the AFW system control and isolation valves.

Two of the level control valves (one in each AFW train) are pneumatically operated (FV-20527 and FV-20528). The air supply for these valves is the plant air system, which is classified as a non-safety related system. To assure operation of these valves, a 2-hour, seismic Class 1, backup air supply has been provided for each valve train. The backup air supply will function only if the normal air supply is unavailable. This arrangement is considered acceptable.

The EFIC system consists of four redundant channels of safety related circuits. Section 4.6, "Channel Independence," of IEEE Std 279 states that channels providing signals for the same protective function shall be independent and physically separated to accomplish decoupling of effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis, and to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction. Regulatory Guide 1.75, "Physical Independence of Electric Systems," references IEEE Std 384, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," which sets forth criteria for the physical separation of redundant safety related circuits and equipment.

All instrument/sensing channels providing inputs to the EFIC system are dedicated to one of four redundant input logic channels. The redundant instrument and input logic channels are physically separated and electrically independent from each other. All communications between redundant EFIC system channels (e.g., channel bypass status information) are accomplished via fiber optic cables.

The NRC staff performed an onsite review of the physical separation provided between redundant Class 1E EFIC circuits, and between Class 1E EFIC circuits and non-Class 1E circuits, to determine if the installed design conforms to the separation criteria identified in Sections 5.6 (Control Switchboards) and 5.7 (Instrumentation Cabinets) of IEEE Std 384. Where physical separation by enclosures is not possible because of the plant design, either a barrier or a 6-inch minimum separation distance should be provided. In those cases where a barrier or 6-inch separation is not provided, the design must be analyzed to ensure compliance with RG 1.75 and IEEE Std 384.

Compliance with the channel independence requirements of RG 1.75 is addressed by the licensee in engineering report ERPT-E0220, "Report on Conformance of NSEB and DG Building Electric Installation to RG 1.75," dated June 10, 1987. ERPT-E0220 addresses IEEE Std 384-1974 as applicable to Rancho Seco and includes a discussion on how the specific requirements are met. The staff's evaluation and conclusions concerning ERPT-E0220 are detailed in the "Staff Evaluation by the Office of Nuclear Reactor Regulation of SMUD Approach to Compliance with RG 1.75 for New Diesel Generator Installation at Rancho Seco." This report specifically addresses: equipment separation, raceway separation, separation between redundant Class 1E raceways, wiring separation within enclosures, and raceway/circuit identification. The staff's onsite review of the physical separation provided between redundant Class 1E EFIC circuits, and between Class 1E EFIC circuits and non-Class 1E circuits, confirmed that the installation at Rancho Seco was as described in ERPT-E0220. Based on the review of ERPT-E0220, the staff concludes that the licensee's approach to demonstrating overall compliance with RG 1.75 requirements is acceptable.

The information available in the control room for the operators to assess EFIC system status/performance is provided by the interim data acquisition and display system (IDADS), and instruments located on the EFIC system control console HISS (E). The IDADS is a plant process computer system that monitors plant conditions and performs various calculations, trending, alarm, and post transient data logging functions. Essentially all EFIC system status alarms are provided by the IDADS. The IDADS is a non-safety related system, and is isolated from the safety related EFIC system via an Anatec remote multiplexer system. The IDADS interface with the operators is two CRT displays located in the primary operating area of the control room. IDADS displays are also provided in the technical support center (TSC). Each IDADS alarm must be acknowledged by the operator, the condition that initiated the alarm must return to normal, and the IDADS alarm display must be "reset" in order for the alarm condition to clear. This design is similar to that of the control room main annunciators. During normal plant operation, each IDADS alarm condition sounds a bell, which is distinguishable from the main annunciator horn, and each alarm condition is logged by a printer in the control room. During a plant event (defined as a plant condition involving a reactor trip, SFAS actuation, EFIC system actuation, loss of offsite power, or main turbine trip) the IDADS alarm bell is suppressed for "non-critical" alarms; however, all alarm conditions will continue to be printed out in sequence. The IDADS includes a "plant event alarm summary" display (modeled after the main annunciator panels) that is automatically provided to the operators whenever a "critical" plant event alarm condition occurs (e.g., EFIC system actuation/isolation). The plant event alarm summary display is considered to be of equal importance as the main annunciators. The IDADS displays use white to signify a normal plant condition, reverse magenta for alarm conditions, reverse yellow upon operator acknowledgement, and blinking white upon return to normal. The human factors aspects of the IDADS will be evaluated as part of the detailed control room design review (DCRDR) to be completed following plant restart.

The EFIC system status alarms provided by the IDADS include:

o AFWS actuation,
o MFWS isolation,
o loss of reactor coolant pump(s),
o approach to trip on OTSG high/low level, and OTSG low pressure,
o OTSG overfill,
o OTSG low level trip,
o OTSG low pressure trip,
o AFW flow test valve open,
o EFIC system power failures,
o EFIC system channel in maintenance bypass or module withdrawn,
o vector logic isolation of AFW, and
o transfer of EFIC system control to the remote shutdown panel

In addition to the information provided by the IDADS, the reactor operator has status indicators for EFIC system parameters on control room panels HISS (E), H1RC, H2YS, and H2SF, and local indications are provided on the EFIC system Channel A, B, C, and D cabinets. Panel HISS (E) provides the operator with the immediate information needed to determine the status of the EFIC system and the OTSGs should the IDADS be unavailable, and provides the operator with the means to manually initiate EFIC system safety functions. The following indications are provided on HISS (E):

o OTSG A and B narrow range level,
o OTSG A and B wide range level,
o OTSG A and B pressure,
o AFW pump P-318 and P-319 discharge pressure,
o Dual indication of AFW flow to OTSG A and B, and
o Flow indication for the AFW test line.

Controls are provided on HISS (E) for manual operation of the AFWS pumps and valves. The operator has the capability to override EFIC control of the AFWS and assume manual control. Valve position indication is provided for the AFWS flow control valves, isolation valves, crosstie valves, and test valve. The circuits provided for manual initiation of AFW are designed such that a single failure will not prevent manual initiation, and such that failure of the automatic initiation circuits will not preclude manual initiation and vice versa.

Each channel of the EFIC system is testable during plant operation. The testing features are designed to comply with Sections 4.9 (Capability for Sensor Check) and 4.10 (Capability for Test and Calibration) of IEEE Std 279. The EFIC system circuitry can be tested during plant operation from the sensor outputs up to and including the trip actuation devices, without causing spurious actuations, or preventing valid automatic actuation of the AFW system when required. The testing is accomplished by the use of pushbutton switches that initiate and reset a "half-trip" condition in the actuation circuitry for EFIC system controlled equipment. The EFIC system includes "test results" circuit status lights that indicate a successful test upon proper operation of the actuation circuitry to achieve the half-trip condition. Calibration of the process sensors providing inputs to the EFIC system will be performed with the plant at cold shutdown. Instrument channel operability will be checked once per shift by comparing the indicated values (readouts) from redundant channels monitoring the same variables to ensure they are in agreement.

The periodic surveillance testing proposed by the licensee for the EFIC system is listed in Table 4.1-1, "Instrument Surveillance Requirements," of proposed Amendment No. 152, Revision 2, to the Rancho Seco Plant Technical Specifications. The proposed amendment was transmitted from SMUD to NRC by letter GCA 87-263 dated July 31, 1987, and it includes a proposed Table 4.1-1 that identifies the required frequencies for making instrumentation checks, tests and calibrations. In general, EFIC system instrument channels are checked each shift, tested monthly, and calibrated at each refueling outage. The EFIC system AFW manual initiation circuits, automatic actuation logic and bypass circuitry are functionally tested on a monthly basis. The MFW isolation and AFW valve control manual and automatic circuits (including vector signals) receive similar surveillance testing. The ADV control circuits are also tested monthly.

The staff reviewed the following preliminary EFIC system surveillance procedures (the final EFIC system surveillance procedures had not been completed by the licensee at the time of this review):

o SP 1; Shift Surveillance and Instrument Check
o SP 2; Daily Instrument Checks and Systems Verification
o SP 98; Monthly Test of Auxiliary Feedwater Atmospheric Dump Valve Manual Controls
o SP 99; Refueling Interval Auxiliary Feedwater System Auto Start Test for EFIC Actuation
o SP 495A, B, C & D; Monthly Test of EFIC Channel A (B,C,D) Pressure and Level Bistables and Bypasses
o SP 496A & B; Monthly Test of EFIC Channel A (B) Manual and Automatic Trip Logic, Steam Generator Level, and Pressure Controls
o SP 498; Monthly Test of EFIC Vector Logic
o SP 499A, B, C & D; Refueling Interval Calibration of EFIC Channel A (B,C,D) Pressure Circuitry, Pressure Bistables and Time Delay Module

The preliminary procedures were reviewed to verify that (1) the scope of the tests is sufficient to fulfill the testing requirements identified in proposed Table 4.1-1 of the Rancho Seco Technical Specifications, (2) the tests provide complete end-to-end overlap testing such that the entire EFIC system is demonstrated to be operable, including coincident logic and actuation devices, (3) testing of all EFIC system input signals is performed, including those provided by the RPS and SFAS, and (4) operability of EFIC system control room indications provided to the operators are included in the tests. Based on its review, the staff concludes that the above procedures, with the exception of SP1 and SP2, are adequate to perform the desired EFIC system testing as required by the Rancho Seco Technical Specifications, and therefore, are acceptable.

However, the staff has not reviewed test procedures SP500A,B,C & D for the EFIC system level circuitry, level bistables and time delay modules. The licensee has stated that these procedures are essentially identical to SP499A,B,C & D, which were reviewed. Neither has the staff reviewed test procedures SP406A,B,C & D or SP42A & B which are used to verify operability of the RPS and SFAS interfaces with the EFIC system and the associated EFIC system circuits. Based on discussions with the licensee, these tests involve the initiation and subsequent reset of half-trip conditions similar to other EFIC system tests described above, and appear to be acceptable. The staff will review the final EFIC system test procedures upon completion.

SP1 is the procedure used to fulfill Technical Specification requirements for EFIC system instrument channel checks performed each shift. SP1 does not include provisions for verifying operability of EFIC system indications (vertical indicators) for OTSG level and pressure displayed on control room panel HISS (E). SP1 currently verifies instrument channel operability by comparing redundant input signals prior to the indicators. This type of channel check verifies operability of all four sensors by comparison of redundant input signals. However, the staff believes that SP1 should also require comparison of displayed values to detect failures that may have occurred in the indicators (or their input circuits) used by the control room operators (only two of the four channels are displayed). SP2 is used to verify operability of the EFIC system backup bottled air supplies by reading local pressure indications. SP2 does not specify what constitutes an acceptable pressure value (i.e., acceptance criteria are not provided), nor does SP2 include provisions to ensure that both redundant backup air supplies are checked. The licensee should revise SP1 and SP2 to resolve the above concerns.

Any procedural concerns related to Technical Specification requirements will be resolved prior to restart. The proposed Technical Specifications require the licensee to complete EFIC surveillances before declaring the system operable. Acceptable surveillance procedures are a prerequisite to acceptable surveillance results.

The staff has reviewed the operability requirements for EFIC system instrumentation, the required limiting conditions for operation (LCO) and associated action statements for when operability requirements cannot be met, as listed in Table 3.5.1-1, "Instruments Operating Conditions," of the Rancho Seco Technical Specifications. Table 3.5.1-1 has been modified subsequent to proposed Amendment No. 152, Revision 2, as agreed to between the staff and the licensee.

In general, if one of the four EFIC system channels monitoring a parameter becomes inoperable, it must be restored to service within 7 days or the reactor is to be placed in at least hot shutdown within the next 12 hours. Although 7 days is longer than typically allowed by the Standard Technical Specifications (STS), the staff considers 7 days to be acceptable because even with an inoperable channel, the EFIC system will perform its AFW initiation and MFW isolation functions given a single failure. If a second EFIC system channel should become inoperable, one of the inoperable channels must be placed in trip, and one of the inoperable channels must be restored to service within 48 hours. If these conditions are not met, the reactor must be placed in at least hot shutdown within the next 12 hours. If more than two channels become inoperable, the reactor is to be brought to hot shutdown within 4 hours and cold shutdown within the subsequent 12 hours.

If one of the EFIC system manual initiation circuits/channels or automatic actuation logics should become inoperable (these circuits consist of two channels/trains as opposed to the four channels used to monitor EFIC system initiating parameters), the inoperable channel must be restored to an operable status within 48 hours or the reactor is to be in at least hot shutdown within the next 12 hours. Should both channels ever be inoperable, the reactor is to be placed in hot shutdown within 4 hours and be in cold shutdown within the next 12 hours. The 48 hour out of service time for one of these channels is consistent with EFIC system operability requirements at other B&W operating reactors, and with STS allowed out of service times for engineered safety features (ESF) system equipment.

In order to allow routine periodic surveillance testing to demonstrate operability of EFIC system instrumentation without placing the plant in a LCO, an EFIC system instrument or logic channel may be removed from operation for a maximum of 6 hours provided that the remaining redundant channels are operable.

Based on its review, the staff concludes that the Rancho Seco Technical Specification operability and surveillance requirements proposed for the EFIC system are acceptable.

k. Conclusion

Based on the review of EFIC system design documents, electrical schematic/elementary diagrams, logic diagrams, proposed technical specification operability and surveillance requirements, additional system design information provided by the licensee, and an onsite review of the installed EFIC system, the staff concludes that the EFIC system complies with (1) the requirements of NUREG-0737, Section II.E.1.2 regarding safety grade automatic initiation of the AFW system, and (2) the criteria applicable to ESF systems identified in Section 7.3 of the Standard Review Plan (NUREG-0800), and therefore, is acceptable.


3.0 AUXILIARY FEEDWATER (AFW) SYSTEM

a. Definitions

The proposed changes would add the words "unless otherwise specified" to the requirement to not remain critical in the Definition, "Remain critical," Section 1.2.10 of the TS.

b. Steam Generators

The proposed change would revise subsection 3.1.1.2, "Steam Generators," of Specification 3.1, "Reactor Coolant System," to require that two steam generators shall be operable whenever the reactor coolant average temperature is above 280 F. This is a more restrictive requirement since the current technical specification requires only one operable steam generator whenever the reactor coolant average temperature is above 280 F. Therefore, the proposed change is acceptable.

c. LCOs For Reactor to Exceed 280 F & LCOs For Reactor to Remain Critical

The proposed changes would revise Sections 3.4.1 and 3.4.2 of Specification 3.4, "Steam and Power Conversion System," to require redundant decay heat removal trains to be operable when the RCS temperature is above 280 F. This is more restrictive than the current TS which requires only one decay heat removal train during some plant operating conditions. Therefore, the proposed changes are acceptable.

d. Testing of Auxiliary Feedwater Pump Performance

The current Section 4.8.1 of Specification 4.8, "Auxiliary Feedwater Pump Periodic Testing," requires that during the periodic testing of the auxiliary feedwater pumps (AFWP), the acceptable performance for each pump is to deliver 780 gpm AFW flow at a discharge pressure of 1050 psig. The proposed TS change will reduce the required AFWP capacity to deliver 475 gpm of flow to a steam generator at a pressure of 1050 psig through the most restrictive flow path.

In a letter dated July 31, 1987, the licensee stated that this reduction in required AFW flow is based on an analysis which shows that, on a loss of main feedwater transient with an assumed AFW flow rate of 475 gpm, the primary and secondary system transient conditions will remain within acceptable limits. This analysis is documented in 1) Rancho Seco AFW Minimum Flow Analysis, SMUD Document Z-FWS-I-00150, B&W Document 86-1167930, and 2) SMUD Minimum AFW Justification, SMUD Document ERPI-I-0018, B & W Document 51-1167962.

In the second document (B&W 51-1167962), the licensee provides the results of an evaluation of the impact of AFW flow on all transient and accident analyses in the Updated Safety Analysis Report (USAR). Among the events that were identified as requiring AFW to some extent in order to meet the acceptance criteria of the event, the licensee provided a qualitative evaluation and identified the loss of main feedwater transient as the most limiting event for determination of the minimum required AFW flow rate. The staff has evaluated the licensee's assessment and finds it reasonable and acceptable.

The first document (B&W 86-1167930) provides the results of the loss of main feedwater transient. In this analysis, the RELAP5/MOD2 digital simulation code was used. A run matrix consisting of 4 RELAP5 runs was completed. Cases 1 and 4 were a loss of feedwater with no anticipatory reactor trip on turbine trip (ARTS), whereas cases 2 and 3 assumed the ARTS to be operable.

In response to the staff request, the licensee identified the difference in assumptions and boundary conditions used between the new analyses and the 1981 AFW verification analysis. The major differences are as follows:

(1) The 1981 AFW verification analysis implemented the 1973 ANS decay heat curves with a multiplier of 1.2. The present analysis assumed 1979 ANS decay heat curves with a multiplier of 1.0.

(2) The AFW flow of 760 gpm was assumed in the previous analysis with AFW delivered to both steam generators (380 gpm per steam generator). AFW flow is delivered at 550 or 475 gpm to one steam generator in the present analysis.

(3) The reactor coolant pump (RCP) heat input in the 1981 analysis was 16 MWt whereas the RCP heat addition in the present analysis is 6.0 MWt. However, hand calculations were performed to account for an additional 10 MWt in the present analysis. The results of the hand calculations indicate that the results of the transient are still acceptable.

The staff has evaluated all assumptions used for the present analysis and concludes that they are reasonably conservative and acceptable.

The RELAP5/MOD2 digital simulation code was used for this analysis. This thermal hydraulic system code used by B & W has not been reviewed and approved by NRC staff. In response to the staff concern regarding the capability to use this computer code for the subject analysis, SMUD in its document Nos. 2-FWS-I-00150 and ERPT-I-0018 provided a noding diagram of the RELAP5/MOD2 model. The model consists of 170 control volumes and 210 heat structures. All of the primary and secondary system metal heat capacity has been accounted for.

A RELAP5/MOD2 comparison to plant transient data is provided. This is a benchmark of a loss of feedwater transient from 90% power at Davis-Besse on June 9, 1985. Boundary values from the plant transient data were used as inputs into the RELAP5/MOD2 computer code. From the point where the reactor tripped, the rate of cold leg temperature and RC pressure increase is much greater in RELAP5/MOD2 than in the plant transient data. Plant transient data indicated a 10 psi overshoot while RELAP5/MOD2 predicted a 90 psi overshoot. Both cases showed the peak pressure at the point when the hot leg temperature began to decrease. The excessive overshoot is a result of the conservative reduction in steam generator heat transfer in RELAP5/MOD2. Based on this code verification, the staff finds that there is reasonable assurance that the results of the SMUD calculation for the Rancho Seco loss of feedwater transient using RELAP5/MOD2 are conservative and acceptable. However, the staff acceptance of the subject analysis using RELAP5/MOD2 does not mean the staff generically approves the use of RELAP5/MOD2 for future licensing analyses for Rancho Seco.

The results of the licensee's new analysis show that the conservative case, which did not take credit for ARTS, and for which an AFW flow rate of 475 gpm was assumed, met the acceptance criteria of RCS pressure not exceeding 2750 psig and the pressurizer not going solid. The best estimate case, which did take credit for ARTS, and for which an AFW flow rate of 475 gpm was assumed, also met the above acceptance criteria plus the more restrictive criteria of not lifting a safety valve and keeping pressurizer level on scale.

Based on the above, the staff concludes that the results from the present analyses justify a reduction in the minimum required AFW flow rate to 475 gpm. Therefore, the proposed change of TS Section 4.8.1 is acceptable.

4.0 SUMMARY

On the basis of the above consideration, the staff has concluded that the changes proposed by the licensee to the plant technical specifications comply with the Commission's requirements in Section II.E.1.2 of NUREG-0737, Section 7.3 of NUREG-0800 and other applicable acceptance criteria.

5.0 CONTACT WITH STATE OFFICIAL

The NRC staff has advised the Chief of the Radiological Health Branch, State Department of Health Services, State of California, of the proposed determination of no significant hazards consideration. No comments were received.

6.0 ENVIRONMENTAL CONSIDERATION

This amendment involves changes in the installation or use of facility components located within the restricted area as defined in 10 CFR Part 20. The staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that this amendment involves no significant hazards consideration and there has been no public comment on such finding. Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

7.0 CONCLUSION

We have concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, and (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors:

R. Kendall
C. Liang

Dated: January 5, 1988
