ML18079A949

From kanterella
Revision as of 06:03, 6 January 2025 by StriderTol (talk | contribs) (StriderTol Bot change)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Technical Evaluation of Electrical,Instrumentation & Control Design Aspects of Low Temp Overpressure Protection Sys
ML18079A949
Person / Time
Site: Salem PSEG icon.png
Issue date: 08/21/1979
From: Laudenbach D
LAWRENCE LIVERMORE NATIONAL LABORATORY
To:
Shared Package
ML18079A941 List:
References
NUDOCS 7909210359
Download: ML18079A949 (16)


Text

\\.

SELECTED ISSUES PROGRAM TECHNICAL EVALUATION OF THE ELECTRICAL, INSTRUMENTATION, AND CONTRDL DESIGN ASPECTS OF THE LOW TEMPERATURE OVERPRESSURE PROTECTION SYSTEM FOR THE SALEM NUCLEAR POWER PLANT, UNIT 1 by D. H. Laudenbach*

  • EG&G, Energy Measurements Group, San Ramon Operations

--*-*-'**~-*e.--- *-*

This report doc1JT1ents the technical evaluation of the electrical, instrunentat ion, and control des-i gn aspects of the low tenperature over-pressure protection system for the Sal em nuclear power pl ant, Unit 1.

Design basis cr.i"teria used to evaluate the acceptability of the system include operator action, system testability, single failure criterion, and seisnic Category I and IEEE Std-279-1971 criteria. This report is supplied as part of the Selected Electrical, Instrunentation, and Control Systems Issues Support Program being conducted for the U. S. Nuclear Regulatory Commission by Lawrence Livermore Laboratory.

TECHNICAL EVALUATION OF THE ELECTRICAL, INSTRUMENTATION, AND CONTROL DESIGN ASPECTS OF THE LOW TEMPERATURE OVERPRESSURE PROTECTION SYSTEM FOR THE SALEM NUCLEAR POWER PLANT, U_NIT 1

1.

INTRODUCTION By 1 etter to the Pub 1 ic Service Electric and.Gas Company {PSEG) dated August 27, 1976, the U.S. Nuclear Regulatory Commission (NRC) re-quested an evaluation of system designs to determine susceptibility to overpressuri zat ion events and an analysis of these possible events, and proposed interim and permanent modificat i ans to the systems and procedures to reduce the 1 ikel ihood and consequences of such events.

By letter dated October 25, 1976 and subsequent letters (refer to "the Appendix), the Public Service Electric and Gas Company submitted the additional information requested by the NRC staff,.including the acininistrative operating proce-dures and the proposed low temperature overpressure protection mitigating system.

The system hardware includes sensors, actuating mechanisms, alarms, and valves to prevent a reactor coolant system transient from ex-ceeding the pressure and temperature limits of the Technical Specifications for Salem Unit las required by the Code of Federal Regulations, Title 10, Part 50 (10 CFR 50), Appendix G.

The purpose of this report is to evaluate the Licensee's equipnent and procedures based on the information provided (refer to the Appendix), and to define how well they meet _the criteria established by NRC as necessary to prevent unacceptable overpressurization events.

'""".'. :~

2.

EVALUATION OF SALEM UNIT 1

2.1 INTRODUCTION

Review of the Salem Unit 1 low temperature overpressure protec-tion system design by PSEG was begun in 1976 at NRC's request.

The overall approach to eliminating overpressure events incorporates administrative, procedural, and hardware controls, with reliance upon tbe plant operator as the principal line of defense.

Preventive administrative/procedural mea-sures incl ude:

(lJ Procedural precautions *

. (2)

  • aeenergization (power removed) *of nonessential and essential components which are not required to be operable during the cold shutdown mode of operation.

(3)

Maintenance of a non-water-solid *reactor coolant system condition whenever possible.

(4)

Incorporation of a low pressure relief setpoint for*

the existing power-operated relief valve (PORV) con-trol logic.

The design basis criteria that were applied in evaluating the acceptability of the electrical, instrunentation, and control aspects of the low temperature overpressure protection system (OPS) are as follows:

(1)

(2)

(3)

Operator Action.

No assunption of operator action is made unt i 1 ten minutes after the operator is aware, through an action alarm, that a pressure transient is in progress.

Single Failure Criterion.

The OPS. shall be designed to protect the reactor vessel given a single failure which is in addition to the failure that initiated the pres?ure transient *.

System Testability.

The OPS must be testable on a periodic basis prior to dependence on th~ OPS to perform its function.

- 2

.. ~.

.. ', ~ ' '

(4}

---~----*-*... -. - __.. __.__

Seismic Category I and IEEE Std-279-1971 Criteria.

The OPS should satisfy both the seismic Category I and IEEE Std-279-1971 criteria.

The basic objective is that the OPS should not be vulnerable to a failure mode that would both initiate a pressure transient and disable the low temperature overpressure mitigating system.

Events such as loss of instrlJllent air and loss of offsite power must be considered.

2. 2 PSE G PRESSURIZER OVERPRESSURE PROTECTION SYSTEM DESIGN The PSEG Pressurizer Overpressure Protection System (POPS) design
  • information deta.iled in this section was derived from Reference 5 in the Appendix.

The PSEG design for the Salem Unit 1 POPS is a two-train over-pressurization mitigating system which uses separate and independent pres-sure transmitters to open the two pressurizer PORV's (lPRl and 1PR2) in the event that reactor coolant system (RCS) pressure exceeds the preset value of 3TS psig.

This automatic action takes place provided the system has been manually enabled by placing two keylocked pushbuttons in ~e 11on 11 position.

The system will be enabled whenever the RCS is below 312 F.

Each PORV is actuated by its own logic relay which is energized by a bistable device.

The bistable device is energized when the RCS pres-sure exceeds the setpoint. Existing installed pressure sensors are used to develop the signal for valve _actuation.

These are the same sensors which provide automatic closure of the residual heat removal (RHR) suction paths at 600 psig.

Operation of the POPS is governed by t\\'<<>. administratively con-trolled, keyl ocked pushbuttons which perform three functions, as follows:

(1)

When the RCS temperature is 1 ess than 312°F, the system is armed by depressing the 11on 11 pushbutton for each POPS train.

(2)

If ~he temperature should subsequently increase above 312 F, an actuation signal to open the motor-operated valves (MOV' s) upstream of the PORV's is initiated as well as an alarm to indicate that the POPS is armed.

In this mode of operation, the PORV wi 11 be opened automatically if the RCS pressure exceeds 375 psig.

{3)

When the RCS temp~rature increases above 312°F, the 11off 11 pushbutton for each POPS.train is depressed.

This action removes the opening permissive signal to the PORV, removes the opening signal from the associ-ated MOV, and provides an alarm.to. indicate that the *.

~

. __:__J

system is disanned i~ the temperature is subsequently decreased below 312 F.

Upon actuation, the valves wi 11 open and wi 11 reset when system pressure de-creases below 375 psig.

RCS pressure and temperature instrtmentation are provided which pennit the operator to monitor the above parameters.

An alarm is provided on the main control console to inform the operator of a POPS initiation.

Valve position indicator lights inform the operator when the valves have opened.

  • In addition, a computer-generated al ann informs the *operator of an impending pressure e'xcursion beyond the Techni.cal Specification 1 imits.

The POPS i s designed as a 11 protection grade 11 system in accordance with the applicable portions of IEEE Std-279-1971.

The use of proven d~vices*provides assurance that the system is compatibl~ with other pro-tection system equiµnent.

The use of adninistrative controls to ann the POPS is considered acceptable due to the infrequency of low-pressure, low-temperature operation.

The effects of various failures have been considered in the POPS design.

These.failures incl.ude 1 oss of control air and loss of station power.

Due to the two-train design, failures within the POPS cannot cause a.loss of protective function.

Failures capable of causing an overpres-surization event cannot cause failures within the POPS or prevent operation of the system.

An air accumulator is provided for each PORV in case of a loss of control air failure *. The accLmulators are sized to provide enough control air for up to 100 cycles of PORV valve opening and closing.

The accLmula-tors are designed 'to seisnic Category I_ requirements, and are provided with an alann which will alert the operator to a low air pressure condition.*

The.accl.ITlulator design thus precludes a total loss of control air to the PORV's.-

A loss of station power failure will not affect the POPS since protection logic power is provided by inverters, and control power for the PORV's originates at the batteries.

In the event that one PORV opens on a false signal or upon trans-mitt~r failure at~ time when protection is not required, a depr~ssuriza tion of the RCS would occur.

Any such depressurization would be less severe than those analyzed in the FSAR, Section 14.1.2.

The discharge through the PORV can be tenninated by' operator action, thus minimizing the effects of the transient.

2. 3 EVALUATION OF SALEM UNIT l USING DESIGN BASIS CRITERIA Salem.Unitl was evaluated under the guidance df the fourdesign basis.criteria stated in S~ction 2.1 of this evaluation, and with specifi~

. attention given to various pertin_ent NRC staff positions resulting from these criteria.

Sections 2.3.1 through 2.3.4 are concer.ned *with the four design basis criteria.

...:.. 4 -

'*,,I

\\

2.3.1 Operator Action In e.ach design basis transient analyzed, no credit for operator action was assuned until 10 minutes after the initiation of the RCS over-pressurization transient* and after the operator is made aware of the over-pressure transient.

Operator awareness of the overpressure transient will be derived by the low temperature overpressure transient alarm.

PSEG states in Reference* 5 that the POPS requires no operator

. action other than to enab 1e 0 the system prior to operation when the RCS temperature is less than 312 F.

All *other protective action is then per-formed automatically.

2.3.2 Single Failure Criterion PSEG states in Reference 5 that the POPS is designed to protect the reactor vessel given a single failure in addition to the failure that in.itiated the overpressure transient.

Redundant or diverse pressure pro-tection channels are used to satisfy the single failure** criterion.

The POPS* incorporates redundancy and separation. of pressure transmitters, logic, and valves in a channelized system. Single failures within the POPS wil 1 not defeat the safety function.

In addition, single failures which are capable of initiating a pressure transient cannot cause failures within the POPS which would render it unable to provide protection.

We conclude that the PSEG Salem Unit l POPS satisfies the NRC staff single failure criterion.

2. 3. 3 System T estabi 1 ity The NRC staff position requires that the POPS control circuitry

. from pressure sensor to valve solenoid shal 1 be tested prior to each heatup and cool down.

The PORV

  • s should be tested during each refueling.

Deviations from these criteria should be justified.

PSEG states in Reference 5. tha.t testing provisions in the POPS circuitry allow J:or test opening of the PORV's prior to anning of the system below.312 F.

The 11test 11 pushbutton, when depressed, will operate the P\\:RV provided that the associated upstream MOV is closed.

Other por-tions of the POPS can be tested in a manner similar to othe~ plant protec-tion systems.

The POPS design provides for testing of the analog *circuitry any.time the RHR suction valves from the RCS are closed.

The PORV 1 s (lPRl and 1PR2) can be tested prior to entry into a water-sol id condition by use of the POPS "functional test" pushbutton.

The POPS is designed to function during low-temperature low-pressure operating conditions and,. therefore, periodic testing of the system during power operation is not planned.

5

'.. *.. _:.-~ *... ' : :

*/*

I'

~-~~-~~~--------'-~--------_;...;...-......-'""-"-'...__;.,....;____.......;__'-'--~_;_-'--'-_;__,,;._.:,_._*~*~*'~-_;_c.._,;:_---..;.J


'*****-*. -- ----~------- *~

The safety evaluation report (SER)., dated December 1977, by the NRC Reactor Safety Branch/Division.of Operating Reactors (RSB/DOR) for the Salem Unit 1 OMS states that:

(1)

Testability will be provided.*

(2)

PSEG has stated that verification of operability is possible prior to RCS low tenperature operation by use of the remotely. operated i sol at ion valve, enable/

disable switch, and nonnal electronics surveillance methodology.

(3)

Testing requirements will be incorporated in the Technical Specifications as. discussed in Section 4.2 of this evaluation.

We conclude that the PSEG Salem Unit 1 POPS-satisfies the NRC staff system testability criteria.

  • It is recomnended that the NRC *staff ensure that thorough.surveillance of the POPS from sensor to valve solenoid and proper PCRV testing are adequately described in the PSEG Salem Unit 1 Technical Specifications.
2. 3. 4 Seismic Design and IEEE Std-279-1971 Cri~eria.

PSEG states in Reference 5 that the POPS design meets sei-smic Category I criteria for all equipment required to open the PORV' s, and that the instrurientation* and actuating circuitry meet the applicable require-ments of the IEEE Std-279-1971 criteria.

We conclude that the PSEG Salem Unit 1 POPS satisfies the NRC seisnic design and IEEE St.d-279-1971 criteria.

2.4 ALARM SYSTEMS DESIGNS AND OPERATION Specific details concerning alann systens designs and operation for the POPS are described below.

2.4.l High-Pressure Alarm The NRC staff position requires that a high-pressure audio/visual alarm shall be used during low RCS tet1perature o*perations as an effective means to provide unambiguous information and alert the operator that a pressure transient is in progress.

PSEG states in Reference 5 that. the high;.. pressure alarm system design is as follows:

~'

~."*

(1)

The hig.h-pressure al a!ili annunciates. on the main cog:-

trol. board when the RCS temperature i_s _less than 312 F and th~. RCS pr~ssur~ is gre~ter than 360 psig.

'*~.:.-

(2)

(3)

(4)

The annunciator provides both visible and audible signals.

Operator action is required to acknowledge the alann.

In addition, a computer-generated alann infonns the operator of an impending pressure excursion beyond the Technical Specification limits.

We conclude that this design satisfies the NRC staff position.

2.4.2 Isolation Valve Alarm The NRC staff position requires that (1)

(2)

The upstream isolation valve shall be wired into the overpressure protection alann so that the alann will not clear unless the system is enabled and the isola-tion valve is open.

  • The alann shall be of the audio/visual type and pro-vide unambiguous infonnation to. the operator.

PSEG states in Reference 5 that the isolation valve alarm system design is as follows:

(1)

The upstream PORV isolation valves {1PR6 and 1PR7) are wired into the RCS POPS in such a way that hand-switch activation of the POPS will result in the opening of the isolation valves.

(2)

An open-close indicator for each isolation valve is provided on the main. control board.

We conclude that.thfs design does Std-279-1971(4 *. 20) and the NRC staff po~i_tion.

fully satisfy IEEE 2.4.3 Enable Alann The NRC staff position re qui res that (1)

An alann shall be activated as part of the.plant cooldow.n process to. ensure that the PORV 11 low 11 set-point is activated Before the RCS tenperature is _equal to or less than 312 F.

- 7

. '-- _._ __ *. -'--'---~

    • J

(2)

The alann shall be of the audio/visual type and pro-vide unambiguous infonnation to the operator.

PSEG states in Reference 5 that the enable alann system design is as fol lows:

2.4.4 (1)

A PORV 11low 11 reset alann is activated 'tf!oen the RCS temperature is equal to or 1 ess than 312 F, and en-sures that the PORV 11low 11 setpoint is activated.

(2)

Once the PORV's are reset to the "low" relief posi-tion, an annunciator window will remain lit to

.indicate the "low" PCRV mode of operation.

The annun-

  • ciator will remain in this mode until the PORV's are reset to the "high" position.

(3)

After the PORV's are set to the "low"* position, the overpressure transient alann 0becanes operational only at RCS temperature below 312 F.

When the PORV' s are reset to provide low temperature relief at 375 psig, plant cooldowri can be resiJmed.

We conclude that this design satisfies the NRC staff position.

Disable Alarm The NRC staff position requires that (1)

An al ann shall be activated as part of the pl ant heatup process to ensur~ that the PORV's are reset to the "high" setBoint when the RCS temperature is greater than 312 F. *

(2)

The a 1 ann sha 11 be of the audio/ vi sua 1 type and pro-vide unambiguous information to_ the operataor.

PSEG states in Reference 5 that the disable alarm system design is a~ fo.llows:

( 1).

(2)

~...

During the pl ant heatup, norma 1 operating procedures will maintain the RCS pressure b0low 375 psig until the RCS temperature e6ceeds 312 F.

  • When the RCS temperature exceeds 312 F, nonnal operating procedures re qui re that the PORV' s are reset to the "high" set-poi nt.
  • At the same tirile, the overpressure* transient al ann wil b be deeriergi zed when the RCS temperature exceeds 312 F.

In order t6 ensure that the PORV'~ are reset to the "high" setpoint, an alann* will be activated

- 8

. * - i.

2.4. 5 when the RCS pressure exceeds 375 psi g.

After the PCRV' s are reset to the "high" setpoint, nonnal heatup will continue accordingly.

We conclude that this design satisfies the NRC staff position.

PORV Open A 1 arm The NRC staff pos.ition requires that an audio/visual alarm shall be activated to provide unambiguous infonnation and alert the operator that a PORV is in the "open" position.

PSEG states in Reference 5 that the PORV open al ann system design

.is as follows:

The pressurizer PORV' s have open/shut indicators on the main control board.

We conclude that this design does Std~279-1971 (4.20) and the NRC staff position.

fully satisfy IEEE

  • 2. 5 PRESSLRE TRANSIENT REPORTING AND RECCRDING REQUIREMENTS The NRC staff position is that a pressure transient which causes the POPS to function, thereby indicating the occurrence of a serious pres-sure transient, is a 30-day reportable event.

In addition, pressure-

. recording and temperature-recording i nstrlJllentat ion are required to provide a permanent record of the pressure transient.

The response time of the

  • pressure/temperature recorders shall be compatible with pressure transients that increase at a rate of approximately 100 psig per second.

PSEG states in Reference 2 that four o°F-to-700°F temperature recorders are installed in the control room to verify canpliance with the.

10 CFR 50, Appendix G pressure-temperature limits during startup, shutdown, or periods of cold shutdown.

The recorders monitor the hot-leg and cold-

" 1 eg temperatures on each of the four loops.

A pressure recorder and two pressure indicators are also. installed in the control room to monitor the hot-leg pressure.

These instrtJnents are kept in service during all modes of operation.

We conclude that this implementation, if properly incorporated in the PSEG Salem Unit 1 Technical Specifications, satisfies the NRC staff position.

9

2.6 DISABLING OF ESSENTIAL COMPONENTS NOT REQUIRED DURING COLD SHUTDOWN Tile NRC staff position requires the deenergizing of safety injec-tion system (SIS)* punps and the closure of safety injection. (SI) header/

'discharge valves during cold s~utdown operations.

PSEG states in References 3 and 5 that the disabling of essential components not required during cold shutdown is as follows:

(1)

During plant cooldown, the power to both SI punps is removed by racking out the power cf.Upply breakers When the RCS temperature is below 350 F.

Al so, SI header i-sol at ion valves are shut and their power is removed.

(2)

The SI punps are geenergized whenever the RCS tempera-ture is below 312.F except when a special surveillance test is being conducted.

During these procedures, only one SI pU11p. is energized.

Tilis allows POPS to maintain the RCS pressure below the 10 CFR 50, Appen-dix G 1 imit in case an inadvertent mass addition from.*

  • the single SI punp occur during thjs procedure.

We conclude that this implementation, if properly incorporated in.

the PSEG Salem Unit 1 Technical Specifications, satisfies the NRC staff

  • position.

J. *'.*

  • .' ~-

- 10. -

-~-

3.

TECHNICAL SPECIFICATIONS The Technical Specifications infonnation detailed in this section was derived from the RSB/DOR SER entitled, "Safety Evaluation Report of the Overpressure Mitigating System for Salem Nuclear Plant Unit 1 11,

dated

  • December 1977.

To ensure opera ti on of the POPS, the Licensee is to submit for NRC staff review its Technical Specifications for incorporation into the license for Salem Unit 1.

The Licensee should ensure that the proposed Technical Specifications are canpatible with other Licensee requirements and are consistent.with the-intent of the statements listed below:

(1)

(2)

(3)

(4)

(5)

. - {6)

  • Both PCRV 1 s must 'be operable whenever the RCS temper-ature is less0 than the minimum pressurization tem-perature (312 F); however, one PORV may be inoperable for seven days and still meet the single failure criterion.

If these conditions cannot be met, the primary system must be depressurized and vented to the atmosphere or to the pressurizer relief tank within eight hours.

Operability of the POPS requires that the low-pressure setpoint will be selected, the upstream isolation valves opened, and the backup air supply charged.

No more than one high-heat 0SI pllllp may be energized at RCS temperatures below 312 F.

A reactor cool ant pllllp may be. started or jogged only if there is a steam bubb 1 e ig the pressurizer, or if the SG/RCSllT is less than 50 F.

The POPS must be tested on a periodic b~sis consistent with the need for its use.

Failure of the.POPS.to operate when required is a reportable event~

.;. JI-*.**

4.

COOCLUSIONS The electrical, instrunentation, and control (EI&C) design as~

pects of the 1 ow temperature pressurizer overpressure protection system (POPS) for Salem Unit 1 were evaluated using those design criteria origi-nally prescribed by the NRC staff and later expanded during subsequent discussions with the Licensee.

We reccimmend that the NRC staff find the following EI&C aspects of the PSEG Sal en Unit 1 POPS design acceptable:

(1)

Operator action*

  • ( 2 )

Si n g l e fa i 1 u re c r i t er i on (3)

Seismic Category I and IEEE-279-1971 (4)

High pressure alarm (5)

Enable alarm (6)

Disable alarm.

. -12..-

APPENDIX I;) -

~.

REFERENCES

1.

NRC (Kniel) letter to PSEG (Librizzi) dated August 27, 1976.

2.

PSEG (Librizzi) letter to NRC (Kniel) dated October 25, 1976.

  • 3.

PSEG (Librizzi) letter to NRC (Lear) dated March 25, 1977.

  • 4.

PSEG (Librizzi) letter to NRC.(Lear) dated May 3, 1977.

5.

PSEG (Librizzi) letter to NRC (Lear) dated October 26, 1977.

6.

"Staff Discussion of Fifteen Technical Issues Listed i_n Attact'ment G, November 3, 1976 Memo rand um from Di rector NRR to NRR Staff,"

NUREG-0138, Novenber 1976.

7.

"Pressure Mitigating System Transient Analysis Results" prepared by Westinghouse for the Westinghouse User's Group on Reactor Coolant System Overpressuri zation, July 1977. :'.

',