ML20137F794
| ML20137F794 | |
| Person / Time | |
|---|---|
| Site: | Sequoyah  |
| Issue date: | 03/28/1997 |
| From: | Hebdon F NRC (Affiliation Not Assigned) |
| To: | Jerrica Johnson NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION II) |
| References | |
| TAC-M97281, NUDOCS 9704010217 | |
| Download: ML20137F794 (7) | |
Text
0 t
. March 28,1997 MEMORANDUM T0: Jon R. Johnson, Director
, Division of Reactor Projects !
' . Region II FROM: Frederick J. Hebdon, Director Project Directorate 11-3 Division of Reactor Projects - I/II :
Office of Nuclear Reactor Regulation l
SUBJECT:
AMENDED RESPONSE TO TIA 96-021, SEQUOYAH AUTOMATIC AUXILIARY .
FEEDWATER ACT'? TION CONCURRENT WITH A TURBINE RUNBACK j (TAC NO. M97281)
By memorandum dated October 31, 1996, Region II requested technical assistance regarding the design of the auxiliary feedwater (AFW) control system at the Sequoyah Nuclear Plant. Specifically, the memorandum from Ellis W. Herschoff 1 requested NRR's position regarding the fact that one of the signals that l initiates AFW flow is generated by two non-safety-related main turbine impulse l pressure switches that are subject to a common mode failure, as demonstrated i by a Unit 2 event on October 11, 1996. The two switches became inoperable by inadvertent initiation of the turbine building fire protection system in June 1996, resulting in an unanticipated automatic main turbine runback and AFW inittation on October 11, 1996. NRR was requested to evaluate whether or not i the Sequoyah AFW control system design violates NRC criteria and if non-safety l related, non-independent instrumentation should be used to initiate AFW flow.
NRR provided an initial response to your request on December 13, 1996, stating that our conclusion was that the Sequoyah design does not meet the appropriate l design requirements. During a predecisional enforcement conference on December 16, 1996, the staff informed representatives of tt.e Tennessee Valley ,
Authority (TVA), licensee for Sequoyah, of this preliminary conclusion. TVA agreed to provide additional information with regard to previous design reviews of this system. This information was provided by a TVA letter dated i January 31, 1997. NRR has completed its review of this issue as noted in the l attachment. Contrary to our December 13 memorandum, our conclusion now is that the Sequoyah AFW system initiation and control circuitry meets all NRC requirements and complies with the plant design and licensing basis.
Docket No. 50-328
Attachment:
Evaluation cc w/ attachment: R. Cooper, Region I l W. L. Axelson, Region III J. Dyer, Region IV p Distribution:
Docket File SQN Reading M. Shannon S. Varga J. Roe B. Boger PUBLIC[,'
B. Sheron (Act. ADT) M. Lesser A. Chaffee T. Liu, DRPE M. Fields (e-mail only MBF1) /
J. Zwolinski M. Boyle (e-mail only MLB4) !
c'*.'*c N J E ll N O ."n*2. N N ,Y k .ei.on i/.new.u,. -
oSt$0r; anomsmi.m s v.*u. ncun.no. b# !
0FFICE PDII-3/PM PDII-3/LA PDII-3/D HICB/BJ.1/'///
NAME RHernan* BC1ayton* FHebdon*G& JWermiel" DATE 1/29/97 1/29/97 1/29/97 SN0 3/ff/97 0FFICIAL RECORD COPY b7OOO2 #/07 HHHHllH[lEEM Q7&O/DZ/ b X#
pn ctcoq
- g f
j UNITED STATES NUCLEAR REEULATORY CSMMISSION WASHINGTON, D.C, 20066 4 001
- %Q,,,,,l2 March 28,1997 MEMORANDUM TO: Jon R. Johnson, Director Division of Reactor Projects Region II FROM: Frederick J. Hebdon, Director -
Project Directorate 11-3 ' >
Division of Reactor Projects - I/II /
Office of Nuclear Reactor Regulation h
SUBJECT:
AMENDED RESPONSE TO TIA 96-021, SEQUOYAH AUTOMATIC AUXILIARY FEEDWATER ACTUATION CONCURRENT WITH A TURBINE RUNBACK (TAC NO. M97281)
By memorandum dated October 31, 1996, Region II requested technical assistance regarding the design of the auxiliary feedwater (AFW) control system at the l Sequoyah Nuclear Plant. Specifically, the memorandum frcm Ellis W. Merschoff l requested NRR's position regarding the fact that one of the signals that initiates AFW flow is generated by two non-safety-related main turbine impulse pressure switches that are subject to a common mode failure, as demonstrated by a Unit 2 event on October 11, 1996. The two switches became inoperable by inadvertent initiation of the turbine building fire protection system in June 1996, resulting in an unanticipated automatic main turbine runback and AFW initiation on October 11, 1996. NRR was raquested to evaluate whether or not i
. the Sequoyah AFW control system design violates NRC criteria and if non-safety related, non-independent instrumentation should be used to initiate AFW flow.
NRR provided an initial response to your request on December 13, 1996, stating that our conclusion was that the Sequoyab tesign does not meet the appropriate design requirements. During a predecisional enforcement conference on December 16, 1996, the staff informed representatives of the Tennessee Valley Authority (TVA), licensee for Sequoyah, of this preliminary conclusion. TVA l agreed to provide additional information with regard to previous design I reviews of this system. This information was provided by a TVA letter dated l January 31, 1997. NRR has completed its review of this issue as noted in the attachment. Contrary to our December 13 memorandum, our conclusion now is that the Sequoyah AFW system initiation and control circuitry meets all NRC requirements and complies with the plant design and licensing basis.
Docket No. 50-328
Attachment:
Evaluation cc w/ attachment: R. Cooper, Region I W. L. Axelson, Region III J. Dyer, Region IV I
. c . _ _ _ _ . _ _ _ _.. _ _ . _ _ _ _ _ _ _ _ _ . _ _ . _ _ . _ _ _ _ _ _ _ _ _ .
~
j .
- s i
l i RESPONSE TO REGION II TASK INTERFACE AGREEMENT (TIA)96-021 i
EVALUATION OF SEQUOYAH EVENT OF DCTOBER 11. 1996 AUXILIARY FEEDWATER INITIATION AND CONTROL SYSTEM 4
j gagst'otion of Event On October 11, 1996, Sequoyah Unit 2 was being brought to shutdown per l procedures because of the suspected failure of a reactor coolant system (RCS) t pump seal. During this controlled plant shutdown from 100% power, when the unit was at approximately 50% power, control room operators tripped one of the main feedwater (MFW) pumps as required by plant procedures. At that time, the unit experienced an unanticipated turbine runback and Auxiliary Feedwater (AFW) system actuation.
Following a manual reactor trip during emergency recovery procedural steps, operators had difficulty controlling RCS cooldown because they were unable to take manual control of the AFW flow control valves for the motor driven AFW pumps and speed control for the turbine driven AFW pump. To control RCS cooldown, operators controlled AFW flow by placing the motor-driven AFW pump control switches in the pull-to-lock position (which stopped the pumps) and by closing and opening as necessary the turbine driven AFW pump discharge isolation valves. During these efforts, the RCS T dropped to 538'F which, byprocedure,requiredtheoperatorstoemergencylIo*ratetheRCS.
Root Cause of Event The licensee determined that water intrusion occurred in the housing of the two non-safety related pressure switches that monitor turbine impulse pressure and provide an AFW actuation signal when one MFW pump is tripped at above 80%
-power. The water intrusion caused these switches to malfunction such that ;
they generated a continuous false signal indicating turbine power to be above i 80%, while actual turbine power was at about 50% power. Since the pressure switches were wet and stuck, thereby indicating that turbine power remained above 80%, the AFW initiation signal was sealed-in and could not be reset by the operators. ,
l AFW Control System Design The design of the AFW initiation and control system at Sequoyah is such that !
if either of the two MFW pumps trip while turbine power is above 80%, a '
signal for automatic turbine runback in conjunction with the actuation of the AFW system is generated until indicated power has been reduced to below 75%.
AFW actuation following one MFW pump trip above 80% power is intended to provide sufficient feedwater flow to compensate for loss of a portion of MFW flow and serves to prevent a subsequent reactor trip. The control logic for the control of the AFW flow regulating valves is arranged such that as long as the AFW actuating signal is present (not reset), the control for these valves locks in the " Auto" mode and disables the " Manual" mode. l l
Attachment
i .
l 2
l' Main turbine impulse chamber pressure, which is indicative of reactor power, )
is monitored at the Sequoyah plant by two non-class IE pressure switches, '
! PS47-138 and PS47-13E. These switches are arranged to !
! ~
initiation signal on a two-out-of-two (2/2) logic basis. generate anthese Both of AFW l switches are housed in adjacent electrical boxes with conduits connecting to a ,
! common junction box in close proximity to the switches. The switches are l
! subject to a common cause failure as a result of adverse environments in the -
!. common area in which they are located. Such was the case when they were !
! unintentionally deluged by water during a fire protection system test in the )
i turbine building in June 1996. The water caused the switches to fail in the i
- closed position which generated a false (but undetectable) signal indicating '
! turbine power to be above 80%. Thus, as soon as the operator tripped one MFW
. pump, the AFW actuation logic was satisfied and the signal for turbine ;
i runback /AFW actuation was sealed in. Although the AFW actuation d rcuitry i itself .is part of the Engineered Safety Feature Actuation System (ESFAS) and )
3 is, therefore, safety related, the loss of main feedwater pump runback ,
i circuitry is not safety related. The runback circuit is electrically isolated j
. from the AFW A and 8 train actuation circuitry by interposing relays. '
l During the event on October 11, 1996, the AFW actuating signal could not be 3 reset due to the faulted pressure switches. It was determined after the event
, that resetting the MFW pump would have automatically reset the turbine runback j signal and would have allowed manual resetting of the AFW actuation signal.
4 Taking this action would have restored manual AFW flow control capability.
4 However, the Sequoyah control room operators were not aware of this feature and, therefore, did not perform this reset action during the event.
AFW and AFW Initiation Desian Basis The following documents have been used in the staff's evaluation of the AFW initiation and control system design: -
- a. Sequoyah Updated Final Safety Analysis Report (UFSAR) page 10.4-24, Section 10.4.7, " Auxiliary Feedwater System," states:
The Auxiliary Feedwater (AFW) System supplies, in the event of a loss of the main feedwater supply, sufficient feedwater to the steam generators to remove primary system stored and residual core energy. ... The system is designed to start automatically in the event of a loss of offsite electrical power, a feedwater .
line break, safety injection, low-low steam generator water level, or a tri) of both main feedwater pumps, any of which will result in, may >e coincident with, or may be caused by a reactor trip. It will supply sufficient feedwater to prevent the relief of primary coolant through the pressurizer safety valves and the uncovering of the core.
i
l
, 3
- b. The staff's Safety Evaluation Report that provided the basis for licensing Sequoyah Units 1 and 2 was issued as NUREG-00ll in March 1979.
Section 10.4.2 of NUREG-00l! states:
The auxiliary feedwater system is designed to supply water to the steam generators fcr reactor coolant system sensible and decay heat remval. The need would occur when the normal feedwater system is not availe'le. o
- c. NUREG-0737, " Clarification of TMI Action Plan Requirements," was issued i in November 1980. Item II.E.1.2, " Auxiliary Feedwater System Automatic I Initiation and Flow Indication," required upgrade of AFW initiation and indication circuitry to safety-grade and demonstration of compliance with IEEE Standard 279-1971. Item II.E.1.2 required the following:
(1) The design shall provide for the automatic initiation of the AFW system.
(2) The automatic initiation signals and circuits shall be designed so that a single failure will not ault in the loss of the AFW system function.
(3) Testability of the initiating signals and circuits shall be a feature of the design.
(4) The initiating signals and circuits shall be powered from the emergency buses.
(5) Manual capability to initiate the AFW system from the control room shall be retained and shall be implemented so that a single failure in the manual circuits will not result in the loss of system -
function.
(6) The ac motor-driven pumps and valves in the AFW system shall be ;
included in the automatic actuation system sequential) of the loads onto the emergency (buses. simultaneous and/or (7) The automatic initiating signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the control room.
Information regarding implementation of Item II.E.1.2, provided by TVA at a public meeting on November 20, 1979, and in a letter dated January 25, 1980, was reviewed by the staff prior to issuance of an operating license to either of the Sequoyah units. Both Supplements 2 and 6 to NUREG-0Jll state that Sequoyah Units I and 2 fully comply with NUREG-0737, Item II.E.1.2. and therefore complies with Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971.
- d. UFSAR Sections 10.4.7.2 and 15.4 discuss two postulated accidents for which manual operator control of the AFW system is required. They are a
i 1 i
)
! main steam line break and a steam generator tube rupture. Operator '
- intervention within 10 minutes is postulated in these accidents.
- e. A predecisional enforcement conference was held with TVA on December 16, l 1996, to discuss the October 11 event. Following this conference, TVA j provided their evaluation, " Evaluation for SQ963123PER, Auxiliary
! with NRC requirements and with the Sequoyah UFSAR. This information was transmitted in a letter dated January 31, 1997. The staff has also reviewed this information. ,
Evaluation The safety function of the AFW system is to provide cooling to the RCS and, therefore, prevent overpressurization of the RCS which could lead to loss of coolant inventory and boiling in the core. The failure of the loss of feedwater runback pressure switches on October 11, 1996, did not prevent automatic initiation of AFW, would not have precluded manual initiation of the AFW system from the control room, and did not prevent automatic control of the system to maintain steam generator levels at the required levels. The failure did inhibit normal manual control of AFW flow rate because of the continuous AFW initiation signal. Because of RCS cooldown considerations, plant procedures required the control room operators to take manual control of AFW to reduce the flow rate into the steam generators. Had no manual operator action taken place, the AFW system would have automatically controlled steam generator levels in the normal range and the licensee estimates that RCS temperature would have stabilized at about 520*F. Plant procedures also require emergency boration once RCS temperature drops below 540*F to maintain adequate shutdown margin.
As discussed in the Sequoyah UFSAR, manual operator action to control AFW system flow is required for main steam line breaks and steam generator tube ruptures. Sequoyah Ec rgency Procedures E-2 and E-3 provide instructions for i the operator to isolato auxiliary feedwater to the faulted steam generator. 1 Diverse methods are svailable to the operator to isolate AFW including closing level control valves, stopping motor-driven AFW pumps (placing control switch in pull-to-lock position), closing manual valves, and isolating steam supply to the steam-driven AFW pump.
The staff reviewed compliance with various General Design Criteria (GDC) contained in Appendix A to 10 CFR Part 50, particularly GDC-24 which deals with separation of pr.ction and control systems. Contrary to a statement in TVA's January 31 letur regarding application of GDC-24, the staff has concluded that the ESFAS in its entirety is -equired to meet the requirements of GDC-24. This was previously stated by tM staff. Statea nts in UFSAR Chapter 7 clearly indicate that the AFW system is a part of ESFAS and in accordance with UFSAR Table 7-1, GDC-24 is applicable to the AFW system. The staff concludes that safety-related portions of the AFW system are required to meet GDC-24.
In a meeting with TVA on February 27, 1997, TVA informed the staff that the design of the safety-related portions of the AFW system meets the requirements i
I 5 ,
of GDC-24. The staff concurs with the licensee and finds the design of the AFW system to be acceptable.
The staff reviewed compliance with IEEE Standard 279-1971. Section 4.2,
" Single failure Criterion," and Section 4.17, " Manual Initiation," are satisfied because failure of the loss of feedwater runback circuitry in either mode (failed open or failed shut) will not prevent " proper protective action." l In this case, proper protective action is defined as initiation of feedwater i from the AFW system to'the steam generators to prevent overheating (and ]
overpressurization) of the RCS. During the October 11 event, AFW did, in l fact, initiate automatically, could have been manually initiated if required, j and would have automatically controlled steam generator levels without ,
operator intervention to control cooldown. The difficulties in controlling AFW flow rate did not prevent the occurrence of the protective action for which the AFW system was designed. The licensee determined after the event that these difficulties could have been eliminated by one simple operator action, resetting the tripped main feedwater pump. TVA is considering installation of a manual AFW reset circuit to prevent recurrence of this anomaly.
Conclusion !
Based upon review of the cited documents, the staff reaffirms the conclusion of its reviews of the Sequoyah AFW automation initiation and control system conducted in 1981 prior to licensing Sequoyah Unit 1. The conclusion was then, and is now, that the system meets all NRC requirements and complies with the plant design and licensing basis.
i l
l i
i l
_