ML20010C167
| ML20010C167 | |
| Person / Time | |
|---|---|
| Site: | Wolf Creek, Callaway  |
| Issue date: | 08/14/1981 |
| From: | Petrick N STANDARDIZED NUCLEAR UNIT POWER PLANT SYSTEM |
| To: | Harold Denton Office of Nuclear Reactor Regulation |
| References | |
| SLNRC-81-68, NUDOCS 8108190211 | |
| Download: ML20010C167 (50) | |
Text
.
1 SNUPPS standerdised messer unit Pouser Plant System 5 choke cherry Road Nicholas A.Petrick f.
Reekville, h4oryland 20060 Executive Director taan see.colo
~NLp4,K August 14, 1981
,..,9 SLNRC 81-68 FILE 029 SUBJ:
ICSB Review 2
g f
F N
Mr. liarold R. Denton, Director p
?
Office of Nuclear Reactor R;plation 9-U g
U. S. Nuclear Regulatory Commission sU
. Washington, D. C.
20555 g,j Docket Nos.
SIN 50-482, STN 50-483, and STN 50-486
Dear Mr. Denton:
Technical review meetings with the NRC's Instrumentation and Control Systems Branch were held on April 28, May 18-20, June 16-17, and July 27, 1981.
The items discussed in this series of meetings were classified as agenda items # 1 brough # 68 and ICSB positions # 1 through # 10.
Enclosure A to t s letter provides the status of the 68 agenda items.
A separate SNUPPS letter addresses the 10 ICSB positions.
Three of the agenda items require attention beyond that given in Enclosure A.
- 25 In addition to the FSAR changes included with this letter, there was a question concerning the testing of the reset capability of specific safety functions following a safety l
injection.
The testing of the slave relays (GO-GO, NO-GO) causes certain relays to be mechanically latched up in the initiating circuits.
lhe relays are unlatched by energizing the unlatch coil of the relay.
Although this is done from the l
Safeguards test cabinets, the reset (unlatching) may be accomplished from the Control Room periodically to reconfirm the integrity of the wiring and associated components.
I
- 45 SNUPPS plans to make design changes to help insure against l
inadvertent boron dilution.
These changes are expected to
}DO f be the same as tnal employed by Comanche Peak.
The
/
Comanche Peak u sign was reviewed and approved by the NRC staff. Confirmatory FSAR changes will be provided after j[
engineering of the changes is more complete, it should be noted that the Reactor Systems Branch also requested the above information in an August 12, 1981 meeting.
- 52 The interface criteria provided in Appendices B and C of WCAP-8584, Revision 1 have been met in the SNUPPS design.
l' 8108190211 810814.
i PDR ADOCK 05000482
, SLNRC 81-68 Page Two Enclosure B to this letter is the response to ICSB agenda item #
50 for the balance-of-plant.
Enclosure C to this letter is the response to ICSB agenda item # 60.
Enclosure D to this letter is a group of FSAR changes that will be included in SNUPPS FSAR Revision 6.
Very truly yours, J~'
['NicholasA.Petrickw \\ <wv v RLS/mtk3b20
Enclosure:
A:
E'_atus of ICSB Agenda items B: Response to item # S0 - BOP C:
Response to item # 68 D: FSAR Changes cc:
- 1. K. Bryan UE D. F. Schnell UE G. L. Koester KCE D. T. McPhee KCPL W. A. Hansen NRC/ CAL T. E. Vandel NRC/WC t
ENCLOSURE A s
ICSB AGENDA ITEM STATUS 1
Complete 2
See response to Q420.4 (FSAR Rev. 5) 3 See response to 0420.4 (FSAR Rev. 5) 4 Complete 5
See SLNRC B1-49 and SLNRC 81-63 6
See response to ICS8 position # 1; SLNRC 81-67 7
Complete 8
See FSAR Rev. 5 (p. 7.3-25) 9 See FSAR Rev. 5 (T 7.1-4, sheet 2) 10 See FSAR Rev. 5 (T 7.1-7, cheet 2) 11 See response to ICSB position # 2; SLNRC 81-67 12 FSAR change included with this letter s
13 See FSAR Rev. 5, Section 18.2.17.2.2.
This section will be revised to address low condenser vacuum trip.
Expected submittal; 8/31/81.
14 FSAR change included with this letter 15 Resolved by ICSB position # 4 16 FSAR chango included w th this letter 17 SLNRC 81-54 provided the plans for a design change to resolve this item. Confirmatory FSAR changes will be provided after engineering of the change is more complete.
18 Complete 19 FSAR change included with this letter 20 See FSAR Rev. 5 (T 7.3-8) 21 See FSAR Rev. 5 (T 7.3-11) 22 Complete 23 Complete 24 See FSAR Rev. 5 (p. 7.3-35) 25 FSAR change included with this letter.
Also see cover letter.
26 Complete 27 Complete 28 Complete 29 Complete 30 Complete 31 See FSAR Rev. 5, Section 18.2.6.2 32 Complete 33 Complete 34 Response to Reg. Guide 1.97, Rev. 2 will be submitted later. Expected submittal: 8/31/81 35 Complete 36 See FS AR Rev. 5 ( T 7.5-2, sheet 2) 37 Complete 38 See response to ICSB position # 7 39 FSAR changes to be provided later. Expected submittal:
8/31/81.
40 See FSAR Rev. 5 (p. 7.6-7) f E _. _ _ _ _. _
Page 2 ENCLOSURE A e
ICSB AGENDA ITEM STATUS 41 See response to ICSB position # 8; SLNRC 81-67 42 See response to ICSB position # 8; SLNRC 81-67 43 FSAR change included with this letter 44 Complete 45 This item is addressed in the cover letter 46 FSAR change included with this letter 47 Complete 48 FSAR change included with this letter 49 See FSAR Rev. 5 (T 7.2-3, pp. 7.3-35, 36) 50 For the BOP, see enclosure B to this letter.
For the NSSS, a separate proprietary submittal will be made.
51 This item will be addressed later. Expected submittal 8/31/81.
52 This item is addressed in the covet letter.
53 See response to ICSB position # 9; SLNRC 81-67 54 SLNRC 81-54 provided the plans for a design change to resolve this item. Confirmatory FSAR changes will be provided after engineering of the change is more complete.
55 Complete 56 Complete 57 Complete 58 Resolved by ICSB position # 10 59 See response to Q420.2 (FSAR Rev. 5) 60 This item will be addressed later.
Expected submittal: 8/31/81 61 Complete 62 Complete 63 See response to ICSB position # 8; SLNRC 81-67 64 Complete 65 Complete 66 See response to ICSB position # 2; SLNRC 81-67 67 See SLNRC 81-63 68 See enclosure C to this letter RLS/3b23 D
6
ENCLOSURE B ISCB Agenda Item # SO BOP Scope Comment "a":
Provide a reference for the methodology used. Discuss any differences between the reference methodology and the methodology to be used by the applicants.
Response
The nominal setpoints ar.d toleraces for the actuation of the balance of plant engineered safety features will include margin to ensure proper operation despite the statistical uncertainties of parameter measurement and of instrument trip points.
The uncertainty limit estimates will be based upon the following components:
a) basic inaccuracy (unrepeatability, nonlinearity, hysteresis, etc., as appropriate) b) drift (bistables and associated cabinet-mounted devices will be calibrated monthly, all other devices will be calibrated every 18 months) c) normal envitunment effects (assuming calibration at the lower environmental limits and operation at the upper limits) d) power supply fluctuation effects e) DEB effects: effects of eitht:r:
- 1) additional environmental changes beyond the limits addressed in "c",
or
- 2) one SSE
--whichever would result in the greater uncertainty.
It is not necessary to con-sider the -linultaneous existence of seismic effects and a design basis accident.
These uncertainty components will be individually addressed for each device in each instrument loop to be evaluated. As a first--and most conservative--estimate of the net uncertainty, the magnitudes of the components will simply be added together.
If, in consideration of the parameter range, the normal and limiting parameter values, and other pectinent information, the resultant maximum uncertainty limit is found to be overly conservative, the uncertainty components will be evaluated to determine which result from statistically independent and which from coamon-mode phenomena.
These components resulting from independent phenomena will be combined as the square root of the sum of the squares, and the remaining components will be added to the result.
Calibration uncertainties will be taken into account later by the individual SNUPPS Utilities.
]
Page 2 ENCLOSURE B l
ISCB Agenda Item # 50 BOP Scope i
Comment "b":
Verify that the environmental error allowances are based on the highest value determined in qualification testing.
Response
The environmental error allowances ("DBE effects" as defined in the response to comment "a") for BOP instruments will be,
based upon one of the following, as appropriate:
1) target specifications for maximum DBE-induced calibration change, if these specifications were met in qualification testing 11) actual worst case calibration shifts measured in qualification testing lii) adequately documented analysis and prediction of maximum calibration chifts Comment "c":
List the protection channels where the Technical Specifications sclpoint, with allowance for channel statistical error, falls within 5% of the instrument range limit cr within 5% of the range between level measurement taps.
For those cases specify the remaining margin to the end of the range.
Response
When the parameter measurement uncertainty evaluations have been completed for the appropriae BOP protection channels, the resultant setpoints will be investigated.
Those protection channels having setpoints without a margin of at least 5% of span to each range limit will be listed and reported to the NRC.
At this time, no BOP protection enannel is expected to fall into that category.
Comment "d":
Document the enviromnental error allowance that is used for each reactor trip and engineered safeguards setpoint.
Response
The environmental error allowances for BOP engineered safeguards setpoints will be documented in the parameter measurement uncertainty evaluations.
See the response to item "a".
Comnent "e":
Identify any time limits on environmental qualification of instuments used for trip, post-accident monitoring or engineered safety features actuation.
Where instruments are qualified for only a limited time specify the basis for the limited time.
Response: -
The qualified life (this life will include consideration of the time for which each device will be required to function following a DBE) of the safety-related BOP instrumentation will be specified in FSAR Table 3.ll(B)04. It is noted that nearly all of the safety related BOP instrunentatica is located in plant areas that are not subject to hostile envoirnments.
l l
l Page 3 ENCLOSURE B ISCB Agenda Item # SO BOP Scope Comment "f":
Address the ef fect of test equipment accuracy or. setpnint errors.
Response
Test equipment accuracy will be taken into account by the individual SNUPPS Utilities and appropriate adjustments will be made to safety-related BOP instrument setpoints.
N
l ENCLOSURE C ISCB Agenda Item # 68 No credit is taken for shunt coil circuts of the reactor trip breakers.
~
They are used only for additional assurance when the breakels are tripped with the manual trip switches at tae control board.
Each breaker is automatically tripped by de-energizing the undervoltage coil through the solid state protection system (SSPS).
Independent de power for two series-connected breakers is provided from the vital ac buses.
The breakers and associated undervoltage circuits are Class 1E and meet all applicable criteria including on-line testability. Undervolta ;e coils are continuity tested using the semi-automatic test features of the SSPS as well as a functional (actual opening) test through the SSPS la accordance with surveillance test requirements of the plant Technical Specifications.
In addition, the shunt and undervoltage power circuits are independent, and acceptable safety evaluations have taken no credit for existence of a shunt trip of the breakers.
RLS/3b26 4
1 l
Er2.nwsr a.
C 106 SNUPPS L (, t4 12 the reactor if the power level is above P-7.
The coincidence logic and interlocks are given in Table 7.2-1.
e.
Steam generator low-low water level trip The specific trip function generated is low-low steam generator water level trip.
This trip protects the reactor from loss of heat sink.
This trip is actuated on two out of four low-low water level signals occurring in any steam generator.
The logic is shown on Figure 7.2-1 (Sheet 7).
f.
Reactor trip on a turbine trip (anticipatory)
The reactor trip on a turbine trip is actuated by two-out-of-three logic from emergency trip fluid pressure signals or by all closed signals from the turbine steam stop valves.
A turbine trip causes a direct reactor trip above P-9.
The reactor trip on turbine trip provides additional protection and con-servatism beyond that required for the health and safety of tre public.
This trip is included as part of good engineering practice and prudent design.
The turbine provides anticipatory trios to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine emergency trip fluid pressure goes below its setpoint.
Components specified for use as sensors for input signals to the reactor protection system for " emergency trip oil pressure low" and " turbine stop valves close" will conform to the requirements of IEEE 279-1971 and be environmentally qualified.
- However, seismic criteria are not included in qualification regarding mounting and location for that portion of the trip system located within nonseismic Category I structures.
Evaluations indicate that the functional performance of the protection system would not be degraded by credible electrical faults such as opens and shorts in the circuits associated with reactor trip or the generation of the P-7 interlock.
The contacts of redundant sensors on the steam stop valves and the trip fluid pressure system are connected through the grounded side of the ac supply circuits in the solid state protection system.
A ground fault would, there-fore, produce no fault current.
Loss of signal caused by open circuits woulo produce either a partial or full 7.2-9 Rev. 6 8/81 l
?
Ics6 SNUPPS ygQ reactor trip.
Faults on the first stage turbine pressure circuits would result in upscale, conservative output for open circuits and a sustained current, limited by circuit resistance, for short circuits.
Multiple failures imposed on these redundant circuits could potentially disable the P-13 interlock.
In this event, 3
the nuclear instrumentation power range signals would provide the P-7 safety interlock, Refer to functional diagram, Sheet 4 of Figure 7.2-1.
Evaluations provided in Section 7.6.1 for the trip fluid pressure transmitter loops indicate that credible electrical faults would not degrade the functional performance of the safety-related BOP instrumentation.
In addition, the following measures will be taken to ensure the integrity of the cabling to the reactor protection system (RPS):
1.
Inputs from the turbine steam stop valves will originate from four separate limit switches (one per valve), each of which is dedicated to providing an input to one channel of the RPS.
Cables carrying these signals will be routed in individual conduits.
The four circuits will be separated from one another, from non-Class IE circuits, and identified according to the criteria imposed on Class IE circuits from their source up to
~
their terminations with the RPS cabinets.
2.
Inputs from the emergency trip oil pressure instrumentation will be routed in a similar manner as are the turbine stop valve inputs.
The logic for this trip is shown on Figure 7.2-1 (Sneet 16).
d 7.2-9a Rev. 6 8/81 l
(S$
SNUPPS
'fJG-M 11 g.
Safety injection signal actuation trip A reactor trip occurs when the safety injection system is actuated.
The means of actuating the safety injection system are described in Section 7.3.
This trip protects the core following a loss of 3
reactor coolant or a steam line rupture.
Figure 7.2-1 (Sheet 8) shows the. logic for this trip'.-
h.
Manual trip The manual trip consists of two suitches with two outputs on each switch, one output is used to actuate the train A reactor trip breaker; the other output actuates the train B reactor trip breaker.
Operating a manual trip switch removes the voltage from the undervoltage trip coil and energizes the shunt trip coil of each breaker.
There are no interlocks which can block this trip.
Figure 7.2-1 (Sheet 3) shows the manual trip logic.
The design conforms to Regulatory Guide 1.62, as shown in Figure 7.2-3.
7.2.1.1.3 Reactor Trip System Interlocks See Table 7.2-2 for the list of projection system interlocks.
a.
Power escalation permissives The overpower protection provided by the out-of-core nuclear instrumentation consists of three discrete, but overlapping, ranges.
Continuation of startup operation or power increase requires a permissive E
7.2-10 Rev. 6 8/81
LTEM *6 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY 7.6.1 INSTRUMENTATION AND CONTROL POWER SUPPLY SYSTEM The instrumentation and control power supply system is described in Section 8.3.1.1.5.
Safety-related BOP transmitters not powered directly from the-system described in 8.3.1.1.5 are powered by input buffers in the BOP analog equipment cabinets.
Each BOP electronic analog input buffer is able to withstand an open circuit, a short circuit, or a single or multiple-point ground on the field wiring, without affecting any other instru-ment loop in any separation group.
An open circuit would interrupt the field current and drive the buffer output offscale " low."
The field bus power supply voltage is not high enough to cause any damage if it were suddenly unloaded.
There would be no consequential damage to the electronics.
A short circuit would apply the full field bus voltage across on-board current-limiting resistors designed and provided to limit such current to a safe value.
The buffer output would be driven to the high limit with no consegaential damage to the electronics.
A single ground on an input buffer field line would connect one side of the field bus power supply to system ground through an on-board, curient-limiting resistor designed and provided to limit the resultant current to a safe value.
The buffer output would take on some arbitrary value, with no consequential damage to the electronics.
A' ground on both field lines of an input buffer would result in a condition similar to an input line short circuit.
The buffer output would be driven to the high limit, but there would be no consequential damage to the electronics.
7.6.2 RESIDUAL HEAT REMOVAL SYSTEM ISOLATION VALVES 7.6.2.1 Descriptiot.
The residual heat removal system (RHRS) isolation valves are normally closed and are opened only for residual heat removal system operation after system pressure is reduced to approxi-mately 425 psig and system temperature has been reduced to approximately 350 F.
7.6-1 Rev. 6
)
8/81 l
A D(2p SNUPPS 5-i._ r:,a 14.
There are two motor-operated valves in series in each of the two residual heat removal pump suction lines from the reactor coolent system (RCS) hot legs.
The two valves nearest the RCS (valves 8702A and 8702B) are designated as the inner isolation valves, while the two valves nearest the residual heat removal pumps (valves 8701A and 8701B) are designated as the outer isolation valves.
The interlock features provided for the outer isolation valves, shown on Figure 7.6-1 (Sheet 1), are identical to those provided for the inner isolation valves, shown on Figure 7.6-1 (Sheet 2), except that equipment diversity is employed by virtue of the fact that PT 405 is of a different manufacture than PT
'03.
Each valve is interlocked so that it cannot be opened unless the RCS pressure is below a preset pressure.
This interlock prevents the valve from being opened when the RCS pressure plus the residual heat removal pump pressure is above the RHRS design pressure.
A second pressure interlock is provided to close the valve automatically if the RCS precsure subsequently iacreases to above a preset value.
In addition, the valves cannot be opened unless the isolation va'.ves in the following lines are closed:
a.
Recirculation line from the residual heat exchanger outlet to the suction of the high head safety injection pumps.
b.
RHR pump suction line from the refueling water storage tank.
c.
RHR pump suction line from the containment sump.
i 7.6-la Rev. 6 l
8/81 u_
SNUPPS 10$6 1-TG2v1 l V DISCUSSION:
The recommendations of this regulatory guide are mat.
Refer to Section 3.3.
REGULATORY GUIDE 1.118 REVISION 2 DATED 6/78 Periodic Testing of Electric Power and Protection Systems DISCUSSION:
For the systems not provided with the NSSS, the reco.nmenda-tions of this regulatory guide are met as described in Table 7.1-7.
For systems provided with the NSSS. Westinghouse follows the recommendations of the regulatory guide with the following exceptions:
Westinghouse defines " Protective Action Systems" to mean the electric instrumentation and controls portions of those protection systems and equipment actuated and controlled by the protection system.
Equipment performing control functions, but actuated from protection system sensors, is not part of the safety system and will not be tested for time response.
Status, annunciating, display, and monitoring functions, except those related to the post-accident monitoring system
'(PAMS), are considared by Westinghouse to be control func-tions.
Reasonabi.
By checks, i.e.,
comparison between or among similar such display functions, will be made.
Response time testing for control functions operated from system sensors will not be performed.
Moreover, NIS detectors will not be tested for time response, since l
their worst case response time is not a significant fraction of the total overall system response (i.e., less than 5 percent).
Despite the fact that this exemption is no longer permitted by IEEE-338 (1977 version), Westing-house believes that it is valid.
Refer to Section 7.1.2.6.2 for additional discussions on response time testing of protection sensors.
g REGULATORY GUIDE 1.119 REVISION NA DATED NA Surveillance Programs for New Fuel Assembly Designs 3A-40 Rev. 6 8/81
SNUPPS m4 g.
Reactor coolant pump seal water return valves (close)'
Seal water return line isolation valves are routinely
- tested during refueling outages.
Closure of these valves during operation would cause the seal water system relief valve to lift, with the possibility of valve chatter.
Valve chatter could damage this relief valve.
Testing of these valves at power could cause equipment damage.
Therefore, these valves will be tested during scheduled refueling outages.
As above, additional containment penetrations and contain-ment isolation valves introduce additional unnecessary potential pathways for radioactive release following a postulated accident.
Thus, the guidelines of Regulatory Position D.4 of Regulatory Guide 1.22 are met.
7.1.2.6 Confornance to IEEE Standards 7.1.2.6.1 Conformance to IEEE Standard 379-1972 The principles described in IEEE Standard 379-1972 were used in the design of the Westinghouse protection system.
The system complies with the intent of this standard and the additional guidance of Regulatory Guide 1.53, although the formal analyses have not been documented exactly as outlined.
Westinghouse has gone beyond the required analyses and has performed a fault tree analysis (Ref. 1).
The referenced report provides details of the analyses of the protection systems previously made to show conformance with the single failure criterion set forth in Section 4.2 of IEEE Standard 279-1971.
The interpretation of the single failure criterion provided by IEEE Standard 379-1972 does not indicate substantial differences with the Westinghouse interpretat' ion of the criterion, except in the methods ased to confirm design reliability.
The RTS and ESFAS are each redundant safety systems.
The required periodic testi.Tg of these systems will disclose any failures or loss of redur.dancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.
7.1.2.6.2 Conformance to IEEE Standard 338-1971 The periodic testing of the RTS and ESFAS conforms to the e
requiremerts of IEEE Standard 338-1971 with the following comments:
The surveillance requirements of Chapter 16.0 for the a.
p_rotection system ensure that the system functional operability is maintained comparable to tae original design standards.
Periodic tests at the established intervals demonstrate this capability for the system.
7.1-15 Rev. 6 8/81 y
i,
SNUPPS JeE/HIf For sensors, the method used will function on the principle that,.in the protection system, sensors
.are sensitive to process noise created by natural
-perturbations in variables, including temperature, pressure, and flow.
Nuclear instrumentation detec-tors are excluded since delays attributable to them are negligible in the overall channel response time required for safety.
The noise method testing system is designed to mea-sure sensor response time and/or assess degradation by measurement of the sensor's efficiency to detect high-frequency noise.
Data collected from each sensor is conditioned, amplified, digitized, and analyzed by dn on-board microcomputer.
Two analyses are performed.
One compares the obtained frequency signature with a baseline signature for checking degradation, the other compares the cutoff frequency of the power density spectrum to estimate response time.
The sensor response time testing system is mobile and can collect and analyze data from four primary or secondary system detectors at the same time.
RTDs, pressure transmitters, and DP cells can be tested with the reactor between 50- and 100-percent power.
The measurement of response time at the specified time intervals provides assurance that the protective and engineered safety feature action function asso-ciated with each channel is completed within the time limit assumed in the accident analyres.
b.
The reliability goals specified in Section 4.2 of IEEE Standard 338-1971 are consistent with the test frequency in Chapter 16.0.
c.
The periodic time interval discussed in Section 4.3 of IEEE Standard 338-1971, and specified in Ch&pter 16.0, is selected to ensure that equipment associated with protection functions has not drifted beyond its minimum performance requirements.
The adequacy of the interval will be verified by results of testing or the interval will be reevaluated on the basis of actual experience.
d.
The test interval discussed in Section 5.2 of IEEE Standard 338-1971 is developed primarily on past o'erating experience and modified, if necessary, to p
ensure that system and subsystem protection is reliably provided.
Analytic methods for determining reliability are not used to determine test interval.
7.1-16 Rev. 6 8/61
bIh_____________ _
SNUPPS
_76de 4 L
.7.
1.3 REFERENCES
1.
Gangloff, W.C.
and Loftus, W.D.,
"An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients,"
WCAP-7706-L (Proprietary) and WCAP-7706 (Non-Propri".:tary),
July, 1971.
2.
- Marasco, F.W.
and Siroky, R.M.,
" Westinghouse 7300 Series Process Control System Noise Tests," WCAP-8892-A, June, 1977.
3.
Letter dated April 20, 1977, R.L. Tedesco (NRC) to C. Eicheldinger (Westinghouse).
k I
7.1-17 Rev. 6 l
8/81 L.._
SNUPPS h '&
1 T E M it.
Plant systems and equipment which are available to mitigate the effects of the accident are discussed in Section 15.0.8 and listed in Table 15.0-6.
No single active failure in any of these systems or equipment will adversely affect the conse-quences of the accident.
Results Figures 15.5-1 through 15.5-3 show the transient response to inadvertent operation of ECCS during power operation.
Neutron 7
flux starts decreasing immediately due to boron injection, but steam flow does not decrease until later in the transient when the turbine throttle valve goes wide open.
The mismatch be-tween load and nuclear power causes Tavg' pressurizer water level and precsurizer pressure to drop.
When the low pres-sure trip set point is reached, the reactor trips and control rods start moving into the core.
Departure from nucleate boiling ratio (DNBR) increases throughout the transient.
The calculated sequence of events is shown on Table 15.5-1.
After reactor trip, pressure and temperature slowly rise since the turbine is tripped and the reactor is producing some power due to delayed neutron fissions and decay heat.
Recovery from this accident is discussed in Section 15.5.1.1.
15.5.1.3 Conclusions Results of the analysis show that spurious ECCS operation without immediate reactor trip presents no hazard to the integrity of the RCS.
If the reactor does not trip immediately, the low pressurizer pressure reactor trip will be actuated.
This trips the tur-bine and prevents excess cooldown, thereby expediting recovery from the incident.
15.5.2 CHEMICAL AND VOLUME CONTROL SYSTEM MALFUNCTION THAT INCREASES REACTOR COOLANT INVENTORY 15.5.2.1 Identification of Causes and Accident Description Increases in reactor coolant inventory caused by the chemical and volume control system may be postalated to result from operator error or a false electrical signal.
Transients examined in this section are characterized by increasing pressurizer level, increasing pressurizer pressure, and con-stant boron concentration.
The transients analyzed in this section are done to:
demonstrate that there is adequate time for the operator to take corrective action to prevent 15.5-4 Rev. 6 8/81
T1.-
W$Ib SNUPPS LT[5.M Y filling the pressurizer.
An increase in reactor coolant inventory, which results from the addition of cold, unborated water to the RCS, is analyzed in Section 15.4.6, chemical and volume control system malfunction that results in a decrease in boron concentration in the reactor coolant.
An increase in reactor coolant inventory which results from the injection of highly borated water into the RCS is analyzed in Section 15.5.1, inadvertent operation of the emergency core cooling system during power operation.
Transients postulated as a result of operator error or failure of the charging pump controller which increase primary side inventory will be automatically terminated by a high pressurizer level reactor trip before the pressurizer can be filled, thus these are not the worst cases.
The most limiting case would result if charging was in automatic control and the pressurizer level channel being used for charging control failed in a low direction.
This would cause maximum charging flow to be delivered to the RCS and letdown flow would be isolated.
The worst single failure for this event would be another pressurizer level channel failing in an as is condition or a low condition.
This will defeat the reactor trip on two out of three high pressurizer level channels.
To prevent filling the pressurizer the operator must be relied upon to terminate charging.
15.5.2.2 Analysis of Effects and Consequences Method of Analysis The charging malfunction is analyzed by employing the detailed digital computer program LOFTRAN (Ref. 1).
The code simulates the neutron kinetics, RCS, pressurizer, pressurizer relief and safety valves, pressurizer spray, steam generator, steam generator safety valves, and the effect of the SIS.
The program computes pertinent plant variables, including tempera-tures, pressures, and power level.
Four cases were analyzed; a.
Minimum reactivity feedback with automatic pressurizer spray b.
Minimum reactivity feedback without automatic pressurizer spray c.
Maximum reactivity feedback with automatic pressurizer spray d.
Maximum reactivity feedback without automatic pressurizer spray 15.5-4a Rev. 6 8/81 u
SNUPPS j-- '(% l/3 V
The assumptions incorporated in the analyses were as follows; a.
Initial Operating Conditions The initial reactor power, RCS temperature, and pressurizer level are assumed at their maximum values consistent with steady state full power operation, including allowance for calibration and instrument errors.
Pressurizer pressure is assumed to be initial'-
ly at its minimum value.
b.
Reactivity Coefficients 1.
Minimum Reactivity Feedback Case A least negative moderator e.emperature coefficient and a least negative doppler >nly power coefficient.
2.
Maximum Reactivity Feedback Case A conservatively large negative moderator tempera-ture coefficient and a most negative doppler only power coefficient.
c.
Reactor Control The reactor was assumed to be in manual control.
As shown in Figures 15.5-4 through 15.5-11, core power and average RCS temperature change very little, thus the effects of automatic rod control would be neg-ligible.
d.
Charging System Maximum charging system flow based on RCS back pressure from one centrifugal charging pump is delivered to the RCS.
The charging flow is assumed to have the same boron concentration as the RCS.
e.
Reactor Trip The transient is initiated by the pressurizer level channel which is used for control purposes failing low.
As a worst single failure, another pressurizer level channel fails low, defeating the two out of three high pressurizer level trip.
RESULTS Figures 15k5-4through15.5-11showthetransientresponsedue to the charging system malfunction.
In all the cases analyzed, core power and RCS a" rage temperature remain relatively constant.
15.5-4b Rev. 6 8/81
J4T6 SNUPPS LT(iAsf(,
Cases where the pressurizer spray is inoperable show the pressurizer level increases at a relatively constant rate.
This is because the pressurizer pressure initially rises very quickly to the pressure at which the relief valves open and remains there.
Cases where the pressurizer spray is operable show the pressurizer level increases with varying rates.
Spray actuatio., tends to keep the pressurizer pressure lower for several minutes,
..'hi ch -,
allows the charging pumps to deliver more flow.
Eventually, pressurizer pressure does increase enough to open the relief valves.
Times at which the operator would receive alarms are listed in Table 15.5-1.
15.5.2.3 Conclusions Results show none of the operating conditions during the transient approach core limits.
Because the high pressurizer level trip has been defeated by failures, the transient must be terminated by the operator.
The sequence of events presented in Table 15.5-1 show the operator has sufficient time to take corrective action.
i l
s T_
l l
ab l
15.5-4c Rev. 6 8/81
)
MSh SNUPPS p{g ;/,
TABLE 15.5-1 (cheet 1)
TIME SEQUENCE OF EVENTS FOR INCIDENTS WHICH RESULT IN AN INCREASE IN REACTOR COOLANT INVENTORY Time Accident Event (sec)
Inadvertent actuation of the ECCS during power Spurious SIS gen-0.0 operation erated; two cen-I trifugal charging pumps begin in-jecting borated water Turbine throttle 21.5 valve wide open; load begins to drop with steam pressure Low pressurizer pres-30.5 sure reactor trip netpoint reached Control rod motion 32.5 begins Chemical and volume Two pressurizer level 0.0 control system malfunc-channels fail low tion, minimum reactivity feedback, without pres-Maximum charging flow surizer spray from one centrifugal charging pump is begun Letdown is isolated Lo-lo-pressurizer level alarm HI pressurizer pres-105 sure alarm e
Pressurizet relief 130 valve setpoint reached HI pressurizer level 1,223 alarm from the one working level channel Pressurizer fills 1,532 Rev. S 8/81
h"43 1;T (i,v 162 SNUPPS V
TABLE 15.5-1 (Sheet 2)
Chemical and volume Two pressurizer level 0.0 control system malfunction, channels fail low minimum reactivitv feed-back, with pressurizer Maximum charging flow spray from one centrifugal charging pump is begun Letdown is isolated Lo-lo pressurizer level alarm Pressurizer spray 55 actuated Hi pressurizer level 739 alarm from the one working channel Hi pressurizer pres-958 sure alarm Pressurizer re]ief 1,057 valve setpoint reached Pressurizer fills 1,473 Chemical and volume Two pressurizer level 0.0 contr<>l system malfunction, channels fail low maxiraum reactivity feed-back, without pressurizer Maximum charging flow from one centrifugal charging pump is begun Letdown is isolated Lo-lo pressurizer level alarm Hi pressurizer pressure 65 alarm Pressurizer relief 78
^
valve setpoint reached l
Hi pressurizer level 951 l
alarm from the one l
working level channel Pressurizer fills 1,346 l
Rev. 6 8/81
IL%
U(b rH l Y TABLE 15.5-1 (Sheet 3)
Chemical and volume Two pressurizer level 0.0 control system malfunction, channels fail low maximum reactivity feed-back, without pressurizer Maximum charging flow spray from one centrifugal charging pump is begun LetJown is isolated Lo-lo prescurizer lev-alarm Pressurizer spray 40 actuated Hi pressurizer level 693 alarm from the one working level channel Hi pressurizer pres-906 sure alarm Pressurizer relief 1,013 valve setpoint reached Pressuri?.er fills 1,429 I
c e
e Rev. 6 8/81
evy
' (- M 590.8 12 a
a E
lE g
1.0 u.
O 2
9 0.8 U<
E 5 0.6 w
3:
2 0.4
=
8z 0.2 620 600 580 g
o a
6 560 i40 520 "4
0 250 500 750 1000 1250 1500 1750 TIME (SECONDS)
Rev.6 8/81 SNUPPS w
FIGURE 15.5-11 CHEMICAL AND VOLUME CONTROL SYSTEM MALFUNCTION MAXIMUM REACTIVITY FEEDBACK, WITH PRESSURIZER SPRAY
aL'
-(
19,590 1900 l
l l
l
_ 1750 "w
S.
y 1500 3
O>
c 1250 N
$ 560 540 520 0
250 500 750 1000 1250 1500 1750 TIME (SECONDS)
Rev.6 8/81 SNUPPS FIGURE 15.5-9 CHEMICAL AND VOLUME CONTROL SYSTEM MALFUNCTION MAXIMUM REACTIVITY FEEDBACK, WITHOUT PRESSURIZER SPRAY
L. '. f.H 19,590.5 1900 l
I I
I I
1750
">b w
2 1500 3
a O>
cc 1250 m
H<
3:
m 1000 ee D
750 w
E 500 2500 2
vi b 2400 mma w
W c-2300 1w
$x D
$ 2200
,x n.
b.
2100 l
0 250 500 750 1000 1250 1500 1t50 au TIME (SECONDS)
Ra. 6 n
l 8/81 l
SNUPPS
~
FIGURE 15.5-8 w
CHEMICAL AND VOLUME CONTROL l
SYSTEM MALFUNCTION MAXIMUM l
REACTIVITY FEEDBACK, WITHOUT PRESSURIZER SPRAY l
t
es i
9 1
3'*
I I
I l
l l
l 4
E
- E g 1.0 u.
O z
y 0.8 o<
E E 0.6 w
3:
2 j 0.4 "i
O3 0.2 620 600 580 g
c>
h 560 540 I
520 O
250 500 750 1000 1250 1500 1751 TIME (SECONDS P
B SNUPPS J
FIGURE 15.5-7 j
CHEMICAL AND VOLUME CONTROL I
SYSTEM MALFUNCTION MINIMUM l
REACTIVITY FEEDBACK, WITH l
PRESSURIZER SPRAY
18 3
19.
i 1900 l
l l
l 6
4 1750
_">b
$ 1500 s
So>
x 1250 N<3 x 1000 u
1 Dg 750 E
a.
500 2500 2
To 9:. 2400 wx S
W E 2300 5e 1
D
$ 2200 E
I I
I I
I I
I 2i00 O
250 500 750 1000 1250 1500 17E TIME (SECONDS)
SNUPPS FIGURE 15.5-6 CHEMICAL AND VOLUME CONTROL
~
SYSTEM MALFUNCTION MINIMUM REACTIVITY FEEDBACK, WITH PRESSURIZER SPRAY
DC.niG 19,590.2 1.2 l
l j
4 1
2 E
o 1.0 Z
u.
O Z
9 0.8 U<
Ey 0.6 w
3:
2 g
0.4
~
UD Z
0.2 620 600 580 o'
C>
$ 560 540 l
520 0
0 250 500 750 1000 1250 1500 1750 1900 Rn. 6 TIME (SECONDS) 8/81 SNUPPS FIGURE 15.5-5 o
CHEMICAL AND VOLUME CONTROL
{
SYSTEM MALFUNCTION MINIMUM REACTIVITY FEEDBACK, WITHOUT
}
PRESSURIZER SPRAY
SY6 ai lie 19,590.1 I
I I
I i
_. 1750
">S
$ 1500 3
O>
c 1250 3l:
e 1000 ue D
E 750 Ec. 500 2700 2600 2
05S 2500 D
y 2400 E
e y 2300 e
d
$ 2200 n.
2100
=
0 250 500 750 1000 1250 1500 1750 1900 Rn. 6 TIME (SECONDS) 8/81 SNUPPS FIGURE 15.54 CHEMICAL At ' VOLUME CONTROL SYSTEM MALFUNCTION MINIMUM REACTIVITY FEEDBACK, WITHOUT PRESSURIZER SPRAY
l SNUPPS 14602 ITEM T 7.3.2 CONTAINMENT PURGE ISOLATION SYSTEM 7.3.2.1 Description The containment purge isolation system detects any abnormal amount of radioactivity in the containment atmosphere or in the containment purge effluent, and initiates appropriate action to ensure that any release of radioactivity to the environs is controlled.
The containment purge systems are also isolated by CIS.
7.3.2.1.1
System Description
a.
Initiating circuits Redundant and independent gaseous radiation monitors measure the radioactivity levels of the containment atmosphere and of the containment purge effluent.
These monitors provide analog radioactivity signals to bistable units in the ESF actuation system.
The bistables generate redundant trip signals, and transmit them to the automatic actuation logic.
Since the dampers also close on CIS, the initiating logic for CIS shown in Figure 7.2-1 (Sheet 8) is also applicable.
b.
Logic A logic diagram for tha ESF actuation system is provided as Figure 7.3-1.
This diagram siews only the actuation systems; it does not detail the bypass, bypass interlock, or test provisions.
The logic for the containment purge isolation actuation subsystem is included in this figure.
The ESFAS hardware consists of solid-state bista'bles and logic elements, with electromechanical relays as the final output devices.
The output relays are all energize-to-actuate, with contact operation as required for each actuated device.
The ESFAS is divided into three input-logic-output channels.
These channels all meet the independence and separation criteria, as described elsewhere in this chapter.
The logic channels are uniquely asso-ciated with the output channels.
The input signals from all three input channels are isolated as necessary, and the isolated signals are transmitted to the logic channels as shown in Figure 7.3-1.
Interconnection of differing separation groups within the BOP ESFAS is by means of digital signal isolation modules.
Analog signal isolation modules are included to provide isolated analog signals to the BOP computer.
Adequate physical separation or barriers are provided 7.3-8 Rev. 6 8/81 l
6&>
f SNUPPS LTCin1 O i
between differing separation groups, and wiring is routed in separated wireways, where appropriate.
The wiring is color-coded with regard to separation group.
The digital signal isolation modules utilize optical isolators with appropriate signal and power condition-ing circuits.
The output circuits are powered by the devices receiving signals from the isolation modules, so no power isolation is required.
There are no connec-tions between the input and output circuits, except for the optical coupling in the isolation devices.
The analog signal isolation modules utilize transformers as the isolation devices.
The analog input signals and the input power are converted to pulse trains and applied to the primary windings, and then they are reconstructed by circuits connected to the transformer secondaries.
There are no connections between the input and output circuits, except fcr the magnetic coupling in the transformers.
Both the analog and the digital signal isolation modules are tested to ensure a minimum isolation potential of 1,500 Vac rms between the input terminals and the output terminals (all input terminals shorted together and all output terminals shorted together), and between the ter-minals and ground (all terminals shorted together).
The 1
1,500 Vac rms test voltage was applied for at least 60 sec-onos for each test.
Once generated, any actuation signal remains present until it is manually reset.
Each bistable automatically resets when its input signal returns to the " safe" side of the setpoint-deadband region.
7.3-8a Rev. 6 8/81
.hd bb)
SNUPPS
{}Q gf reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode.
Both trains of the logic protection system remain in service during this portion of the test.
2.
Check of logic matrices Logic matrices are checked, one train at a time.:
Input relays are not operated during this portion of the test.
Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semiautomatic test panel in the train.
At the completion of the logic matrix tests, one bistable in each channel of process instrumentation or nuclear instrumen-tation is tripped to check closure of the input error inhibit switch contacts.
The logic test scheme uses pulse techniques to check the coincidence logic.
All possible trip and nontrip combinations are checked.
Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts.
Thus there is an overlap between the input relay check and the logic matrix check.
Pulses are fed back from the reactor trip breaker undervoltage coil to the tester.
The pulses are of such short duration that the reactor trip breaker under-voltage coil armature cannot respond mechanically.
Test indications that are pro \\'.ded are an annunci-ator in the control room indicating that reactor trips from.he train have been blocked and that the train is being tested and green and red lamps on the semiautom:4 tic teater to indicate a good or bad logic matrix test.
Protection capability provided during this portion of the test is from the train not being tested.
3.
General warning alarn reactor trip Each of the two trains of the solid state protec-tion system is continuously monitored by the general warning alarm reactor trip subsystem.
The warning circuits are actuated if undesirable train conditioas are set up by improper alignment of testing systems, circuit malfunction or failure, etc., as listed below.
A trouble condition in a log c train is indicated in the control room.
i 7.2-28 Rev. 6 8/81 1
i
aLC Di$
~
I
.ITE M ?A I
SNUPPS However, if any of the conditions exist in both trains at the same time, the general warning alarm circuits will automatically trip the reactor.
a.
Loss of either of two 48 vrit dc or either of two 15 volt de power R.splies.
b.
Printed circuit card improperly inserted.
c.
Input error inhibit switch in the INHIBIT position.
d.
Slave relay tester mode selector in TEST position.
Multiplexing selector switch in INHIBIT e.
position.
f.
Loss of ac power in relay cabinets.
g.
Opposite train bypass breaker racked in and closed.
h.
Permissive or memory test switch not in OFF position.
i.
Logic function test switch not in OFF position.
The testing capability meets the requirements of GDC-21 (refer to Section 3.1).
Testing of Reactor Trip Breakers Normally, reactor trip breakers 52/RTA and 52/RTB s in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service).
In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers, thereby eliminating the need to bypass them during this testing.
The following procedure describes the method used for testing the trip breakers:
7.2-28a Rev. 6 l
8/81
?
3;Tc34 el 3>
5 """ S The error between the programmed reference temperature (based on turbine impulse chamber pressure) and the highest of the Tavg measured ~ temperatures (which is processed through a lead-lag compensation unit) from each of the reactor coolant loops con-stitutes the primary control signal, as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown in Figure 7.2-1 (Sheet 9).
The system is capable of restoring coolant average temperature to the programmed value following a change in load.
The programmed coolant temperature increases linearly with turbine load from zero power to the full power condition.
The T also supplies a signal to pressurizer level avg control and steam dump control and rod insertion limit monitoring.
The temperature channels needed to derive the temperature input signals for the reactor control system are fed from protection channels via isolation amplifiers.
An additional control input signal is derived from the reactor power versus turbine load mismatch signal.
This additional control input signal improves system performance by enhancing response and reducing transient peaks.
The core axial power distribution is controlled during load follow maneuvers by chang ig (a manual operator action) the boron concentration in the RCS.
The control board A$ displays (sce Section 7.7.1.3.1) indicates the need for an adjratment in the axial power distribution.
Adding boron to the reactor coolant will reduce T,yg and cause the rods (through the rod control system) to move toward the top of the core.
This action will reduce power peaks in the bottom of the core.
Likewise, removing boron from the reactor coolant will move the rods further into the core to control power peaks in the top of the core.
7.7.1.2 Rod Control System 7.7.1.2.1 Description l
The rod control system receives rod speed and direction signals from the T c ntrol system.
The rod speed demand signal varies avg over the corresponding range of 3.75 to 45 inches per minute 7.7-4 Rev. 6 8/81
16 %
suures gg g c.
The control bank withdrawals are programmed such that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank which continues to move toward its fully withdrawn position.
When the second bank reaches a prcset position, the third bank begins to move out, and so on.
This withdrawal sequence con-tinues until the unit reaches the desired power level.
The control bank insertion sequence is the opposite.
d.
Overlap between successive control banks is adjustable between 0 to 50 percent (0 and 115 steps), with an accuracy of 11 step.
e.
Rod speeds for either the shutdown banks or manual operation of the control banks are capable of being controlled between a minimum of 6 steps per minute and a maximum of 72 (+0, -10) steps per minute.
7.7.1.2.2 Features credible rod control equipment malfunctions which could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap, or malpositioning of the rods are the following:
a.
Failures in the manual rod controls:
1.
Rod motion control switch (in-hold-out) 2.
Bank selector switch b.
Failures in the overlap and bank sequence program control:
1.
Logic cabinet systems 2.
Power supply systems c.
Failures in the manual rod controls 1.
Failure of the rod motion control switch The rod motion control switch is a three-position lever switch.
The three positions are "In,"
" Hold," and "Out."
These positions are effective when the bank selector switch is in manual.
Failure of the rod motion control switch (contacts failing short or activated relay failures) would have the potential, in the worst case, to prodt.ce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks.
7.7-6 Rev. 6 8/81 i
bib SNUPPS 37., g g,.j g y When the bank selector switch is in the automatic position, the rods would obey the automatic commands and failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch is in "In,"
" Hold," or "Out."
In the case where the bank selector switch is celecting a bank and a failure occurs in the rod-motion switch that would command the bank "Out" even when the rod motion control switch was in an "In" or " Hold" position the selected bank could inadvertently withdraw.
This failure is bounded in the safety analysis (Chapter 15.0) by the uncontrolled bank withdrawal subcritical and at power transients.
A reactivity insertion of up to 75 pcm/sec is assumed in the analysis due to rod movement.
This value of reactivity insertion rate is consistent with the withdrawal of two banks.
Failure that can cause more than one group of four mechanisms to be moved at one time within a power cabinet is not a credible event because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply).
The drive mecha-nism is designed so that it will not operate on half current.
A second feature in this scenario would be the multiplexing failure detection circuit included in each power cabinet.
Tais circuit would stop rod withdrawal (or insertion).
The second case considered in the potential'for inadvertent reactivity insertion due to possible failures is when the selector switch is in the manual position.
Such a case could produce, with a failure in the rod motion control switch, a scenario where the rods could inadvertently withdraw in a proctammed sequence.
The overlap and bank sequence mse programmed when the selec-tion is in either automatic or manual.
This scenario is also bounded by the reactivity values assumed in the SAR accident analysis.
In this case, the operator can trip the reactor, or the protection system would trip the reactor via power range neutron flux-high, or overtemperature AT.
2.
Failure of the bank selector switch A failure of the bank selector switch produces no consequences when the "in-hold-out" manual switch 7.7-6a Rev. 6 l
8/81
1f50 SNUPPS y{.y (3 V
is in the " Hold" position.
This is due to the following design feature:
The bank selector switch is series wired with the in-hold-out lever switch for manual and individual control rod bank operation.
With the in-hold-out lever switch in the " Hold" position, the bank selec-tor switch can be positioned without rod movement.
d.
Failures in the overlap and bank sequence program control I
The rod cor: trol system design prevents the movement of the groups out of sequence as well as limiting the rate of reactivity insertion.
The main feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the block stiervisory memory buffer and control.
This circuitry accepts and stores the externally generated command signals.
In the event of out of sequence input command to the rods while they are in movement, this circuit will inhibit the buffer memory from accepting the command.
If a change of signal command appears, this circuit would stop the system after allowing the slave cyclers to f:taish their current sequencing.
Fai'are of the components related to this system will also produce rod deviation alarm and insertion limit alarm.
Failures within the system such as failures of supervisory logic cards, pulser cards, etc., will also cause an urgent alarm.
An urgent alarm will be followed by the following actions:
Automatic de-energizing of the lift coil and reduced current energizing of the stationary gripper coils and movable grpper coils Activation of the alarm light (urgent failure) on the power supply cabinet front panel Activation of rod control urgent failure annunciation window on the plant annunciator The urgent alarm is produced in general by:
Regulation failure detector Phase failure detector Logic error detector Multiplexing error detector
~
Interlock failure detector 7.7-6b Rev. 6 l
8/81 l
a
WAh SNUPPS
.- 9 (3 y
1.
Logic cabinet failures The rod control system is designed to limit the rod speed control signal output to a value that causes the pulser (logic cabinet) to drive the control reci driving mechanism at 72 steps per minute.
If a failure should occur in the pulses or the reactor control system, the highest step-ping rate pessible is 77 steps per minute, which -
corresponds to one step every 780 milliseconds.
j A commanded stepping rate higher than 77 steps per minute would result in "GO" pulses entering a slave cycler while it is sequencing its mech-anisms through a 780 millisecond step.
This con-dition stops the control bank motion automatic-ally, and alarms are activated locally and in the 1
control room.
It also causes the affected slave cycler tc reflect further "GO" pulses until it is reset.
Failures that cause the 780 millisecond step sequence time to shorten will not result in higher rod speeds, since the stepping rate is propor-tional to the pulsing rate.
Simultaneous failures in the pulser or rod control system and in the clock circuits that determine the 780 millisecond stepping sequence could result in higher CRDM speed; however, in the unlikely event of these simultaneous multiple failures the maximum CRDM operation speed would be no more than approxi-mately 100 steps per minute due to mechanical limitation.
Tnis speed het been verified by tests conducted on the CRDMs.
The positive reactivity insertion rates for these failure modes, including the 100 steps per minute, are bounded by the Chapter 15.0 SAR analysis assumptions.
Failures causing movement of the rods out of sequence:
No single failure was disco'ered (Ref. 2) that v
would cause a rapid uncontrolled withdrawal of Control Bank D (taken as worst case) when operat-ing in the automatic bank overlap control mode with tne reactor at near full power output.
- The, analysis revealed that many of the fcilures pos-tulated were in a safe direction and that rod movement is blocked by the rod urgent alarm.
7.7-6c Rev. 6 l
8/81
$th f)
SNUPPS ggg 1
2.
Power supply system failures Analysis of the power cabinet disclosed no single component failures that would cause the uncon-trolled withdrawal of a group of rods serviced by the power cabinet.
The analysis substantiates
. that the design of a power cabinet is " fail-preferred" with regard to a rod withdrawal acci-m.
dent if a component fails.
The end results of the failure is either that of blocking rod movement or that of dropping an individual rod or rods or a group of rods.
No failure, within the power cab-inet, which could cause erroneous drive mechanism operation will remain undetected.
Sufficient dlarm monitoring (including " Urgent" alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mecha-nisms.
As noted in the foregoing, diverse moni-toring systems are available for detection of failures that cause the erroneous operation of an individual control rod drive mechanism.
In summary, no single failure within the rod control system can cause either reactivity insertions or mal-positioning of the control rods resulting in core thermal conditions not bounded by analyses contained in Chapter 15.0.
7.7.1.3 Plant Control Signals for Monitoring and Indicating 7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation System The power range channels are used to measure power level, cxial flux imbalance, and radial flux imbalance.
These channels ero ccpable of recording overpower excursions up to 200 percent of full power.
Suitable alarms are derived from these signals, cs described below.
Basic power range signals are:
a.
Total current from a power range detector (four signals from separate detectors); these detectors are vertical and have a total active length of 10 feet.
e b.
Current from the upper half of each power range detector (four signals).
c.
Current from the lower half of each power range detector (four signals).
7.7-6d Rev. 6 l
8/81 l
SNUPPS 7/$b I
3it..a45l l
The following (including standard signal processing for cali-l bration) are derived from these basic signals:
a.
Indicated nuclear power (four signals).
b.
Indicated axial flux imbalance ( A$ ), derived from upper half flux minus lower half flux (four signals).
i l
i i
1 1
t
?
I i
i i
7.7-6e Rev. 6 l
l 8/81 l
hbCbh
~
SNUPPS 176t9 trip from full power.
This heat sink is provided by the combination of centrolled release of steam to the condenser-and by makeup of feedwater to the steam generators.
The steam dump system is controlled from the ret tor coolant avertg-temperature signal whose setpoint values are programmed as a function of turbine load.
Actuation of the steam dump is rapid to prevent actuation of the steam generator safety valves.
With the dump valves open, the average coolant temperature starts to reduce quickly to the no-load setpoint.
A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed.
The feedwater flow is cut off following a reactor trip when the average coolant temperature decreases below a given temperature or when the steam generator water level reaches a given high level.
Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value.
Residual heat removal is maintained by the steam header pressure controller (manually selected), which controls the amount of steam flow to the condensers.
This controller operates a portion of the same steam dump valves to the condensers, which are used during the initial transient following turbine and reactor trip.
The pressurizer pressure and level fall rapidly during the transient because of coolant contraction.
The pressurizer water level is programmed so that the level following the turbine and reactor trip is above the heaters.
However, if the heaters become uncovered following the trip, the chemical and volume control system will provide full charging flow to restore water level in the pressurizer.
Heaters are then turned on to restore pressurizer pressure to normal.
The steam dump and feedwater control systems are designed to prevent the average coolant temperature from fali'ng below the programmed no-load temperature following the trip to ensure adequate reactivity shutdown margin.
7.
7.3 REFERENCES
1.
- Lipchak, J.
B.,
" Nuclear Instrumentation System,"
WCAP-8255, January, 1974.
(For additional background information only.)
2.
- Shopsky, W.
E.,
" Failure Mode and Effects Analysis (FMEA) of the Solid State Full Length Rod Control System," WCAP-8976, August 1977.
7.7-27 Rev. 6 8/81
.A SNUPPS NF TABLE 1.6-2 (Sheet 16)
Ek ; Westinghouse FSAR Report s
i-Topical Revision Section Submitted ReviewII}
l f4 Report No.
Title Number Reference to the NRC Status I
" Design, Inspection, Operation Rev. 0 12.1 4/27/77 B
and Maintenance Aspects of the Westinghouse NSSS to Maintain
+
Occupational Radiation Exposures as Low as neasonably Achievable."
" Westinghouse 7300 Series Rev. 0 7.1 6/15/77 A
i Process Control System Noise Tests"
+
" Benchmark Problem Solutions Rev. 0 3.9(N) 5/26/77 U
l Employed for Verification of the WECAN Computer Program" WCAP-8963 (P)
" Safety Analysis for the Rev. 0 4.2 3/31/71 A
WCAP-8964 Revised Fuel Rod Internal 8/11/77 Pressure Design Basis" WCAP-8976
" Failure Mode and Effects Rev. 0 4.6, 10/26/77 U
Analysis (FMEA) of the 7.7 Solid State Full Length Rod Control System" WCAP-9168 (P)
" Westinghouse Emergency Core Rev. 0 15.6 9/27/77 U
^
WCAP-9150 Cooling System Evaluation Model - Modified October 1975 Version" WCAP-9179 (P)
" Properties of Fuel and Core Rev. 1 4.2 8/2/78 U
~
Component Materials" O'
e e
Rev. 6 8/81
SNUPPS M$h ZM M 44 15.3.2 COMPLETE LOSS OF FORCED REACTOR COOLANT FLOW 15.3.2.1 Identification of Causes and Accident Description A complete loss of flow accident may result from a simultane-
~
ous loss of electrical supplies to all reactor coolant pumps.
If the reactor is at power at the time of the ac cident, the immediate effect of loss-of-coolant flow is a r apid increase in the coolant temperature.
This increase could result in a DNB with subsequent fuel damage if the reactor were not tripped promptly.
Normal power for the reactor coolant pumps is supplied through busses from a transformer connected to the generator.
When a generator trip occurs, the busses are automatically trans-ferred to a transformer supplied from external power lines, and the pumps will continue to supply coolant flow to the core.
Following any turbine trip where there are no electri-cal faults which require tripping the generator from the network, the generator remains connected to the network for approximately 30 seconds.
The reactor coolant pumps remain connected to the generator, thus ensuring full flow for 30 seconds after the reactor trip before any transfer is made.
A complete loss of flow accident is classified as an ANS Condition III event (an infrequent fault), as defined in Section 15.0.1.
The follouing signals provide protection against this event:
a.
Reactor coolant pump power supply undervoltage or underfrequency b.
Low reactor coolant loop flow The reactor trip on reactor coolant pump undervoltage is provided to protect against conditions which can cause a loss of voltage to all reactor coolant pumps, i.e.,
station black-out.
This function is blocked below approximately 10-percent power (Permissive 7).
The reactor trip on reactor coolant pump underfrequency is provided to trip the reactor for an underfrequency condition, resulting from frequency disturbances on the power grid.
Reference 3 provides analyses of grid frequency disturbances and the resulting NSSS protection requirements which are applicable to the SNUPPS units.
Reference 3 shews that the underfrequency trip of the reactor coolant pump breakers is not required for grid decay rates up to 5 hz/sec.
Grid stability and transient analyses for both the Wolf Creek and Callaway sites show maximum grid decay rates of less than 5 hz/sec.
Therefore, the reactor coolant pump breaker trip on under frequency (Figure 7.2-1, Sheet 5) is not a safety function in the SNUPPS design.
15.3-4 Rev. 6 8/81
.SNUPPS 16$h
.ZTL d' fI-The reactor trip on low primary coolant loop flow is provided to protect against loss of flow conditions which affect only cne reactor coolant loop.
This function ir generated by two cut of three low flow signals per reactor coolant loop.
Above Parmissive 8, low flow in any loop will actuate a reactor trip.
Between approximately 10-percent power (Permissive 7) f an-A e
m 15.3-4a Rev. 6 8/81
V10 SNUPPS fQ 7.1.2.1 Design Bases The design baseo for the safety-related systems are provided in the respective sections of Chapter 7.0.
i 7.1.2.2 Independence of Redundant Safety-Related Systems The safety-related systems are designed to meet the indepen-dence and separation requirements of GDC-22 and Section 4.6 of IEEE Standard 279-1971.
The electrical power supply, instrumentation, an'd control conductors for redundant circuits of a nuclear plant have physical separation to precerve the redundancy and to ensure that no single credible event will prevent operation of the associated function.
Critical circuits and functions include power, control, and analog instrumentation associated with the operation of the safety-related systems.
Events considered credible and considered in the design include the effects of short circuits, pipe rupture, missiles, and fire.
7.1.2.2.1 General The physical separation criteria for redundant safety-related system sensors, sensing lines, wireways, cables, and compo-nents on racks meet the recommendations contained in Regulatory Guide 1.75 with the following comments:
The protection systems use redundant instrumentation l
a.
channels and actuation trains and incorporate physical and electrical separation to prevent faults in one channel from degrading any other protection channel.
b.
Where no redundant circuits share a single compartment of a safety-related instrumentation rack and these redundant safety-related instrumentation racks are physically separated, the recommendations of Position C.16 of Regulatory Guide 1.75 do not apply.
c.
Redundant, isolated control signal cables leaving l
the protection racks are brought into close proximity elsewhere in the plant, such as the control board.
It could be postulated that electrical faults, or interference, at these locations might be propagated into all redundant racks and degrade protection circuits because of the close proximity of protection i
7.1-5 Rev. 6 8/81
1al$ b5 SNUPPS
.T7GM h and control wiring within each rack.
Regulatory Guide 1.75 (Regulatory Position C.4) and IEEE Standard 384-1974 (Section 4.5(3)) provide the option to demonstrate by tests that the absence of physical separation could not significantly reduce the avail-ability of Class IE circuits.
Westinghouse test programs have demonstrated that Class IE protection systems (nuclear instrumentation system, solid state protection system, and 7300 process control system) are not degraded by non-Class IE circuits sharing the same enclosure.
Conformance to the requirements of /EEE Standard 279-1971 and Regulatory Guide 1.75 has been established and accepted by the NRC, based on the following which is applicable to these systems at the SNUPPS sites.
Tests conducted on the as-built designs of the nuclear instrumentation system and solid state protection system were reported and accepted by the NRC in support of the Diablo Canyon application (Docket Nos.
50-275 and 50-323).
Westinghouse considers these programs as applicable to all plants, including SNUPPS.
Westinghouse tests on the 7300 process contrcl system were covered in a report entitled, "7300 Series Process Control System Noise Tests,"
subsequently reissued as Reference 2.
In a letter dated April 20, 1977 (Ref. 3), the NRC accepted the report in which the applicability of the SNUPPS pl. ants is estaolished.
d.
The physical separation criteria for instrument I
cabinets within the NSSS scope meet the recommenda-tions contained in Section 5.7 of IEEE Standard l
384-1974.
Compliance with specific positions of Regulatory Guide 1.75 is given in Chapter 8.0.
7.1.2.2.2 Specific Systems i
Independence is maintained throughout each system, extending from the sensor through to the devices actuating the protective function.
Physical separation is used to achieve separation of redundant transmitters.
Separation of field wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant protection channel set.
Redundant analog equipment is separated by locating modules in different protection rack sets.
Each redundant channel set is energized frcu a separate ac power feed.
l There are four separate protection sets.
Each pr)tection set contains several channels, each channel sensing a different variable.
Separation of redundant analog channell begins at the process sensors and is maintained in the field wiring, 7.1-6 Rev. 6 l
8/81
.