LD-89-107, Forwards Addl Info Re CESSAR-DC Chapter 7

ML20248B348
Person / Time
Site: 05000470
Issue date: 09/28/1989
From: Scherer A
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To: NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
PROJECT-675A LD-89-107, NUDOCS 8910030174
Download: ML20248B348 (27)


Text


COMBUSTION ENGINEERING
September 28, 1989
LD-89-107

Project No. 675

U. S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, D.C. 20555

Subject: Response to NRC Request for Additional Information Concerning Chapter 7, Reactor Safeguards Branch

Reference: Letter, G. S. Vissing (NRC) to A. E. Scherer (C-E), dated November 2, 1988

Dear Sirs:

The Reference requested that Combustion Engineering provide additional information concerning CESSAR-DC, Chapter 7. Enclosure I to this letter provides our responses and Enclosure II provides the proposed corresponding revisions to CESSAR-DC.

Should you have any questions, please feel free to contact me or Mr. S. E. Ritterbusch of my staff at (203) 285-5206.

Very truly yours,
COMBUSTION ENGINEERING, INC.

Director, Nuclear Licensing

AES:jeb

Enclosures: As Stated

cc: F. Ross (DOE-Germantown)
    R. Singh (NRC)

Power Systems
Combustion Engineering, Inc.
1000 Prospect Hill Road
Post Office Box 500
Windsor, Connecticut 06095-0500
(203) 688 1911
Telex: 99297

Enclosure I to LD-89-107
Page 1 of 9

RESPONSE TO NRC REQUEST FOR ADDITIONAL INFORMATION CONCERNING CHAPTER 7, REACTOR SAFEGUARDS BRANCH

Enclosure I
Page 2 of 9

Question 500.7

Reference in 7.1.2.16 to Regulatory Guide 5.7, "Control of Personnel Access to Protected Areas, Vital Areas and Material Access Areas", which primarily pertains to 10 CFR 73.45 and 73.46, should be replaced instead with reference to NUREG-0908, "Acceptance Criteria for the Evaluation of Nuclear Power Reactor Security Plans", which pertains to 10 CFR 73.55 and 73.70.

However, C-E will have to define additional criteria since neither of these contains criteria useful for defining what "separate plant locations" means in the context of 7.1.2.16.

Response 500.7

The reference to Regulatory Guide 5.7 will be replaced with NUREG-0908. The specific "separate plant areas" will be clearly defined in Chapter 13, Appendix 13A, Section 7.

The requisite " separate plant areas" were derived from the following criteria:

The channelized safety-related equipment shall be located within separate rooms to ensure that channel separation is maintained and to enhance the I&C sabotage resistance. Each room shall contain only equipment associated with a specific channel and shall be designed with a separate entry point; there shall be no entry point common to more than one room.

Each of the equipment rooms shall be designed to maintain a fire barrier between itself and the other I&C equipment rooms to minimize fire damage to the I&C.

Each of the equipment rooms shall contain a single controlled access point to restrict entry and incorporate measures to impede forced entry.

The Main Control Room (MCR) and the Remote Shutdown Control Room (RSCR) shall be located in vital areas separate from each other and separate from the equipment rooms which house the I&C equipment. These rooms also shall have restricted entry and incorporate measures to impede forced entry.

Enclosure I
Page 3 of 9

Considering the above criteria, the following separate vital plant areas are defined:

o Main Control Room
o Remote Shutdown Control Room
o Channel A Equipment Room
o Channel B Equipment Room
o Channel C Equipment Room
o Channel D Equipment Room

In addition, the following separate plant areas are also provided and contain restricted plant entry:

o Computer Room
o Channel X Equipment Room
o Channel Y Equipment Room

Section 7.1.2.16.A will be revised to reference Chapter 13, Appendix 13A, Section 7. Chapter 13, Appendix 13A, Section 7 will be revised to reflect this response.

Enclosure I
Page 4 of 9

Question 500.8

C-E's response to Question 500.5 stated that criteria for physical separation will be presented in Chapters 9 and 13 of CESSAR-DC Submittal Group E. Why shouldn't those criteria also affect the discussions of instrumentation and control system separation interface requirements and system component arrangement interface requirements contained in 7.1.2.16.A and 7.1.3.E, F, and M?

Response 500.8

General criteria for sabotage protection are presented in Chapter 13, Appendix 13A, Section 2 (see Amendment E of CESSAR-DC). Specific criteria for protection of instrumentation and controls are provided in the response to Question 500.7. Those specific criteria will be added to Chapter 13, Appendix 13A, Section 7, while Section 7.1.2.16.A will reference this material.

Enclosure I
Page 5 of 9

Question 500.9

7.1.2.16 states that the trip function calculation cannot be altered by operating or maintenance personnel but that they can change the setpoints. What provisions are being considered to prevent a single insider from being able to intentionally alter setpoints without control room knowledge and permission?

Response 500.9

As explained in the response to Question 500.7, each channel of a multichannel safety related system (A, B, C, D) is located in a separate equipment room which is independent from the other safety related equipment rooms. Access to each of these equipment rooms is controlled. Further, within each room, cabinets which contain safety related equipment (such as the Plant Protection System, Core Protection Calculators and ESF-Component Control System) are locked and annunciate an alarm in the control room when entered. Thus, two levels of protection are provided against unauthorized access to setpoint equipment.

In addition, the digital based safety/control systems utilize the memory protection features of their processors, in which the software setpoints are locked out and made inaccessible within the software itself. With memory protection activated (the normal condition), the system will not accept software changes/updates to the designated protected memory area.

As a further measure of protection against unauthorized altering of setpoints, the Data Processing System (DPS) continuously monitors the safety related systems for changes to the setpoints. This is accomplished via dedicated DPS programs which either directly monitor the individual safety system setpoints for deviations from their established values or which monitor checksum values that are computed within the safety systems (based on the current setpoint values) and periodically transmitted to the DPS where they are compared against a reference value. In either case, any deviations are detected and alarmed within the control room.

Chapter 13, Appendix 13A, Section 8 will be added to reflect this response.

Section 7.1.2.16.B will be revised to reference Chapter 13, Appendix 13A, Section 8.

Enclosure I
Page 6 of 9

Question 500.10

7.1.2.16 states that the transfer switches that determine whether the Main Control Room or the Remote Shutdown Panel has control of critical valves and pumps are "under key lock administrative control with built-in alarms." Because of the damage that could be done from the Remote Shutdown Panel controls listed in Tables 7.4-1 and 7.4-2, these alarms should meet security standards for false and nuisance alarm rates, tamper indication, line supervision, testing, and timeliness of response appropriate to protection against the design basis threat (i.e., 10 CFR 73.1[a][1]). Please discuss the importance of the "door open" alarms on vital instrumentation cabinet doors, and the component inoperable or bypass alarms, and whether or not they do or should meet these standards.

Response 500.10

All vital instrumentation cabinets are located in four separate equipment rooms (A, B, C, D). Transfer of control from the main control room panels to the remote shutdown control room panels requires activation of transfer switches located in these separate equipment rooms.

Each equipment room has a single controlled access entry point. In addition, each vital instrument cabinet, within each of the four separate equipment rooms, is itself locked and equipped with an internal entry (open door) alarm.

Master transfer switches, which transfer control of the I&C systems between the main control room and remote shutdown control room, are located in each of the separate equipment rooms.

In order to adversely affect a plant process from the remote control room, at least two (2) of the four (4) safety associated rooms (A, B, C, D) must be entered in addition to the remote shutdown control room.

It is unlikely that all three of these rooms could be entered before a threat would be detected and thwarted.

Component inoperable and bypass alarms are intended to convey component/system operability information to the operations staff. Inoperable/bypassed components are alarmed within the control room to alert the operating staff to the inoperable/bypassed condition.

Enclosure I
Page 7 of 9

The Component Control System (CCS) which monitors for and generates the inoperable/bypass conditions is composed of multiple channels which are distributed among the aforementioned separate equipment rooms.

Security is provided in each room via controlled access to the rooms and cabinet entry alarms as noted previously. The CCS is further protected against tampering via utilization of the "memory protection" feature of the CCS processors (see Response 500.9 for further details).

In addition, the CCS incorporates a high degree of continuous automatic on-line testing. This testing ensures CCS operability. Further, setpoints within the CCS are continuously monitored by the DPS for alteration via a checksum value which is periodically computed and transmitted to the DPS (see Response 500.9 for additional details).

In summary, each vital equipment room has separate access requirements and each vital I&C equipment cabinet has access requirements which are different from those of the rooms. Entry to any room or cabinet is immediately annunciated.

Since multiple rooms and cabinets must first be entered before a safety system / function can be defeated or adversely affected, there is ample time to respond to the threat.

The equipment rooms and the I&C cabinets contained therein fully meet the alarm security requirements of 10 CFR 73.

Chapter 13, Appendix 13A, Section 8 will be added to reflect this response.

Section 7.1.2.16.B will be revised to reference Chapter 13, Appendix 13A, Section 8.

Enclosure I
Page 8 of 9

Question 500.11

Discuss what measures C-E proposes for protection against bypass of the shutdown cooling system suction line valve interlocks (7.6.1.1.1), and manipulation of the valves, by a single knowledgeable insider at the valve motor control centers.

Response 500.11

Bypassing of the shutdown cooling system suction line valve interlocks requires altering the appropriate setpoints in the Component Control System.

Access to these setpoints is controlled via separate controlled-access equipment rooms, locked equipment cabinets, and memory protection within the control processors. Further, protection against setpoint tampering is provided by the DPS which continually monitors and alarms the safety related systems for changes to setpoints (these features are explained in detail in Response 500.9).

The Motor Control Centers (MCC) are located in physically separate rooms according to control channel assignment (A, B, C, D). Each room has a single controlled access point to restrict entry.

The shutdown cooling system design utilizes two (2) separate and independent fluid paths for redundancy. Each path contains suction valves which are associated with two of the I&C channels in a mutually exclusive manner (A/C for one train and B/D for the other train).

This design precludes any adverse impact to shutdown cooling due to an intruder within a single MCC. Since an intruder would have to enter two separate and locked rooms to impact shutdown cooling, there is sufficient time to detect and respond to the threat.

Chapter 13, Appendix 13A, Sections 7 and 8 will reflect this response.

Section 7.6.1.1.1 will be revised to reference Chapter 13, Appendix 13A, Sections 7 and 8.

Enclosure I
Page 9 of 9

Question 500.12

7.1.1.4 includes the Emergency Diesel Generator but not the Station Service Water System as safe shutdown systems required to place the reactor in hot shutdown.

At many current power plants the Station Service Water System is required for Diesel Generator cooling. What is the cooling system for the CESSAR Diesel Generators?

Response to Question 500.12

The Diesel Generator Engine Cooling Water System is described in Section 9.5.5 (Amendment E). A separate and complete closed-loop cooling water system is provided for each diesel generator engine. This closed cooling water system receives makeup from the Demineralized Water Makeup System (Section 9.2.3) and is cooled by the Component Cooling Water System (Section 9.2.2) which, in turn, is cooled by the Station Service Water System (Section 9.2.1).

Section 7.1.1.4 will be revised to add the Station Service Water System; Component Cooling Water System; and the Heating, Ventilating, and Air Conditioning System to the list of systems required to place the reactor in hot shutdown. This section will also be revised to remove the designations of which safety systems are in Combustion Engineering's scope of design - the System 80+ Standard Design encompasses an essentially complete plant.

Enclosure II to LD-89-107
Page 1 of 17

PROPOSED REVISIONS TO THE COMBUSTION ENGINEERING STANDARD SAFETY ANALYSIS REPORT - DESIGN CERTIFICATION

Enclosure II
Page 2 of 17

CESSAR DESIGN CERTIFICATION

7.0 INSTRUMENTATION AND CONTROL

7.1 INTRODUCTION

The System 80+ Standard Design includes the Nuplex 80+ Advanced Control Complex (ACC). The design integrates both NPM and BOP instrumentation and control interfaces into the ACC design.

The ACC design consists of the following major interdependent systems: Main Control Panels (MCP), Remote Shutdown Panel (RSP), Discrete Indicator and Alarm System (DIAS), an expanded Data Processing System (DPS), ESF and Process Component Control Systems (CCS), Megawatt Demand Setter (MDS) and all the systems which were in the previous System 80 design as described in CESSAR-F.

The Nuplex 80+ design takes advantage of modern digital processing equipment to implement the safety, control and information display systems. These systems are implemented in accordance with the Human Factors Engineering design criteria and process as described in Chapter 18.

7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS

The safety-related instrumentation and controls, including supporting systems, are identified below.

7.1.1.1 Plant Protection System (PPS)

The PPS includes the electrical and mechanical devices and circuitry required to perform the protective functions defined below.

A. Reactor Protective System (RPS)

The RPS is the portion of the PPS that acts to trip the reactor when required. The RPS is described in Section 7.2.

B. Engineered Safety Features Actuation System (ESFAS)

The ESFAS is the portion of the PPS which activates the Engineered Safety Feature systems listed in Section 7.1.1.3 and described in Section 7.3.

Amendment D 7.1-1 September 30, 1988

Enclosure II

CESSAR DESIGN CERTIFICATION

7.1.1.1.1 Alternate Protection System (APS)

The Alternate Protection System (APS) augments reactor protection and emergency feedwater actuation by utilizing non-1E trip logic which is separate and diverse from the Plant Protection System. Refer to Section 7.7.1.1.11 for a description of these ATWS mitigation systems.

7.1.1.2 Reactor Trip System (RTS)

The RTS includes the RPS portion of the PPS, Reactor Trip Switchgear System (RTSS) and the arrangement of components that perform a reactor trip after receiving a signal from the RPS either automatically or manually by the operator. The RTS initiates a reactor trip based on the signals from the sensors which monitor various NSSS parameters and the containment pressure.

7.1.1.3 Engineered Safety Feature Systems (ESF Systems)

The ESF Systems include the ESFAS and the arrangement of components that perform protective actions after receiving a signal from the ESFAS or the operator.

The ESF Systems are:

A. Containment Isolation System
B. Main Steam Isolation System
C. Safety Injection System
D. Emergency Feedwater System
E. Containment Spray System
F. Safety Depressurization System
G. Supporting Systems

The instrumentation and controls for ESF Systems are described in Section 7.3.

7.1.1.4 Systems Required for Safe Shutdown

Systems required for safe shutdown are defined as those essential for pressure and reactivity control, coolant inventory makeup, and removal of residual heat once the reactor has been brought to a subcritical condition. These systems are categorized according to the following shutdown modes:

Amendment D 7.1-2 September 30, 1988

Enclosure II

CESSAR DESIGN CERTIFICATION

A. Hot Shutdown

Systems required for maintenance of the primary system at, or near, operating temperature and pressure.

B. Cold Shutdown

Systems required to cool down and maintain the primary system at, or near, ambient conditions.

C. Safe Shutdown

The systems required for safe shutdown are listed below and described in Section 7.4.

The safe shutdown systems required to place the reactor in hot shutdown include:

A. Emergency Diesel Generator
B. Emergency Diesel Generator Fuel Storage and Transfer System
C. Emergency Power Storage System
D. Emergency On-site Power Distribution System
E. Safety Injection System
F. Emergency Feedwater System
G. Atmospheric Steam Dump System
H. Safety Depressurization System

In addition, Remote Shutdown Panel (RSP) equipment and systems are provided to allow emergency shutdown from outside the control room.

The safe shutdown systems or portions of systems required to place the reactor in cold shutdown include those in A. through H. above, plus the following:

I. Shutdown Cooling System

Amendment D 7.1-3 September 30, 1988

Enclosure II
Page 5 of 17

INSERT 1

I. Component Cooling Water System
J. Station Service Water System
K. Heating, Ventilating, and Air Conditioning System

CESSAR DESIGN CERTIFICATION

7.1.1.5 Safety-Related Display Instrumentation

The safety-related display instrumentation provides information to the operator to allow him to adequately monitor plant operating conditions and to perform any required manual safety functions. Safety-related display instrumentation is described in Section 7.5.

Safety-related displays are provided for:

A. Safety-Related Plant Process Display Instrumentation
B. Reactor Trip System Monitoring
C. Engineered Safety Features Actuation System Monitoring
D. CEA Position Indication
E. Post-Accident Monitoring Indication
F. ESF Systems Performance and Availability Indication
G. Critical Functions Monitoring Indication

7.1.1.6 All Other Systems Required for Safety

Other systems required for safety include the interlocks required to prevent overpressurization of the Shutdown Cooling System and to ensure safety injection availability. These are provided as listed below and described in Section 7.6.

A. Shutdown Cooling System Suction Line Isolation Valve Interlocks
B. Safety Injection Tank Isolation Valve Interlocks

7.1.1.7 Design Comparison

The Reactor Protective System (RPS) is designed by Combustion Engineering. The system will be functionally identical to the system provided for the Palo Verde Nuclear Generating Station (PVNGS, NRC Docket No. 50-528) with the following exception:

The Supplementary Protection System (SPS) is replaced by the Alternate Protection System (APS), as described in Section 7.7.1.1.11. The APS is specifically designed to increase the reliability of reactor trip initiation and address ATWS

Amendment D 7.1-4 September 30, 1988

Enclosure II
Page 7 of 17

CESSAR DESIGN CERTIFICATION

7.1.2.16 Conformance to Regulatory Guide 1.17 (Rev. 1, 6/73)

The following design features address the requirements of Regulatory Guide 1.17, "Protection of Nuclear Power Plants Against Industrial Sabotage":

A. Separate Geographic Locations for Equipment

1. Redundant channels of safety-related instrumentation and control cabinets are designed to be located in separate plant locations. [INSERT A]

B. Limited Ability to Change System Hardware and Software Configurations

1. Portions of systems are designed to limit the ability of operating and maintenance personnel to change basic system functions (e.g., setpoints can be changed, but the trip function calculation cannot be altered). [INSERT B]

2. The transfer of control between the Main Control Room and Remote Shutdown Panel is under key lock administrative control with built-in alarms. [INSERT C]

3. The PPS design does not permit bypassing either the RPS or ESFAS signals at the system level. Bypasses can be initiated in only one of the four redundant protection channels at a time. Attempts to bypass additional channels will automatically put the channel in a trip state, as discussed in Sections 7.2.1 and 7.3.1.

4. Vital instrumentation cabinet doors are locked and equipped with "door open" alarms.

C. Fail-Safe Design Philosophy

1. Systems are generally designed to fail safely upon de-energization, removal of printed circuit boards and disconnection of cables and data links.

2. Test modes are designed such that they do not prevent system actuation.

Amendment D 7.1-11 September 30, 1988

Enclosure II
Page 8 of 17

INSERT A

These equipment locations are designed consistent with the intent of NUREG-0908 (Reference 5) and are described in Chapter 13, Appendix 13A, Section 7.

INSERT B

Further details on the protection features of the I&C system, relative to setpoint security, are contained in Chapter 13, Appendix 13A, Section 8.

INSERT C

Further details of the protection features of the I&C system, relative to impeding unauthorized transfer from the Main Control Room to the Remote Shutdown Panel, are contained in Chapter 13, Appendix 13A, Section 8.

Enclosure II
Page 9 of 17

CESSAR DESIGN CERTIFICATION

F. The containment subsphere area contains many of the components highly ranked for protection against sabotage. The access control for this region of the plant is strictly controlled.

G. The Emergency Feedwater Storage Tanks will be located (e.g., inside the auxiliary building) so as to make them less susceptible to sabotage.

H. The Nuplex 80+ instrumentation and controls design incorporates semi-automated and on-line testing features for the Plant Protection System as well as on-line monitoring of fluid and electrical systems, making detection of sabotage attempts more likely.

I. The Nuplex 80+ instrumentation and controls design provides channel separation for many of the safety systems with adequate physical access control to each channel to make sabotage more difficult.

7.0 PLANT LAYOUT FOR SABOTAGE RESISTANCE

The layout of the components in the subsphere of the containment building and for selected other plant regions has proceeded according to the access control design criteria contained in Section 2.2 above and in view of the protection prioritization provided in Section 4.0 above. The plant layout is provided in Chapter 1 of CESSAR-DC.

It is important to note that the subsphere area provides for complete train separation of safety systems. There is also significant component compartmentalization to provide additional access control, thereby permitting the deployment of a variety of access control strategies as discussed in Section 3.0 above.

8.0 INSTRUMENTATION AND CONTROL FEATURES FOR SABOTAGE RESISTANCE [handwritten heading, partly illegible; marked 500.9, 500.10, 500.11]

0 Amendment E 13A-16 December 30, 1988

Enclosure II
Page 10 of 17

INSERT A1

Specific criteria for the location of safety-related instrumentation and controls to increase sabotage resistance are as follows:

o The channelized safety-related equipment shall be located within separate rooms to ensure that channel separation is maintained and to enhance the I&C sabotage resistance. Each room shall contain only equipment associated with a specific channel and shall be designed with a separate entry point; there shall be no entry point common to more than one room.

o Each of the equipment rooms shall be designed to maintain a fire barrier between itself and the other I&C equipment rooms to minimize fire damage to the I&C.

o Each of the equipment rooms shall contain a single controlled access point to restrict entry and incorporate measures to impede forced entry.

o The Main Control Room (MCR) and the Remote Shutdown Control Room (RSCR) shall be located in vital areas separate from each other and separate from the equipment rooms which house the I&C equipment. These rooms also shall have restricted entry and incorporate measures to impede forced entry.

Considering the above criteria, the following separate vital plant areas are defined for the System 80+ Standard Design:

o Main Control Room
o Remote Shutdown Control Room
o Channel A Equipment Room
o Channel B Equipment Room
o Channel C Equipment Room
o Channel D Equipment Room

In addition, the following separate plant areas are also provided and contain restricted plant entry as well as measures to impede forced entry:

o Computer Room
o Channel X Equipment Room
o Channel Y Equipment Room

The Motor Control Centers (MCC) are similarly located in physically separate rooms according to control channel assignment (A, B, C, D). Each room has a single controlled access point to restrict entry.

The shutdown cooling system design utilizes two separate and independent fluid paths for redundancy. Each path contains suction valves which are associated with two of the I&C channels in a mutually exclusive manner (A/C for one train and B/D for another train). This design precludes any adverse impact to shutdown cooling due to an intruder within a single MCC. Since an intruder would have to enter two separate and locked rooms to impact shutdown cooling, there is sufficient time to detect and respond to the threat.

Enclosure II
Page 11 of 17

INSERT B1

As part of the I&C sabotage resistance features, several levels of protection against unauthorized changes to setpoints are provided.

First, as was noted above in Chapter 7, each channel of a multichannel safety related system (A, B, C, D) is located in a separate equipment room which is independent from the other safety related equipment rooms. Access to each of these equipment rooms is controlled. Second, within each room, cabinets which contain safety related equipment (such as the Plant Protection System, Core Protection Calculators and ESF-Component Control System) are locked and annunciate an alarm in the control room when entered. Thus, two levels of protection are provided against unauthorized access to setpoint equipment.

In addition, the digital based safety/control systems utilize the memory protection features of their processors, in which the software setpoints are locked out and made inaccessible within the software itself. With memory protection activated (the normal condition), the system will not accept software changes/updates to the designated protected memory area.

As a further measure of protection against unauthorized altering of setpoints, the Data Processing System (DPS) continuously monitors the safety related systems for changes to the setpoints. This is accomplished via dedicated DPS programs which either directly monitor the individual safety system setpoints for deviations from their established values or which monitor checksum values that are computed within the safety systems (based on the current setpoint values) and periodically transmitted to the DPS where they are compared against a reference value. In either case, any deviations are detected and alarmed within the control room.
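The two DPS monitoring schemes described in Response 500.9 and again in INSERT B1 above (direct comparison of reported setpoint values, and comparison of a checksum the safety system computes over its own setpoints against a reference the DPS holds) can be sketched in a few lines. The following Python is an added illustration, not C-E's code or any part of the CESSAR-DC design: the channel and setpoint names, the numeric values, the CRC-32 checksum, the comparison tolerance and the treatment of a silent channel as an alarm condition are all constructed assumptions.

```python
"""Added illustration of the two DPS setpoint-monitoring schemes described in
Response 500.9 / INSERT B1: direct comparison of reported setpoints against
reference values, and comparison of a checksum computed inside the safety
system against a checksum the DPS computes over its own reference table.
Everything here (channel names, setpoint names, values, the CRC-32 choice)
is a constructed assumption, not C-E's design."""
import struct
import zlib
from dataclasses import dataclass

# Constructed reference setpoint table; every channel holds the same values.
_TABLE = {"pzr_press_low_trip": 1825.0, "high_log_power": 0.5, "low_sg_level": 25.0}
REFERENCE_SETPOINTS = {ch: dict(_TABLE) for ch in "ABCD"}

TOLERANCE = 1e-6  # assumed tolerance for the direct value comparison


def setpoint_checksum(setpoints):
    """CRC-32 over the setpoint table in canonical form (sorted by name, each
    value packed as a big-endian IEEE-754 double) so that the safety system
    and the DPS compute identical checksums for identical tables."""
    buf = b"".join(name.encode() + b"=" + struct.pack(">d", value)
                   for name, value in sorted(setpoints.items()))
    return zlib.crc32(buf) & 0xFFFFFFFF


@dataclass
class Alarm:
    channel: str
    kind: str      # "deviation", "checksum" or "comm" (assumed categories)
    detail: str


def check_direct(channel, reported, reference):
    """Scheme 1: the DPS receives every setpoint value and compares it
    with the established reference value."""
    alarms = []
    for name, ref in reference.items():
        if name not in reported:
            alarms.append(Alarm(channel, "deviation", f"{name} missing from report"))
        elif abs(reported[name] - ref) > TOLERANCE:
            alarms.append(Alarm(channel, "deviation",
                                f"{name}: reported {reported[name]}, reference {ref}"))
    for name in sorted(set(reported) - set(reference)):
        alarms.append(Alarm(channel, "deviation", f"unexpected setpoint {name}"))
    return alarms


def check_checksum(channel, reported_checksum, reference):
    """Scheme 2: the safety system transmits only a checksum computed over its
    current setpoints; the DPS compares it with the reference checksum."""
    expected = setpoint_checksum(reference)
    if reported_checksum != expected:
        return [Alarm(channel, "checksum",
                      f"reported 0x{reported_checksum:08x}, expected 0x{expected:08x}")]
    return []


def dps_scan(direct_reports, checksum_reports, reference=REFERENCE_SETPOINTS):
    """One DPS monitoring cycle over all channels. A channel that reports
    neither values nor a checksum is alarmed too (assumption: a silent
    channel is treated as a deviation rather than as healthy)."""
    alarms = []
    for ch, ref in reference.items():
        if ch in direct_reports:
            alarms.extend(check_direct(ch, direct_reports[ch], ref))
        elif ch in checksum_reports:
            alarms.extend(check_checksum(ch, checksum_reports[ch], ref))
        else:
            alarms.append(Alarm(ch, "comm", "no setpoint report received this cycle"))
    return alarms


def demo():
    """Constructed cycle: channels A and B report full tables (B has one
    altered setpoint); C and D report checksums (D's was computed over an
    altered table). Expected: one deviation alarm for B, one checksum alarm for D."""
    direct = {"A": dict(REFERENCE_SETPOINTS["A"]),
              "B": {**REFERENCE_SETPOINTS["B"], "low_sg_level": 5.0}}
    altered_d = {**REFERENCE_SETPOINTS["D"], "pzr_press_low_trip": 1500.0}
    checksums = {"C": setpoint_checksum(REFERENCE_SETPOINTS["C"]),
                 "D": setpoint_checksum(altered_d)}
    return dps_scan(direct, checksums)


if __name__ == "__main__":
    for alarm in demo():
        print(f"CONTROL ROOM ALARM channel {alarm.channel} [{alarm.kind}]: {alarm.detail}")
```

The checksum path is what makes scheme 2 work with little link bandwidth: the safety system never sends its setpoints, only a fixed-size digest, and any change to any value (or to the set of names) changes the digest the DPS expects. A CRC detects accidental or unsophisticated alteration; it is not a cryptographic MAC, so a design that must resist an adversary who can also forge the transmitted digest would need a keyed construction, which the letter does not discuss.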

Enclosure II
Page 12 of 17

INSERT C1

Plant control is provided from either the Main Control Room or the Remote Shutdown Control Room. Master transfer switches, which transfer control of the I&C systems between the main control room and remote shutdown control room, are located in each of the separate equipment rooms.

In order to adversely affect a plant process from the remote control room, at least two of the four safety associated rooms (A, B, C, D) must be entered in addition to the remote shutdown control room.

It is unlikely that all three of these rooms could be entered before a threat would be detected and thwarted.

Component inoperable and bypass alarms are provided by the I&C system to convey component/system operability information to the operations staff. Inoperable/bypassed components are alarmed within the control room to alert the operating staff to the inoperable/bypassed condition.

The Component Control System (CCS) which monitors for and generates the inoperable/bypass conditions is composed of multiple channels which are distributed among the aforementioned separate equipment rooms.

Security is provided in each room via controlled access to the rooms and cabinet entry alarms as noted previously. The CCS is further protected against tampering via utilization of the "memory protection" feature of the CCS processors as described previously.

In addition, the CCS incorporates a high degree of continuous automatic on-line testing. This testing ensures CCS operability.

Further, setpoints within the CCS are continuously monitored by the DPS for alteration via a checksum value which is periodically computed and transmitted to the DPS.

In summary, each vital equipment room has separate access requirements and each vital I&C equipment cabinet has access requirements which are different from those of the rooms.

Entry to any room or cabinet is immediately annunciated. Since multiple rooms and cabinets must first be entered before a safety system/function can be defeated or adversely affected, there is ample time to respond to the threat. Additional protection is provided via "Memory Protection" within the I&C processors as well as the monitoring of setpoints via the DPS.

The equipment rooms and the I&C cabinets contained therein fully meet the alarm security requirements of 10 CFR 73.

Enclosure II

CESSAR DESIGN CERTIFICATION

D. Safety System Status Monitoring

1. Critical safety system setpoints can be determined manually and are automatically monitored via the plant Data Processing System.

2. Reactor trip and ESFAS initiation trip channel bypass alarms are provided.

3. Component level bypasses in the ESF systems result in system level inoperable alarms for the affected systems, as described in Section 7.1.2.21.

E. Diverse Manual vs Automatic Reactor Trip and ESFAS Initiation

1. Reactor Trip and ESFAS are automatically initiated by the PPS. These same functions can be manually initiated by the operator. The RTSS and ESF-CCS manual initiation trips do not rely on any PPS components for actuation. Therefore, these functions can be manually initiated with a complete failure of the PPS automatic initiation logic.

The above features are designed to impede sabotage. See Chapter [chapter number illegible in scan] for a more comprehensive discussion on protection against sabotage.

7.1.2.17 Conformance to Regulatory Guide 1.22 (Rev. 0, 2/72)

The PPS, ESF-CCS, and the RTSS, as described in Section 7.1.1, conform to the guidance of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions." This conformance is described below.

A. Provisions are made to permit periodic testing of the complete PPS, ESF-CCS, and RTSS with the reactor operating at power or when shutdown. These tests cover the trip action from sensor input to actuated devices. Those ESF actuated devices which could affect operations are not tested while the reactor is operating but, instead, are tested while the reactor is shutdown.

B. The provisions of this position are incorporated in the testing of the PPS, from sensor to actuation device, including the ESFAS and ESF-CCS and the RTSS as designed by Combustion Engineering and as implemented in the site-specific SAR.

Amendment E    7.1-12    December 30, 1988


I. Operational Controls

The RPS and ESFAS manual actuation devices are located in the control room. The instrumentation and control components of the safe shutdown systems on the Remote Shutdown Panel or at local locations shall be manually operable. Most BOP auxiliary and supporting system controls required to be operated from the Main Control and/or Remote Shutdown Panels shall be interfaced through the ESF-CCS and Process-CCS to satisfy Chapter 18 HFE design criteria. All other control modules supplied by the site operator for installation in these panels shall be designed to be compatible with the HFE design assumptions, criteria and task analyses identified in Chapter 18.

J. Inspection and Testing

The PPS, including sensors, shall be capable of being periodically tested in accordance with the Technical Specifications of Chapter 16. Those portions which could adversely affect reactor operations shall be capable of being tested when the reactor is shut down. All other safety-related instrumentation shall be capable of being tested during normal operation.

K. Chemistry/Sampling

The components of the safety-related equipment shall be located so as not to exceed the chemistry limits specified in Section 3.11.

L. Materials

Not applicable to the safety-related instrumentation and controls equipment.

M. System Component Arrangement

Safety-related components shall be located so as to conform to the separation, independence, and other criteria specified in this chapter. The safety-related components shall be located to provide access for maintenance, testing [handwritten insertion illegible in scan]. Redundant channels and divisions of safety-related instrumentation and control cabinets shall be located in separate plant control complex locations. These locations

Amendment    7.1-24    September 30, 1988



Enclosure II
CESSAR-DC
Page 16 of 17

The RCS pressure signals used are provided by pressurizer pressure safety channels. (See Figures 7.6-1a, 7.6-1b and 7.6-1c for this logic.)

These interlocks are redundant so that any single failure will not cause a suction line and heat exchanger to be subjected to pressures greater than design pressure.

The interlock cannot be overridden, so that operator action cannot inadvertently subject the SCS to RCS pressure. In addition, no single failure can prevent the operator from aligning the valves, on at least one suction line, for shutdown cooling after RCS pressure requirements are satisfied.

Redundant relief valves are provided on the suction lines to prevent or mitigate overpressurization from pressure transients. These transients can be caused by inadvertent starting of safety injection pumps, charging pumps, inadvertent energization of pressurizer backup heaters, or a combination of these. The relief valves are set at the values shown on Table 7.6-1 to ensure the system stays below its design limits.

7.6.1.1.2 Safety Injection Tank Isolation Valve Interlocks

The SIS is designed to inject borated water into the RCS upon receipt of an SIAS (refer to Section 7.3) and to provide long term cooling in conjunction with other systems following an accident. The Safety Injection Tanks (SITs) inject borated water into the RCS if system pressure drops below their internal pressure. During normal operation, each tank has a motor operated isolation valve that is open with power removed from its motor circuit to eliminate the possibility of spurious actuation.

As the RCS pressure is reduced during plant shutdown, the low pressurizer pressure trip setpoint is reduced to avoid inadvertent initiation of safety injection, the SITs are depressurized to a value below the SCS design pressure, and the valves have their power restored and are closed.

The SIT interlocks are used to prevent the SITs from inadvertently pressurizing the SCS while maintaining SIT availability in case of a LOCA. Refer to Figure 7.6-2 for the interlock logic. The isolation valves are manually closed when RCS pressure drops below the value shown on Table 7.6-1 such that the SITs cannot cause overpressurization of the SCS while the SITs are maintained at some pressure above atmospheric. As RCS pressure increases, the valves will automatically reopen at the pressure indicated in Table 7.6-1. This opening of the SIT

Amendment D    7.6-2    September 30, 1988
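The interlock properties stated on this page (redundant pressurizer pressure channels, no single failure that subjects an SCS suction line to RCS pressure, no single failure that prevents aligning at least one line, no operator override of the permissive, and automatic reopening of the SIT isolation valves as RCS pressure rises) are modelled below as an added example. This is not the CESSAR-DC logic of Figures 7.6-1 and 7.6-2, which are not reproduced here: the channel-to-line assignment (channels A and B vote for line 1, C and D for line 2, two-of-two to open), the treatment of a stuck channel as the single failure, and every pressure value are assumptions constructed for the illustration; the actual setpoints are in Table 7.6-1.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed thresholds (psia); the real values are in Table 7.6-1, which is
# not reproduced on this page.
SCS_PERMISSIVE_PSIA = 400.0      # a suction valve may be opened only below this
SIT_CLOSE_BELOW_PSIA = 700.0     # operator may close SIT isolation valves below this
SIT_AUTO_REOPEN_PSIA = 700.0     # SIT valves reopen automatically at or above this


@dataclass
class PressureChannel:
    """One pressurizer pressure safety channel. A non-None `failed_value`
    models the single failure: the channel sticks at that reading."""
    name: str
    failed_value: Optional[float] = None

    def read(self, true_pressure: float) -> float:
        return true_pressure if self.failed_value is None else self.failed_value


def scs_line_permissive(channels: list, true_pressure: float) -> bool:
    """Open permissive for one SCS suction line: every channel assigned to the
    line must read below the permissive (two-of-two to open). There is no
    override input, matching the stated design. Assumed arrangement: a channel
    failing low cannot open a line by itself, and a channel failing high blocks
    only the line it belongs to."""
    return all(ch.read(true_pressure) < SCS_PERMISSIVE_PSIA for ch in channels)


def scs_alignment(true_pressure: float, failed: Optional[str] = None,
                  failed_value: float = 0.0) -> dict:
    """Evaluate both suction lines using four channels (A, B on line 1;
    C, D on line 2), optionally with one channel stuck at `failed_value`."""
    chans = {n: PressureChannel(n) for n in "ABCD"}
    if failed is not None:
        chans[failed].failed_value = failed_value
    return {
        "line1_may_open": scs_line_permissive([chans["A"], chans["B"]], true_pressure),
        "line2_may_open": scs_line_permissive([chans["C"], chans["D"]], true_pressure),
    }


def sit_valve_open(current_open: bool, rcs_pressure: float,
                   operator_close: bool) -> bool:
    """Command for one SIT isolation valve; True means open. The automatic
    reopen takes precedence once RCS pressure reaches the reopen value, so a
    manual close left in place cannot keep a tank isolated at power."""
    if rcs_pressure >= SIT_AUTO_REOPEN_PSIA:
        return True
    if operator_close and rcs_pressure < SIT_CLOSE_BELOW_PSIA:
        return False
    return current_open


def single_failure_survey(true_pressure: float) -> dict:
    """Exercise every single channel failure (stuck low and stuck high) and
    report, for each, whether any line is opened at high pressure and whether
    at least one line remains alignable at low pressure."""
    results = {}
    for name in "ABCD":
        for stuck in (0.0, 2500.0):
            r = scs_alignment(true_pressure, failed=name, failed_value=stuck)
            results[f"{name}@{stuck:.0f}"] = (r["line1_may_open"], r["line2_may_open"])
    return results


if __name__ == "__main__":
    print("no failure, 300 psia:", scs_alignment(300.0))
    print("no failure, 2000 psia:", scs_alignment(2000.0))
    print("single failures at 2000 psia:", single_failure_survey(2000.0))
    print("single failures at 300 psia:", single_failure_survey(300.0))
    print("SIT valve, manual close at 650 psia:", sit_valve_open(True, 650.0, True))
    print("SIT valve, pressure back to 700 psia:", sit_valve_open(False, 700.0, True))
```

Under these assumptions the survey at 2000 psia never opens a line for any single stuck channel, and the survey at 300 psia always leaves at least one line alignable, which is the pair of single-failure properties the text claims for the real interlocks; a different channel assignment (for example all four channels shared by both lines in a two-of-four vote) would need to be checked the same way before the claim could be made for it.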

Enclosure II
Page 17 of 17

INSERT D

Further details on the protection features for the Shutdown Cooling System are provided in Chapter 13, Appendix 13A, Sections 7 and 8.
