LD-91-066, Forwards Response to NRC 910805 Request for Addl in on CESSAR Design Certification

ML20086P185
Person / Time
Site: 05200002
Issue date: 12/17/1991
From: Erin Kennedy
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
LD-91-066, LD-91-66, NUDOCS 9112260243


Text


ABB
ASEA BROWN BOVERI

December 17, 1991
LD-91-066

Docket No. 52-002
U.S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555

Subject: Response to NRC Requests for Additional Information

Reference: Letter, Reactor Safeguards Branch RAIs, T. V. Wambach (NRC) to E. H. Kennedy (C-E), dated August 5, 1991

Dear Sirs:

The reference requested additional information for the NRC staff review of the Combustion Engineering Standard Safety Analysis Report Design Certification (CESSAR-DC). Enclosure I to this letter provides our responses to a number of these questions, and Enclosure II provides corresponding revisions to CESSAR-DC. Enclosure III provides a list of questions to which responses will be provided separately.

Should you have any questions on the enclosed material, please contact me or Mr. Stan Ritterbusch of my staff at (203) 285-5206.

Very truly yours,

COMBUSTION ENGINEERING, INC.

E. H. Kennedy
Manager
Nuclear Systems Licensing

EHK:gh


Enclosures: As Stated


cc: J. Trotter (EPRI)
    T. Wambach (NRC)


ABB Combustion Engineering Nuclear Power
Combustion Engineering, Inc.
1000 Prospect Hill Road
Post Office Box 500
Windsor, Connecticut
Telephone (203) 668-1911
Fax (203) 285-9512
Telex: COMBEN WSOR

9112260243 911217
PDR ADOCK 05200002
PDR

Enclosure I to LD-91-066


RESPONSE TO NRC REQUESTS FOR ADDITIONAL INFORMATION
REACTOR SAFEGUARDS BRANCH


500.15 In its staff requirements memorandum (SRM) for SECY-90-353, the Commission asked to be advised of a vendor's reasons for deviating from the EPRI ALWR Utility Requirements Document (URD) and informed whether and how the vendor and EPRI resolve the differences. For each of the security system requirements of Section 5 of Chapter 9 of the URD Volume II (Rev. 1), identify where in CESSAR-DC the requirement is addressed. If CESSAR-DC does not conform to the requirement, provide the reason for nonconformance.

Response: Much of a security plan will be either site specific or will depend on identification and procurement of specific components and is thus beyond the scope of System 80+ work. To date, we have identified no deviations from the EPRI requirements for security systems for systems and components within the scope of CESSAR-DC.

The response to RAI 500.18 identifies criteria and interface requirements in CESSAR-DC that provide assurance that the plant design will facilitate prevention and mitigation of sabotage during construction and operation. Further, the response to RAI 500.21 notes that safeguards mechanical and electrical components are located in the Nuclear Annex and subsphere regions to which access is controlled. The use of physical separation and barriers between redundant safeguards equipment in the System 80+ design facilitates protection against sabotage. The arrangement of safeguards equipment is shown in CESSAR-DC Figures 1.2-1 through 1.2-10.


500.16 (a) How would the location of non-critical control room operator support facilities close to, but outside of, the control room security boundary affect the habitability of the control room following a severe accident (or release of hazardous material such as chlorine) because of the necessity for frequent opening of the boundary to allow use of these facilities?

(b) Is the security boundary of the control room the same as its pressure boundary?

(c) Include in the building design the 10 CFR 73.55(c) (6) requirement regarding bullet resistance of the control room boundary.

Response:

(a) A room labeled "Emergency Supplies" is provided adjacent to the main control room, within the pressure, security, and bullet-resistant boundary, in which items will be stored for use by operators in an emergency. Such things as respirator equipment, anti-contamination clothing, and emergency tools will be provided. In addition, emergency food and water supplies could be provided along with self-contained sanitation facilities (options of chemical, electrical, and "portable" toilet facilities are available).

(b) The control room pressure boundary and control room vital area boundary will coincide.

(c) The control room design will include the bullet resistance requirements of 10 CFR 73.55(c)(6).


500.17 (a) Response 500.7 noted that each of the equipment rooms shall contain a single controlled access point to restrict entry and incorporate measures to impede forced access. Appendix 13A indicates that there is significant component compartmentalization to provide additional access control. "Measures to impede forced access" imply locked doors. Discuss what consideration has been given in decisions regarding compartmentalization of safety equipment to the possible need for operators to rapidly access vital equipment in emergency situations, considering that access control card readers may unexpectedly fail or cause delays. Consider whether an interface requirement is needed for users of System 80+ to have plant equipment operators carry hard keys to override any card reader controlled locks (including locks that fail open on loss of power).

(b) Section 5.2.4.2 of Chapter 9 of the URD specifies that the design of the security system include an evaluation of its impact on plant operation, testing, and maintenance, considering all operational modes and/or emergency conditions. CESSAR-DC Appendix 13A, Section 2.1, item J, does not provide for an evaluation but states conditions on security access control restrictions. Is it intended that users of System 80+ perform such an evaluation? Since CESSAR-DC Section 13.6 merely states that information on the site operator's security program is within the site operator's scope, how will procedural guidance to perform the evaluation or to comply with the general sabotage design criteria in Appendix 13A be passed on to users of System 80+?

Response:

(a) A premise of the System 80+ design is to provide the site operators flexibility to incorporate into the site security plan many options to support their preference in security system hardware and operations.

The intention is to allow the Owner-Operator to incorporate subcompartmentalization techniques to protect vital equipment (using barriers provided for other purposes such as fire and flood protection) or to protect larger areas or groups of components, as may be necessary to meet the site-specific security program in a balance with maintenance functions.

Several options would be available for emergency override of failed security system components. The system selected will be addressed in the site-specific security program developed by the Owner-Operator.

(b) It is intended that the System 80+ Owner-Operator perform the analysis. A proposed revision to CESSAR-DC has been made to require that such an evaluation be included in the site-specific security plan.

500.18 At the time of C-E's response to Question 500.2, the C-E application was limited to the nuclear island and C-E intended that interface criteria for site specific security plans would be provided in Standardized Functional Descriptions to be provided in Section 13.6 of the SSAR. Subsequently, the scope of C-E's application was expanded and the concept of Standardized Functional Descriptions was dropped. Consider whether 13.6 should specify as interface criteria those portions of the security plan that either (1) could or should be standard for all users of System 80+ (e.g., provisions for card reader or other access control system cabling), (2) might be necessary to validate assumptions made in Appendix 13A, or (3) would be required for conformance with security related guidance of the URD.

Response: Appendix 13A provides security plan guidelines for the System 80+. Much of the station security program will be site specific and is thus beyond the current scope of the System 80+ security plan.

The System 80+ design allows a great deal of flexibility in meeting security objectives. Design criteria are presented in Appendix 13A, Sections 2.1 and 2.2, and Section 1.8 discusses regulatory guides which will be met by the site security plan.

Interface requirements addressing the security plan are included in Chapter 13. This documentation provides assurance that design features which facilitate prevention and mitigation of sabotage during construction and operation are incorporated.

The interface requirements in Chapter 13 will be relocated to CESSAR-DC Section 1.9 as committed in C-E letter LD-91-054 dated October 22, 1991.

500.19 Table 1.8-1 lists Regulatory Guide (RG) 5.65 as applicable to CESSAR-DC Section 13.6 and Appendix 13A only. Because the building design portion of RG 5.65 deals with heating, ventilation and air conditioning (HVAC) and cable tray penetrations of vital area barriers, Table 1.8-1 should also list CESSAR-DC Section 9.4. Similarly, Section 9.4 should include reference to RG 5.65 where appropriate, and ventilation openings and ducts be sized to account for flow resistance that these barriers could introduce. (Staff recognizes the difficulty in securing penetrations in such a manner that the integrity of the wall is not lessened by the penetration, as specified in 10 CFR Part 73.2, and would find normal penetration resistance of ventilation openings and ducts acceptable if supplemented with tamper indicating devices that would alert the alarm stations of barrier intrusion.)

Response: A proposed CESSAR-DC change has revised Table 1.8-1 to list Regulatory Guide 5.65 as applicable to Section 9.4.

A proposed revision to Section 9.4 has added the following:

"HVAC penetrations through the security barriers are designed to provide security protection to meet the intent of Regulatory Guide 5.65."

500.20 Request:

Sections 2.3 and 8.4 of URD Chapter 11 include guidelines for supplying power to permanent non-safety loads required to remain operational at all times. The URD lists security systems among the typical loads in this category. CESSAR-DC Section 9.5.3.2.2 includes the security lighting system as part of the permanent non-safety systems. Will other security loads be included among the CESSAR-DC Permanent Non-safety "X" loads discussed in CESSAR-DC Section 8.3.1.1.1.3, or will they be provided by a separate site-specific uninterruptible power supply? Note that 10 CFR 73.55(e)(1) requires the on-site secondary power supply systems for alarm annunciator and non-portable communications equipment to be located within a vital area.

Response:

Onsite supply systems for security alarm annunciators and non-portable communications equipment will be powered from an uninterruptible power source consisting of dedicated batteries, which in turn will be powered from the permanent non-safety buses and the AAC Source (Combustion Turbine). The AAC Source will be protected in a secure vital area. Other security loads will be powered from the permanent non-safety buses directly from the AAC or normal power, depending on availability. These requirements are specified, where applicable, in Appendix 13A of CESSAR-DC, Section 2.1.N, and CESSAR-DC Sections 8.3.1.1.5 and 9.5.3.2.2, and will be included in the site-specific security plan (when prepared by the Owner-Operator).


500.21 Considering the guidance of NRC Review Guideline 17 and URD Chapter 9 Section 5.2.3, include in CESSAR-DC Section 13.6 a standard list of vital systems and vital areas for System 80+ to be incorporated into site specific security plans in place of the list provided in response 500.7. Provide a sound technical basis for any Seismic Category I systems that would not be contained within vital areas.

Response: Section 12.3.1.3 of CESSAR-DC lists the control room, the Technical Support Center and the diesel generator rooms as vital areas. This is not a complete list. The list of vital areas will be expanded and confirmed upon completion of the emergency procedure guidelines for System 80+, scheduled for May 1992, and included in a future amendment to CESSAR-DC.


500.22 Responses 500.7, 500.9 and 500.10 included changes to Section 7.1.2.16 and also indicated that a Section 8 would be added to Appendix 13A. These changes were not included through Amendment I. What is the current status of those responses?

Response: The changes indicated in this RAI are included in Enclosure II of this letter and they will be included in the next amendment of CESSAR-DC.


500.23 10 CFR Part 73.55(f) requires plant security officers to be capable of continuous communication with the central and secondary alarm stations. Security response forces of operating reactors rely upon individual mobile radios for communications during tactical movements. CESSAR-DC Section 9.5.2 provides only for telephones for intraplant communications. It addresses a security radio system for offsite communications, but not for onsite communications with security officers. Item 18 of C-E's letter dated December 21, 1990, on differences between the URD and the System 80+ Standard Design, states that wireless communications can be used where needed but that sound-powered phones avoid problems such as interference with control systems and continuity of coverage. However, Section 4.6.3 of URD Chapter 10 specifies that the plant designer include provisions to insure that effective communications are not prevented by problems of transmission through thick concrete walls, high noise areas, personnel protective equipment, too few communication lines, or interference with or from other electronic or electrical equipment. (Design provisions such as shielding of instrument transmitters and logic cabinets from radio frequency interference, fiber optic cabling, and radio repeaters within buildings might prove suitable.) What consideration has been given to assuring the capability for security officers to be in continuous intraplant communication at System 80+ standard plants?

Response: The System 80+ design does not prevent the use of wireless communication systems. It is expected that plant security will use wireless communications at the plant to maintain continuous intraplant communication. However, the choice of security communications systems will be decided by the System 80+ Owner-Operator.


500.26 CESSAR-DC Sections 1.2.11.11 and 9.5.3.1 state "The security lighting system complies with the intent of NUREG/CR-1327." However, the security lighting description, CESSAR-DC Section 9.5.3.2.2, makes no mention of that NUREG.

Response: See the response to request for additional information 500.20 for discussion of security lighting power supplies.


500.27 Section 9.5.3.2.2 states "The security lighting system is designed to provide a minimum illumination of 0.2 foot-candles when measured horizontally at ground level." Table 9.5.3-1 lists 2 to 5 foot-candles as typical illuminance ranges for normal exterior area lighting. Those illumination levels would give a range of ratios of typical to minimum illumination of 10:1 to 25:1. However, NUREG/CR-1327 recommends that for security lighting of the protected area's isolation zone, the average to minimum illumination ratio not exceed 4:1, with less than 3:1 preferred. Discuss whether the minimum and/or typical illumination levels specified in CESSAR-DC should be adjusted to insure that the lighting within the isolation zone is sufficiently uniform to provide for prompt assessment of intrusion alarms by closed circuit television (CCTV).

Response: Actual design of CCTV systems as part of security systems is site specific. A proposed change to CESSAR-DC has been made to require that, within camera viewing areas, illumination will meet CCTV requirements to provide for prompt assessment of intrusion alarms.


500.28 CESSAR-DC Section 1.1.3 indicates that Appendix 13A will analyze both insider and outsider sabotage threats. However, Appendix 13A states, "One of the primary assumptions of the analysis is that the sabotage is performed by an insider working without explosives." Include an interface requirement for the System 80+ user to perform the outsider sabotage analysis as part of its security response planning.

Response: The following proposed requirement has been added to Appendix 13A of CESSAR-DC:

The site specific security plan shall include an outsider sabotage analysis as part of its security response planning.

500.29 (a) Assumption F in Section 2.1 of Appendix 13A, that the presence of several persons precludes acts of sabotage in the control room, should be modified to note that maintenance areas out of sight of the control room operator are not a concern because vital cabinets are locked and equipped with "door open" alarms and that the plant protection system does not permit bypassing more than one of the four redundant protection channels at a time (see Section 7.1.2.16).

(b) Assumption G in that same section, that a security area can be de-vitalized during unit shutdown if justified in the physical security plan, will require plant specific review and approval.

Response: (a) A proposed change to Section 2.1 of Appendix 13A has been made to reflect this comment.

(b) Yes, devitalizing of security areas during plant shutdown will require review and approval of the site-specific physical security plan.


500.30 GL 89-07 requests power reactor licensees, as a matter of prudence, to address the possibility of a vehicle bomb in their contingency planning. Although a vehicle bomb is not part of the NRC's design basis threat, has any consideration been given in the typical site plan (Figure 1.2-1) or to layout or design of building exteriors as to limit standoff distances to the protected area boundary?

Response:

GL 89-07 has been included in CESSAR-DC as a document to be addressed by the Owner-Operator in developing the site-specific security plan. Conceptually, it is expected that GL 89-07 will be met through stand-off distances using natural and/or man-made features at the owner-controlled area boundary. There is nothing in the typical site plan (Figure 1.2-1) which would prohibit the Owner-Operator from implementing the guidance of GL 89-07.


500.31 Request:

The startup test program described in CESSAR-DC Section 14.2 includes security lighting system and security radio system tests. (CESSAR-DC Section 9.5.2 provides a security radio system for offsite communications.) Security "lockdown" of the protected area and startup testing of the rest of the security system (i.e., intrusion detection system, alarm assessment system, access control system, etc.) is not addressed. The security lighting system test described is incomplete in that it does not address testing on loss of normal power nor testing of its adequacy for support of CCTV security functions. The communications test does not address verifying communication capability and non-interference with equipment from all locations within the plant. Discuss whether these tests should be included in the standard design documentation, and if not, clarify that these tests remain within the scope of the utility's license application.


Response:

Security "lockdown" of the protected area and startup testing of the rest of the security system (i.e., intrusion detection system, alarm assessment system, access control system, etc.) is considered sensitive information which may be withheld from the public by the directive of 10 CFR 2.790(d). Full disclosure and descriptions of these sensitive systems and their prerequisite testing will, however, be a part of the site security plan to be submitted by the utility.

The Test Method of the Security Lighting System will be modified by adding new Subsection 3.3 and by amending Subsection 3.4 of Section 14.2.12.1.85 to read:

"3.3 Demonstrate that loss of normal power results in proper activation of the Security Lighting System for each affected room.

3.4 Demonstrate the Security Lighting System provides adequate illumination levels, including, but not limited to, those required to support plant Closed Circuit TV security functions."

Although a prerequisite to the Communications Systems tests is that "plant equipment that contributes to the ambient noise should be in operation," the test description does not specifically state that all locations be tested. "Locations" may be taken to mean telephone terminals throughout the plant; however, in the case of the Security Radio System, "locations" may be taken in the most conservative sense to mean throughout the entire plant. To rectify this, Subsection 3.4 of Section 14.2.12.1.87 will be changed in a future Amendment of CESSAR-DC to read:

"3.4 Verify the Security Radio System functions properly at all locations throughout the plant."


500.33 Inadequate attention to the design of the protected area portal (PAP) has the potential to result in a PAP that interferes with access of offsite personnel. Is the PAP design included in the standard CESSAR-DC scope? If so, address considerations given to traffic flow and search requirements, including separation of searched and unsearched individuals, and to the bullet resistance requirement of 73.55(d)(1).

Response:

The design of the Protected Area Portal is site-specific and not in the scope of standard CESSAR-DC.


500.34 Define the acronym "CAS" used in Figure 1.2-6. Is it the central alarm station (CAS) required by 10 CFR Part 73.55(e) to be located within the plant protected area? Is the central alarm station design included in the standard CESSAR-DC scope? If so, address requirements for it to be a bullet resistant structure or room, and for its connections to interior and exterior intrusion detection and access control devices.

Response:

The acronym "CAS" is the "central alarm station" as required by 10 CFR 73.55(e). The provision of the space for the CAS is within the standard CESSAR-DC scope. The detailed design of the bullet resistant barriers and its connections to intrusion detection and access control devices is beyond the scope of CESSAR-DC and will be site-specific.


500.35 In the third paragraph on page A-84 of Volume 17 (the discussion of Generic Safety Issue A-29) change "protected areas" to "building interiors." Tanks for similar functions are within plant protected areas, as defined in 10 CFR Part 73.2, at current reactors.

Response: A proposed change to Page A-84 of Volume 17 has been made to reflect this comment.


PROPOSED REVISIONS TO THE COMBUSTION ENGINEERING STANDARD SAFETY ANALYSIS REPORT


CESSAR DESIGN CERTIFICATION


7.1.2.16 Conformance to Regulatory Guide 1.17 (Rev. 1, 6/73)

The following design features address the requirements of Regulatory Guide 1.17, "Protection of Nuclear Power Plants Against Industrial Sabotage":

A. Separate Geographic Locations for Equipment

1. Redundant channels of safety-related instrumentation and control cabinets are designed to be located in separate plant locations. [Insert A] [Struck-out text in the marked-up revision, largely illegible: where equipment locations cannot be ... separate to meet Regulatory Guide ..., "Control of Personnel Access to Protected Areas, Vital Areas and Material Access Areas."]

B. Limited Ability to Change System Hardware and Software Configurations

1. Portions of systems are designed to limit the ability of operating and maintenance personnel to change basic system functions (e.g., setpoints can be changed, but the trip function calculation cannot be altered). [Insert B]

2. The transfer of control between the Main Control Room and Remote Shutdown Panel is under key lock administrative control with built-in alarms. [Insert C]

3. The PPS design does not permit bypassing either the RPS or ESFAS signals at the system level. Bypasses can be initiated in only one of the four redundant protection channels at a time. Attempts to bypass additional channels will automatically put the channel in a trip state, as discussed in Sections 7.2.1 and 7.3.1.

4. Vital instrumentation cabinet doors are locked and equipped with "door open" alarms.

C. Fail-Safe Design Philosophy

1. Systems are generally designed to fail safely upon de-energization, removal of printed circuit boards and disconnection of cables and data links.
2. Test modes are designed such that they do not prevent system actuation.
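Item B.3 (and the response to RAI 500.29(a), which relies on it) describes an interlock that is simple to state but easy to implement wrongly. The following added Python model is an illustration written for this page, not Combustion Engineering's PPS software: one channel may be bypassed at a time, and a request to bypass a second channel puts that channel into the trip state rather than granting the bypass, with an alarm to the control room. The channel names A to D, the event-log wording, the operator reset, and the two-out-of-four coincidence in system_actuates are assumptions; the page only says the logic is discussed in Sections 7.2.1 and 7.3.1.

```python
"""Added model of the one-bypass-at-a-time interlock of Section 7.1.2.16,
item B.3.  Illustration only; not Combustion Engineering's PPS software.

Assumptions not stated on the page: channel names A-D, a 2-of-4
coincidence (2-of-3 with one channel bypassed), and that an auto-tripped
channel stays tripped until operations resets it.
"""
from enum import Enum


class ChannelState(Enum):
    NORMAL = "normal"
    BYPASSED = "bypassed"
    TRIPPED = "tripped"


class BypassInterlock:
    """Four redundant protection channels; at most one may be bypassed."""

    CHANNELS = ("A", "B", "C", "D")

    def __init__(self):
        self.state = {ch: ChannelState.NORMAL for ch in self.CHANNELS}
        self.events = []  # constructed control-room alarm/event log

    def bypassed_channels(self):
        return [ch for ch, s in self.state.items() if s is ChannelState.BYPASSED]

    def request_bypass(self, channel):
        """Grant the bypass only if no other channel is bypassed; otherwise
        fail safe by tripping the requested channel and alarming."""
        if channel not in self.state:
            raise ValueError(f"unknown channel {channel!r}")
        if self.state[channel] is ChannelState.BYPASSED:
            return ChannelState.BYPASSED  # already bypassed, no change
        others = self.bypassed_channels()
        if others:
            self.state[channel] = ChannelState.TRIPPED
            self.events.append(
                f"ALARM: bypass of channel {channel} refused while channel "
                f"{others[0]} is bypassed; channel {channel} tripped"
            )
            return ChannelState.TRIPPED
        self.state[channel] = ChannelState.BYPASSED
        self.events.append(f"channel {channel} bypassed")
        return ChannelState.BYPASSED

    def remove_bypass(self, channel):
        if self.state[channel] is ChannelState.BYPASSED:
            self.state[channel] = ChannelState.NORMAL
            self.events.append(f"bypass on channel {channel} removed")

    def reset_trip(self, channel):
        """Operator reset of an auto-tripped channel (assumed procedure)."""
        if self.state[channel] is ChannelState.TRIPPED:
            self.state[channel] = ChannelState.NORMAL

    def system_actuates(self, trip_demands):
        """Assumed 2-of-4 coincidence: a bypassed channel is excluded from
        the vote, a tripped channel always votes trip, and a normal channel
        votes trip when its sensor demand is True."""
        votes = 0
        for ch, s in self.state.items():
            if s is ChannelState.BYPASSED:
                continue
            if s is ChannelState.TRIPPED or trip_demands.get(ch, False):
                votes += 1
        return votes >= 2


if __name__ == "__main__":
    ilk = BypassInterlock()
    print(ilk.request_bypass("A"))           # BYPASSED
    print(ilk.request_bypass("B"))           # TRIPPED: second bypass refused
    print(ilk.system_actuates({"C": True}))  # True: B's trip plus C's demand
    for line in ilk.events:
        print(line)
```

The design point worth noticing is the failure direction: a refused bypass does not leave the channel where it was, it moves the channel toward actuation, so a mistaken or unauthorized second bypass can only make the protection system more likely to trip, never less.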

Amendment D 7.1-11 September 30, 1988


INSERT A: These equipment locations are designed consistent with the intent of NUREG-0908 (Reference 5) and are described in Chapter 13, Appendix 13A, Section 7.

INSERT B: Further details on the protection features of the I&C system, relative to setpoint security, are contained in Chapter 13, Appendix 13A, Section 8.

INSERT C: Further details of the protection features of the I&C system, relative to impeding unauthorized transfer from the Main Control Room to the Remote Shutdown Panel, are contained in Chapter 13, Appendix 13A, Section 8.


CESSAR DESIGN CERTIFICATION

F. The containment subsphere area contains many of the components highly ranked for protection against sabotage. The access control for this region of the plant is strictly controlled.

G. The Emergency Feedwater Storage Tanks will be located (e.g., inside the auxiliary building) so as to make them less susceptible to sabotage.

H. The Nuplex 80+ instrumentation and controls design incorporates semi-automated and on-line testing features for the Plant Protection System as well as on-line monitoring of fluid and electrical systems, making detection of sabotage attempts more likely.

I. The Nuplex 80+ instrumentation and controls design provides channel separation for many of the safety systems with adequate physical access control to each channel to make sabotage more difficult.

7.0 PLANT LAYOUT FOR SABOTAGE RESISTANCE

The layout of the components in the subsphere of the containment building and for selected other plant regions has proceeded according to the access control design criteria contained in Section 2.2 above and in view of the protection prioritization provided in Section 4.0 above. The plant layout is provided in Chapter 1 of CESSAR-DC. It is important to note that the subsphere area provides for complete train separation of safety systems. There is also significant component compartmentalization to provide additional access control, thereby permitting the deployment of a variety of access control strategies as discussed in Section 3.0 above.

8.0 INSTRUMENTATION AND CONTROL FEATURES FOR SABOTAGE RESISTANCE

po.w Amendment E 13A-16 December 30, 1988

INSERT A1

Specific criteria for the location of safety-related instrumentation and controls to increase sabotage resistance are as follows:

o The channelized safety-related equipment shall be located within separate rooms to ensure that channel separation is maintained and to enhance the I&C sabotage resistance. Each room shall contain only equipment associated with a specific channel and shall be designed with a separate entry point; there shall be no entry point common to more than one room.

o Each of the equipment rooms shall be designed to maintain a fire barrier between itself and the other I&C equipment rooms to minimize fire damage to the I&C. Each of the equipment rooms shall contain a single controlled access point to restrict entry and incorporate measures to impede forced entry.

o The Main Control Room (MCR) and the Remote Shutdown Control Room (RSCR) shall be located in vital areas separate from each other and separate from the equipment rooms which house the I&C equipment. These rooms also shall have restricted entry and incorporate measures to impede forced entry.

Considering the above criteria, the following separate vital plant areas are defined for the System 80+ Standard Design:

o Main Control Room
o Remote Shutdown Control Room
o Channel A Equipment Room
o Channel B Equipment Room
o Channel C Equipment Room
o Channel D Equipment Room

In addition, the following separate plant areas are also provided and contain restricted plant entry as well as measures to impede forced entry:

o Computer Room
o Channel X Equipment Room
o Channel Y Equipment Room

The Motor Control Centers (MCC) are similarly located in physically separate rooms according to control channel assignment (A, B, C, D). Each room has a single controlled access point to restrict entry.

The shutdown cooling system design utilizes two separate and independent fluid paths for redundancy. Each path contains suction valves which are associated with two of the I&C channels in a mutually exclusive manner (A/C for one train and B/D for the other train). This design precludes any adverse impact to shutdown cooling due to an intruder within a single MCC. Since an intruder would have to enter two separate and locked rooms to impact shutdown cooling, there is sufficient time to detect and respond to the threat.


INSERT B1

As part of the I&C sabotage resistance features, several levels of protection against unauthorized changes to setpoints are provided. First, as was noted above in Chapter 7, each channel of a multichannel safety related system (A, B, C, D) is located in a separate equipment room which is independent from the other safety related equipment rooms. Access to each of these equipment rooms is controlled. Second, within each room, cabinets which contain safety related equipment (such as the Plant Protection System, Core Protection Calculators and ESF-Component Control System) are locked and annunciate an alarm in the control room when entered. Thus, two levels of protection are provided against unauthorized access to setpoint equipment.

In addition, the digital based safety/control systems utilize the memory protection features of their processors, in which the software setpoints are locked out and made inaccessible within the software itself. With memory protection activated (the normal condition), the system will not accept software changes/updates to the designated protected memory area.

As a further measure of protection against unauthorized altering of setpoints, the Data Processing System (DPS) continuously monitors the safety related systems for changes to the setpoints. This is accomplished via dedicated DPS programs which either directly monitor the individual safety system setpoints for deviations from their established values or which monitor checksum values that are computed within the safety systems (based on the current setpoint values) and periodically transmitted to the DPS where they are compared against a reference value. In either case, any deviations are detected and alarmed within the control room.


INSERT C1


Plant control is provided from either the Main Control Room or the Remote Shutdown Control Room. Master transfer switches, which transfer control of the I&C systems between the main control room and remote shutdown control room, are located in each of the separate equipment rooms. In order to adversely affect a plant process from the remote control room, at least two of the four safety associated rooms (A, B, C, D) must be entered in addition to the remote shutdown control room. It is unlikely that all three of these rooms could be entered before a threat would be detected and thwarted.

Component inoperable and bypass alarms are provided by the I&C system to convey component/system operability information to the operations staff. Inoperable/bypassed components are alarmed within the control room to alert the operating staff to the inoperable/bypassed condition.

The Component Control System (CCS) which monitors for and generates the inoperable/bypass conditions is composed of multiple channels which are distributed among the aforementioned separate equipment rooms. Security is provided in each room via controlled access to the rooms and cabinet entry alarms as noted previously. The CCS is further protected against tampering via utilization of the "memory protection" feature of the CCS processors as described previously.

In addition, the CCS incorporates a high degree of continuous automatic on-line testing. This testing ensures CCS operability. Further, setpoints within the CCS are continuously monitored by the DPS for alteration via a checksum value which is periodically computed and transmitted to the DPS.

In summary, each vital equipment room has separate access requirements and each vital I&C equipment cabinet has access requirements which are different from those of the rooms. Entry to any room or cabinet is immediately annunciated. Since multiple rooms and cabinets must first be entered before a safety system/function can be defeated or adversely affected, there is ample time to respond to the threat. Additional protection is provided via "Memory Protection" within the I&C processors as well as the monitoring of setpoints via the DPS.

The equipment rooms and the I&C cabinets contained therein fully meet the alarm security requirements of 10 CFR 73.
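Inserts B1 and C1 both describe the same DPS monitoring of setpoints: direct comparison of each setpoint with its established value, or comparison of a checksum computed inside the safety channel with a reference held by the DPS. The following Python sketch is an added example, not part of CESSAR-DC or the C-E response, showing both modes side by side and the failure case a monitor must also alarm, a channel that stops reporting. CRC-32 is an assumed stand-in for the checksum (the page does not name the algorithm), and the setpoint names and values are placeholders, not plant values.

```python
"""Added example, not from CESSAR-DC or the C-E response: a DPS-style
setpoint integrity monitor with a direct-compare mode and a checksum mode.
CRC-32, the channel tables and the placeholder setpoint values are assumed."""
from __future__ import annotations

import struct
import zlib


def setpoint_checksum(setpoints: dict[str, float]) -> int:
    """Checksum over the setpoint table in a fixed (sorted) order, so that
    reordering the table cannot mask a changed value. CRC-32 is an assumed
    stand-in for whatever the safety channel actually computes."""
    buf = b"".join(name.encode("ascii") + struct.pack(">d", value)
                   for name, value in sorted(setpoints.items()))
    return zlib.crc32(buf) & 0xFFFFFFFF


class SetpointMonitor:
    """Holds the established values for each channel (A, B, C, D) and the
    reference checksum derived from them."""

    def __init__(self, reference: dict[str, dict[str, float]]):
        self.reference = {ch: dict(sp) for ch, sp in reference.items()}
        self.reference_crc = {ch: setpoint_checksum(sp) for ch, sp in self.reference.items()}

    def check_direct(self, channel: str, current: dict[str, float]) -> list[str]:
        """Direct mode: compare each reported setpoint with its established value."""
        alarms: list[str] = []
        ref = self.reference[channel]
        for name, value in ref.items():
            if name not in current:
                alarms.append(f"{channel}: setpoint {name} missing from report")
            elif current[name] != value:
                alarms.append(f"{channel}: {name} deviates ({current[name]} != {value})")
        for name in sorted(current.keys() - ref.keys()):
            alarms.append(f"{channel}: unexpected setpoint {name}")
        return alarms

    def check_checksums(self, reports: dict[str, int]) -> list[str]:
        """Checksum mode: one value per channel, periodically transmitted.
        A channel that did not report is alarmed rather than silently skipped."""
        alarms: list[str] = []
        for channel, ref_crc in self.reference_crc.items():
            if channel not in reports:
                alarms.append(f"{channel}: no checksum report received")
            elif reports[channel] != ref_crc:
                alarms.append(f"{channel}: checksum 0x{reports[channel]:08x} "
                              f"!= reference 0x{ref_crc:08x}")
        return alarms


# Constructed sample: identical placeholder setpoint tables in the four channels.
ESTABLISHED = {"pzr_pressure_high": 100.0, "pzr_pressure_low": 50.0, "reactor_power_high": 110.0}
REFERENCE = {ch: dict(ESTABLISHED) for ch in "ABCD"}


def demo_setpoints() -> dict[str, list[str]]:
    """Channel B's table has been altered and channel D has stopped reporting."""
    monitor = SetpointMonitor(REFERENCE)
    channels = {ch: dict(ESTABLISHED) for ch in "ABC"}
    channels["B"]["pzr_pressure_low"] = 40.0
    reports = {ch: setpoint_checksum(sp) for ch, sp in channels.items()}
    return {
        "checksum": monitor.check_checksums(reports),
        "direct_A": monitor.check_direct("A", channels["A"]),
        "direct_B": monitor.check_direct("B", channels["B"]),
    }


if __name__ == "__main__":
    for mode, alarms in demo_setpoints().items():
        print(mode, alarms or "no alarm")
```

The checksum mode keeps the per-value comparison inside the protected channel and only moves one integer to the DPS, which is why the reference comparison must also treat a missing report as an alarm: an attacker who can silence the report would otherwise look identical to a healthy channel.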

CESSAR DESIGN CERTIFICATION

D. Safety System Status Monitoring

1. Critical safety system setpoints can be determined manually and are automatically monitored via the plant Data Processing System.

2. Reactor trip and ESFAS initiation trip channel bypass alarms are provided.

3. Component level bypasses in the ESF systems result in system level inoperable alarms for the affected systems, as described in Section 7.1.2.21.

E. Diverse Manual vs Automatic Reactor Trip and ESFAS Initiation

1. Reactor Trip and ESFAS are automatically initiated by the PPS. These same functions can be manually initiated by the operator. The RTSS and ESF-CCS manual initiation trips do not rely on any PPS components for actuation. Therefore, these functions can be manually initiated with a complete failure of the PPS automatic initiation logic.

The above features are designed to impede sabotage. See Chapter 14 and the site-specific SAR for a more comprehensive discussion on protection against sabotage.

7.1.2.17 Conformance to Regulatory Guide 1.22 (Rev. 0, 2/72)

The PPS, ESF-CCS, and the RTSS, as described in Section 7.1.1, conform to the guidance of Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions." This conformance is described below.

A. Provisions are made to permit periodic testing of the complete PPS, ESF-CCS, and RTSS with the reactor operating at power or when shutdown. These tests cover the trip action from sensor input to actuated devices. Those ESF actuated devices which could affect operations are not tested while the reactor is operating but, instead, are tested while the reactor is shutdown.

B. The provisions of this position are incorporated in the testing of the PPS, from sensor to actuation device, including the ESFAS and ESF-CCS and the RTSS as designed by Combustion Engineering and as implemented in the site-specific SAR.

Amendment E 7.1-12 December 30, 1988

I. Operational Controls

The RPS and ESFAS manual actuation devices are located in the control room. The instrumentation and components of the safe shutdown systems located in the control room, Remote Shutdown Panel or at local locations shall be manually operable.

Most BOP auxiliary and supporting system controls required to be operated from the Main Control and/or Remote Shutdown Panels shall be interfaced through the ESF-CCS and Process-CCS to satisfy Chapter 18 HFE design criteria. All other control modules supplied by the site operator for installation in these panels shall be designed to be compatible with the HFE design assumptions, criteria and task analyses identified in Chapter 18.

J. Inspection and Testing

The PPS, including sensors, shall be capable of being periodically tested in accordance with the Technical Specifications of Chapter 16. Those portions which could adversely affect reactor operations shall be capable of being tested when the reactor is shut down. All other safety-related instrumentation shall be capable of being tested during normal operation.

K. Chemistry/Sampling

The components of the safety-related equipment shall be located so as not to exceed the chemistry limits specified in Section 3.11.

L. Mater

Not applicable to the safety-related instrumentation and controls equipment.

N. System Component Arrangement

Safety-related components shall be located so as to conform to the separation, independence, and other criteria specified in this chapter. The safety-related components shall also be located to provide access for maintenance and testing.

Redundant channels and divisions of safety-related instrumentation and control cabinets shall be located in separate plant control complex locations. These locations

Amendment (illegible) 7.1-24 September 30, 1988


Amendment D 7.1-28 September 30, 1988


The RCS pressure signals used are provided by pressurizer pressure safety channels (see Figures 7.6-1a, 7.6-1b and 7.6-1c for this logic).

These interlocks are redundant so that any single failure will not cause a suction line and heat exchanger to be subjected to pressures greater than design pressure. The interlock cannot be overridden so that operator action cannot inadvertently subject the SCS to RCS pressure. In addition, no single failure can prevent the operator from aligning the valves, on at least one suction line, for shutdown cooling after RCS pressure requirements are satisfied.

Redundant relief valves are provided on the suction lines to prevent or mitigate overpressurization from pressure transients. These transients can be caused by inadvertent starting of safety injection pumps, charging pumps, inadvertent energization of pressurizer backup heaters, or a combination of these. The relief valves are set at the values shown on Table 7.6-1 to insure the system stays below its design limits.

7.6.1.1.2 Safety Injection Tank Isolation Valve Interlocks

The SIS is designed to inject borated water into the RCS upon receipt of an SIAS (refer to Section 7.3) and to provide long term cooling in conjunction with other systems following an accident. The Safety Injection Tanks (SITs) inject borated water into the RCS if system pressure drops below their internal pressure. During normal operation, each tank has a motor operated isolation valve that is open with power removed from its motor circuit to eliminate the possibility of spurious actuation.

As the RCS pressure is reduced during plant shutdown, the low pressurizer pressure trip setpoint is reduced to avoid inadvertent initiation of safety injection, the SITs are depressurized to a value below the SCS design pressure, and the valves have their power restored and are closed.

The SIT interlocks are used to prevent the SITs from inadvertently pressurizing the SCS while maintaining SIT availability in case of a LOCA. Refer to Figure 7.6-2 for the interlock logic. The isolation valves are manually closed when RCS pressure drops below the value shown on Table 7.6-1 such that the SITs cannot cause overpressurization of the SCS while the SITs are maintained at some pressure above atmospheric. As RCS pressure increases, the valves will automatically reopen at the pressure indicated in Table 7.6-1. This opening of the SIT

Amendment D 7.6-2 September 30, 1988

INSERT D

Further details on the protection features for the Shutdown Cooling System are provided in Chapter 13, Appendix 13A Sections 7 and 8.


I. The control room layout shall be such that access to the controls and instruments for vital components and systems shall be exposed to the minimum non-essential traffic.

Routine administrative activity, such as signing tagouts and radiation work permits requiring interface with other than control room operations staff, shall be provided outside the primary security boundary.

INSERT

3.0 APPROACHES TO ACCESS CONTROL

There are a variety of access control approaches available, depending on staffing, the level of protection required, the location of the equipment, amount of traffic required, plant mode (e.g., refueling, power operations, etc.) and other considerations. All the approaches indicated below assume that each individual entering a controlled access area must positively identify himself or herself to obtain access (i.e., no "tailgating"). The various options are:

A. Team Zoning

An approach used in security programs in the military, there implemented as the two-man rule. Entry to vital areas is permitted only when two equivalently knowledgeable persons are recognized and granted access. Observation by the knowledgeable individuals deters sabotage.

B. Area Zoning

Redundant vital systems and/or components are segregated in different vital areas with separate access controls. Access to opposing redundant system or component trains is controlled on a team basis, where one team only has access to one train (e.g., team A has access to train A only and team B has access to train B only).

C. Operational Zoning

Sequential access to vital components and systems necessary for performance of a particular safety function is restricted until operability of the system or component is demonstrated. For example, access to a second component in a safety injection train is restricted until operability of the first accessed component is demonstrated.

D. Time Zoning

Access to vital equipment is restricted to certain time periods, e.g., day shift, when sabotage is less likely or more likely detected.
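The four zoning approaches above are each a rule an access-control system can evaluate before releasing a vital-area door. The following Python sketch is an added example, not part of CESSAR-DC or the C-E response: it evaluates one entry request against positive identification, team zoning, area zoning, operational zoning and time zoning, returning every reason for denial rather than only the first. The area names, badge numbers, two-person team size and 07:00 to 19:00 day-shift window are constructed assumptions.

```python
"""Added example, not from CESSAR-DC or the C-E response: evaluating a
vital-area entry request against the zoning approaches of Section 3.0.
Areas, badges, team size and the shift window are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import time


@dataclass(frozen=True)
class Person:
    badge: str
    qualified: bool   # equivalently knowledgeable for the equipment (team zoning)
    train: str        # train this person's team is assigned to (area zoning)


@dataclass(frozen=True)
class VitalArea:
    name: str
    train: str
    sequence: int     # position in the train's operational sequence, 1-based


@dataclass(frozen=True)
class AccessRequest:
    area: VitalArea
    entrants: tuple[Person, ...]
    at: time


@dataclass
class PlantState:
    # components of each train whose operability has been demonstrated,
    # e.g. {"A": {1}} means component 1 of train A has passed its test
    demonstrated_operable: dict[str, set[int]] = field(default_factory=dict)


@dataclass
class AccessPolicy:
    team_size: int = 2                                     # two-man rule
    window: tuple[time, time] = (time(7, 0), time(19, 0))  # day shift (assumed)

    def evaluate(self, req: AccessRequest, state: PlantState) -> list[str]:
        """Return the reasons the request is denied; an empty list means granted."""
        denials: list[str] = []
        badges = [p.badge for p in req.entrants]
        # positive identification: each entrant badges individually (no tailgating)
        if not badges or len(set(badges)) != len(badges):
            denials.append("positive identification: every entrant must badge individually")
        # team zoning: two equivalently knowledgeable persons must enter together
        qualified = [p for p in req.entrants if p.qualified]
        if len(qualified) < self.team_size:
            denials.append(f"team zoning: {self.team_size} qualified persons required, "
                           f"{len(qualified)} present")
        # area zoning: a team only has access to its own train
        for p in req.entrants:
            if p.train != req.area.train:
                denials.append(f"area zoning: badge {p.badge} is assigned to train {p.train}, "
                               f"area belongs to train {req.area.train}")
        # operational zoning: earlier components in the sequence must be proven operable
        done = state.demonstrated_operable.get(req.area.train, set())
        pending = sorted(set(range(1, req.area.sequence)) - done)
        if pending:
            denials.append(f"operational zoning: components {pending} of train "
                           f"{req.area.train} not yet demonstrated operable")
        # time zoning: vital equipment access limited to the permitted period
        start, end = self.window
        if not start <= req.at <= end:
            denials.append(f"time zoning: access limited to {start:%H:%M}-{end:%H:%M}")
        return denials


# Constructed sample areas and personnel.
PUMP_ROOM_A = VitalArea("SI pump room, train A", "A", 1)
VALVE_ROOM_A = VitalArea("SI valve room, train A", "A", 2)
ALICE = Person("1042", qualified=True, train="A")
BOB = Person("1057", qualified=True, train="A")
CAROL = Person("2210", qualified=True, train="B")
DAVE = Person("3301", qualified=False, train="A")


def demo_access() -> dict[str, list[str]]:
    """Evaluate a set of constructed requests against the policy."""
    policy = AccessPolicy()
    untested, tested = PlantState(), PlantState({"A": {1}})
    day = time(9, 0)
    return {
        "two_qualified_day": policy.evaluate(AccessRequest(PUMP_ROOM_A, (ALICE, BOB), day), untested),
        "alone": policy.evaluate(AccessRequest(PUMP_ROOM_A, (ALICE,), day), untested),
        "unqualified_partner": policy.evaluate(AccessRequest(PUMP_ROOM_A, (ALICE, DAVE), day), untested),
        "wrong_train": policy.evaluate(AccessRequest(PUMP_ROOM_A, (ALICE, CAROL), day), untested),
        "second_component_untested": policy.evaluate(AccessRequest(VALVE_ROOM_A, (ALICE, BOB), day), untested),
        "second_component_tested": policy.evaluate(AccessRequest(VALVE_ROOM_A, (ALICE, BOB), day), tested),
        "night": policy.evaluate(AccessRequest(PUMP_ROOM_A, (ALICE, BOB), time(22, 0)), untested),
    }


if __name__ == "__main__":
    for case, denials in demo_access().items():
        print(case, "GRANTED" if not denials else denials)
```

Collecting all denial reasons, instead of stopping at the first, matters operationally: a request denied for both area and time zoning is a different event for the security staff than one denied for time zoning alone, and the audit record should say so.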

Amendment C 13A-5 December 30, 1988

In the event of a fire, area fire detectors will sound an alarm in the control room and the supply fan may be deactivated manually if required. Smoke removal is then manually initiated from the Control Room or the Remote Shutdown Room by a smoke exhaust fan, outside makeup air and associated ductwork and control dampers.

The Containment, the Subsphere area, the Fuel Building, the Nuclear Annex, and the two Diesel Buildings are ventilated, heated and cooled with 100% outside air systems. The supply and exhaust fans are available for smoke control.

The Control Building area has dedicated smoke control fans. The Turbine Building ventilating fans are available for smoke control.

Table 9.4-3 tabulates the RCS insulation heat loads within the Containment.

Table 9.4-4 tabulates the data used for Chapter 15 offsite and control room dose analysis.

Table 9.4-5 tabulates the heat loads from NSSS Support Structures within the containment.

9.4.1 CONTROL BUILDING VENTILATION SYSTEM

9.4.1.1 Design Basis

The Control Building Ventilation and Air Conditioning Systems are designed to maintain the environment in the control room envelope and balance of control building within acceptable limits for the operation of unit controls, for maintenance and testing of the controls as required, and for uninterrupted safe occupancy of the control building area during post-accident shutdown. These systems are designed in accordance with the requirements of General Design Criteria 2, 4, 5, 19, and 60.

Refer to Section 6.4 for further information regarding control room habitability.

The control building consists of the main control room, the technical support center, the computer room, the switchgear rooms, offices, and mechanical and electrical support equipment areas as shown on Figure 9.4-2.

The control room and other support areas are designed to maintain approximately 73°F to 70°F and 20% to 60% relative humidity. The battery room is designed to maintain a maximum of approximately 77°F. The mechanical equipment room is designed to maintain a maximum temperature of 104°F. All other areas are designed to maintain a maximum temperature of 85°F. These conditions are maintained continuously during all modes of

Amendment I 9.4-2 December 21, 1990

TABLE 1.8-1 (Cont'd) (Sheet 19 of 19)

REGULATORY GUIDES

Regulatory Guide / Title                                  Original or Revision     CESSAR Section
                                                          Issue Date
Reg. Guide 1.153                                          12/85                    5.1.4, 7.1.2.13
  Criteria for Power, Instrumentation, and Control
  Portion of Safety Systems
Reg. Guide 1.154                                          Not Applicable           (Plant Specific)
  Format and Content of Plant Specific Pressurized
  Thermal Shock Safety Analysis Reports for PWRs
Reg. Guide 1.155                                          8/88                     8.1, 10.4.8, 10.4.9
  Station Blackout
Reg. Guide 1.156                                          11/87                    7.1.2.33
  Environmental Qualification of Connection
  Assemblies for Nuclear Power Plants
Reg. Guide 5.65                                           9/86                     App. 13A
  Vital Area Access Controls, Protection of Physical
  Security Equipment, and Key and Lock Controls
Reg. Guide 8.8                                            Revision 3, 6/78         12
  Information Relevant to Ensuring that Occupational
  Radiation Exposures at Nuclear Power Stations
  will be ALARA
Reg. Guide 8.12                                           Revision 2, 10/88        7.1.2.34, 7.7.1.1.10
  Criticality Accident Alarm Systems
Reg. Guide 8.19                                           Revision 1, 5/79         12
  Occupational Radiation Dose Assessment in
  Light-Water Reactor Plants - Design Stage
  Man-Rem Estimates

Amendment E December 30, 1988

E. While access to containment during power operations for maintenance and testing is permitted, such access is non-routine and controlled. Therefore, it may be assumed that equipment inside the containment is inaccessible to a saboteur during operation at power.

F. The continuous presence of several employees precludes acts of sabotage in the control room. However, the control room is a vital area and will be protected in accordance with 10 CFR 73.55.

G. Equipment and systems designated as vital for full power operation shall also be maintained as vital in other modes of plant operation. However, during unit shutdown, a security area can be de-vitalized if justified in the physical security plan.

H. In evaluation of sabotage protection and mitigation, sabotage events need not be assumed to occur coincidentally with some other independent single failure or independently initiated event.

I. Design, procurement, construction and operation of the plant security system need to be in accordance with 10 CFR 50, Appendix B Quality Assurance requirements, except where the security system interfaces with a safety system (e.g., power system) and there can be adverse system interaction.

J. The security restrictions for access to equipment and plant regions must be compatible with loss of site power, access requirements, fire protection, health physics and local operator actions required for event mitigation. Security access control restrictions should not excessively impede operator functions during operating modes.

2.2 ACCESS CONTROL DESIGN CRITERIA

A. Type I areas shall be minimized. Type I areas are those which, if access is obtained, would permit sabotage to be effected without access to another area.

B. Serial access through one or more vital areas to obtain access to a vital or non-vital area should not be permitted by the plant layout.

C. Area protection of vital areas shall be prioritized consistent with the ranking of systems and components identified in the ranking below.

Amendment E 13A-3 December 30, 1988

Insert 1

J. The control room design will include bullet resistance requirements of 10 CFR 73.55(c)(6).

Insert 2

K. The site specific security plan will identify all vital areas and equipment and identify protection systems that have been selected to protect those areas and equipment.

L. The site specific security plan developed by the site operator shall include an evaluation of the security impact on plant operation, testing, and maintenance, considering all operational modes and/or emergency conditions.

M. The site specific security plan shall include an outsider sabotage analysis as part of its security response planning.

Insert 3

Maintenance areas out of sight of the control room operators are not a concern because vital cabinets are locked and equipped with "door open" alarms, and the plant protection system does not permit bypassing more than one of the four redundant safety channels at a time.

Insert 4

HVAC penetrations through security barriers are designed to provide security protection to meet the intent of Regulatory Guide 5.65.


RAI 500.10

The circuits to the individual lighting fixtures are staggered as much as possible to ensure some lighting is retained in a room in the event of a circuit failure.

9.5.3.2.2 Security Lighting System

The security lighting system is considered part of the permanent non-safety systems and is fed from [struck through in the original: an uninterruptible power supply connected to a non-safety battery. The security lighting system, therefore, remains energized as long as power from an offsite power source, a standby non-safety source, or a non-safety battery is available.]

The security lighting system is designed to provide a minimum illumination of 0.2 foot-candles when measured horizontally at ground level.

9.5.3.2.3 Emergency Lighting

The emergency lighting system achieves illumination levels of at least 10 foot-candles in those areas of the plant where emergency operations are performed which could require reading of printed or written material or the reading of scales and legends. These areas are typically control rooms or local control stations. In other areas of the plant, the emergency lighting achieves a minimum illumination level of 2 foot-candles.

The emergency lighting is accomplished by two systems:

A. Conventional AC fixtures fed from Class 1E AC power sources, and

B. DC self contained, battery-operated lighting units.

Both systems are qualified Class 1E. For all emergency conditions both systems are considered operational except in emergencies involving some loss of Class 1E power; adequate illumination in those areas which could be involved in recovery, e.g., electrical distribution control panels and the emergency generators and their contents, depends only on the DC self-contained battery operated lights.

The DC self contained, battery-operated light units meet the following requirements:

A. The battery life is at least 8 hours at rated load.

B. The loading is not greater than 80% of the rated capacity with additional derating for temperature variations, where appropriate.

Amendment E 9.5-48 December 30, 1988

Insert A:

"H. Security alarm annunciators and security non-portable communications equipment will be powered from an uninterruptible power source, consisting of dedicated batteries, which in turn will be powered from the permanent non-safety buses and the AAC Source (Combustion Turbine). Other security loads will be powered from the permanent non-safety buses directly from the AAC or normal power, depending on availability. The AAC will be located in a secure vital area for protection."

Insert B:

"the Alternate AC (AAC) Source (Combustion Turbine), which is located in a secure vital area for protection."

The Owner-Operator shall provide a security lighting system that will meet CCTV illumination requirements within camera viewing areas to permit prompt assessment of intrusion alarms.

RAI 500.20

6. Regulatory Guide 1.137, Section C.1.c.

7. ANSI N195, 1976, Section 6.1.

These preoperational tests conform with the provisions of Regulatory Guide 1.108, C.2.a and C.2.b regarding tests to be performed on emergency diesel generators.

B. Periodic Testing

Periodic testing of the emergency diesel generator meets the intent of Regulatory Guide 1.108 and NRC Generic Letter 84-15.

The emergency diesel generator is removed from service in accordance with approved procedures. Any maintenance work on the diesels is performed and inspected by qualified personnel in accordance with approved procedures. Upon completion of maintenance work, appropriate tests are completed to assure operability of the diesel generator. Upon completion of testing, appropriate operating procedures restore the diesels to standby readiness.

8.3.1.1.4.12 125V DC Emergency Diesel Control Power

125V DC control power for each emergency diesel generator is provided by the Class 1E 125V DC power system batteries as described in Section 8.3.2.1.2.

8.3.1.1.5 Non-Class 1E Alternate AC Source Standby Power Supply

The Alternate AC Source (AAC) is a non-safety gas turbine power source provided to cope with Loss of Offsite Power (LOOP) and Station Blackout (SBO) scenarios. This standby unit is independent and diverse from the Class 1E standby emergency diesel generators. [handwritten addition: The AAC is located in a secure vital area for protection.]

The AAC is sized with sufficient capacity to accommodate either of the following load configurations:

A. Both sets of X and Y Permanent Non-Safety loads; or

B. One set of Permanent Non-Safety loads and one set of a Safety Division's loads as indicated below:

1. Permanent Non-Safety X with Division I only, or,
2. Permanent Non-Safety Y with Division II only.

Amendment I 8.3-12 December 21, 1990

RAI 500.26

restricted to cases where the use of standard materials is demonstrated impractical. Personnel discomfort from lighting, e.g., glare, is minimized by coordinating the design features of the lighting system with the characteristics of illuminated objects.

The lighting system components are selected to minimize the potential for danger to personnel or damage to equipment. In particular, the potential for and consequences of lamp breakage are evaluated.

Each lighting panel is provided with a main circuit breaker with spare switching capability of at least 40% to support the possible expansion of the panel's loads.

The lighting panels are located in areas that are easily accessible for installation, maintenance, testing, and operation.

Similarly, the lighting fixtures are designed and located so that maintenance and relamping can be accomplished efficiently and safely. Provisions are made to allow the removal and reinstallation of lighting equipment in order to support room, space, or (illegible) modifications.

The design of the plant lighting systems is in accordance with applicable industry standards for illumination fixtures, cables, grounding, penetrations, conduit, controls.

The normal station lighting system is used to provide normal illumination under all plant operation, maintenance and test conditions.

The security lighting system provides the illumination required to monitor isolation zones and all outdoor areas within the plant protected perimeter, under normal conditions as well as upon loss of all AC power. [struck through in the original: The security lighting system complies with the intent of (illegible).]

The emergency lighting system is used to provide acceptable levels of illumination throughout the station and particularly in areas where emergency operations are performed, such as control rooms, battery rooms, containment, etc., upon loss of the normal lighting system.

A description of these systems is presented in Section 9.5.3.

Amendment E 1.2-24 December 30, 1988

14.2.12.1.85 Normal and Security Lighting Systems Test

1.0 OBJECTIVE

1.1 To demonstrate that the Normal and Security Lighting Systems provide adequate illumination for plant operations.

2.0 PREREQUISITES

2.1 Construction activities on the Normal Lighting System have been completed.

2.2 Construction activities on the Security Lighting System have been completed.

2.3 Test instruments are properly calibrated and available.

3.0 TEST METHOD

3.1 Place the plant lighting in service and check that illumination levels are adequate.

3.2 Demonstrate that a single circuit failure will not cause the loss of all lighting in a room which requires normal access.

3.3 [struck through in the original, with a handwritten note to add Insert A: Demonstrate the Security Lighting System provides adequate illumination levels.]

4.0 DATA REQUIRED

4.1 Illumination levels in designated areas.

5.0 ACCEPTANCE CRITERIA

5.1 The Normal and Security Lighting Systems operate as described in Section 9.5.3.

Amendment H 14.2-161 August 31, 1990


Insert A:

"3.3 Demonstrate that loss of normal power results in proper activation of the Security Lighting System for each affected room.

3.4 Demonstrate the Security Lighting System provides adequate illumination levels, including, but not limited to, those required to support plant Closed Circuit TV security functions."


RAI 500.31

14.2.12.1.87 Communications System Test

1.0 OBJECTIVE

1.1 To demonstrate the adequacy of the Intraplant Communications System to provide communications between vital plant areas.

1.2 To demonstrate the Offsite Communication System provides communications with exterior entities.

2.0 PREREQUISITES

2.1 Construction activities on the Inplant Communications System have been completed.

2.2 Support systems required for operation of the Inplant Communications System are complete and operational.

2.3 Plant equipment that contributes to the ambient noise level should be in operation.

3.0 TEST METHOD

3.1 Verify that the Intraplant Telephone System functions properly, that each station is assigned to the current restriction class.

3.2 Verify the Intraplant Sound Powered Phone System functions properly.

3.3 Verify the Intraplant Public Address System functions properly.

3.4 Verify the Security Radio System functions properly at all stations throughout the plant.

3.5 Verify the normal offsite telephone system functions properly.

3.6 Verify the Emergency Telephone System (Emergency Notification System, Health Physics Network and Ringdown Phone System) functions properly.

4.0 DATA REQUIRED

4.1 Record the results of all communication attempts from each system and its locations.

Amendment H 14.2-163 August 31, 1990

A-29: NUCLEAR POWER PLANT DESIGN FOR THE REDUCTION OF VULNERABILITY TO INDUSTRIAL SABOTAGE

ISSUE

Generic Safety Issue (GSI) A-29 in NUREG-0933 (Reference 1) addresses the susceptibility of nuclear power plants to industrial sabotage, the resulting risk to plant safety, and the countermeasures to assure an acceptable level of protection.

Consideration should be given to sabotage during the design phase of the plant. The goal would be to achieve an acceptable level of protection of a plant to industrial sabotage by emphasizing design features which reduce the likelihood of the plant incurring damage from industrial sabotage, both internal and external. New design features (e.g., relocating emergency feedwater tanks to (illegible), increasing the monitoring, separation and independence of plant protection systems, providing additional back-up sources of power) which provide countermeasures to sabotage must be consistent with plant safety requirements.

ACCEPTANCE CRITERIA

The acceptance criterion for the resolution of GSI A-29 is that plants shall be designed to be resistant to the effects of internal and external sabotage through prevention, deterrence, and mitigation. Specifically, plant safety-related systems and components required for the safe operation and shutdown of the plant shall be designed for protection against and mitigation of sabotage.

RESOLUTION

The System 80+ Standard Design is configured to be sabotage resistant (see CESSAR-DC Chapter 13, Appendix 13A). This is accompl ished in various ways including:

1. locating safety-related equipment in secure areas and controlling personnel access;
2. designing for separation, independence, and redundancy of safe shutdown and support systems;
3. monitoring of equipment status continually (e.g., automated testing of equipment);

Amendment F A-84 December 15, 1989

Enclosure III to LD-91-066

QUESTIONS FOR WHICH RESPONSES WILL BE PROVIDED SEPARATELY

500.24
500.25
500.32