Forwards Draft Technical & Safety Evaluations of SEP Topic VII-2, ESF Sys Control Logic & Design. Requests Sufficient Info within 30 Days to Complete Safety Evaluation

ML13317A741
Person / Time
Site:	San Onofre
Issue date:	11/17/1981
From:	Crutchfield D Office of Nuclear Reactor Regulation
To:	Dietch R Southern California Edison Co
References
TAC-62079, TASK-07-02, TASK-7-2, TASK-RR LSO5-81-11-032, LSO5-81-11-32, NUDOCS 8111200816
Download: ML13317A741 (18)
v • d • e

Text

November 17, 1981 Docket No. 50-206 LS05 11-032 Mr. R. Dietch, Vice President Nuclear Engineering and Operations Southern California Edison Company 2244 Walnut Grove Avenue Post Office Box 800 Rosemead, California 91770

Dear Mr. Dietch:

SUBJECT:

SEP TOPIC VII-2, ENGINEERED SAFETY FEATURES (ESF) SYSTEM CONTROL LOGIC AND DESIGN, DRAFT SAFETY EVALUATION FOR SAN ONOFRE UNIT 1 is our contractor's draft technical evaluation of this topic for your plant. is the staff's draft safety evaluation report on this topic.

Our evaluation is based on our contractor's report. We wish to bring to your attention the fact that the docketed information with regard to the design and use of isolators for inputs to the subject logic systems and the design of containment spray system is inadequate for an independent safety review.

Accordingly, we request that you supply sufficient information for our review within 30 days of receipt 9'A this letter, so that we may prepare our final safety evaluation on this topic. Unless you can demonstrate the adequacy of the present isolation scheme, the staff recommends that isolators between the input signal channels and the s'afeguard load se quencing system, containment spray and the containment isolation system be replaced with units demonstrated to meet our acceptance criteria.

The need to actually implement these changes will be determined during 5

the integrated safety assessment. This topic assessment may be revised in the future if your facility design is changed or if NRC criteria relating to this topic are modified before the integrated assessment is completdd.

.s Sincerely,

17.

9DR ADOCk050 06 AkAD Dennis M. Crutchfield, Chief PDR GL nas Operating Reactors Branch No. 5 I____

/81Division of L ensing OFFICEO....

Enclosures....

As..stated.

...L SEPB:L.

SEPB:DL 0 B :DL:PM R 5:D C SURNAME 11:dk RHermanrdx WRussell SNowicki utchfihid DATER 318.(10.80).NRCM 0240

.OIC L RECORDC PY....

US:

1....9 -....

9 NRC FORM 318 (10-80) NRCM 0240 OFFICIAL RECORD COPY USGPO: 1981-3a.,-960

Docket No. 50-206 LS05-81 Mr. R. Dietch Vice President Nuclear Engin ring and Operations Southern Calif o;nia Edison Company 2244 Walnut Grov Avenue Post Office Box 800 Rosemead, California 91770

Dear Mr. Dietch:

SUBJECT:

SEP TOPIC VI 2, ENGINEERED AFETY FEATURES (ESF) SYSTEM CONTROL LOGIC ND DESIGN, DRAFT SAFETY EVALUATION FOR SAN ONOFRE UNIT 1 is our contract r's dr ft technical evaluation of this topic for your plant. is the staff's dra safety evaluation report on this topic.

Our evaluation is based on our cntractor's report. We wish to bring to your attention the fact that the Iocketed information with regard to the design and use of isolators or inputs to the subject logic systems and the design of containment spray system is inadequate for an independent safety review. The discrpancies are noted in Section 4.0 of the con tractor's report.

Accordingly, we reques that you supply syfficient information for our review within-30 days of receipt of this Ietter, so that we may prepare our final safety eva uation on this topic. Unless you can demonstrate the adequacy of the present isolation scheme the staff recommends that isolators between he input signal channels and the safeguard load se qjuencing system, ontainment spray and the containment isolation system be replaced with nits demonstrated to meet our'acceptance criteria.

The need to ac ally implement these changes will be determined during the integrated safety assessment. This topic assessR ent may be revised in the future if your facility design is changed or i NRC criteria relating to his topic are modified before the integrat d assessment is' complete Sincerely, AD* SA* DL e

h Dennis.M. Crutchfield, Chie 10ainas 1Operating Reactors Branch No. 5 Division o icensing SEPB:DL SEPB:DL SEPB:DL ORB#5:DL:PM ORB#5: L:C oFF~~cE..

... Efls r

t a-s a ed -...-...-.

r----------

SScho11 RHermann WRussell SNowicki OCrutc jeld DRATE ~.................................................................................................~....

R NAME 0.0.....I R O...R P...

U O

NRC FORM 318 (10-80) NRCM 0240 OFFICIAL RECORD CO PY USGPO: 1981-335-960

Dockt No 5020 10 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 November 17, 1981 Docket No. 50-206 LS05-81-11-032 Mr..R. Dietch, Vice President Nuclear Engineering and Operations Southern California Edison Company 2244 Walnut Grove Avenue Post Office Box 800 Rosemead, California 91770

Dear Mr. Dietch:

SUBJECT:

SEP TOPIC VII-2, ENGINEERED SAFETY FEATURES (ESF) SYSTEM CONTROL LOGIC AND DESIGN, DRAFT SAFETY EVALUATION FOR SAN ONOFRE UNIT 1 is our contractor's draft technical evaluation of this topic for your plant. is the staff's draft safety evaluation report on this topic.

Our evaluation is based on our contractor's report. We wish to bring to your attention the fact that the docketed information with regard to the design and use of isolators for inputs to the subject logic systems and the design of containment spray system is inadequate for an independent safety review. The discrepancies are noted in Section 4.0 of the con tractor's report.

Accordingly, we request that you supply sufficient information for our review within 30 days of receipt of this letter, so that we may prepare our final safety evaluation on this topic.

Unless you can demonstrate the adequacy of the present isolation scheme, the staff recommends that isolators between the input signal channels and the safeguard load se quencing system, containment spray and the containment isolation system be replaced with units demonstrated to meet our acceptance criteria.

The need to actually implement these changes will be determined during the integrated safety assessment. This topic assessmen-t may be revised in the future if your facility design is changed or if NRC criteria relating to this topic are modified before the integrated assessment is completed.

Sincerely, Dennis M.

Crutchfield, Chief Operating Reactors Branch No. 5 Division of Licensing

Enclosures:

As stated

.1.

Mr. R. Dietch cc Charles R. Kocher, Assistant General.Counsel James Beoletto, Esquire Southern California Edison Company Post Office Box 800 Rosemead, California 91770 David R. Pigott Orrick, Herrington & Sutcliffe 600 Montgomery Street San Francisco, California 94111 Harry B. Stoehr San Diego Gas & Electric Company P. 0. Box 1831 San Diego, California.92112 Resident Inspector/San Onofre NPS c/o U. S. NRC P..0. Box 4329 San Clemente, California 92672 Mission Viejo Branch Library 24851 Chrisanta Drive Mission Viejo, California 92676 Mayor City of San Clemente San Clemente, California 92672 Chairman Board of Supervisors County of San Diego San Diego, California 92101 California Department of Health ATTN: Chief, Environmental Radiation Control Unit Radiological Health Section 714 P Street, Room 498 Sacramento, California 95814 U. S. Environmental Protection Agency Region IX Office ATTN: Regional Radiation Representative 215 Freemont Street San Francisco, California 94111 0543J SEP TECHNICAL EVALUATION TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN SAN ONOFRE Docket No. 50-206 August 1981 D. J. Morken EG&G Idaho, Inc.

Draft 8-26-81

CONTENTS

1.0 INTRODUCTION

..................................................1 2.0 CRITERIA......................................................1 3.0 DISCUSSION....................................................

2 3.1 General............................

2 3.2 Safety Injection System...................................

2 3.3 Containment Spray System.................................. 5 3.4 Containment Isolation System.............................

6 4.0

SUMMARY

7

5.0 REFERENCES

........ 7 APPENDIX A--NRC SAFETY TOPICS RELATED TO THIS REPORT...................

9

SEP TECHNICAL EVALUATION TOPIC VII-2 ESF SYSTEM CONTROL LOGIC AND DESIGN SAN ONOFRE

1.0 INTRODUCTION

The objective of this review is to determine if non-safety systems which are electrically connected to the Engineered Safety Features (ESF) are properly isolated from the ESF and if the isolation devices or tech niques used meet current licensing criteria. The qualification of safety related equipment is not within the scope of this review.

Non-safety systems generally receive control signals from ESF sensor current loops. The non-safety circuits are required to have isolation devices to ensure electrical independence of the ESF channels. Operating experience has shown that some of the earlier isolation devices or arrange ments at operating plants may not meet current licensing criteria.

2.0 CRITERIA General Design Criterion 22 (GDC 22), entitled, "'Protective System Independence," requires that:

The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or that they shall be demonstrated to be acceptable on some other defined bases. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function. 1 General Design Criterion 24 (GDC 24), entitled, "Separation of Protec tion and Control Systems," requires that:

1

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems, leaves intact a system that satisfies all reliability, redun dancy, and independence requirements of the protection system. Inter connection of the protection and control systems shall e limited so as to assure that safety is not significantly impaired.

IEEE-Standard 279-1971, entitled, "Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2, states:

The transmission of signals from protection system equipment for con trol system use shall be through isolation devices which shall be classified as part of the protection system and shall meet all the requirements of this document. No credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in t.he design bases.

Examples of credible failures include short.circuits, open circuits, grounds, and the application of the maximum credible AC or DC poted tial. A failure in an isolation device is evaluated in the s me man ner as a failure of other equipment in the protection system.

3.0 DISCUSSION AND EVALUATION 3.1 General.

The Engineered Safety Features (ESF) as defined by the Standard Review Plan Section VII.1-III are those.systems which are required to operate to mitigate the consequences of a postulated accident. The ESF systems for San Onofre Unit No. 1, as identified in the "Operating History and Design Verification"4 are the Safety Injection System (SIS) and the containment isolation system (CIS).

Integral to the SIS are the containment spray and the emergency power systems.

3.2 Safety Injection System. The SIS delivers borated water to the reactor core following a loss of coolant accident. The system, comprised of two trains, includes redundant safety injection pumps, feedwater pumps, charging pumps, the refueling water storage tank, redundant valves and piping and the actuation logic circuitry.

.2

The SIS initiation logic consists of two redundant logic trains, A and B. Each train is comprised of a Safeguard Load Sequencing System (SLSS) sequencer which is divided into two redundant subchannels, X and Y.

SIS initiation is from low pressurizer pressure or high containment pressure.

Initiation of either sequencer may also be by manual control.

The low pressurizer pressure signals are derived from the three reactor protection system pressurizer pressure current loops.6 Foxboro bistables, model M/66S-BR, monitor the loop current and actuate two relays at two dif ferent level setpoints. Contacts of one relay provide an actuation signal to the SLSS. A contact of the other relay is configured in a two-out-of three logic with the output from the other two current loops to initiate an alarm signal and a safety injection actuation system (SIAS) manual block permissive circuit in the SLSS.7 The low pressurizer pressure signals from the three bistable relay?

feed all four subchannels of the two sequencers. The three input signals to each subchannel each pass through an isolation device (the type of isolation device was not identified) and into a two-out-of-three solid.

state 1.ogic matrix where it is combined with the SIS block signal to initiate or block SIAS.

High containment pressure (above 2 psig) will also initate SIAS.

Six containment pressure monitors provide input signals for two channels of the containment isolation system (CIS) logic.' (This is discussed in detail in Section 3.3.)

The current output from each pressure transmitter is con verted to a 0 to 10 V signal in the CIS. Parallel circuits from each 0 to 10 V signal feed the CIS and the SLSS sequencers. Three containment high pressure 0 to 10 V signals feed SLSS sequencer No. 1 (train A).

The other three feed SLSS sequencer No. 2 (train B).

Each signal is again divided to feed subchannels X and Y of each sequencer..Each group of three input sig nals to the four subchannels pass through isolation devices to the solid state two-out-of-three logic. The output of the two-out-of-three logic enters an 'OR' gate common to the high pressurizer pressure two-out-of-three 3

e 9

signal.

Either function will initiate relay drivers and relays to start SIS action.

The SLSS also monitors undervoltage conditions on the 4160 V buses 1C and 2C. Two undervoltage relays on each bus feed each of the four subchan nels of the two sequencers. The two undervoltage signals of each bus are combined in an 'OR' gate, then combined with the SIAS logic. The output of this logic will initiate relays (Westinghouse type WL) to load SIS function, start diesels, shed unessential loads and load the SIS upon the loss of off site power (LOP).

Redundant switches in each sequencer permit manual SIS and LOP initia tion. Reset-test switches in the pressurizer pressure bistables permit injecting test signals to the SLSS. Test jacks are used for testing the containment high pressure logic. Separate switches permit manual operation of individual valves and pumps in the SIS.

Valve position indication and annunication is by position limit switches on the valves. Auxiliary contacts on the pump starters indicate pump status. Flow instrumentation monitors SIS flow and is displayed on instruments in the control room separate from the SIS control logic.

,Power for the pump and valve actuation for train #1 is from the 4160 V bus IC, the 480V switch-gear No. 1 and from motor control center (MCC)

No. 1. Power for train #2 functions is from the 4160 V bus 2C, 480 V switchgear No.'s 2 and 3 and 480 V MCC 2 and 3. The 125 VDC system 1 provides power to SLSS sequencer No. 1, the SIS/LOP lockout relays and train #1 HV valves. The 125 VDC system 2 supplies power to SLSS sequencer 8

No. 2, SIS/LOP lockout relays and train #2 HV valves.

Isolation between functions on the same bus is by circuit breaker with thermal-magnetic trip.

Evaluation. The RPS current loops feeding the low pressurizer pres sure bistable are not isolated from the remote meters or the process recorders.

(This is evaluated in more detail in SEP Topic VII-1.A).9 Separation of the input signals in the SLSS two-out-of-three logic and the type of isolation devices used at the input to the two-out-of-three logic could not be determined from the logic diagrams available. Isolation 4

between the two sequencer units and the output signals to.the SIS is ade

• quate. Isolation of power systems from other safety and non-safety func tions on the same bus is adequate.

3.3 Containment Spray. The Operating History and Design Verifica 4

tion, par. 3.1.2.5, states containment spray is not an ESF function.

However, since it is an automatic system used to reduce temperature and pressure in the containment sphere, it is included in the ESF evaluation.

The containment spray system includes the refueling water pumps, hydrazine additive pumps, spray header control valves, spray bypass valves, piping and the actuation logic. The containment spray actuation signal (CSAS) is initiated by a two-out-of-three high containment pressure signal (PT 501, PT 502 and PT 503) coincident with an SIAS signal. It can also be intiated manually. Manual blocking of SIAS will also block the CSAS. Man ual switches in the control room permit bypassing individual core spray functions.

Drawings of the CSAS were not available for review. Using the single 10 failure analysis report the system logic was developed and analyzed.

The conditioned signal from each of the three containment pressure trans mitters drives two relays, one for each of the two CSAS logic trains (A and B).

In train A, the relay output contacts from the three containment pres sure signals are arranged in a two-out-of-three configuration. The. output signal is then summed with the SIAS sequencer output signals. An output from this logic drives relays in the two subchannels X and Y. Subchannel X relays actuate valve functions and subchannel Y pump function in train A of the containment spray system. The CSAS logic for train B is identical and independent of train A.

Valve limit switches and pump starter contacts provide status informa tion of the containment spray components. Flow indicating switches monitor recirculation pumps flow and actuate closure of flow control valves CV517 or CV518 upon low flow indication from either pump..

5

Power for the pressure transmitters and signal conditioning equipment is from vital bus #1 for PT 501 and 125 VDC Bus #2 for PT 502 and PT 503.

CSAS logic trains receive power from vital bus #1 or #3 for train A and 125 VDC bus #2 for PT502 and PT503. CSAS logic trains receive power from vital bus #1 or #3 for train A and 125 VDC bus #2 for train B.

Evaluation. Based on information developed from the single failure analysis, isolation between trains of the CSAS and from non-safety sys tems is by relay contact which is acceptable. Isolation of power systems by separate buses and by thermal magnetic breakers on the same bus is acceptable.

3.4 Containment Isolation System.11 The Containment Isolation System (CIS) consists of two valve actuation trains, train F and train G.

Initiation of the CIS is from containment high pressure or from an SIS actuation signal.

Either train may also be initated by a manual control switch. The containment high pressure signal for each train is generated from three pressure switches (PT1120A, 1120B and 1120C for train F and PT1121A, 1121B and 1121C for train G).

The three pressure transmitters each output a 4 to 20ma signal which is conditioned to a 0 to 10V DC signal and combined in a two-out-of-three logic circuit. The output of the two-out-of-three logic is combined in an 'OR' gate with the SIS actuation signal. The output of the 'OR' gate is again combined in a second 'OR' gate with manual actuation which feeds a latching memory circuit. The output of the memory circuit initiates relays in the CIS relay panel for valve closure actuation. The 0 to 1OV DC signals from the three pressure transmitters are also fed directly to the SLSS sequencers for containment high pressure actuation of the SIS (see section 3.2 above). SIS initation of CIS is by relay contact output of two subchannels (X and Y) from the SLSS sequencers. One sequencer system provides the actuation signal for each CIS train.

A reset switch for each logic system permits resetting of that valve train only after the containment high pressure has dropped below 2 psig-and the SIS is reset. Separate control switches permit manual overide of individual valves and selected valve groups. The purge and vent valves in 6

the CIS are also actuated by the containment high radiation signal (R-1212).

These valves cannot be individually opened by their override switches as 12 long as there is a high radiation signal present The two actuation trains use logic systems developed by Foxboro com pany. Valve actuation is from relays (Potter Brumfield models MDR 406-7, MDR 138-8 and MDR 134-1) actuated by the CIS logic circuits. Power to the logic and valve trains is divided between the two 125 VDC power supplies No. 1 and No. 2. Isolation of the CIS power on the OC buses from other functions on the same bus is by thermal-magnetic circuit breaker. Valve relay actuation and position indication circuits are fused separately or in select valve groups. Valve position indication is by limit switches on the control valves and actuation relay contacts for the solenoid valves.

Evaluation.

Information was not available on the Foxboro logic sys tems to permit evaluating the isolation between containment pressure signal channels to the two logic trains. Isolation between the CIS trains is 'ade quate. Isolation of the power to the two trains by separate power buses and by thermal-magnetic breakers on the individual buses is adequate.

4.0

SUMMARY

Based on current licensing criteria and review guidelines, the ESF system complies with all current licensing criteria listed in Section 2 of this report except for the following:

1. Insufficient information to evaluate the isolation between the input signal channels in the SLSS two-out-of-three logic.

2.

Insufficient information to evaluate the isolation between the input signal channels in the Foxboro CIS logic.

5.0 REFERENCES

1. General Design Criterion 22, "Protection System Independence," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production.and Utilization Facilities."

7

2. General Design Criterion 24, "Separation of Protection and Control Systems," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."

3.

IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

4. San Onofre Nuclear Generating Station (SONGS) Unit 1, Part 1, "Operat ing History and Verification of Design Objectives," Volume 1, page 3-12.

5. SONGS Drawings 5149180-Rev. 7, 5150874-Rev. 9, and 5150875-Rev. 9.

6. SONGS Drawings 63715-Rev. 6 and 63716-Rev. 2.

7. Letter, Southern California Edison Company to R. H. Engelken, Director Region V, dated September 16, 1980.

8.

SONGS Drawings.5149957-Rev. 5, 5149958-Rev. 4, 5102173-Rev. 16 and 5149348-Rev. 6.

9. SEP Technical Evaluation, Topic.VII-1.A, "Isolation of Reactor Protec tion System from Non-safety Systems," dated August 7, 1981.

10.

San Onofre Nuclear Generating Station Unit #1, Single Failure Analysis, dated December 1976, Docket 50206-645.

11.

Letter J..C.

Hayes to D. L. Zimmerman, "Implementation of Catagory A Lessons Learned Requirements," dated March 25, 1980.

Letter K. P. Baskin to D. M. Crutchfield, "Systematic Evaluation Program,"

dated June 23, 1980.

SONGS Drawings 451355, Rev. 1 5149890-Rev. 5, 235220 through 235409, 5102173-Rev. 18 and 5149348-Rev. 7.

. 12.

Letter K. P. Baskin to D. M. Crutchfield, "Systematic Evaluation Pro gram," dated October 2, 1980.

8

APPENDIX A NRC SAFETY TOPICS RELATED TO THIS REPORT

1. III-1 "Classification of Structures, Components, and Systems"

2. VI-7.A3 "ECCS Actuation System"

3. VI-10.A "Testing of Reactor Trip Systems and Engineered Safety Fea tures, Including Response Time Testing"

4. VII-l.A "Reactor Protection System Isolation"

5.

VII-3 "Systems Required for Safe Shutdown"

6. VII-4 "Effects of Failures of Nonsafety-Related Systems on Selected ESFs" 9

SYSTEMATIC EVALUATION PROGRAM TOPIC VII-2 SAN ONOFRE TOPIC:

VII-2, ENGINEERED SAFETY FEATURES (ESF) SYSTEM CONTROL LOGIC AND DESIGN I. INTRODUCTION During the staff review of the Safety Injection System (SIS) reset (issue

1. 4 in NUREG-0138) the staff determined that the Engineered Safety Features Actuation Systems (ESFAS) at both PWRs and BWRs may have design features that raise questions about the independence of redundant channels, the interaction of reset features and individual equipment controls, and the interaction of the ESFAS logic that controls transfers between on-site and off-site power sources. Review of the as-built logic diagrams and schematics, operator action required to supplement the ESFAS automatic actions, the startup and surveillance testing procedures for demonstrating ESFAS performance appeared to be required.

Several specific concerns exist with regard to the manual SIS -reset fe't ure following a LOCA. They are: (1) If a loss of offsite power occurs after reset, operator action would be required to remove normal shutdown cooling loads from the emergency bus and re-establish emergency cooling loads. Time would be critical if the loss of offsite power occurred within a few minutes following a LOCA. (2) If loss of offsite power oc curs after reset, some plants may not restart some essential loads such as diesel cooling water. (3) The plant may suffer a loss of ECCS delivery for some time period before emergencypower picks up the ECCS system.

It was also decided to review the ESF system control logic and design, in cluding bypasses, reset features and interactions with transfers between onsite and offsite power sources.

Since these decisions were made in early 1977, the staff's plans for re solving these issues have changed. Two generic reviews of the diesel generator problems have been conducted by Inspection and Enforcement.

The second review includes consideration of bypasses and resets.

In ad dition, Task Action Plan Generic Task 8-24 is involved with reset and by pass concerns. Accordingly, this SEP Topic has been modified to reduce duplication of effort.

As a result of the staff's review of the scope of the several related

,generic efforts and the other SEP Topics, it was decided that the only area that had not been covered was the independence of redundant logic trains.

Independence might be compromised by sharing input signals and the use of common controls such as mode switches, reset switches, and logic test facilities.

-2 II. REVIEW CRITERIA The current licensing criteria are presented in Section 2 of EG&G Report 0543J, "ESF System Control Logic and Design."

III. RELATED SAFETY TOPICS AND INTERFACES The scope of review for this topic was limited to avoid duplication of effort since some aspects of the review were performed under related topics.

The related topics and the subject matter are identified below.

Each of the related topic reports contain the acceptance criteria and review guidance for its subject matter.

111-6 Seismic Qualification III-11 Seismic Qualification 111-12 Environmental Qualification IV-1.A Operation with Less than All Loops in Operation VI-4 Bypass and Reset of Engineered Safety Features (B-24)

VI-7.A.3 ECCS Actuation System V-I-7.B ESF Switchover from Injection to Recirculation VI-1.C.l Independence of Onsite Power VI-7.C.2Failure Mode Analysis-ECCS YS-7.C.3 The effect of loop isolation valve closure on ECCS performance YI-7.D Long Term Cooling Passive Failures (e.g. flooding)

VI-7.F Accumulator Isolation Valves VI-Bp.A Testing of Reactor Protection Systems VI-.B CShared System s VII-l.A Reactor Trip System Isolation VII-3 Systems Requiied for Safe Shutdown VIII-2 Onsite Emergency Power Systems VIII-3 Emergency dc Power Systems VIII-4 Electrical Penetrations IX-3 Ventilation IX-6 Fire Protection The conclusion that suitable isolation devices are provided is a basic assumption for Topics VI-7.C.2 and VI.I-3.

IV. REVIEW GUIDELINES The review guidelines are presented in Section 3 of Report 0543J, "ESF System Control Logic and Design."

V. EVALUATION.

A description of the isolation devices employed in the San Onofre Unit 1 and a comparison with current design criteria are presented in Report 0543J "ESF System Control Logic and Design."

-3 VI.

CONCLUSION As a result of our review of our contractor's work the staff concludes that San Onofre Unit 1 may not conform to current licensing criteria for electrical isolation of redundant safety features because the isolation of the redundant ESF channels may not satisfy the requirements of GDC 22 detailed in Section 2 of the report.

The licensee should demonstrate the suitability of the isolation devices between the input signal channels and the safeguard local sequencing system, containment spray, and the containment isolation system or the isolators should be replaced with qualified units that meet our acceptance criteria.