Forwards Summary of 36 SEP Topics W/Unresolved Differences. Proposed Corrective Actions & Basis for Actions Should Be Submitted within 90 Days of Receipt of Ltr

ML14138A122
Person / Time
Site:	San Onofre
Issue date:	02/07/1983
From:	Crutchfield D Office of Nuclear Reactor Regulation
To:	Dietch R SOUTHERN CALIFORNIA EDISON CO.
References
TASK-***, TASK-RR LSO5-83-02-012, LSO5-83-2-12, NUDOCS 8302180466
Download: ML14138A122 (43)
v • d • e

Text

February 7, 1983 Docket No. 50-206 LS05-83 012 Mr. R. Dietch, Vice President Nuclear Engineering and Operations Southern California Edison Company 2244 Walnut Grove Avenue Post Office Box 800 Rosemead, California 91770

Dear Mr. Dietch:

SUBJECT:

SUMMARY

OF UNRESOLVED DIFFERENCES SAN ONOFRE NUCLEAR GENERATING STATION, UNIT 1 The SEP topic reviews for San Onofre I have identified 36 topics with unresolved differences which are listed in Enclosure 1. A summary of each difference is provided in Enclosure 2. Four incomplete topics are not included in these lists. They are Topics III-3.A, III-5.A, III-5.B, and 111-6. A difference summary (if needed) for each of these topics will be issued along with the corresponding safety evaluation reports when the topic reviews have been completed.

Some of the enclosed difference summaries are based on draft topic safety evaluations. The status of some of these topics and the summary of differences may be revised should you identify any factual errors that would affect the bases used by the staff to reach its conclusions.

In order to assure a timely completion of the integrated assessment for your facility, we intend to begin the integrated assessment for :the differences identified thus far. Consequently, we request that you submit your proposed corrective actions, if any, and the basis for the proposed action for each of the identified Afferences within 90 days of receipt of this letter. This request affect fewer than ten respondents and therefore does not require an OMB clearance, in accordance with PL 96-511.

Sincerely, 8302180466 830207 gna Sined by

/

PDR ADOCK 05000206 P D Dennis M. Crutchfield, Chief Operating Reactors Branh #5 Division of Licensing

Enclosures:

OFFICE)

SEPB:DS SEPB:DL OFFICE..........................

Ec en d

....... mE.

W RNR M 31(cc1w0encosures: J20OFCIenALdk RCR DCOP.Y f

USP: 9133-6 DATE...........................................

/S//

3..........

j..12 Se 83.

.. 1 83..... j /8 NRC FORM 318 (10-80) NRCM 0240 OFFICIAL. RECORD COPY USGPO: 1981-335-960

.'ir. R. Dietch, Vice Pres nt, Docket No. 50-206 Nuclear Engineering and Operations San Onofre 1 Southern California Edison Company 2244 Walnut Grove Avenue Post Office Box 800 Rosemead, California 91770 cc Charles R. Kocher, Assistant General Counsel James Beoletto, Esquire Southern California Edison Company Post Office Box 800 Rosemead, California 91770 David R. Pigott Orrick, Herrington & Sutcliffe 600 Montgomery Street San Francisco, California 94111 Harry B. Stoehr San Diego Gas & Electric Company Post Office Box 1831 San Diego, California 92112 Resident Inspector/ San Onofre NPS c/o U.S. Nuclear Regulatory Commission Post Office Box 4329 San Clemente, California 92672 Mayor City of San Clemente San Clemente, California 92672 Chairman Board of Supervisors County of San Diego San Diego, California 92101 California Department of Health ATTN:

Chief, Environmental Radiation Control Unit Radiological Health Section 714 P Street, Room 498 Sacramento, California 95814 U.S. Environmental Protection Agency Region IX Office ATTN:

Regional Radiation Representative 215 Freemont Street San Francisco, California 94111 Robert H. Engelken, Regional Administrator U.S. Nuclear Regulatory Commission, Region V 1450 Maria Lane Walnut Creek, California 94596

San Onofre 1 ENCLOSURE 1 TOPICS WHICH DO NOT MEET CURRENT CRITERIA OR EQUIVALENT II-1.C Potential Hazards or Changes in Potential Hazards due to Transportation, Institutional, Industrial, and Military Facilities II-3.A Hydrological Description II-3.B Flooding Potential and Protection Requirements II-3.B.1 Capability of Operating Plants to Cope With Design Basis Flood Conditions II-4.F Settlement of Foundations and Buried Equipment III-1 Quality Group Classification of Components and Systems 111-2 Wind and Tornado Loadings III-3..C Inservice Inspection of Water Control Structures III-4.A Tornado Missiles I.II-7.B Design Codes, Design Criteria, Load Combinations, and Reactor Cavity Design Criteria III-8.A Loose Parts Monitoring and Core Barrel Vibration Monitoring III-10.A Thermal-Overload Protection for Motors of Motor-Opera ed Valves III-lO.B Pump Flywheel Integrity IV-2 Reactivity Control Systems Including Functional, Design and Protection Against Single Failures V-5 Reactor Coolant Pressure Boundary (RCPB) Leakage Detection

-2 V-6 Reactor Vessel Integrity V-10.A RHR Heat Exchanger Tube Failures V-1l.A Requirements for Isolation of High and Low Pressure Systems V-11.

RHR Interlock Requirements VI-1 Organic Materials and Post-Accident Chemistry VI-4 Containment Isolation System VI-6 Containment Leak Testing VI-7.B ESF Switchover from Injection to Recirculation (Automatic ECCS Realignment)

VI-7.C.2 Failure Mode Analysis ECCS VI-10.A Testing of Reactor Trip System and Engineered Safety Features, Including Response Time Testing VII-1..A Isolation of Reactor Protection System from Non-Safety Systems, Including Qualification of Isolation Devices VII-2 Engineered Safety Features (ESF)

System Control Logic and Design VII-3 Systems Required for Safe Shutdown VIII-l.A Potential Equipment Failures Associated with Degraded Grid Voltage VIII-3.B DC Power System Bus Voltage Monitoring and Annunciation VIII-4 Electrical Penetrations of Reactor Containment IX-3 Station Service and Cooling Water Systems IX-5 Ventilation Systems

-3 XV-1 Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve XV-2 Spectrum of Steam System Piping Failure Inside and Outside of' Containment (PWR)

XV-7 Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break

W U ENCLOSURE 2 TOPIC NO.

TITLE II-1.C Potential Hazards on Changes in Potential Hazards Due to Transportation, Institutional, Industrial, and Military Facilities 10 CFR Part 50 Appendix (GDC 4) as implemented by SRP Section 2.2.1-2.2.2 requires that nuclear power plant structures, systems and components important to safety be appropriately protected against events and conditions that.may occur outside the plant.

The licensee has not demonstrated that the San Onofre 1 facility is protected in accordance with current licensing criteria from the following potential hazards:

(1) Liquified petroleum gas (LPG) that is shipped on the Atchison, Topeka and Santa Fe railroad line running beside the plant.

(2) Military ordnance and LPG that are transported by truck on Interstate 5 which parallels the plant.

(3) A toxic gas cloud being swept into the control room air vent.

As part of TMI TAP III.D.3..4, the control room HVAC is being replaced and the new system will have toxic gas monitors to automatically isolate the control room. The implementation schedule for these modifications will be finalized during the integrated assessment.

The licensee should also confirm that the expected number of military shipments past the plant, based on the shipping route changes planned in 1980, is as assumed in the analysis.

S TOPIC NO.

TITLE II-3.A Hydrologic Description 10 CFR 50 (GDC 2), as implemented by SRP Section 2.4.1, requires that structures, systems and components important. to safety be designed to withstand the effects of natural phenomena such as flooding. The descriptions of hydrological characteristics must be sufficiently complete to allow evaluation of the impact on-the plant.

At.San Onofre 1, the design basis for low water and rooftop ponding are not adequately described. Measurements of groundwater elevation at the site are not sufficient to allow an accurate identification of probable maximum ground water level.

TOPIC.NO.

TITLE II-3.B Flooding Potential and Protection Requirements 10 CFR 50 (GDC 2), as interpreted by SRP Section 2.4.2, 2.4.5 and Regulatory Guide 1.59, requires that structures, systems and components important to safety be designed to withstand the effects of natural phenomena such as flooding.

For San Onofre 1, it was found:

1. San Onofre does not meet current criteria for flooding from local PMP.

Under conditions which can be reasonably foreseen to occur (both seawall culverts blocked,yard drainage system blocked), ponding will rise to elevation 15.5 ft. MLLW in the plant yard during PMP.

Safety-related equipment would be flooded.

Due to the lack of detailed topographic information necessary to accurately define runoff, conservative assumptions were used in the analysis and the resulting levels may be conservatively high.

2. Thefuel storage building and ventilation building rooftops will be subject to 46.6 psf and 38.9 psf respectively over the low points of the roof. This is an input to Topic III-3.A.

3. Normal high groundwater elevation for use with coincident seismic loads is +10.0 ft MLLW. Probable maximum groundwater elevation is plant grade. This is an input to Topic III-3.A.

4. The forces used by the licensee to analyze the tsunami wall are appropriate; however, the stability analysis of the seawall will be reviewed under Topic III-3.A.

TOPIC NO.

TITLE II-3.B.1 Capability of Operating Plants to Cope With Design Basis Flood Conditions 10 CFR 50 (GDC 2), as implemented by SRP Section 2.4.10 require that structures, systems and components important to safety be designed to withstand the effects of natural phenomena such as flooding.

The operating procedures provided by the licensee should be changed as follows:

1. The procedure for predicted tsunami warning should include instructions for dealing with seawater in-leakage at the screenwell, the storm drains and the intake structure.

2. The procedure for predicted tsunami should be modified so that the instruction to close the intake and outlet hydraulic stop gates.is an immediate operator action rather than a subsequent one.

In addition, the licensee should address:

1.

The time required to close the stop gates versus the time available based on a locally generated tsunami.

2.

The disposition of plant cooling and waste water during the period of time the gates are closed and an estimate of how long the gates would be closed.

TOPIC NO.

TITLE II-4.F Settlement of Foundations and Buried Equipment 10 CFR 50 (GDC 2, 44) and 10 CFR 100, Appendix A as implemented by Regulatory Guides 1.132 and SRP 2.5.4 require that foundations and buried equipment important to safety be adequately designed to perform their intended function.

The licensee should provide the following:

1. Updated information concerning the areal extent and in situ properties of backfill materials adjacent to seismic Category L and safety related facilities founded partly or entirely upon backfill materials which has been obtained by means of appropriate field investigation techniques.

2. Up-to-date settlement data related to seismic Category I and safety related facilities founded partially or entirely upon backfill materials to supplement available retords through 1970.

3. Shear moduli and damping characteristics of backfill materials including the variation of moduli and damping values with strain for backfield materials at appropriate relative densities and confining pressures.

4.

An estimate of potential static and dynamic settlements and differential settlements of structures, manholes, piping ducts and other facilities founded partially or entirely upon or within backfill materials.

TOPIC NO.

TITLE III-1 Quality Group Classification of Components and Systems 10 CFR 50 Appendix A (GDC 1), as implemented by Regulatory Guide 1.26, requires that structures, systems and components important to safety be designed, fabricated, erected and tested to quality standards commensurate with the importance of the safety functions to be performed.

The following areas are considered to have differences because sufficient information was not available to conclude adequacy as discussed in the staff's safety evaluation:

1. Fracture toughness

2. Radiography requirements

3. Pressure vessels

4.

Piping

5. Valves

6. Pumps

7. Storage tanks

TOPIC NO.

TITLE 111-2 Wind and Tornado Loadings 10 CFR Part 50 Appendix A (GDC 2) as implemented by SRPs 3.3.1 and 3.3.2 and Regulatory Guides 1.76 and 1.117, requires that nuclear power facilities be designed to withstand the effects of natural phenomena.

The existing design and construction of portions of some structures and systems important to safety does not meet current licensing criteria of remaining within acceptable stress limits for the design basis wind and tornado loadings.

The licensee should: 1) implement modifications for the following structures in order to meet the design basis tornado loads, 2) demonstrate that the consequences of failure if subjected tornado loads are acceptable or 3) demonstrate adequate resistance for smaller tornado loadings and that the risk associated from larger tornado loadings is acceptable.

1. Storage building (portion of the Reactor Auxiliary Building which is above grade)

2. Turbine building

3. Fuel storage building

4. Portions of the control and administration building other than the control room

5. Ventilation equipment room

6. Turbine building gantry crane For the numerous safety-related components not inside structures, the licensee should demonstrate the acceptability for tornado loads or that the consequences of failure are acceptable.

The licensee should determine the effects of pipe reaction loads and thermal loads in conjunction with wind loads in order to show that the original wind design is comparable to present wind criteria and to use the higher stress allowables. The licensee should determine whether any anchor bolts exist in exterior masonry walls and assess whether calculated wall capacity should be decreased to assure their function.

Extreme fiber stress comparisons, base connection adequacy and the effects of vortex shedding need to be addressed in order to establish vent stack adequacy.

TOPIC NO.

TITLE III-3.C Inservice Inspection of Water Control Structures 10 CFR 50 (GDCs 2 and 45) andAppendix A to 10 CFR 100, as implemented by SRPS 2.5.4 and 2.5.5 and Regulatory Guide 1.127, require that water control structures by provided as needed to protect plant systems from the effects of natural phenomena. Adequate and timely inspections are required to ensure that such structures remain functional.

A formal inspection program, as outlined in Regulatory Guide 1.127, has not been established for site flood control structures or the service water reservoir.

TOPIC NO.

TITLE III-4.A Tornado Missiles 10 CFR 50 Appendix A (GDC 2), as implemented by Regulatory Guide 1.117 and SRP 3.5.1.4 prescribes that structures, systems and components should be designed to withstand the effects of a tornado, including tornado missiles without loss of capability to perform their safety function.

The following do not meet current criteria for tornado missile protection.

1. Masonry wall structures

a. Parts of control building

b. Fuel storage building

c. Turbine building

d. Ventilation equipment building

2. Condensate storage tank

3. RWST

4. Auxiliary feedwater pumps

5. Portions of chemical and volume control system (CVCS), component cooling, salt water cooling systems

6.

Steam dump valves

7. Instrument air system

8. Spent fuel pit storage and cooling system

9.

Boron injection system

10. Control room and ventilation system

11. Safety injection system

12. Instrumentation for shutdown

13. Emergency power (AC and DC)

14. Main steam and main feedwater system Functions provided by systems serviced by the component cooling system such as the residual heat removal (RHR) system may not be available.

TOPIC NO.

TITLE III-7.B Design Codes, Design Criteria, Load Combinations and Reactor Cavity Design Criteria 10 CFR 50 (GDC 1, 2 and 4), as implemented bySRP 3.8, requires the plant to be designed and constructed to various design codes, criteria, loads and load combinations.

The staff has concluded after comparing design codes, criteria, loads and load combinations that a number of changes.have occurred which could potentially impact margins of safety. These differences between plant design and current licensing criteria should be resolved as follows:

1. Review Seismic Category I Structures at San Onofre 1 to determine if any of the structural elements for which a concern exists are a part of the facility design of San Onofre 1. For those that are, assess the impact of the code changes on margins of safety on a plant specific basis.

2. Examine on a sampling basis the margins of safety of Seismic Category I Structures for loads and load combinations not covered by another SEP topic and denoted by Ax in Enclosure (1) to the staff topic safety evaluation. (The load tables should be reviewed to assure their technical accuracy concerning applicability of the loads for each of the structures and their significance. The Category I Structures considered should be reviewed to ensure completeness.)

It is concluded that the licensee should perform a more refined analysis of the San Onofre 1 containment in order to determine if it is adequate to resist the combined seismic and LOCA loads described in Enclosure (2) to the staff topic evaluation.

TOPIC NO.

TITLE III-8.A Loose Parts Monitoring and Core Barrel Vibration Monitoring The requirements of 10 CFR 50 (GDC 13),

as implemented by Regulatory Guide 1.133, Revision 1, and SRP Section 4.4, prescribe a loose-parts monitoring program for the primary system of light-water-cooled reactors.

San Onofre 1 does not have a loose-parts monitoring program that meets the criteria of Regulatory Guide 1.133.

TOPIC NO.

TITLE III-10.A Thermal-Overload Protection for Motors of Motor Operated Valves 10 CFR 50.55a(h) as implemented by IEEE Std. 279-1971 and 10 CFR 50 Appendix A (GDC 13, 21, 22, 23, and 29) require that protective actions be reliable and precise and satisfy the single failure criterion using quality components. Regulatory Guide 1.106 presents the staff position on how thermal overloads can be made to meet these requirements.. Safety related valves with thermal overload protection should be provided with circuits that bypass the thermal overload protection under accident conditions; such bypasses should be designed to IEEE 279 criteria.

At San Onofre 1, two motor-operated valves in the component cooling water system have thermal overloads which are not bypassed under accident conditions.

TOPIC NO.

TITLE III-10.B Pump Flywheel Integrity Appendix A to 10 CFR Part 50 (GDC 4), as implemented by Regulatory Guide 1.14, requires that integrity of the reactor coolant pump flywheel be maintained to prevent failure at speeds that might be reached under accident conditions and to preclude generation of missiles. Use of suitable materials, adequate design and inservice inspections will provide reasonable assurance of flywheel integrity. The inservice inspections that have been performed on the San Onofre 1 flywheels show compliance with the guidelines of R.G. 1.14. However, the Technical Specifications should be modified to include the flywheel inspections.

TOPIC NO.

TITLE.

IV-2 Reactivity Control System Including Functional Design and Protection Against Single Failures 10 CFR 50 (GDC 25), as interpreted by SRP 7.7, requires that the reactor protection system be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems.

For San Onofre 1, the staff concluded that the following could occur as a result of single failures:

1. Two banks of control rods may move simultaneously instead of one bank.

2. A cluster, group, or bank of shutdown rods may not move when movement is commanded.

3. A cluster, clusters, group, bank, or banks of control rods may not move when movement is commanded.

4. A group of shutdown rods could move inadvertently.

5. A group, bank or banks (out of overlap region) of control rods could move inadvertently.

6. An individual shutdown rod, cluster, group, or bank of shutdown rods could fall into the core.

7. An individual control rod, a cluster, clusters, group, bank, or banks of control rods could fall into the core.

8. A cluster of control rods could move opposite to the commanded direction.

The licensee should show that the consequences of these events have been addressed in Topic XV-8.

TOPIC NO.

TITLE V-5 Reactor Coolant Pressure Boundary Leakage Detection 10 CFR 50 (GDCs 2 and 30), as implemented by SRP 5.2.5 and Regulatory Guide 1.45 requires the measurement of leakage from the reactor coolant pressure boundary (RCPB) to the containment and interfacing systems and states design criteria for the systems employed for such.

For systems employed for measurement of leakage from the RCPB to the con tainment, R.G. 1.45 states that:

1) one system should be an airborne par ticulate radioactivity monitor that is SSE qualified, 2) a minimum of two others should be present which are OBE qualified, and 3) all systems should have a sensitivity to detect leakage of 1 gpm within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

Those employed for measurement of intersystem leakage should include sensors for things such as radioactivity, flow, level, pressure, temperature, etc. and be OBE qualified.

All the above systems should 1) have alarms and indicators in the main control room, 2) be readily testable and calibrated during normal operation, and have their availability in the technical specifications.

For San Onofre 1, the following were noted in the topic review:

1. There are no requirements in the San Onofre Technical Specifications concerning operability of the reactor coolant pressure boundary to the containment leakage detection system.

2.

Information concerning the leakage detection systems for the detection of inter-system reactor coolant pressure boundary leakage and the CVCS Makeup Flowrate is incomplete. Therefore, we cannot determine the extent to which Regulatory Guide 1.45 is met.

3. The reactor coolant inventory balance is only capable of 1 gpm sensi tivity in a matter of hours, not 1 gpm within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> as would be required for reliance on this system.

By letter dated January 20, 1983, the licensee noted the following:

1. Several of the leakage detection systems are not testable during normal operation.

2. Seismic capability of the systems has yet to be reviewed.

3. Information on sensitivity and time required is in the process of being verified.

TOPIC NO.

TITLE V-6 Reactor Vessel Integrity Appendices G and H to 10 CFR Part 50, and 10 CFR 50.55a (g), as implemented through Regulatory Guide 1.99, require that reactor vessel integrity be assumed by review of aspects such as fracture toughness, surveillance pro grams, neutron irradiation.

Detailed information on vessel and surveillance weld materials, such as the type and heat of weld wire and flux used, the chemical composition, and the results of any Charpy tests conducted on these materials is not available. The licensee should attempt to obtain such information.

TOPIC NO.

TITLE V-10.A Residual Heat Removal Heat Exchanger Tube Failures 10 CFR 50 (GDC 45 and 60) as implemented by SRP 9.2.1 and 9.2.2 require in part that leakage in cooling water system heat exchangers be limited to prevent radioactive release to the environment or introduction of impurities into the primary coolant system.

For San Onofre 1, the following differences are noted:

1. The Technical Specifications do not specify limits on leakage of component cooling water into the primary system, or the sampling frequency.

2. The salt water cooling system discharge does not have a -radiation monitor to detect leakage from the componeht cooling water system.

3. As noted in the topic review for Topic VI-7.A.3, the recirculation heat exchangers are not required to be tested for leakage.

TOPIC NO.

TITLE V-11.A Requirements for Isolation of High and Low Pressure Systems V-11.B RHR Interlock Requirements 10 CFR 50 (GDC 34) as implemented by SRPs 5.4.7 and 7.6 and BTP RSB 5-1 and ICSB 3 require that low pressure systems be provided with suitable interlocks so that a single failure will not subject the low pressure system to high pressure.

1. The chemical and volume. control system (CVCS) isolation valve do not have pressure-related interlocks to ensure that low pressure portions of the system are not subject to coolant pressures that exceed design limits.

2. The safety injection system (SIS) and long-term recirculation system motor-operated isolation valves have no pressure-related interlocks.

3. None of the residual heat removal (RHR) isolation valves automatically close if reactor coolant system (RCS) pressure increases above RHR system design pressure and the outboard isolation valves have no pressure related interlocks to prevent opening until RCS pressure is below RHR design pressure. The interlocks for the inboard isolation valves are neither diverse nor independent.

The staff proposes that:

1. The SIS MOVS be modified.to include interlocks or an acceptable check valve test program be implemented.

2. CVCS discharge valves be modified, or a redundant relief valve, or demonstrate releases satisfy 10 CFR 100.

3. Independent interlocks be provided for the RHR valves to prevent opening until RCS pressure is below RHR system design pressure.

4. Technical Specification changes be made to require OMS to be operable whenever the RHR system is in operation to protect RHR integrity.

TOPIC NO.

TITLE VI-1 Organic Materials and Post-Accident Chemistry Appendix A to 10 CFR 50 (GDC 1) and Appendix B to 10 CFR 50, as implemented by Standard Review Plan Sections 6.1.2 and 6.1.3 and Regulatory Guide 1.54 requires that structures and systems important to safety be designed, fabricated, erected, inspected, maintained and tested to quality standards commensurate with the importance of the safety function being performed.

The organic materials used in containment must not interfere with the operation of engineered safety features under accident conditions. To assure that degradation of the coatings, such as flaking, cracking and peeling, does not result in clogging of sump screens, the TiateriaTs should be periodically inspected, and if necessary repaired. San Onofre 1 has not committed to a periodic inspection. The staff recommended frequency is three times in ten years.

TOPIC NO.

TITLE VI-4 Containment Isolation System Appendix A to 10 CFR 50 (GDC 54 to 571), as implemented by Standard Review Plan Section 6.2.4, and Regulatory Guides 1,11 and 1.141, requires that piping systems penetrating the primary containment be provided with isolation capabilities having redundancy, reliability and performance characteristics which reflect the importance to safety of isolating these systems.

1. The isolation valving arrangements for the following penetration lines do not meet the requirements of GDC 56 from the standpoint of valve location:

15 (purge intake) and 16 (purge exhaust).

The acceptability of isolation valve arrangements where valves are located outside containment is contingent on the acceptability of piping design criteria. This matter is discussed under SEP Topic III-1.

The licensee should discuss the unique characteris tics of the valves closest to the containment to terminate valve shaft or bonnet seal leakage, or the provisions in the plant for controlling leakage.

2. The following penetration lines have been provided with remote manual Valves, which differ from the explicit requirements of GDC 55 and 56 from the standpoint of valve:actuation: 1, (refueling water supply),

22.(letdown), 24 (seal return), 46 (pressurizer sample), 47 (reactor cycle sample), 48 (RCSS) and 49 (RCSS). The remote manual actuation provisions for the isolation valves in lines 1, 22 and 24 were found to meet the GDC.on some other defined basis.

However, the licensee should discuss the provisions made to allow the operator in the,control room to know when to isolate fluid system lines equipped with remote manual valves (SRP 6.2.4, Item II.11).

For lines 46, 47, 48, and 49, remote manual valves are not appropriate. Since these lines are non essential, automatic isolation valves should be provided.

3. The isolation valving arrangements of the following penetration lines differ from the explicit requirements of GDC 56 from the standpoint of valve type by using a simple check valve outside containment:

1 (refueling water supply) and 13 (instrument air header).

A simple check valve outside containment is not an appropriate automatic isolation valve.

4. The licensee has classified the following penetration lines as being associated with closed systems inside containment:

28 (CCW to RHR HX),

29 (CCW from "A" RHR HX),

30 (CCW to RHR HX),31 (CCW from.HR HX),

32 (CCW to pump "A" bearing oil coolers)', 33 (return), 34 and 35 (pump B), 36 and 37 (pump C), 38 (CCW to reactor shield cooling),

39 (return), 40 (CCW to excess letdown HX), 41 (return). In order for GDC 57 to apply, the closed system should neither be part of the reactor coolant pressure boundary nor connected directly to the contain ment atmosphere, and should be of safety grade design (see SRP 6.2.4),

The licensee should provide additional information regarding the design of the closed systems inside containment for these penetration ines.

-2

5. Penetration lines 7, 8 and 9 are the steam generator feedwater supply lines.

Each line is provided with a simple check valve and a flow control valve in series outside containment. There are also two bypass lines in each feedwater line and each one is provided with a check valve in series with either a manual valve or a power operated control valve outside containment, Since the check valve outside containment is not an acceptable automatic isolation valve, the acceptability of designating the flow control valves and the manual or power operated valves in the bypass lines as containment isolation valves will be addressed in the integrated assessment of the plant.

6. Penetration lines 54 and 55 are the main steam lines. The turbine stop valves and turbine control valves are used for automatic/remote manual isolation of the main steam lines in lieu of the manual con tainment isolation valves. However, upsteam of the turbine stop valves, there are numerous branch lines, which also should satisfy GDC 57 requirements. Therefore, the licensee should justify the isolation provisions for these branch lines.

7. There are several instruments, test connections and branch lines connected to penetration line 1, the refueling water supply line, outside containment. 'The licensee should identify all branch con nections and justify the adequacy of the isolation provisions for these lines in light of GDC 54 and 56 requirements.

8. Penetration line 2, the refueling water return line, branches into four lines inside containment.. Since there is only a singleline penetrating the containment, and because of its safety function, containment isolation valves, per se, are not provided. There are numerous system valves that can be closed to effectively isolate the containment. The acceptability of the system design from the standpoint of their being able to effectively accomplish stated safety functions will be evaluated during the integrated assessment of the plant.

9. GDC 55 and 56 specify that automatic isolation valves should, upon loss of actuating power, take the position that provides greater safety. The position of an isolation valve for normal and shutdown operating conditions, and post-accident conditions, depends on the fluid system function. In the event of power failure to a valve.

operator, the valve position should be consistent with the line func tion. In this regard, separate power supplies for isolation valves in series may be required to assure the isolation of non-essential system lines.

The licensee should provide the information in Table 1 on the staff evaluation (March 3, 1982) on valve positions, whether or not the line is essential, and the isolation signal (including parameters sensed to actuate the signals) for each isolation valve.

The licensee commitments described in Topic VI-4(e) will also affect some of the above differences.

TOPIC NO.

TITLE VI-4 Containment Isolation (Electric)

Appendix A to 10 CFR 50 (GDC 54), as implemented by BTP CSB 6-4, requires that lines which can provide an open path from the containment to the environs (such as purge and vent lines) should be designed with considera tions of minimizing release of containment atmosphere to the environs following a postulated loss of coolant accident.

10 CFR Part 100 provides guideline values for accident dose against which calculated results may be compared.

The staff has determined in its review under multi-plant action B-24 that subject to implementation of the modifications listed below, the plant design is acceptable. The licensee has committed to the following:

1. Lock closed a valve on each containment purge line during MODES 1, 2, 3, and 4. A Technical Specification change will be proposed.

2. Key control and control panel access procedures for sequencer doors will be implemented prior to resumption of power from the next refueling outage.

3. The Block SIS Signal annunciator window will be redesigned prior to resumption of power operations from the next refueling outage.

4. The diesel generator radiation fans will be made a load on emergency power to be placed on line with a delay after SIS/LOP or immediately due to SIS with no loss of offsite power during the next refueling outage.

5. The capability to override the isolation of valves CV-949, 957 and 997 will be eliminated prior to resumption of power operation from the next refueling outage. At the same time, six inside-containment valves of the Reactor Coolant sampling system will be provided with -capability for automatic isolation.

6. During the next refueling outage inside-containment isolation valves with capability for automatic isolation and override provisions will be provided for the steam generator sample lines.

TOPIC NO.

TITLE VI-6 Containment Leak Testing 10 CFR 50, Appendix J, requires periodic leak testing of the primary containment and specifies criteria for the performance of such tests.

The review of this topic is being handled generically through multi-plant action item A-04. At San Onofre 1, the licensee has requested exemptions from certain requirements of the containment leak tests. The staff has granted the requested exemptions with the exception of:

(1) Excluding airlock test requirements during training startups and low power physics tests.

(2) Type A tests to be performed at each refueling or approximately every 18 months if two consecutive Type A tests fail to meet criteria.

Any facility modification necessary as a result of this multi-plant review will be coordinated to the extent possible with other SEP top'ics (e.g., Topic VI-4, Containment Isolation System).

TOPIC NO.

TITLE VI-7.B ESF Switchover from Injection to Recirculation (Automatic ECCS Realignment) 10 CFR 50 (GDC 35), as implemented through SRP 6.3, Regulatory Guide 1.62 and Branch Technical Positions ICSB 20 and RSB 6-1, require in part that the ECCS function not be disabled by a single failure or single operator error.

The staff currently requires some automatic features to realign the ECCS from injection to recirculation modes in order to increase the reliability of long-term core cooling by not requiring operator action to change system realignment to the recirculation mode.

At San Onofre 1, the switchover is performed manually. The procedure is intolerant of small time delays in performing the steps or operator errors.

The RWST level instrumentation is not adequate to assure timely completion of the switchover. The staff recommends automatic features. be provided to terminate full injection flow in a timely manner when low tank level is reached.

TOPIC NO.

TITLE VI-7.C.2 Failure Mode Analysis ECCS 10 CFR 50 (GDC 35), as implemented by SRP 6.3,requires that the systems provided for emergency core cooling (ECCS) be designed so that a single failure will not prevent performance of the safety function.

The ECCS single failure review for San Onofre identified several modifica tions that were desirable for alleviating potential failure modes.

Interim procedures and modifications were made, but permanent solutions were deferred for consideration in the integrated plant safety assessment. The following modifications are included:

1. Installation of a redundant valve in series with valve MOV/LCV 1100C.

2. Installation of redundant control power and instrument air for flow control valves FCV 1115D, E, F.

3. To meet requirements of Topic IX-4, modifications to provide independent and redundant hot leg recirculation flow control capability.

Additional recommendations for design modifications to be considered are:

1. Relocate Air Horn above elevation 4' and provide a drip-proof cover.

2. Provide the following items with a power interrupt device actuated upon SIS operation or replace with qualified units:

Pumps G20A and B, G56, Emergency Thermal Barrier Pump Valves CV276, CV287, CV288, CV412, CV413, CV102,

CV104, CV106, CV542, CV956, MOV822 A and B, HCV602 Misc. Items SV36 and SV73 for Pumps G21A and B, SV37 and SV38 for Pumps G45A and B, SV71 for Pump G39, PC600, TIC 604A and B.

3. Reroute power cables for the following items to provide cable separation:

Pumps G8A and B, G50A and B, G27A and B, G15A, B and C Valves MOV 720A and B

4. Reroute control cables for the following items to provide cable separation:

Pumps G15A, B and C, G3A and B,.G45A and B, G50A and B, G27A AND B, G8A and B, G13A and B Valves MOV/LCV1100B and D, MOV 720A and B, POV 5/SV24 and 6/SV25, and SV 81 and 82

5. Relocate the following items to provide adequate separation or provide the required barriers:

Arrange Vital buses 1, 2, 3, 4 and Utility bus and associated transfer switches to provide.physical separation between the units. Also provide for the physical separation of the input and output cables to those buses.

-2 Separate the vital bus regulators in accordance with the vital bus division established.

6. Provide missile barriers between the following pumps or confirm that the probability of missile impact or the energy of such a missile is sufficiently low:

G50A and B, G15A, B and C, G8A and B

7. Provide missile barriers between the RWST and the following pumps or confirm that the probability of missile impact or the energy of such a missile is sufficiently low:

G50A and B, G27A and B

8. Bypass thermal overload cutout switches for valves MOV 720A and B during SIS condition.

9. Provide isolation relays for PIC 1111X and PC605X controllers, and LS 54 switch contacts.

10. Provide separation and isolation for the pressurizer level and pressure instrumentation in the control room console.

11. Provide separation and isolation for the bistable output relays associated

• with the SIAS.

12. Rewire station lighting system to eliminate presence of both power trains in a transfer switch. Also separate emergency lighting to provide a connection to each of the dc buses while maintaining circuit independence.

13. Remove DC1 power from breaker 12002 on 4160 volt bus 2C and all breakers on 4160 volt bus lB.

Isolate the cabling between breaker positions llCll on 4160 volt bus 1C and 12C11 on 4160 volt bus 2C.

14. Align 480 volt SWGR3 to the power associated with 4160 volt bus 2C and remove the DC1 power from the switchgear. Isolate the cabling between breakers 1103 on 480 volt SWGR I and 1203 on 480 volt SWGR2.

15. Obtain environmental qualification data or replace the following components with qualified units:

LC951, PIC1111A, FCV1115D,

FCV1115E, FCVlll5F, PC605X, I

SV81, SV82, LT1100, POV-5, POV-6

16. Modify breaker circuitry for circulating Air Fans A-10, A-11 and A-12 to ensure they are locked out by the sequencer in the event of an SIS or modify ducting to eliminate possibility of sucking water into fan units.

Many of these recommendations are related to other SEP topics and ongoing NRC.

programs.

TOPIC NO.

TITLE.

VI-lO.A Testing of Reactor Trip System and Engineered Safety Features, Including Response Time Testing 10 CFR 50.55a(h) through IEEE Std. 279-1971, Sections 3(9) and 4.10 require that response time testing be performed on a periodic basis. In addition, Section 4.10, as implemented by Regulatory Guide 1.22 and 1.118, requires periodic functional testing of systems required for safety.

At San Onofre 1,

1. Some reactor trip channels are not checked, tested or'calibrated (manual, startup rate excessive,.safety injection and turbine trip).

2. Channel response time between channel trip and operation of the reactor trip is not tested.

3. Surveillance requirements do not exist in the technical specifications for systems that are required to operate in support of engineered safety features (e.g., component cooling,. salt water cooling systems).

4. One reactor trip signal is not subjected to a channel functional test as frequently as required in standard technical specifications (loss of flow).

5. Power range neutron flux channels do not have a channel functional test and the intermediate and source range.neutron flux channels are not required to be calibrated.

TOPIC NO.

TITLE VII-l.A Isolation of Reactor Protection System from Non-Safety Systems, Including Qualification of Isolation Devices 10 CFR 50.55a(h), as implemented through IEEE Std. 279-1971, requires that safety signals be isolated from non-safety signals and that no credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases. These isolation devices should be safety grade. 10 CFR Part 50 Appendix A (GDC 24) requires that the protection be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection system leaves intact a system satisfying all reliability, redundancy and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

At San Onofre, the following were noted during the topic review:

1. For several RPS circuits there is no isolation between the remote meters, process recorders and the circuit.

a. Pressurizer pressure

b. Pressurizer level

c. Steam to feedwater flow mismatch

d. Startup rate neutron monitor

e.

High flux level

2. There is no isolation between the steam to feedwater flow mismatch system and the Optimac computer that controls steam generator flow and level.

3. There is.

insufficient isolation between the data logger and the nuclear instrument systems.

The staff's position is that suitably qualified isolators should be provided or that the acceptability of the present design be justified by the licensee.

As a part of any justification, the "action pak" and multi-pen recorders should be described to the level suggested in Sections 7.2 and 7.3 of Regulatory Guide 1.70. Also, the licensee should provide a comparison between the standards applicable to the designs of the meters and those used in the design of the remainder of the reactor protection system.

S TOPIC NO.

TITLE VII-2 Engineered Safety Features (ESF) System Control Logic and Design 10 CFR 50 (GDC 22 and 24) and IEEE 279-1971, as implemented by SRP Sections 7.1 to 7.3,requires that the protection systems be designed such that failure of a single control system component does not impair the protection system function. Isolation devices should be provided on protection system signal transmissions to control systems, Independence of redundant logic trains is needed.

Insufficient information was available to evaluate the isolation between the input signal channels in the safeguard load sequencing system logic.

- Insufficient information was available to evaluate the isolation between the input signal channels in the Foxboro containment isolation.system logic (containment pressure).

TOPIC NO.

TITLE VII-3 Systems Required for Safe Shutdown 10 CFR 50.55a(h), through EEE Std. 279-1971, as implemented by SRP Section 7.1, requires, tn part, that vital instrumentation should not be impaired by a stngle failure.

The component cooling water surge tank level indication does not satisfy the stngle failure criterion.

10 CFR 50 (GDC 19 and 34), as implemented by SRP Section 5.4.7, BTP RSB 5-1 and Regulatory Guide 1.139, require that the plant can be taken from normal operating condittons to cold shutdown using only safety-grade systems assuming a single failure and only onsite or only offsite power. This capability should exist both in the control room and from outside the control room with suttable procedures.

In addition, the seismtc Class I auxiliary feedwater inventory should be sufficient to cooldown to RHR system initiation under the above conditions.

For San Onofre 1, the following are noted:

1. The Technical Specification limits do not ensure that sufficient water is stored in Seismic Category:I supplies to perform a cooldown in accordance with the review criteria.

2. A failure of the single pump suction from the condensate storage tank would prevent the auxiliary feedwater system from supplying feedwater to the steam generators even without a concurrent single failure. A fire hose is connected from the CST to the pump suction as a backup.

Also, the main feedwater system could be used to feed the generators.

The licensee has proposed conceptual system design modifications to the auxiliary feedwater system. The implementation schedule is still under review.

TOPIC NO.

TITLE VIII.-l.A Potential Equipment Failures Associated with Degraded Grid Voltage 10 CFR 50 (GDC 17) requires an onsite and offsite electric.power system to provide functioning of structures, systems and components important to safety. The topic is being evaluated generically through multi-plant actions B-23, "Degraded Grid Voltage Protection for Class 1E Power Systems" and B-48, "Adequacy of Station Electrical Distribution Voltages."

Class 1E equipment should be protected from degraded voltage or loss of voltage conditions.

The existing under-voltage protection system at San Onofre 1 does not meet staff requirements for:

1. Coincidence logic-for the voltage protection to preclude spurious trips.

2. Technical Specifications that include limiting conditions -for opera tion, surveillance requirements, trip setpoints with minimum and maximum limits and allowable values for the second-level voltage protection monitors.

The licensee has proposed modifications and Technical Specifications which are acceptable to the staff subject to completion of review of the verification testing results.

The implementation schedule has not been established.

TOPIC NO.

TITLE VIII-3.B DC Power SystemBus Voltage Monitoring and Annunciation 10 CFR 50.55a(h), through IEEE Std. 279-1971, as implemented by SRP 8.3.2, requires in part that the operations be provided with timely indication of operating status and availability under accident conditions of dc power systems.

As noted in the staff safety evaluation of this topic, the San Onofre 1 control room has no indication of battery current, battery charger current and dc bus voltage (for bus #2) or breaker/fuse status.

TOPIC NO.

TITLE VIII-4 Electrical Penetrations of Reactor Containment 10 CFR 50 (GDC 50) as implemented in Regulatory Guide 1.63 and SRP 8.3.1 and 8.3.2, requires that the containment penetration assemblies be designed so that they can withstand, without exceeding design leakage,rate, the calculated temperature and pressure conditions resulting from any loss of-coolant accidents.

Some penetrations at San Onofre 1 may exceed limiting material temperatures due to post LOCA environment and presence of a fault current.

The staff proposes that the design of backup protection for most low voltage ac and all dc penetrations be modified to provide adequate coordinated protection against all postulated faults inside of containment assuming the failure of the primary protection device.

Removal of power, tripping on ESF initiation and provision of additional interrupting devices are acceptable alternatives.

TOPIC NO.

TITLE IX-3 Station Service and Cooling Water Systems 10 CFR 50 Appendix A (GDC 44) as implemented by SRP Sections 9.2.1 and 9.2.2 requires a system to transfer heat from structures, systems and components important to safety, to an ultimate heat sink; this system shall have suitable redundancy in components and features, and suitable interconnections, leak detection and isolation capabilities to assure that for onsite or offsite power system operation the system safety function can be accomplished, assuming a single failure.

The staff notes the following:

1. The licensee should demonstrate that required component cooling water (CCW) and salt water cooling (SWC) system realignment can be performed prior to exceeding the CCW temperature design limit following a main steam line break with failure of diesel generator 2.

2. The licensee should demonstrate independence of CV-737A and B, including physical routing of controls, power supplies, separation.

3. The licensee should show that postulated passive failures in the CCW system will not prevent accomplishment of the system s.afety functions.

4. The licensee should provide an evaluation addressing closure of the tsunami or stop gates in a post-accident scenario, or proposed corrective measures.

5. The licensee should verify that no single failure of the controls (including the interlocks) of POV5, POV6, MOV720A, and MOV720B will result in a loss of cooling to essential systems considering past experience (see SER).

6. The licensee should provide the results of an evaluation addressing the effects of loss of bearing flow on SWC pump performance.

7. The licensee should justify why the present SWC design is acceptable without check valves downstream of the individual pump discharges.

TOPIC NO.

TITLE IX-5 Ventilation Systems 10 CFR 50 Appendix A (GDC's 4, 60 and 61) as implemented by SRP Sections 9.4.1, 9.4.2, 9.4.3, 9.4.4, and 9.4.5 requires that the ventilation systems shall have the capability to provide a safe environment for plant personnel and for engineered safety features.

Insufficient information has been provided for the staff to conclude that the ventilation system for the following safety-related equipment is adequate.

(1) 480V switchgear room (2) 4160V switchgear room (3) Battery room (for removal of hydrogen)

(4) Equipment in reactor auxiliary building (effects of loss of supply air handler)

TOPIC NO.

TITLE XV-1 Increase in Feedwater Flow, Decrease in Feedwater Temperature, Increase in Steam Flow and Inadvertent Opening of a Steam Generator Relief or Safety Valve 10 CFR 50 (GDC 10, 15, 26) as implemented by SRP 15.1.2 requires that the reactor core and associated protection systems be designed with sufficient margin so that acceptable fuel design, limits and design conditions of the reactor coolant'pressure boundary are not exceeded during anticipated opera tional occurrences.

The analyses of the increase in feedwater flow event depends on operator action to-terminate the feedwater flow to prevent overfilling the steam generator. The consequences of such overfilling have not been evaluated.

Task A-47 of the USI program is also considering this issue.

The licensee should show that a delay in operator action for ten minutues would not result in.violation of design limits;

TOPIC NO.

TITLE XV-2 Spectrum of Steam System Piping Failure Inside and Outside Containment 10 CFR 50 (GDC 27 and 28 and Section 50.34) require that systems be designed so that postulated reactivity addition events do not impair the capability to cool the core. GDCs 14 and 31 require that the reactor coolant pressure boundary be designed with sufffcient margin to assure that under postulated accident conditions, the probability of rapidly propogating fracture is minimized.

The simultaneous blowdown of all three generators can cause a pressurized thermal shock to the reactor pressure vessel. The staff is still evaluating the effects of thermal shocks as a generic issue USI (A-49).

A single failure of the motor-driven auxiliary feedwater pump could disable decay heat removal via the steam generators and require a primary feed and bleed cooldown method. The emergency procedures address operator realign ment of a main feedwater pump from safety injection mode to feed the steam generators; however, the qualification of the main feedwater path to function under accident conditions has not been shown.

TOPIC NO.

TITLE XV-7 Reactor Coolant Pump Rotor Seizure or Shaft Break Appendix A to 10 CFR Part 50 (GDC 27, 28 and 37) as implemented by Standard Review Plan Sections 15.3.3 and 15.3.4, require that the effects of postulated reactivity events can neither result in damage to the reactor coolant pressure boundary greater than limited local yielding nor sufficiently disturb the core, its support structures of other reactor pressure vessel internals to impair significantly the capability to cool the core. 10 CFR Part 100.11 provides dose guidelines for reactor siting against which calculated accident dose consequences may be compared.

For San Onofre 1, a transient analysis of the effects of a pump rotor seizure or shaft break has not been performed.

In addition, the staff was unable to conclude that peak reactor coolant pressure during a loss of forced coolant flow would remain below 110% of design pressure.