ML17054A200

Forwards Request for Addl Info on FSAR Chapter 7 Re Instrumentation & Control Sys. Proposed Schedule for Meetings to Discuss Requests for Info Should Be Provided within 21 Days
Person / Time
Site: Nine Mile Point
Issue date: 10/24/1983
From: Schwencer A
Office of Nuclear Reactor Regulation
To: Rhode G
NIAGARA MOHAWK POWER CORP.
References
NUDOCS 8311080451


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

OCT 24 1983

Docket No. 50-410

Mr. Gerald K. Rhode
Senior Vice President
Niagara Mohawk Power Corporation
300 Erie Boulevard West
Syracuse, New York 13202

Dear Mr. Rhode:

Subject: Nine Mile Point 2, OL Safety Review - Request for Additional Information on Instrumentation and Control

We have completed our initial review of the Instrumentation and Control Systems Section (Chapter 7) for Nine Mile Point Unit 2 FSAR.

In order to complete our review of this area, additional information as indicated in the enclosure is required.

The enclosed request for information is designed to be used as the basis of discussions between the NRC staff and your staff and consultants at a series of meetings.

As a result of the meetings and continuation of our review, we anticipate that other questions and concerns will arise.

Thus, the enclosed items should not be considered a complete enumeration of items to be resolved prior to issuing a Safety Evaluation Report.

During the first meeting to be held, the requests for information are to be discussed and clarifications will be provided as required.

For subsequent meetings, the items should be grouped in sets so that each set can be discussed at an individual meeting lasting between one and five working days.

During these meetings you should also be prepared to discuss instrumentation and control interfaces.

Within 10 days of receipt of this letter you should contact the Licensing Project Manager to arrange a schedule for the first meeting.

Within 21 days of receipt of this letter a proposed schedule for the meetings to discuss the requests for information should be provided.

This schedule should include the request numbers to be discussed at each meeting.

The schedule for formal responses to these requests will be determined during these meetings.


To aid us in our preparation for these meetings, please provide the identification numbers of the drawings to be used in the discussion of each item two weeks in advance of each meeting.

If you have any questions concerning the above information or the enclosed request for additional information, please call the Licensing Project Manager, Mary F. Haughey, at (301) 492-7897.

Sincerely,

Original signed by

A. Schwencer, Chief
Licensing Branch No. 2
Division of Licensing

Enclosure:
As stated

cc w/enclosure:
See next page

DISTRIBUTION:
Document Control
NRC PDR
L PDR
NSIC
PRC
LB#2 Rdg.
EHylton
MHaughey
MVirgilio
BBordenick, OELD
ACRS (16)
ELJordan, DEJA:IE
JMTaylor, DRP:IE
Region I, RA

DL:LB#2/PM MHaughey:kw 10/ /83
DL:LB#2/BC ASchwencer 10/ /83


Nine Mile Point 2

Mr. Gerald K. Rhode
Senior Vice President
Niagara Mohawk Power Corporation
300 Erie Boulevard West
Syracuse, New York 13202

cc:

Mr. Troy B. Conner, Jr., Esq.
Conner & Wetterhahn
Suite 1050
1747 Pennsylvania Avenue, N.W.
Washington, D. C. 20006

Mr. Richard Goldsmith
Syracuse University
College of Law
E. I. White Hall Campus
Syracuse, New York 13210

Mr. Jay Dunkleberger, Director
Technological Development Programs
New York State Energy Office
Agency Building 2
Empire State Plaza
Albany, New York 12223

Ezra I. Bialik
Assistant Attorney General
Environmental Protection Bureau
New York State Department of Law
2 World Trade Center
New York, New York 10047

Resident Inspector
Nine Mile Point Nuclear Power Station
P. O. Box 126
Lycoming, New York 13093

Mr. John W. Keib, Esq.
Niagara Mohawk Power Corporation
300 Erie Boulevard West
Syracuse, New York 13202

Jay M. Gutierrez, Esq.
U. S. Nuclear Regulatory Commission
Region I
631 Park Avenue
King of Prussia, Pennsylvania 19406

Nine Mile Point 2

Request for Additional Information

Instrumentation and Controls

Following are items for discussion at one or more meetings with the applicant to provide the NRC staff with information required to better understand the design bases and design implementation for the instrumentation and control systems of the Nine Mile Point-Unit 2 facility.

The applicant's staff should be prepared to use instrumentation and control schematics, functional control diagrams and P & I diagrams at the meetings in explaining system designs and to provide verification that design bases and regulatory criteria are met.

During the meetings, specific items requiring additional documentation in the FSAR will be identified.

421.1 (7.1)

FSAR Section 7.1 does not address the Branch Technical Positions (BTPs) related to instrumentation and control systems listed in the SRP Table 7.1 and provided in Appendix 7-A to Chapter 7 of the SRP. Provide a detailed discussion using drawings (schematics, P&IDs, etc.) to demonstrate that the Nine Mile Point-Unit 2 design conforms to the guidance provided in the BTPs applicable to the design or the basis for the alternate solution provided for the particular design problem identified in the BTPs.

421.2 (7.1) (7.2) (7.4) (7.5) (7.6)

Table 3.2-1 of the FSAR provides a "Q-List" of structures, systems and components whose safety functions require conformance to applicable quality assurance requirements of 10 CFR Part 50, Appendix B. Verify that all safety-related instrumentation and controls (I&C) described in Section 7.1 thru 7.6 and other safety-related I&C equipment used in safety-related systems are subject to your Appendix B QA program. In addition, indicate conformance to this requirement by annotation to Table 3.2-1.

421.3 (7.1) (7.2) (7.3) (7.4) (7.5) (7.6)

Identify any "first-of-a-kind" instruments used in or providing inputs to safety-related systems. Identify each application of a microprocessor, multiplexer or computer system where they are in or interface with safety-related systems.

421.4 (7.1) (7.2) (7.3) (7.4) (7.5) (7.6)

Section 7.1.2.3 of the FSAR provides a brief discussion on conformance to Reg. Guide 1.47. Discuss in detail the design of the bypassed and inoperable status indication using detailed schematics. Include the following information in the discussion:

1. Compliance with the recommendations of Reg. Guide 1.47 and Reg. Guide 1.22 Position D.3a and 3b.

2. The design philosophy used in the selection of equipment/systems to be monitored, including auxiliary and support systems.

3. How the design of the bypass and inoperable status indication systems comply with Positions B1 through B6 of ICSB Branch Technical Position 21.

4. The list of system automatic and manual bypasses as it pertains to the recommendations of Reg. Guide 1.47.

5. Discuss hardware features employed to provide a consolidated, human factored, display of the bypassed and inoperable status of ESF equipment.

421.5 (7.1)

Section 7.1.2.3 of the FSAR references Section 8.3 for a description of the Nine Mile Point-Unit 2 physical and electrical separation criteria. Section 8.3.1.4 includes a brief discussion on the physical separation provided within panels, instrument racks and control boards for the instrumentation and control circuits of different divisions. Describe in detail how physical separation is maintained within the panels, racks and boards for those cases where a 6 inch air space cannot be maintained. Provide a summary of the analysis and testing performed to support this lesser separation. Include in the discussion the separation provided for associated circuits, internal wiring identification and the use of common terminations.

421.6 (7.1)

Identify any safety systems that are shared by both units. Discuss design criteria for instrumentation and controls shared between units.

421.7 (7.1)

Provide an overview of the plant electrical distribution system with emphasis on the reactor protection system (i.e., reactor trip, engineered safety features actuation and supporting features) instrumentation including the sensors, logic, and actuation relay power supplies and divisional separation as a background for addressing FSAR Chapter 7 concerns. Use one-line diagrams and other drawings as appropriate.

421.8 (7.1)

10 CFR Part 50, Appendix A, states in (footnote 2) the definition of a single failure that "single failures of passive components in electrical systems should be assumed in designing against single failure." Confirm that the assumptions of the transient and accident analyses performed for Nine Mile Point-Unit 2 include single failures of passive components in electrical systems.

421.9 (7.1)

Table 7.1-2 of the FSAR provides a listing of the safety related systems similarity to licensed reactors. Correct the typographical error under the heading "Similarity of Design" for the high pressure/low pressure interlocks.

421.10 (7.1)

Section 1.10 of the FSAR provides a response to NUREG-0737. The discussion on item II.D.3 does not mention alarms associated with the valve position indication. Confirm that alarms are provided in conjunction with the position monitoring system. The discussions on items II.K.3.13, II.K.3.21 and II.K.3.22 briefly address modifications that will be made to the RCIC and HPCS systems. Provide a detailed discussion on the design modifications proposed for these systems. Use one-line diagrams and other drawings as appropriate.

421.11 (7.1)

Table 7.1-3 of the FSAR provides a listing of regulatory requirements, Reg. Guides and IEEE Standards and the safety systems to which they pertain. Table 7.1-3 indicates that Reg. Guide 1.53 is not a design basis, and that the FSAR text provides a description of the extent of design agreement. From a review of the Chapters 7.2 thru 7.6 the staff has not found sufficient information to identify the differences between the Nine Mile Point-Unit 2 and the provisions of the Reg. Guide. Therefore, provide a detailed description of the conformance to each Regulatory Position of Reg. Guide 1.53 for those systems addressed in Chapters 7.2 thru 7.6 of the FSAR.

421.12 (7.1)

Table 7.3-1 of the FSAR includes the following notation: "(3) The extent of implementation for the requirements of Regulatory Guide 1.75 for NSSS are as follows:

a. Isolators or physical separation may be provided without affecting building or control room arrangement.

b. Physical separation between divisions of essential systems and between essential systems and essential circuits must be maintained for all essential NSSS systems except the NMS, the RPS, the PRMS, and the CRD hydraulic system."

Provide a discussion clarifying the intent of these statements.

421.13 (7.1) (7.2) (7.3) (7.4) (7.5) (7.6)

Various instrumentation and control system circuits in the plant rely on certain devices to provide electrical isolation capability in order to maintain the independence between redundant safety-related circuits and between safety-related circuits and nonsafety-related circuits. Provide the following information:

(1) Identify the types of isolation devices which are used as boundaries to isolate nonsafety-related circuits from the safety-related circuits or to isolate redundant safety-related circuits.

(2) Provide a summary of the purchase specifications for each isolation device identified in response to part (1) above.


(2) Provide a summary of the performance characteristics from the purchase specifications for each isolation device identified in response to part (1) above.

(3) Describe the type of testing that was conducted on the isolation devices to ensure adequate protection against the effects of electromagnetic interference, short-circuit failures (line to line and line to ground), voltage faults, and/or surges.

421.14 (7.1) (7.2)

Section 7.2.1.2.2 of the FSAR includes a discussion on the scram discharge volume water level scram input. The discussion provided is not consistent with the reactor protection system elementary diagram (807E166TY) incorporated by reference in the FSAR. Revise the FSAR text or diagram to resolve this discrepancy. Either confirm that the other drawings listed in Tables 7.1-1 and 7.1-2 of the FSAR reflect the design of Nine Mile Point - Unit 2 or provide the revised drawings for the staff's review.

421.15 (7.1) (7.3) (7.7)

Table 7.1-2 of the FSAR provides a listing of the safety related systems similarity to licensed reactors. Eleven systems are shown to have no similarity. For these systems sufficient design details have not been provided to enable the NRC staff to verify conformance to the acceptance criteria of the Standard Review Plan (NUREG-0800). For each of these systems provide a detailed comparison of the design to the applicable requirements and recommendations delineated in Table 7-1 of NUREG-0800. Specifically identify and justify deviations from these provisions.

421.16 (7.2)

Section 7.2.1.2 of the FSAR includes a brief discussion on the solenoid-operated back-up scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. Provide a discussion on this portion of the protection system design including: power supplies, control room indication of valve position, periodic testing, and electrical independence from the scram pilot valve solenoids actuation circuits.

421.17 (7.2) (7.3)

Section 7.2.2 of the FSAR states that the turbine scram inputs are not guaranteed to function during a seismic event. The NRC staff recognizes that full conformance to IEEE 279 and associated standards is not possible in those plants where the turbine building is not a seismic Category I structure. The acceptability of these limitations is subject to the implementation of a system which is as reliable as reasonably achievable. To assure adequate reliability, verify that the design up to the trip solenoids conforms to those Sections of IEEE 279 concerning single failure (Section 4.2), Quality (Section 4.3), Channel Integrity (Section 4.5 excluding seismic), Channel Independence (Section 4.6), and Testability (Section 4.10). Further:

(1) Verify that the design includes a highly reliable power source which assures availability of the system.

(2) Using detailed drawings, describe the routing and separation for this trip circuitry from the sensor in the turbine building to the final actuation in the reactor trip system.

(3) Discuss how the routing within the non-seismically qualified turbine building is such that the effects of credible faults or failures in the area on these circuits will not challenge the reactor trip system and/or degrade the reactor trip system performance. This should include a discussion of isolation devices.

(4) Identify any other sensors or circuits used to provide input signals to the reactor protection system (reactor trip, engineered safety features and supporting features, RCIC) or perform a safety-related function which are located or routed through non-seismically qualified structures. Discuss the degree of conformance to IEEE 279 and associated standards.

421.18 (7.2) (7.3)

Provide a detailed discussion on the methodology used to establish the technical specification trip setpoints and allowable values for the Reactor Protection System (including Reactor Trip and Engineered Safety Feature channels) assumed to operate in the FSAR accident and transient analyses. Include the following information:

(1) The trip setpoint and allowable value for the technical specifications.

(2) The safety limits necessary to protect the integrity of the physical barriers which guard against uncontrolled release of radioactivity. The safety limits should be the limits established for licensing purposes, for example the technical specification safety limits on minimum critical power ratio (1.06), and reactor coolant system pressure (1325 psig).

(3) The values assigned to each component of the combined channel error allowance (e.g., modeling uncertainties, analytical uncertainties, transient overshoot, response time, trip unit setting accuracy, test equipment accuracy, primary element accuracy, sensor drift, nominal and harsh environmental allowances, trip unit drift), the basis for these values, and the method used to sum the individual errors. Where zero is assumed for an error a justification that the error is negligible should be provided.

(4) The margin (i.e., the difference between the safety limit and the setpoint less the combined channel error allowance).

(5) Identify any trip for which the setpoint and allowable value in the technical specifications will be assigned best estimate values and for which you do not have an analysis of errors and/or uncertainties to confirm that the trip function will occur before the actual value of the measured parameter exceeds that assumed in the plant safety analysis. Provide justification for this nonanalytical approach.

421.19

No description of the instrumentation and controls has been provided in Chapter 7 of the FSAR relating to the Anticipated Transient Without Scram (ATWS) recirculation pump trip. Provide a discussion on the ATWS mitigating features of the Nine Mile Point Unit-2 design.

421.20 (7.2) (7.3) (7.4)

Operating reactor experience indicates that a number of failures have occurred in BWR reactor vessel level sensing lines and that in most cases the failures have resulted in erroneously high reactor vessel level indication. For BWRs, common sensing lines are used for feedwater control and as the basis for establishing vessel level channel trips for one or more of the protective functions (reactor scram, MSIV closure, RCIC, LPCI, ADS or HPCS initiation). Failures in such sensing lines may cause a reduction in feedwater flow and consequential defeat of a trip within the related protective channel. If an additional failure, perhaps of electrical nature, is assumed in a protective channel not dependent on the failed sensing line, protective action may not occur or may be delayed long enough to result in unacceptable consequences. This depends on the logic for combining channel trips to achieve protective actions.

Identify each case where a reactor vessel water level tap or sensing line failure concurrent with an additional random single electrical failure induces a transient and precludes the automatic operation of reactor scram and/or engineered safety feature system. For each case identified provide an evaluation which demonstrates how the redundancy or diversity of the plant design provides for reactor scram or safety system operation within acceptable limits. Where manual action is required by the operators discuss the instrumentation and time available for the operator to take such corrective action.

To reduce the consequences of sensing line failures in combination with a single failure in a protection channel not dependent on the failed sensing line, a modification of the protection system logic may be required. Logic configurations which may be considered for NRC approval on this plant are described in the BWR owners group study entitled "Review of BWR Reactor Vessel Water Level Measurement Systems", SLI-8211, prepared by S. Levy Inc.

421.21 (7.2) (7.3)

Identify each case where instrument sensors or transmitters supplying information to more than one protection channel are located in a common instrument line or connected to a common instrument tap. Verify that a single failure in a common instrument line or tap (such as break or blockage) cannot defeat required protection system redundancy.

421.22 (7.2) (7.3) (7.4)

Section 7.5.1.1.1 of the FSAR discusses the transmitter trip unit main control room indication. The FSAR states that each monitored variable for the reactor protection system (including the reactor trip, engineered safety features actuation and supporting features, and the RCIC) is sensed by an analog transmitter that continually transmits a signal proportioned to the variable, to a trip unit located in the main control room. Confirm that the trip units used at Nine Mile Point - Unit 2 are those described in the General Electric Topical Report NEDO-21617, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Trip Input", or provide the details of the design of the trip units used. Define the designation "master trip unit" used in Section 7.5.1.1.1 of the FSAR.

421.23 (7.2) (7.3) (7.4) (7.5)

Provide an evaluation of the effects of high temperatures on reference legs of water level measuring instruments subsequent to high-energy line breaks, including the potential for reference leg flashing/boil off, the indication/annunciation available to alert the control room operator of erroneously high vessel level indications resulting from high temperatures, and the effects on safety systems actuation (e.g., delays).

421.24 (7.2) (7.3) (7.5) (7.6)

The design of the instrumentation channels, logic and actuation devices of nuclear plant safety systems should include provisions for surveillance testing. Guidance is included in Reg. Guide 1.118 and IEEE Standard 338 for implementing the requirements of IEEE Standard 279, which requires in part that systems be designed to permit periodic testing during reactor operation. Section 3.1.2.21 includes a brief description of the at-power testing capability of the reactor protection system. However, sufficient information has not been provided to determine the acceptability of the at-power testing capabilities provided in the Nine Mile Point - Unit 2 design.

Provide a detailed discussion with illustrations from applicable drawings on the at-power testing capability of the reactor trip system, engineered safety features actuation system and auxiliary supporting features, the actuation instrumentation for the reactor core isolation cooling system, and the instrumentation and controls that function to prevent accidents (i.e., high pressure/low pressure interlocks) or terminate transients (i.e., level 8 - turbine trip). This discussion should include the sensors, signal conditioning circuitry, voting logic, actuation devices and actuated components. Include in the discussion those design features that will initiate protection systems automatically, if required during testing, upon receipt of a valid initiation signal.

421.25 (7.2) (7.3) (7.4) (7.6) (7.7)

Reg. Guide 1.118, which provides guidance with respect to periodic testing of the reactor protection system (reactor trip, engineered safety features and supporting systems, RCIC) excludes lifting of leads to perform surveillance tests and accepts opening of a breaker to perform surveillance tests only if opening of the breaker causes the trip of the associated channel. Confirm that the Nine Mile Point-Unit 2 surveillance tests will conform to the above cited guidance.

421.26 (7.2) (7.3) (7.4) (7.5) (7.6) (7.7)

Section 7.3.1.2.2 of the FSAR references Chapter 16 for the minimum number of sensors required to monitor safety-related variables. The final version of Chapter 16 (Technical Specifications) has not yet been submitted. For each monitored variable that provides an input to a safety-related system (i.e., reactor trip, engineered safety features, reactor core isolation cooling, recir. pump trip, control rod block) list the total number of channels provided and the minimum number of channels required to be operable that will be proposed in Chapter 16. Confirm that the single failure criterion can be satisfied for each case where the minimum number of operable channel requirement that will be proposed is less than the total number of channels provided.

421.27 (7.2) (7.3) (7.7)

Mode switch contact and mode switch operating mechanism malfunctions have caused inadvertent protective actions. Similar malfunctions could have rendered redundant channels of protective functions inoperable. IE Information Notice 83-42 provided notification of potentially significant events concerning mode switch malfunctions. Section 7.2.1 of the FSAR indicates that the reactor mode switch is used to bypass and enable protective functions, rod withdrawal interlocks and refueling equipment interlocks. Provide a detailed discussion on how the mode switch is incorporated into the overall design, supplemented with detailed drawings and schematics. Please include the following:

(1) Identification of the reactor protection system, rod block, refueling interlock and other functions important-to-safety that are dependent on proper mode switch contact operation.

(2) Identification of the analyzed transients and accidents where credit is taken for the operation of any function identified in (1) above.

(3) The surveillance actions necessary to positively verify mode switch contact positions, detect mode switch contact failures and detect mode switch operating mechanism failures for each function identified in (1) above.

421.28 (7.3)

Provide a detailed response to the concerns addressed by IE Bulletin 80-06 (Engineered Safety Feature (ESF) Reset Controls) issued to operating reactors March 13, 1980. For all safety-related equipment which does not remain in its emergency mode following an ESF reset, provide adequate justification for the change of state of each piece of equipment or proposed corrective actions to prevent such changes (e.g., equipment returning to its normal operational status).

421.29 (7.2) (7.3) (7.4) (7.5)

Regulatory Guide 1.70, Section 7.3.2 recommends that a failure mode and effects analysis (FMEA) be provided. In addition to postulated accidents and failures Reg. Guide 1.70 recommends that the analysis consider loss of plant instrument air systems and loss of cooling water to vital equipment. Verify that the FMEA performed meets the recommendations of Reg. Guide 1.70 and address the following:

a) Applicability of the FMEA to all ESF equipment.

b) Applicability of the FMEA to all design changes and modifications to date.

c) Provisions which exist to assure that future design changes or modifications are included in the FMEA.

421.30 (7.3)

Section 7.3.2.1.3 of the FSAR includes a discussion on how the Nine Mile Point-Unit 2 design conforms to the recommendations of Reg. Guide 1.62. This discussion does not include the permissive logic. From the staff's review, it appears that the logic for manual initiation for several Engineered Safety Feature (ESF) systems is interlocked with permissive logic from various sensors. In some cases it appears that the permissive logic is dependent upon the same sensors as those used for automatic initiation of the system. It is the staff's position that the capability to manually initiate each safety system should be independent of permissive logic, sensors, and circuitry used for automatic initiation of that system. Identify each safety system at Nine Mile Point-Unit 2 which is interlocked as described above and provide proposed modifications or justification for the existing design.

421.31 (7.3)

Section 7.3.1.1.3 of the FSAR addresses the RHR Containment Spray Cooling Mode. The conditions (permissives) that must be satisfied to initiate spray include an LPCI initiation signal, drywell high pressure signals and LPCI injection valves closed signals. Provide a discussion on the capability to initiate containment spray independent of these permissives.

421.32 (7.3)

FSAR Section 7.3.2.1.2 discusses the engineered safety features actuation instrumentation's conformance to IEEE Standard 279. Paragraph 4.12 of FSAR Section 7.3.2.1.2 identifies the low condenser vacuum bypass as an operating bypass imposed and removed manually, but provides no justification for this deviation from the regulatory requirements. Provide a detailed discussion on the design of this operating bypass including justification for not providing automatic removal of the bypass whenever permissive conditions are not met.

421.33 (7.3)

Section 7.3.1.1.2 of the FSAR discusses the high ambient and high differential temperature inputs to the PCRVICS. From a review of the schematics referenced in FSAR Table 1.7-1 (807E152TY and 807E154TY) it appears that the isolation function is accomplished by high ambient temperature switches only. Revise the FSAR text or FSAR referenced schematics to resolve this discrepancy.

421.34 (7.4)

Section 7.4.1.4 of the FSAR provides information on the Remote Shutdown System (RSS). Attachment 1 provides the Instrumentation and Control Systems Branch (ICSB) guidance for remote shutdown capability. The attachment provides guidance for meeting the requirements of GDC 19. Provide supplemental information to identify the extent that the design of the RSS at Nine Mile Point-Unit 2 conforms to the guidance provided in Attachment 1. Include the following information in your discussion using drawings as appropriate:

a) Design criteria for the remote control station equipment including the transfer switches and separation requirements for redundant functions.

b) Discuss the separation arrangement between safety related and nonsafety-related instrumentation and controls on the auxiliary shutdown panel.

c) Location of transfer switches and the remote control stations.

d) Description of isolation, separation and transfer/override provisions. This should include the design basis for preventing electrical interaction between the control room and remote shutdown equipment.

e) Description of the administrative and procedural control features to both restrict and to assure access, when necessary, to the displays and controls located outside the control room.

f) Description of any communication systems required to coordinate operator actions, including redundancy and separation.

g) Means for ensuring that cold shutdown can be accomplished.

h) Description of control room annunciation of remote control or override status of devices under local control.

i) Discuss the proposed start-up test program to demonstrate remote shutdown capability in accordance with the guidance provided in R.G. 1.68.2.

j) Discuss the testing to be performed during plant operation to verify the capability of maintaining the plant in a safe shutdown condition from outside the control room.

k) Discuss the equipment classification using the guidelines contained in FSAR Table 3.2-1.

421.34 ATTACHMENT 1

ICSB GUIDANCE FOR THE INTERPRETATION OF GENERAL DESIGN CRITERION 19 CONCERNING REQUIREMENTS FOR REMOTE SHUTDOWN STATIONS

A. BACKGROUND

GDC 19 requires that equipment at appropriate locations outside the control room be provided to achieve a safe shutdown of the reactor.

Recent reviews of remote shutdown station designs have demonstrated that some designs cannot accommodate a single failure in accordance with the guidance of SRP Section 7.4 (Interpretation of GDC-19).

The following provides supplemental guidance for the implementation of the requirements of GDC-19 concerning remote shutdown stations.

Requirements for remote shutdown capability following a fire are detailed in Appendix R to 10 CFR 50.

It should be noted that although GDC 19 and Appendix R requirements are complementary, the potential exists that modifications to bring a design into conformance with GDC 19 will violate Appendix R criteria and vice versa.

For example, remote manual devices for a second division of instrumentation and controls added to satisfy single failure requirements would not be acceptable if the added devices were located in the same fire area as existing transfer switches in the redundant division.

In addition, transfer switches added to isolate the remote shutdown equipment from the control room fire area would not be acceptable if they disable ESF actuation, unless this is done in accordance with item B6 below.

The acceptability of remote shutdown station designs given a fire is determined by the Auxiliary Systems Branch (ASB) as outlined in Section 9.5.1 of the SRP.

B. ICSB GUIDANCE

To Meet GDC-19 As Interpreted In SRP Section 7.4

1) The design should provide redundant safety grade capability to achieve and maintain hot shutdown from a location or locations remote from the control room, assuming no fire damage to any required systems and equipment and assuming no accident has occurred. The remote shutdown station equipment should be capable of maintaining functional operability under all service conditions postulated to occur (including abnormal environments such as loss of ventilation), but need not be environmentally qualified for accident conditions unless environmental qualification is required for reasons other than remote shutdown. The remote shutdown station equipment, including indicators, should be seismically qualified.

2) Redundant instrumentation (indicators) should be provided to display to the operator(s) at the remote shutdown location(s) those parameters which are relied upon to achieve and verify that a safe shutdown condition has been attained.

3) Credit may be taken for manual actions (exclusive of continuous control) of systems from locations that are reasonably accessible from the Remote Shutdown Stations. Credit may not be taken for manual actions involving jumpering, rewiring, or disconnecting circuits.

4) The design should provide redundant safety grade capability for attaining subsequent cold shutdown through the use of suitable procedures.

5) Loss of offsite power should not negate shutdown capability from the remote shutdown stations. The design and procedures should be such that following activation of control from the remote shutdown location, a loss of offsite power will not result in subsequent overloading of essential buses or the diesel generator. Manual restoration of power to shutdown loads is acceptable provided that sufficient information is available such that it can be performed in a safe manner.

6) The design should be such that if manual transfer of control to the remote location(s) disables any automatic actuation of ESF equipment, this equipment can be manually placed in service from the remote shutdown station(s). Transfer to the remote location(s) should not change the operating status of equipment.

7) Where either access to the remote shutdown station(s) or the operation of equipment at the station(s) is dependent upon the use of keys (e.g., key lock switches) access to these keys shall be administratively controlled and shall not be precluded by the event necessitating evacuation of the control room.

8) The design should comply with the requirements of Appendix R to 10 CFR 50.

421.35 (7.4) Section 7.4.1.2 of the FSAR states that the Standby Liquid Control System (SLCS) is separated both physically and electrically from the Control Rod Drive system. The discussion does not address separation between redundant portions of the SLCS. Provide a detailed discussion on the electrical and physical separation provided between the redundant portions of the SLCS.

421.36 (7.5) The NRC staff has recently issued Revision 2 to Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident" via Supplement 1 to NUREG-0737. This Reg. Guide revision reflects a number of major changes in post-accident instrumentation. Supplement 1 to NUREG-0737 includes specific Reg. Guide 1.97 implementation requirements for plants in the operating license review stage.

Provide a description of how the Nine Mile Point-Unit 2 design conforms to the provisions of Reg. Guide 1.97, Revision 2. This description should be in the form of a table that includes the following information for each Type A, B, C, D, E variable shown in Regulatory Guide 1.97:

(1) instrument range

(2) environmental qualification (as stipulated in guide or state criteria)

(3) seismic qualification (as stipulated in guide or state criteria)

(4) quality assurance (as stipulated in guide or state criteria)

(5) redundancy and sensor(s) location(s)

(6) power supply (e.g., Class 1E, non-Class 1E, battery backed)

(7) location of display (e.g., control room board, SPDS, chemical laboratory)

Deviations from the guidance in Reg. Guide 1.97 should be explicitly shown, and supporting justification or alternatives should be presented.

421.37 (7.5) If reactor controls and vital instruments derive power from common electrical distribution systems, the failure of such electrical distribution systems may result in an event requiring operator action concurrent with failure of important instrumentation upon which these operator actions should be based. IE Bulletin 79-27 addresses several concerns related to the above subject. You are requested to provide information and a discussion based on each IE Bulletin 79-27 concern. Also, you are to:

1) Confirm that all a.c. and d.c. instrument buses that could affect the ability to achieve a cold shutdown condition were reviewed. Identify these buses.

2) Confirm that all instrumentation and controls required by emergency shutdown procedures were considered in the review. Identify these instruments and controls at the system level of detail.

3) Confirm that clear, simple unambiguous annunciation of loss of power is provided in the control room for each bus addressed in item 1 above. Identify any exceptions.

4) Confirm that the effect of loss of power to each load on each bus identified in item 1 above, including ability to reach cold shutdown, was considered in the review.

5) Confirm that the re-review of IE Circular No. 79-02 which is required by Action Item 3 of Bulletin 79-27 was extended to include both Class 1E and non-Class 1E inverter supplied instrument or control buses. Identify these buses or confirm that they are included in the listing required by Item 1 above.

421.38 (7.6) Section 7.6.1.2 of the FSAR provides a brief discussion on the high pressure/low pressure interlocks. Discuss in detail the high pressure/low pressure interfaces and associated interlocks. Discuss how each of the high pressure/low pressure interfaces in your design conforms to the requirements of Branch Technical Position ICSB 3, "Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System." Also, discuss how the associated interlock circuitry conforms to the requirements of IEEE 279. The discussion should include illustrations from applicable drawings.

421.39 (7.6) Section 7.6.1.2 of the FSAR discusses the interlocks on the LPCI and LPCS that are provided to prevent overpressurization of these low pressure systems that interface with the reactor coolant system. The FSAR states that the LPCI and LPCS discharge valves are prevented from opening until differential pressure across the valves is low enough to prevent system overpressurizations. It is the staff's concern that for a small break event the LPCI/LPCS pumps will quickly develop a discharge head sufficient to satisfy the permissive even though the reactor vessel pressure can still be at normal operating pressure. A single failure of the downstream check valve could then conceivably result in a LOCA outside containment. It is the NRC staff's position that redundant protection against overpressurization of the low pressure ECCS systems be provided in accordance with the provisions of Branch Technical Position ICSB 3. This may be satisfied at Nine Mile Point-Unit 2 by modifying the current design such that the motor operated valves that interface between the low pressure ECC systems and the reactor coolant system are interlocked to prevent opening unless the reactor vessel pressure is lower than the design pressure of the systems involved.

421.40 (7.6) Section 7.6.1.4.3 states that there are six channels of APRMs with provisions for manually bypassing one APRM at a time. Provide a discussion on the proposed use of this bypass. Include in this discussion confirmation of the system's capability to generate a trip signal prior to damaging fuel with one channel in bypass and the assumption of a single random failure. Include in this discussion the bypassing of the two APRM channels (C and F) that provide input to more than one protection logic channel.

421.41 (7.6) Section 7.6.1.4.1 of the FSAR provides a brief discussion on the IRM subsystem. Section 7.6.1.4.1 does not mention the IRM bypass feature shown on FSAR Figure 7.6-6. Provide a discussion on the IRM bypass addressing the concerns stated in question 421.40.

421.42 (7.7) The transient and accident analyses included in the FSAR are intended to demonstrate the adequacy of safety systems in mitigating anticipated operational occurrences and accidents. Based on the conservative assumptions made in defining these "design bases" events and the detailed review of the analyses by the staff, it is likely that they adequately bound the consequences of single control system failures. To provide assurance that the design basis event analysis for Nine Mile Point 2 adequately bounds other more fundamental credible failures, provide the following:

(1) Identify those control systems whose failure or malfunction could seriously impact plant safety.

(2) Indicate which, if any, of the control systems identified in (1) receive power from common power sources. The power sources considered should include all power sources whose failure or malfunction could lead to failure or malfunction of more than one control system and should extend to the effects of cascading power losses due to the failure of higher level distribution panels and load centers.

(3) Indicate which, if any, of the control systems identified in (1) receive input signals from common sensors. The sensors considered should include common taps, hydraulic headers and impulse lines feeding pressure, temperature, level or other signals to two or more control systems.

(4) Provide justification that any malfunctions of the control systems identified in (2) and (3) resulting from failures or malfunctions of the applicable common power source or sensor including hydraulic components are bounded by the analyses in Chapter 15 and would not require action or response beyond the capability of operators or safety systems.

421.43 If control systems are exposed to the environment resulting from the rupture of reactor coolant lines, steam lines, or feedwater lines, the control systems may malfunction in a manner which would cause consequences to be more severe than assumed in safety analyses. I&E Information Notice 79-22 discusses certain non-safety grade or control equipment, which if subjected to the adverse environment of a high energy line break, could impact the safety analyses and the adequacy of the protection functions performed by the safety-related systems.

The staff is concerned that a similar potential may exist at light water facilities now under construction. You are, therefore, requested to perform a review per the I&E Information Notice 79-22 concern to determine what, if any, design changes or operator actions would be necessary to assure that high energy line breaks will not cause control system failures to complicate the event beyond the FSAR analyses. Provide the results of your review including all identified problems and the manner in which you have resolved them.

The specific "scenarios" discussed in the above referenced Information Notice are to be considered as examples of the kinds of interactions which might occur. Your review should consider analogous interactions as relevant to the BWR design.

421.44 (7.7) Table 7.1-1 of the FSAR lists the safety-related instrumentation and control systems. Nonsafety-related systems are identified in Table 7.7-1. From a review of Chapter 15 of the FSAR the staff has determined that the analysis of certain anticipated operational occurrences (i.e., the feedwater controller failure-maximum demand) and design basis accidents (i.e., recirculation pump seizure) take credit for the operation of nonsafety-related instrumentation and control systems.

It is the staff's position that for events classified as anticipated operational occurrences, credit can be taken for nonsafety-related systems to mitigate the event provided only high availability nonsafety-related systems are being relied upon. Therefore, identify each instrumentation and control system/component which is not classified as safety-related but assumed in the FSAR analyses to mitigate the consequences of transients. Provide a justification for the assumption of operability of this equipment based upon system design, equipment quality, and proposed technical specifications. In addition, provide a discussion on the interfaces with the safety-related portions of the Nine Mile Point-Unit 2 design.

It is the staff's position that no credit may be taken for nonsafety-related instrumentation and control systems/components in mitigating the consequences of design bases accidents. Therefore, identify each instrumentation and control system/component which is classified as nonsafety-related but assumed in the FSAR analyses to mitigate the consequences of accidents. Either redo the analysis assuming no credit for the operation of this equipment, or propose modifications to upgrade the equipment to safety-related status.

421.45 (7.7) Provide a discussion on the plant process computer system. Include in the discussion the instrumentation and control functions that have a significant impact on plant safety.

421.46 (7.7) Section 7.7 of the FSAR discusses instrumentation and control systems that are not relied upon to perform essential safety functions following anticipated operational occurrences or accidents but are used for plant processes having a significant impact on plant safety. Section 7.7 of the Nine Mile Point-Unit 2 FSAR addresses the following systems:

1. Reactor Manual Control System,

2. Recirculation Flow Control System,

3. Feedwater Control System,

4. Refueling interlocks, and

5. Steam bypass and pressure regulation system.

From a review of other plants of similar design the NRC staff has identified other systems having a significant impact on safety. For example, the following systems have been considered in the review of other facility designs:

Neutron Monitoring System, Process Computer System, Reactor Water Cleanup System, Process Radiation Monitoring System, Area Radiation Monitoring System, Radwaste Systems, Spent Fuel Pool Cooling and Cleanup System, Leak Detection System, Rod Sequence Control System and Containment Instrument Gas System.

Therefore, revise Section 7.7 of the FSAR to include these systems or provide a detailed justification supporting your assertion that these systems do not have a significant impact on plant safety.