ML19221B013

Srp,Revision 1 to Section 7.3, Engineered Safety Features Sys
ML19221B013
Person / Time
Issue date: 03/31/1979
From:
Office of Nuclear Reactor Regulation
To:
References
NUREG-75-087, NUREG-75-087-07.3, NUREG-75-87, NUREG-75-87-7.3, SRP-07.03, SRP-7.03, NUDOCS 7907120217


Text

NUREG 75/087

U.S. NUCLEAR REGULATORY COMMISSION

STANDARD REVIEW PLAN

OFFICE OF NUCLEAR REACTOR REGULATION

SECTION 7.3 ENGINEERED SAFETY FEATURES SYSTEMS

REVIEW RESPONSIBILITIES

Primary - Instrumentation and Control Systems Branch (ICSB)

Secondary - Auxiliary Systems Branch (ASB)
Containment Systems Branch (CSB)
Power Systems Branch (PSB)
Reactor Systems Branch (RSB)

I. AREAS OF REVIEW

This SRP section describes the review for the portion of the protection system used to initiate and control operation of the engineered safety features systems and essential auxiliary supporting systems. This portion of the protection system is called the engineered safety features actuation system (ESFAS).

Typical engineered safety features (ESF) systems are:

Containment and Reactor Vessel Isolation Systems
Emergency Core Cooling Systems (ECCS)
Containment Heat Removal and Depressurization Systems
Pressurized Water Reactor (PWR) Auxiliary Feedwater Systems (see SRP Section 7.4 for review of the safe shutdown functions of this system)
Boiling Water Reactor (BWR) Standby Gas Treatment Systems
Containment Air Purification and Cleanup Systems
Containment Combustible Gas Control Systems

Typical essential auxiliary supporting systems are:

Electric Power Systems (see the SRP section in Chapter 8 for these systems)
Diesel Generator Fuel Storage and Transfer Systems
Instrument Air Systems
Heating, Ventilating, and Air Conditioning (HVAC) Systems for ESF Areas
Essential Service Water Systems

The descriptive information, functional control diagrams, piping and instrument diagrams, electrical schematics (operating license stage only), and physical arrangement drawings, as presented in the applicant's safety analysis report (SAR), are reviewed. The objectives are to determine that each engineered safety features actuation system satisfies applicable design criteria and will perform as intended during all plant operating conditions and accident conditions for which its function is required. The most significant difference between the review performed for a construction permit (CP) application and that performed for an operating license (OL) application is that the CP review can be based on a preliminary design. The depth of detailed information need only be "sufficient to provide reasonable assurance that the final design will conform to the design bases with adequate margin for safety" (Ref. 1).

In addition, "a construction permit ... will not constitute Commission approval of any design feature or specification with regard to safety unless the applicant specifically requests such approval and such approval is incorporated in the permit" (Ref. 2).

The review of the information presented and referenced in Section 7.3 of an SAR is primarily directed to the engineered safety features actuation system (ESFAS), i.e., the instrumentation and controls used to initiate and control the operation of the engineered safety features.

The scope of the ICSB review of Section 7.3 of an SAR includes:

1. The descriptive information, including single line diagrams (CP) and schematic diagrams (OL) pertaining to the ESFAS. The ESFAS includes all electric and electromechanical equipment involved in detecting a plant condition requiring operation of an ESF system and in initiating the operation of the ESF system.

2. The descriptive information pertaining to the instrumentation and control systems for those auxiliary supporting systems that are essential to the operation of either the ESFAS or the ESF systems.

3. The applicant's proposed design criteria for the ESFAS and the instrumentation and controls of essential auxiliary supporting systems.

4. The applicant's analysis of the adequacy of the proposed design criteria and design bases for the ESFAS and the instrumentation and controls of auxiliary supporting systems.

5. The applicant's analyses of how the design of the ESFAS and auxiliary supporting systems conform to the design criteria for these systems.

The RSB and the CSB review, for those ESF systems within their review responsibilities, the following aspects of ESFAS:

(1) The adequacy of the monitored variables, i.e., the suitability of parameters, such as pressure, for initiating operation of a given ESF system.

(2) The acceptability of the proposed trip setpoints.

The PSB will assess the adequacy of physical separation criteria for cabling and electrical power equipment and determine that control and motive power supplied to redundant systems is from appropriate redundant sources. The PSB review includes the instrumentation and controls associated with the proper functioning of the onsite and offsite power systems. Detailed review procedures are set forth in Chapter 8.0 of the SRP.

The ASB will advise ICSB of any corrections to the SAR descriptions of auxiliary supporting systems essential to ESF systems and of time intervals available to initiate operation of auxiliary supporting systems.

II. ACCEPTANCE CRITERIA

Acceptance criteria for the review areas of this SRP section are referenced in Table 7-1 (Ref. 3), and include the General Design Criteria, industry standards, regulatory guides, and branch technical positions that are applicable to the ESFAS and the instrumentation and controls of essential auxiliary supporting systems. These documents either establish design requirements or describe acceptable methods of implementing design requirements.

In each of these categories, some documents set forth mandatory design criteria and others describe acceptable methods of design.

The General Design Criteria and IEEE Std 279 set forth requirements that must be met by all designs for the ESFAS. In addition, these are also used for the instrumentation and controls for the essential auxiliary supporting systems. One purpose of the review is to verify that the applicant has committed to designing the ESFAS and the essential auxiliary supporting system instrumentation and controls in accordance with these mandatory criteria.

The regulatory guides are not mandatory and only set forth acceptable methods of implementing the mandatory criteria. The branch technical positions are used when a particular design problem has an identified and acceptable solution; they also are not mandatory.

Industry standards that are not endorsed by regulatory guides or incorporated in regulations or technical positions, or that have not been previously used and accepted in the licensing process, must be reviewed before they can be accepted as a sole basis for approval of a design. They are useful as guidance for identifying the subjects of importance to be considered in the review of the ESFAS. In all cases, the primary basis for acceptance of an ESFAS design is conformance to the mandatory criteria of the regulations.

For those areas of review identified in subsection I of this SRP section as being the responsibility of other branches, the acceptance criteria and their methods of application are contained in the SRP sections corresponding to those branches.

III. REVIEW PROCEDURES

This subsection describes the general procedures to be followed in reviewing the ESFAS. For simplicity, it is written for the ESFAS for a single ESF system comprised of two identical, redundant subsystems. The same procedure should be applied to each ESF system and to each essential auxiliary supporting system.

Background information of interest in the review of the ESFAS is found in a number of SAR sections. A list of these is given below for reference purposes. Most of these reference sections also provide background information for other SRP sections in Chapter 7.

Chapter 1: for familiarization with the general operation of the plant, both safety and nonsafety aspects.

Chapter 3: for a general understanding of the principal architectural and engineering designs of those structures, components, equipment, and systems important to safety.

Section 3.1: for exceptions to criteria applicable to the ESFAS, and for structures suitable for housing ESFAS equipment.

Chapters 4 and 5: for an understanding of the reactor and the reactor coolant system and its interconnections with the ESF systems.

Chapter 6: for the design bases, design features, and functional performance requirements of the ESF system.

Chapter 7: for a detailed understanding of the design and operation of the ESFAS.

Chapter 9: for the design bases, design features, and functional performance requirements of essential auxiliary supporting systems.

Chapter 15: for the courses of accidents for which the ESF system provides protective functions, the effects of failures of the protective functions, and the assumptions and initial conditions that form the bases of the accident analyses.

Chapter 16: for the proposed limiting conditions for operation for the ESF and the ESFAS.

It should be noted that reference to the above sections of the SAR is made to gain an understanding of the purpose of the ESF and an understanding of how the ESF system and the ESFAS are designed and are supposed to function. No "evaluation" should be made of these sections, i.e., the SAR description is taken at face value.

The next step is to evaluate the design against the requirements of IEEE Std 279. This procedure is detailed in Appendix A to this SRP section. The procedures in Appendix A address only those design requirements that are specific in nature. For example, paragraph 4.9 of IEEE Std 279 requires that the design include means for checking the availability of each system input sensor during operation. Appendix A outlines a straightforward procedure that can be used to determine whether or not this requirement is met.

Appendix A discusses the requirements of IEEE Std 279 and how they are used in the review of the ESFAS and the essential auxiliary supporting systems instrumentation and controls.

Although the primary emphasis is on the equipment comprising the ESFAS, the reviewer should consider the protective functions on a systems level. It is necessary that the ESFAS design be compatible with the ESF systems and auxiliary supporting systems and that the ESFAS design and the accident analysis are compatible. It is not sufficient to judge the adequacy of the ESFAS only on the basis of the design meeting the specific requirements of IEEE Std 279. It is also necessary to judge the functional relationship between the ESFAS and the ESF systems themselves.

Other requirements for the ESFAS and the instrumentation and controls of essential auxiliary supporting systems are listed in Table 7-1. Many of these requirements are general in nature, permitting the acceptability of various designs. For example, General Design Criterion 20 requires, in part, that the protection system be designed to sense accident conditions and to initiate the operation of (ESF) systems important to safety. A cursory examination of the descriptive information would be sufficient to determine whether or not the ESFAS is designed to sense accident conditions and initiate the ESF systems. The specific review procedures for such general requirements are not detailed here. Specific design features and approaches are described in the ICSB technical positions in Appendix 7-A to Chapter 7 of the SRP.

Upon request from the primary reviewer, the secondary review branches will provide input for the areas of review stated in subsection I. The primary reviewer obtains and uses such input as required to assure that this review procedure is complete.

In certain instances, it will be the reviewer's judgment that for a specific case under review, emphasis should be placed on specific aspects of the design, while other aspects of the design need not receive the same emphasis and in-depth review. Typical reasons for such a nonuniform placement of emphasis are the introduction of new design features or the utilization in the design of design features previously reviewed and found acceptable.

IV. EVALUATION FINDINGS

The reviewer verifies that sufficient information has been provided and that his review supports conclusions of the following type, to be included in the staff's safety evaluation report:

"7.3 Engineered Safety Feature Actuation Systems (ESFAS)

"The engineered safety features actuation systems include the instrumentation and controls used to detect a plant condition requiring operation of an engineered safety features (ESF) system, to initiate action of the ESF, and to control its operation.

The scope of review of the ESFAS for the plant included single line diagrams (CP and OL) and schematic diagrams (OL) and descriptive information for the ESFAS and for those auxiliary supporting systems that are essential to the operation of either the ESFAS or the engineered safety features systems themselves. The review has included the applicant's proposed design criteria and design bases for the ESFAS and the instrumentation and controls of auxiliary supporting systems, and his analysis of the adequacy of those criteria and bases. The review also has included the applicant's analyses of the manner in which the design of the ESFAS and the auxiliary supporting systems conform to the proposed design criteria.

"The basis for acceptance in the staff review has been conformance of the applicant's designs, design criteria, and design bases for the engineered safety features actuation systems and necessary auxiliary supporting systems to the Commission's regulations as set forth in General Design Criteria, and to applicable regulatory guides, branch technical positions, and industry standards. These are listed in Table 7-1.

"The staff concludes that the design of the engineered safety features actuation systems conforms to all applicable regulations, guides, branch technical positions, and industry standards and is acceptable."

V. REFERENCES

1. 10 CFR § 50.34(a)(3)(iii), "Contents of Applications: Technical Information; Preliminary Safety Analysis Report."

2. 10 CFR § 50.35(b), "Issuance of Construction Permits."

3. Standard Review Plan Table 7-1, "Acceptance Criteria for Instrumentation and Control Systems."

4. Standard Review Plan Appendix 7-A, "Branch Technical Positions (ICSB)."

APPENDIX A

STANDARD REVIEW PLAN SECTION 7.3

USE OF IEEE Std 279 IN THE REVIEW OF THE ESFAS AND INSTRUMENTATION AND CONTROLS OF ESSENTIAL AUXILIARY SUPPORTING SYSTEMS

This appendix discusses the requirements of IEEE Std 279, Sections 3 and 4, as they are used in the review of the ESFAS and instrumentation and controls of essential auxiliary supporting systems.

1. Section 3 - This section requires that a specific protection system design basis be provided for each protection system. (A protection system is defined by General Design Criterion 20.) Much of the material in Section 3 is stated as requirements in Section 4. However, extra attention should be paid to Section 3(9), minimum performance requirements, because this has been historically a problem area.

a. System response times - The maximum and/or minimum response times must be stated so that compliance with IEEE Std 279, Section 4.10, can be assured.

b. System accuracies - See Regulatory Guide 1.105.

c. Ranges - See Regulatory Guides 1.29, 1.89 and 1.105.

2. Section 4.1 - This section requires that the ESFAS perform automatically and with precision and reliability. These requirements must be met over the full range of transient and steady-state conditions of the energy supply and environment during all plant conditions in which the applicant's accident analyses take credit for functions performed by the ESFAS. Other criteria which set forth similar requirements are General Design Criteria 2, 4, 10, 13, 20, 21 and 29.

a. Automatic initiation is required for all protective functions that must be started within a short time of the indicated need for the function. Although General Design Criterion 20 appears to require automatic initiation of all protective functions, initiation solely by manual means has been acceptable. However, automatic initiation is preferable for all protective functions, even though they are not needed (according to the accident analyses) for a relatively long time. Where the protective action is initiated solely by manual means, all the actions that need or may need to be performed by the operator during the time interval are reviewed, as is the applicant's basis for not providing automatic initiation. In this latter regard, the cost of automatic initiation is not, of itself, sufficient justification for using manual initiation. If in the reviewer's judgment manual initiation is sufficiently reliable, then the equipment used by the operator to detect the need for the protection function, and to verify that the protective function has been completed, must also meet all the requirements applicable to automatically initiated protective functions. See also Branch Technical Position (BTP) ICSB 20.

b. The precision required in the ESFAS is at least that assumed in the accident analyses. There are no quantitative requirements established for the reliability of the ESFAS.

c. The design is reviewed to identify any unusual or unique equipment that has not previously been used in nuclear plants. The "type testing" (as defined in IEEE Std 323) that demonstrates such equipment is capable of performing its function is reviewed.

The design is also reviewed to assure that no unnecessary interlocks, time delays, or other complexities are introduced in the ESFAS circuits. Where such features do exist, the applicant's design bases and performance analyses should be reviewed to determine that the reliability of the ESFAS is not significantly reduced by the inclusion of such features.

3. Section 4.2 - This is the most fundamental of all the requirements that the ESFAS must meet. It is inherent in other criteria such as General Design Criteria 21, 22, 24, 34, 35, 38, 41, 44, 54, 55 and 56.

In evaluating ESFAS conformance with this requirement, the reviewer must examine several different aspects of each single failure to determine its effect. The time of occurrence of the failure and the plant conditions prevailing at that time can significantly alter the effects of any single failure.

a. The first step in a single failure analysis is to identify components in the ESFAS that are not seismic Category I, those that are not qualified for accident and post-accident environments, and those that serve both safety and nonsafety systems and whose failure can affect the performance of or create the need for the ESFAS.

Each of the nonqualified and nonsafety-grade systems and components is assumed to fail to function if failure adversely affects ESFAS performance and is assumed to function if functioning adversely affects ESFAS performance. However, multiple independent failures are not assumed to occur simultaneously.

b. Next, the consequences of the events for which the ESFAS is designed to provide protective functions are examined. All failures that can be predicted to occur as a direct or consequential result of an event are assumed to occur if such failures adversely affect ESFAS performance. In general, lack of adequate environmental or seismic qualification testing is sufficient basis to assume a direct or consequential failure of equipment.

c. After assuming the failures of nonsafety-grade, nonqualified equipment and those failures caused by an event, any other single failure in the ESFAS or its auxiliary supporting systems is arbitrarily assumed and the resultant performance of the ESFAS is analyzed to assure that sufficient equipment is available to perform the minimum protective function.

d. In choosing the postulated failure to be analyzed, no distinction is made between active and passive components in electrical systems. Further, electrical equipment serving mechanical components that are not required to function in a given event is treated the same as electrical equipment serving "active" mechanical components, i.e., those that must function. (See also BTP ICSB 18 (PSB).)

e. The meaning of redundancy is discussed in IEEE Std 379 and Regulatory Guide 1.53.

Basically, to be considered redundant there must be no communication, either directly or indirectly, between two systems that can perform the same function. Thus, two systems, each of which can perform a protective function, are not redundant (and therefore do not meet the single failure criterion) if the failure of one system affects in any way the performance of the other system. This includes starting (or not starting) one system by sensing the failure (or operation) of the other system.
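The single failure procedure of items a through e can be exercised on a small model. The following Python sketch is an added example, not part of the SRP: the component names, the `Component` fields and the three sample designs are constructed for illustration, and it simplifies step a by treating every nonqualified or nonsafety-grade component as failed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    trains: frozenset          # redundant trains that depend on this component
    qualified: bool = True     # seismic Category I and environmentally qualified
    safety_grade: bool = True  # False for equipment shared with nonsafety systems


def trains_left(components, failed):
    """Return the trains that still have every component they depend on."""
    every = set().union(*(c.trains for c in components))
    lost = set().union(*(c.trains for c in components if c.name in failed))
    return every - lost


def single_failure_analysis(components, event_failures=(), min_trains=1):
    """Return (assumed_failures, violations) for one postulated event.

    Steps a and b: nonqualified or nonsafety-grade components and the
    failures caused by the event itself are assumed failed from the start.
    Steps c and d: every remaining component, active or passive, is then
    postulated in turn as the one additional single failure.
    Step e falls out of the model: a component shared by both trains takes
    both of them down, so the trains are not redundant.
    """
    assumed = {c.name for c in components
               if not (c.qualified and c.safety_grade)} | set(event_failures)
    if len(trains_left(components, assumed)) < min_trains:
        # The protective function is lost before any single failure is added.
        return sorted(assumed), ["<assumed failures alone>"]
    violations = [
        c.name for c in components
        if c.name not in assumed
        and len(trains_left(components, assumed | {c.name})) < min_trains
    ]
    return sorted(assumed), violations


def train(label):
    """Constructed sample: one sensor, logic and relay chain per train."""
    t = frozenset({label})
    return [Component(f"sensor_{label}", t),
            Component(f"logic_{label}", t),
            Component(f"relay_{label}", t)]


# Constructed designs (hypothetical, for illustration only).
INDEPENDENT = train("A") + train("B")
SHARED_SWITCH = INDEPENDENT + [
    Component("mode_switch", frozenset({"A", "B"}))]
NONQUALIFIED_SUPPORT = INDEPENDENT + [
    Component("air_dryer_B", frozenset({"B"}), qualified=False)]


if __name__ == "__main__":
    for label, design in [("independent", INDEPENDENT),
                          ("shared switch", SHARED_SWITCH),
                          ("nonqualified support", NONQUALIFIED_SUPPORT)]:
        assumed, violations = single_failure_analysis(design)
        print(f"{label}: assumed failed={assumed} violations={violations}")
```

An empty violations list means the minimum protective function survives every postulated single failure. In the third design the nonqualified support component uses up the redundancy, so every train A component becomes a violation.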

4. Section 4.3 - There are at present no specific criteria to judge the quality of the equipment used in the ESFAS. However, Appendix B to 10 CFR Part 50 provides some guidance from which a judgment may be made of the quality of equipment required for the ESFAS.

5. Section 4.4 - SRP Sections 3.10 and 3.11 discuss the evaluation of equipment qualification.

In reviewing the ESFAS, check that each component or module of the ESFAS has been qualified for normal, accident, and post-accident environments at its installed location. This applies to all normal conditions but only to those accident conditions where the component or module provides a protective function.

6. Section 4.5 - This requirement is similar to Section 4.4 discussed above. No credit should be given for "safe" failure modes in meeting this requirement. For example, if the most probable effect of a given accident is a loss of energy supply to an ESFAS, it does not matter, in meeting this requirement, whether or not the loss of energy causes the ESFAS to perform its protective function. Even though General Design Criterion 23 requires that the ESFAS be designed to "fail-safe," acceptance of the ESFAS design should not be based on an accident causing a failure, even if that accident-induced failure accomplishes the protective function.

7. Section 4.6 - The requirement for channel independence applies to all portions of the ESFAS that are designated as redundant channels. Verification of compliance with this requirement and the recommendations of Regulatory Guide 1.75 and IEEE Std 384 concentrates on points of interface between redundant ESFAS components and interfaces between the redundant portions of the ESFAS and nonsafety-grade systems. For example, switches common to redundant portions of the ESFAS are reviewed for physical independence between redundant switch sections and for the effects on redundant systems caused by a single malpositioned switch.

Also reviewed are the functional performances of isolation devices to assure that no failure in nonsafety circuits can disable safety functions.

8. Section 4.7 - The interaction of control systems and the ESFAS involves more than examining the electrical interconnection of control systems with the ESFAS. Compliance with the diversity requirements of subsection 4.7.4.1 is a requirement for the initiation of engineered safety features and the interlocks for valves between the reactor coolant system and low pressure systems. In addition, the functional performance of appropriate control systems must also be reviewed to determine whether their effect on plant conditions can indirectly affect the performance of the ESFAS or the ESF. For example, if a cooling water system is used to supply both safety and nonsafety equipment, the controls for the cooling water system must be examined to determine whether failure could lead to insufficient cooling water being supplied to the ESF or the ESFAS during an accident. (Also see Regulatory Guide 1.106.)

Note that if failure of a system serving both safety and nonsafety systems can lead to a condition requiring action by the safety system, then in addition to the failure creating the need for safety action, the ESFAS must be designed to withstand any other simultaneous single failure.

9. Section 4.8 - This requirement is self-explanatory. In addition, it must be verified that the measured variable is the variable that is used in the accident analyses.

10. Section 4.9 - The most common method used to verify the availability of the ESFAS input sensors is by cross checking between redundant channels that have readout available. When only two channels of readout are provided, the applicant's analysis of the effect of the operator choosing the incorrect readout must be evaluated as a basis for this action.

Where non-indicating sensors are used, check the test procedure to see whether a bypass indication is provided when the sensor is disconnected from the process system.

11. Section 4.10 - The extent of test and calibration capability that is provided bears heavily on whether the design meets the single failure criterion.

a. Any failure that is not detectable must be considered concurrently with any postulated, detectable, single failure.

b. Periodic testing should duplicate, as closely as practical, the integrated performance required from the ESFAS, ESF systems, and their essential auxiliary supporting systems.

If such a "system level" test can be performed only during shutdown, the testing done during power operation must be reviewed in detail. Check that "overlapping" tests do, in fact, overlap from one test segment to another. For example, closing a circuit breaker with the manual breaker control switch may not be adequate to test the ability of the ESFAS to close the breaker.

c. Test frequencies are acceptable if identical to frequencies recently approved on other identical plants. Any changes made in design or test procedure are not an adequate basis for reducing test frequencies until after experience is gained and the results submitted for review. For new designs, test frequencies should conform to Section 6.5 of IEEE Std 338.

d. Test procedures that require disconnecting wires, installing jumpers, or other similar modifications of the installed equipment are not acceptable test procedures for use during power operation. Check that periodic tests conducted during power operation use only permanently installed test equipment. See also Regulatory Guides 1.22 and 1.118, BTP ICSB 22 and 25, and IEEE Std 338.

12. Section 4.11 - Verify that tests can be conducted without initiating a protective action at the system level, and that tests can be conducted without preventing the initiation of a protective action at the system level. In general, it is an operational rather than a safety problem if testing causes the initiation of a protective action. For those parts of the ESFAS with a degree of redundancy greater than one, testing should not result in a loss of ESFAS function even if a single failure exists in one of the redundant channels which are not under test. For one-out-of-two systems, one channel may be bypassed only if initiation of the protective action would disrupt plant operation and the other channel remains operable. In these cases, verify that an interlock is provided that prevents, even with a single failure in the interlock circuits, bypassing both channels and that the single bypass is indicated. See also Regulatory Guides 1.22 and 1.118, and IEEE Std 338.

13. Section 4.12 - The requirement for automatic removal of operational bypasses means that the reactor operator shall have no role in such removal. The operator may be required to take action to prevent the unnecessary initiation of a protective action and this is acceptable.

Under no circumstances should a design be approved where action of the reactor operator is required to make available the protective actions needed in any operational or shutdown mode of the plant.

14. Section 4.13 - See Regulatory Guide 1.47 and BTP ICSB 21 for an explanation of this requirement as it pertains to the ESFAS, ESF systems, and auxiliary supporting systems.

15. Section 4.14 - In practice, administrative control is used as the basis for assuring that access to the means for bypassing is limited to qualified plant personnel and that permission of the control room operator is obtained to gain access.

16. Section 4.15 - This requirement is similar to Section 4.12.

The phrase "positive means" can be interpreted as either automatic or manual. In the case of manual means, the design must be such that inaction on the part of the reactor operator will not prevent the more restrictive setpoint from being available when it is required. It is acceptable for the design to be such that incorrect action or inaction by the operator will cause an unnecessary protective action or prevent placing the plant in an operating mode for which there is inadequate protection (as defined by the accident analyses). See BTP ICSB 12 for specific guidance on setpoint changes required with a reactor coolant pump out of service.

17. Section 4.16 - For the ESFAS, "completion of a protective action" must be defined by the applicant for each ESF system. This information should be supplied as part of the design basis information required by Section 3.0 of IEEE Std 279.

Generally, completion consists of starting or energizing the components in the ESF system.

Verify that once initiated, the protective action will continue until terminated by deliberate actions of the operator and that operator action cannot prevent the initiation of the protective action when the ESFAS determines the need for that action.

Exception: "pull-to-lock" control switches have been acceptable even though their manipulation could prevent the protective action from going to completion provided that the requirements of Section 4.13 are met.

18. Section 4.17 - Regulatory Guide 1.62 describes an acceptable method of implementing the requirement for manual initiation of protective actions. For those designs that take no credit (in the accident analysis) for manual initiation of protective actions, conformance with Regulatory Guide 1.62 is an adequate basis for acceptance.

For those protective actions which are initiated solely by manual means, there are no specific criteria to judge acceptance at present. In practice, the requirements of IEEE 279 are applied to all equipment used by the operator to detect the need for the protective action, to accomplish the protection action, and to confirm completion of the protective actions. However, it first should be established that automatic initiation need not or cannot be provided. Cost is not sufficient justification for the lack of automatic initiation. In judging the adequacy of any manual initiation features, the other tasks that the operator may be required to perform should be determined and then a judgment made as to whether it is reasonable to rely on the operator to perform all necessary actions. In most situations automatic actuation, backed up by provisions for manual initiation or manual termination, is more reliable than manual initiation alone, no matter how much time is available to take the protective action.

19. Section 4.18 - See procedure above for Section 4.14.

20. Sections 4.19 and 4.20 - Other than the requirements for indication and identification of channel and system level protective actions, there are no specific implementation guidelines by which to judge the adequacy of a design with respect to the requirements for status indication. Evaluate the applicant's discussion of how the ESFAS design conforms to these requirements. Acceptance is based on the reviewer's engineering judgment.

See also SRP Section 7.5 for a discussion of review procedures for safety-related display instrumentation.

21. Section 4.22 - This requirement is self-explanatory. The preferred identification method is color-coding of components, cables, and cabinets. See also Regulatory Guide 1.75.