Text

NUREG 75/087 fg..s ag%

+

0 0%

• t U.S. NUCLEAR REGULATORY COMMISSION M;,+< !

STANDARD REVIEW PLAN

%... #s OFFICE OF NUCLEAR REACTOR REGULATION SECTION 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FGR SAFETY REVIEW RfSPONSIBILITIE_5 Primary - Instrumentation and Cnntrol Systems Branch (ICSB) l Secondary - Core Performance Branch (CPB)

Reactor Systems Branch (RSB)

Containment Systems Brancn (CSB) l Auxiliary systems Branch (ASB)

Mechanical Engineering Branch (MEB)

Quality Assurance Branch (QAB) l Power Systems Branch (PSB)

ARFAS OF RFVIEW The group of instrumentation systems reviewed under this SRP section are t ?se required l

for safety that are not identified as part of the reactor protection system, en(iaeered safety features systems, safety-related display instrumentation systems, or systems required for safe shutdown.

They consist of fire protection and detection systems and l

groups of interlocks intended to protect other vital systems from potentially damaging transients during normal operation and under accident conditions. E2amples of such interlocks are told water interlocks, refueling interlocks, interlocks that prevent overpressurization of low pressure systems, reactor vessel instrumentation, and accumulator valve interlocks. They also include the process and effluent radiological monitor < which should be reviewed for the adequ3cy of their seismic design, environmental design, redun-dancy and emergency power (See SRP Section 11.5).

The review of these systems encompasses the sensors, initiating circuits, logic elements, bypasses, interlocks, redundancy and diversity features, actuated devices, testing pro-visions, power supply, separation and equipment qualifications.

The ICSB has primary responsibility f or the review of these sys' ems with the exception of fira protection systems for which the ASB t.as primary responsibility. The review should confirm that these systems and essential supporting systems will perform design functions when required during all applicable opetational and emergency conditions of the plant, and that the desigr. of these systems conforms to all apolicable acceptance criteria.

The descriptive information contained in the applicant's safety cr'alysis report (SAR),

including single line diagrams, electrical and instruirentation schematics, piping and l

instrumentation diagrams (P&lDs), and physical arrangenent diagr ms, s reviewed to USNRC STANDARD REVIEW PLAN

.. _. _ _ _.. _. _.._..._...._......_.......c_._..

.__._-_._.,..,..._._....__._......_....,......c.__.._._.

_.. _...... _ _. _..... _. _. ~ _ _.. _

. -..... ~.

.._...... _........ c _,_.... _.... -.

e_._-_._............._......__._..._._...._.._..

c__.._..._..__.....__........_,....u._....-.____..._._.

.i. W.

g.

. D C 2Gl85 148'086

ascertain that "other instrumentation systems required for safety" meet the acceptance criteria discussed in SRP Section 7.1 and listed in Table 7-1.

For a construction permit (CP) review, a cummitment to meet these criteria may suffice in cases where the design of these systems has not been completed. For an operating license (OL) review, however, the actual ' sign must be found to meet these criteria.

The primary review responsibility of the ICSB shall be to perform its reviews as assigned below, to coordinate and report the reviews of the portions raviewed by other Dranches as identified below.

1.

The ICSB determines that adequate redundancy of logic and instrumentation has been provided for the operation and status monitoring of "other instrumentation systems required for safety."

The reviews establishes that these systems can perform their necessary functions after sustaining a single failure.

This requires the review of descriptive information containeo in the SAR, functional diagrams, instrumentation schematics and P& ids.

2.

The PSB reviews the adequacy of physical separation criteria for the caoling and electrical power equipment, determines that control and motive power supplied to redundant systems is from the appropriate redundant power source and that the single failure criterion has been met in the design of manually-con; rolled electrically-operated valves.

3.

The ICSB review assures that the instrumentation and control equipment, cabling and structures housing instrumentation portions of "other instrumentation systems required for safety" are designed in accordance with criteria required for Class lE and seismic Category I systems and structures.

4.

ine PSB determines that electrical equipment, cabling, related cable tray systems and structures containing electrical portions of "other instrumentation systems required for safety" are designed in accordance with criteria required for Class IE and seismic Category I systems and structures.

5.

The ICSB and PSB, for their respective areas, verifies that all instrumentation and electrical equipment of "other instrumentation systems required for safety" have been included in the seismic qualification program.

6.

The ICSB review assures that the instrumentation and control equipment and cabling is qualified by tests or analyses or by a cortbination of tests and analysis to perform its safety related functions in environments that may develop as a result of design basis accidents or anticipated operational occurrences The PSB review assures that similiar qualification is accomplished for the power and electrical equipment, cabling and cable tray systems.

9 1ItB 087

-Kev. I 7 E-2 I r

7.

The ICSB determines that on-line testability of the systems and indication of bypassed or inoperable status of these systems required for safety are provided for in the design.

It is the primary responsibility of the ASB to review the acceptability of the fire protection systems. Within this primary responsibility the IC5B reviews the fire detec-tion systems and the initiation and control systems of the fire protection systems.

The PSB similarly reviews the adequacy of the power supply for these systems and the required physical separation and isnlation.

The ASB evaluates the adequacy of those auxiliary systems required for the proper opera-l tion of "other instrumentation systems required for safety."

These include compressed air systems, air conditioning systems, heat tracinq systems, etc.

In addition, the ASB reviews the physical arrangement of components and structures related to "other instru-mentation systems required for safety" and supporting systems, and determines that single events will not disable redundant parts of these systems. The CPB verifies that l

boron dilution rates achievable, or the accidental startup of an unborated or cold reactor coolant loop, result in acceptable reactivity ir,sertion rates as discussed in SRP l

Section 4.3.

The CSB reviews the containment ventilation and atmosphere control systems provided to l

maintain environmental conditions required for operation of electrical and instrumenta-tion equipment associated with "other instrumentation systems renuired f or saf ety" and located inside containment.

The MEB review confirms that the seismic qualification of the instrumentation and elec-trical systems is acceptable. This includes the seismic design criteria, analyses, testing procedures, and restraint measures employed in the seismic design and installation of Category I instrumentation and electrical equipment including trays, control roora hoards, and instrunant racks and panels, as covered in SRP 5ection 3.10.

The RSB review identifies "other instrumentation systems required for safety" and confirms that the configuration and design bases of the systems are correct, and that design parameters such as temperature, pressure, flow rate, and reactivity can be controlled within acceptable limits. Information is provided to the ICSB as to any corrections l

needed in the SAR and any esceptions to acceptance criteria taken by the applicant.

The QAB review verifies that the quality assurance program proposed by the applicant l

includes "other instrumentation systems required for safety."

II.

ACCEPTANCE CRITERIA The design, materials, qualification testing, and surveillance of "other instrumentation systems required for safety" are covered by several General Design Criteria (GDC), IEEE standards, regulatory guides, and branch technical positions which are applicable in O

whole or in part.

A list of the applicable criteria, standards, guides, and branch positions is given in Table 7-1 and Appendix 7-A to this chapter.

148 088 7.6-3 Rev. I

The "other instrumentation systems required for safety" are acceptable when it is deter-mined that these systems satisfy the following requirements; 1.

They have the required redundancy.

2.

They meet the single failure criterion.

3.

They have the required capacity and reliability to perform intended safety functions on demand.

4.

They are capable of functioning during and after certain design basis events such as earthquakes, accidents, and anticipated operational occurrences.

S.

They are testable during reactor operation.

The criteria listed in Table 7-1 are utilized as the bases for determining that these requirements are met and that the "other instrumentation systems required for safety" are acceptable. Hod these criteria are applied during the review process is discussed in subsection III.

Specific points with 7egard to the acceptance triteria are detailed l

below.

1.

System Redundancy Requirements GDC 26 and 33 and IEEE Std 279specify the requirements that "other instrumentation systems required for safety," among others, must meet with regard to all operating conditions (such as loss of offsite power), so that they can perform needed safety functions assuming a single failure.

If a determin= tion is made that these systems meet the requirements of these criteria, they are acceptable with regard to redun-d'ncy requirements.

2.

Conformance with the Single failure Criterion IEEE Std 279, IEEE Std 379, and Regulatory Guide 1. 53 prov ide that saf ety systems should be capable of performing needed safety functions after sustaining a single failure.

Regarding the application of the single failure criterion to the design of manually-controlled electrically-operated valves in safety systems, the acceptability l

of preposed designs is based on Branch Technical Position ICSB 18 (PSB).

This position states that it is acceptable to discornect electric power to a safety-related valve as a means of designing against an active valve malfunction. The requirements for tolerance of single failures in fire detection systems are given in NFPA 720.

3.

Identification of Cables and Raceways The method used for identifying power and signal cables and raceways as safety-related equipment, and the identification scheme used to distinguish between redundant f

cables, raceways, and instrument panels shou!d be in accordance with the recommenda-tions of Regulatory Guide 1.75.

Rev. 1 7.6-4

( t

4.

Vital Supporting Systems The instrumentation, control, and electric equipment associated with auxiliary systems that support "other systems required for saf ety" should freet the same accept-ance criteria as the systems they support.

5.

Testing, Quality Assurance, and System Availability Surveillance CDC 1 and 21, IEEE Stds 279, 336, and 338; and Regulatory Guides 1.22, 1.47, 1.68, and 1.118 contain the applicable acceptance criteria with regard to preoperational and periodic testing, quality assurance, and design provisions for indicating the availability of "other instrumentation systems required for safety."

6.

Fire Pro _tyction System The staff has identified the National Fire Protection Codes (NFPA) as a generally recognized code that provides guidince for use in evaluating the fire detection systems and the supervisory systems for the fire suppression systems.

The following additional requirements and criteria apply specifically to the review by the ICSB of the instrumentation and control portions of the fire protection system.

1.

All plants f or which a construction permit application was docketed on or af ter July 1, 1976, must satisfy the requirements of NFPA 72D for Class A, Class 1 systems and have fire detection and suppression instrumentation and controls which can be manually connected to a Class lE power source or automatically connected to a non-Class lE onsite power sources which satisfies the requirements of NFPA 72D Section 2260.

2.

All plants for which a construction permit application was docketed prior to July 1, 1976, must satisfy either position 1 above or the following minimum requirements, a.

Fire detection and suppression systems instrumentation and controls must be supplied from a Class lE power source if the requirements of NFPA 72D Sections 2222, 2223, and 2224 are not met.

If NFPA Sections 2222, 2223, and 2224 are met the fire detection and suppression systems instrumentation and controls must have the capability of being manually connected to a Class lE source.

b.

The wiring of the fire detection circuits must conform to the requirements of a Class 1 circuit as defined in NFPA 70.

Where voltages exceed 30 volts, energy limiting devices must satisfy the requirements of Regulatory Guide 1.75 for l solation devices or a backup trip device shall be provided with demonstrated fully selective tripping. The purpose of this requirement is to allow older plants to use already purchased non-NFPA 720 equipment provided that:

(i)

Equipment will continue to function during a loss of offsite power.

(ii)

A fault within the equipment will not disable the onsite power source.

148 090 7.6-5 Rev. 1

(iii)

A fault in one fire detection zone (which is assumed to be associated with a division) is not propagated to a second zone (which is assumed to Se in a different division).

(iv)

Actual tests of the installed equipment shall be conducted to demon-strate the capability of the backup fault protection equipment when fuses are used as primary protection, and actual tests of the primary protection shall be conducted when fuses are not used for primary protection.

c.

Unless redundant, electrically isolated and physically separated systems which meet the requirements of Regulatory Guide 1.75 are provided, the detector wiring shall be sufficiently larger than the NFPA-72D minimum sizes, which are:

(i) 22 AWG stranded, 5 or more strands / conductor (ii) 19 AWG stranded, 2 or more strands / conductor (iii) 16 AWG single conductor solid The goal of this requirement is to reduce incipient failures which may result from damage due to tensile stress and would be undetected between systems tests in an unsupervised system.

d.

In order to reduce the possibility of undetected ground faults in unsupervised systems. fire detection circuits shall be run in conduit unless redundant, electrically isolated and physically separated systems which meet the require-ments of Regulatory Guide 1.75 are provided.

e.

Circuits ' hich do not meet the supervisory requirements of NrPA 72D shall be tested no less frequently than mcnthly by causing the detector at the end of each branch circuit to actuate an alarm.

Non-supervised heat detection cable tests shall include resistance measurements of each lead-to ground and lead-to-lead taken at its equipment cabinet with one end of the loop opened.

The design should include this capability without requiring the lifting of leads or the use of jumpers.

f.

The other aspects of testing and system availability surveillance shall be in accordance with the requirements of NFPA 720 and included in the plant's Tech-nical Specifications.

g.

Fire suppression systems which are based on the use of suffocating gases shall sound a pre-discharge alarm in the hazard zone prior to release. The time delay before release shall be based on the actual design of the affected space and shall permit personnel to escape from the most remote point in the space to the most remote exit prior to gas release.

For those areas of review identified in subsection I of this SRP section as being the responsibility of other branches, the acceptance criteria and their methods of application are contained in the SRP sections corresponding to those branches.

i/>0 091 Rev. 1 7.6-6

III. REVIlw PROCEDURF5 The review i3 conducted to ascertain that the designs of "other instrumentation systems required for safety" (or design comrnitments in the case of CP's) are acceptable in terms l

of the acceptance criteria listed in subsection II.

The main objectives of the review of these systems are to determine that they include the required redundancy, meet the single failure criterion, provide the required capacity and reliability to perform intended safety functions on demand, and can function during and after certain design basis events such as earthquakes, accidents, and anticipated operational occurrences.

For a CP application, the descriptive inf ormation contained in the pr-liminary saf ety analysis report (PSAR), including the design bases and their justification with regard to the acceptance criteria, accident analyses, electrical single line and P&ID's, are reviewed to determine that the basic design features and the commitments made at this stage provide assurance that the final design will meet the acceptance criteria. During the OL review, it is verified that the acceptance criteria are met through review of the final electrical and instrumentation drawings and the physical layout drawings, and a site visit during which a spot-check verification of the design is performed.

Upon request from the primary reviewer, the secondary review branches will provide input for the areas of review stated in subsection I.

The primary reviewer obtains and uses such input as required to assure that this review procedure is complete.

The various elements of the review are carried out as follows:

1.

The logic diagrams, electrical one-line diagrams, P& ids (for CP and OL reviews),

I instrumentation and electrical schematics (for the OL review) as described in the SAR, are reviewed to verify that the necessary redundancy is provided. This review includes instrumentation channels used to sense vital parameters such as temperature, pressure, water level, etc., the associated logic and actuated devices, and the motive and control sources.

2.

Conformance with the single failure criterion as specified by IEEE Std 279, IEEE S 379, and Regulatory Dide 1.53 is verified by review of the same information as for redundancy and may be done, to some degree by necessity, at the same time.

The guidance provided by Regulatory Guide 1.53 is excellent fcr ascertaining that a given design is single failure proof. A particularly important point to check is one cited in Position 4 of Regulatory Guide 1.53, where a single d-c source supplies control power for one channel of system logic and for the redundant actuator circuit.

3.

For a multi unit design where electrical systems are shared, resulting in numerous and more complex interaction modes, a fault-tree and decision-tree analysis may be requested from the applicant to show that single failures, or single events result)ng in multiple frilures, will not result in unacceptable consequences with respect to the capabili, of "other instrumentation systems required for safety" to perform safety funct ons when required. Additional guidar e with regard to the single

\\tm C,feH f ailure critermn is given in SRP Sections 7.2 and 7.3.

7.6-7 Rev. 1

4.

For manually-controlled electrically-operated valves in safety-related systems, the acceptability of proposed designs is based on Branch Technical Position ICSB 18 (PSB). This position basically states that it is acceptable to disconnect electric power to a safety-related valve as a treans of removing the possibility of an active failure of that valve. The adequacy of the means for accomplishing such discon-rection of power is reviewed by the PSB.

5.

The PSB has the primary responsibility for reviewing the adequacy of physical separa-tion, electrical isolation and identification of cables, raceways and equipment of redundant systems. Regulatary Guide 1.75 and Sections 5.1.2 and 5.6.3 of IEEE Std 384 provide guidance for satisfying the acceptance criteria with respect to the identification of power and signal cables, raceways, and instrament panels related to "other instrumentation systems required for safety."

The criteria for identification and separation of redundant systems as discus',ed in IEEE Std 384 and Regulatory Guide 1.75 are presented in sufficient detail to make their application self-explanatory. GDC 1 and 21; and IEEE Stds 279, 336 and 338 provide the require-ments that the design of these systems must meet with regard to preoperational and periodic testing supplemented by the guidance provided in Regulatory Guides 1.22, 147, 1.68, and 1.118.

The primary review responsibility for preoperational testing is with the QAB. Ptriodic and downtime restrictions are specified in the technical specifications. The review pi r adores for technical specifications are covered in SRP Section 7.1.

6.

ihe process of aligning various fluid or gaseous systems for certain modes of opera-tion may involve the interconnection of high pressure and low pressure systems.

During normal operation, these systems must be isolated from one another. For example, the residual heat removal (RHR) system of some reactor designs is interfaced with the high pressure reactor coolant system. There should be two isolation valves in series, with diverse interlocks that will prevent operation of these valves unless the primary reactor coolant pressure is below a predetermined value. For a detailed description of the isolation requirements, see Branch Technical Position ICSB 3.

l 7.

The main steam line radiation monitoring system in boiling water reactors is provided to monitor the gross release of fission products in the reactor coolant and to l

initiate protective action if the level of such release exceeds a predetermined level. The ICS3 reviewer should assure that the instrumentation channels provided for this purpose are divided into two redundant and independent groups. Also, the PSB should determine that the two groups are pcwered from independent busses of the Class lE emergency power system.

Normally, four gamma sensitive channels are provided to monitor the radiation level in the main steam lines. TheICSBreviewershouldassurethatthegeometricarrange-l ment and physical location of these is such that a fission product release will be detected with any number of main steam lines in operation, and that it will be detected at the earliest possible time following a fuel failure. It is imnortant n

~

t B u(D k

Rev, 1 7.6-8

that thr failure of any one of these four channels will not result in an inadvertent action.

The initiating logic should be checked to make sure that this is the case.

The ICSB reviewer should verify that the design has provisions for testing and that l cperability can be adequately tested.

8.

The ICSB reviewer ;hould verify that the "other instrumentation systems required for l safety" have been qualified to operate under normai, operational transient, accident, and post-accident environruental conditicos and that they satisfy the recommendations of IEEE Std 323.

The ICSB also coordinates the verification *. hat equipment and struc-tures related to these systems are seismically qualified or designed, and that the seismic qualification and analysis program submitted by the applicant is acceptable to the MEB and PSB.

The environmental qualification of components and cabling of these systems should be the same as for the systems discussed in SRP Sections 7. 3 l

and 3.11.

9.

An important part of the review is the engineeriag drawing review.

A drawing review should include the following:

Verification that a complete set of drawings has been submitted that includes a.

schematics, logic diagrams, P& ids, and location layout drawings for these systems.

b.

Verification that the submitted drawings represent the actual system designs and layouts for the particular plant, and that those intended to be " typical" of a system are so identified.

c.

Verification that the design and layout meet the applicable criteria listed in subsection II.

10.

A site visit and inspection, in accordance with the procedure described in Appendix 7-B,l should be performed before the evaluation findings are written for OL reviews. A site inspection should include spot-check verifications that the design and layout criteria are actually implemented at the hardware assembly stage.

Items to investi-gate during the visit are included in the typical agenda given in Appendix 7-8.

11.

For the fire protection system the ICSB reviews the design of the fire detection instrumentation with the exception of detector sensitivity and detector location.

Also reviewed are the designs of the initiation, control and instrumentation systems for the fire suppression systems. The ICSB also evaluates the consequences of the effects of a failure or failures of the fire protection system on safety-related instrumentation equipment so that spurious initiations of the fire suppression systems do not become a source of common mode failure. In this regard the effects of exposure to the fire fighting medium on the Class lE instrumentation and control equipment shall be considered.

148 094 7.6-9 Rev. I

The PSB reviews the design of power supply equipment and systems, physical separation, electrical isolation and cabling (including identification) as part of its review of fire protection electrical systems.

In certain instances, it will be the reviewer's judgment that for a specific case under review, emphasis should be placed on specific aspects of the design, while other aspects of the design need not receive the same emphasis and in-depth review.

Typical reasons for such a non-uniform placement of emphasis are the introduction of new design features or the utilization in the design of design features previously reviewed and found acceptable.

IV.

EVALUATION FINDINGS ICSB coordinates its own verification and the verifications of the other branches that sufficient information has been submitted and that the review supports conclusions of the following type, to be included in the staff's safety evmluation report:

"The other instrumentation systems required I safety consist of safety related instru-mentation systems not identified as parts o

'he reactor protection system, engineered safety features systems, safety-related display instrumentation systems, or systems required for safe shutdown. They consist o' fire detection, initiation and control for fire suppression and alarm systems, and groups of interlocks intended to protect other vital systems from potentially damaging transients during normal operating, startup, shutdown, and accident conditions.

The review encompassed sensors, initiating units, logic, bypasses, interlocks, redundancy and diversity features, actuated devices, testing provisions, and equipment qualifications.

The review included single line diagrams (CP & OL), schematic diagrams (0L), and descrip-tive information on this group of systems and supporting auxiliaries that are essential for their operation. The review alsa included the applicant's proposed design criteria and design bases, and analyses of the manner in which the design of tnese systems conforms to the proposed design criteria.

The basis for acceptance by the staff is conformance of the applicant's designs, design criteria, and design bases to the Commission's regulations as set forth in the General Design Criteria, and to applicable regulatory guides, branch technical positions, and industry standards. These are listed in Table 7-1.

The staff concludes that the design of these systems conforms to applicable regulations, guides, technical positions, and industry standards, and is accytable."

V.

REFEFJNCES 1.

Standard Review Plan Table 7-1, " Acceptance Criteria for Instrumentation and Control Systems.

2.

Standard Review Plan Appendix 7-A, " Branch Technical Positions (ICSB)."

148 095 Rev. 1 7.6-10

3.

Standard Review Plan Appendix 7-B, " General Agenda, Station Site Visits."

4.

National Fire Protection Code, Section 72D; National Fire Protection Association, 470 Atlantic Ave., Boston, MA.

5.

National Fire Protection Code, Section 70 (National Electric Code); ibid.

148 0 %

7.6-11 Rev. I