ML19270H811

From kanterella
Jump to navigation Jump to search
Responses to Post-TMI NRC Requirements.
ML19270H811
Person / Time
Site: Atlantic Nuclear Power Plant PSEG icon.png
Issue date: 12/21/1979
From:
OFFSHORE POWER SYSTEMS (SUBS. OF WESTINGHOUSE ELECTRI
To:
Shared Package
ML19257A302 List:
References
RTR-NUREG-0578, RTR-NUREG-0585, RTR-NUREG-578, RTR-NUREG-585 36A93, NUDOCS 8001030691
Download: ML19270H811 (85)
v  d  e


Text

Docket No. SIN 50-437 OFFSHOIE IOWER SYSTEMS OFFSHORE IOWER SYSTEMS RESPONSES

'IO IOST 'IMI NRC REQUIREMENTS Topical Report No. 36A93 1677 2A2 '

December 1979 8001030 ' -

CONI'ENIS Section Title A. RESMNSES 'IO IE BULIETIN 79-06A, (including Revision 1)

B. RESPONSES 'IO 'IMI-2 LESSONS LEARNED TASK FORCE STA'IUS REPORT AND SHORT-TERM REQUIREMENTS, NUREG-0578, AS MODIFIED BY D.B. VASSALLO IEITERS DATED 10/10/79 and 11/9/79.

C. RESIONSES 'IO ADDITIONAL SHORT-TERM REQUIREMENTS:

D.B. VASSALIO IEITER DATED OCIOBER 10, 1979 D. RESIONSES 'IO 'IMI-2 LESSONS IEARNED TASK EORCE FINAL REPORT, NUREG-0585 1677 263

A. RESIONSES 'IO TE BULLETIN No.79-06A, (including Revision 1)

Bulletin Iten

1. Review the description of circtwnstances described in Enclosure 1 of IE Bulletin 79-05 and the preliminary chronology of the TMI-2 3/28/79 accident included in Enclosure 1 to IE Bulletin 79-05A.

la. This review should be directed toward understanSing: (1) the extreme seriousness and consequences of the simultaneous blocking of both auxiliary feedwater trains at the Three Mile Island Unit 2 plant and other actions taken during the early phases of the accident; (2) the apparent operational errors which led to the eventual core damage; (3) that potential exists, under certain accident or transient conditions, to have a water level in the pressurizer simultaneously with the reactor vessel not full of water; and (4 ) the necessity to systematically analyze plant conditions and parameters and take appropriate corrective action.

Offshore Power Systens Response Offshore Power Systems formed a IMI Task Team to study the accident at Three Mile Island. The above accident review has been completed by the OPS task team. She task team will continue to evaluate future TMI developments.

Bulletin Item lb. Operational personnel should be instructed to: (1) not override autanatic action of engineered safety features unless continued operation of engineered safety features will result in unsafe plant conditions (see Section 7a.);

and (2) not make operational decisions based solely on a single plant parameter indication when one or more con-firmatory indications are available.

Offshore Power Systens Respons_e This item applies to the plant owner and not to the activities conducted by Offshore Power Systens under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating A-1

License. OPS will support the development of the owner's Emergency Operating Procedures by issuing Emergency Operating Instructions for the ENP.

Bulletin Item Ic. All licensed operators and plant management and supervisors with operational responsibilities shall participate in this review and such participation shall be docmented in plant records.

Offshore Power Systes Response This item applies to the plant owner and not to the activities corducted by Offshore Power Systes urder a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

A-2 3677 265

Bulletin Item

2. Review the actions required by your operating procedures for coping with transients and accidents, with particular attention to:
a. Recognition of the possibility of forming voids in the primary coolant system large enough to comprcmise the core cooling capability, especially natural circulation capa-bility.
b. Operator action required to prevent the formation of such voids.
c. Operator action regaired to enhance core cooling in the event such voids are formed. (e.g. , remote venting) .

Offshore Power Systens Response This item is a3 dressed by recommendations 2.1.3.b and 2.1.9 of NUREG-0578. See Secticn B (following) for the OPS response.

1677 266 A-3

Bulletin Iten

3. For your facilities that use pressurizer water level coincident with pressurizer pressure for autanatic initiation of safety injection into the reactor coolant system, trip the low pressur-izer level setpoint bistables such that, when the pressurizer pressure reaches the low setpoint, safety injection would be initiated regardless of the pressurizer level. 'Ihe pressurizer level bistables may be returned to their rormal operating posi-tions during the pressurizer channel functional surveillance tests. In a3dition, instruct operators to manually initiate safety injection when the pressurizer pressure irdication reaches the actuation setpoint whether or ret the level indication has dropped to the actuation setpoint.

Offshore Power Systems Response This Item is rot applicable to the Floating Nuclear Plant. As stated in Section 6.3.2.2.1 of the Plant Design Report, the injection mode of emergency core cooling is initiated by the safety injection signal ("S" Signal) . This signal is actuated by any one of the following:

1. Low Pressurizer Pressure
2. High Containment Pressure
3. High Differential Pressure Between Any Two Steam Lines
4. High Steam Line Flow Coincident With Either Low T r Low Steam AVG Line Pressure
5. Manual Actuation x_4 1677 267

Bulletin Item

4. Review the containment isolation initiation design and procedures, ard prepare and imp 1 ment all changes necessary to permit contain-ment isolation whether manual or automatic, of all lines whose isolation does not degraPe needed safety features or cooling capability, upon automatic initiation of safety injection.

Offshore Power Systes Resoonse This item is addressed in recommendation 2.1.4 of NUREG-0578. See Secticn B (followirg) for the OPS response.

1677 268 A-5

Bulletin Item

5. For facilities for which the auxiliary feedwater system is not autanatically initiated, prepare ard implenent imediately pro-cedures which require the stationing of an individual (with no other assigned concurrent duties and in direct and continuous connunication with the control room) to promptly initiate a3 equate auxiliary feedwater to the steam generator (s) for those transients or accidents the consequences of which can be limited by such action.

Offshore Power Systems Response This item is not applicable to the Floating Nuclear Plant. See the OPS response to reconmendation 2.1.7.a of NUREG-0578 (Section B, following) for a discussion on automatic initiation of the Auxiliary Feedwater Systen for the FNP.

1677 269 A-6

Bulletin Item

6. For your facilities, prepare and implement imediately procedures which:

6a. Identify those plant indications (such as valve discharge piping temperature, valve position indication, or valve discharge relief tank temperature or pressure indication) which plant operators may utilize to determine that pres-surizer power operated relief valve (s) are open.

Offshore Power Systes Response This item is a3 dressed by recomendation 2.1.3a of NUREG-0578. See section B(following) for the OPS response.

Bulletin Item 6b. Direct the plant operators to manually close the power operated relief block valve (s) when reactor coolant system pressure is reduced to below the set point for normal autmatic closure of the power operated relief valve (s) and the valve (s) remain stuck open.

Offshore Power Systms Response This item applies to the plant owner and not to the activities con-ducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License. OPS will support the development of the owner's Emergency Operating Procedures by issuing Emergency Operating Instructions for the FNP.

1677 270 A-7

Bulletin Item

7. Review the action directed by the operating procedures and trainirg instructions to ensure that:
a. Operators do rot override automatic actions of engineered safety features, unless continued operation of engineered safety features will result in unsafe plant conditions. For example, if continued operation of engineered safety features would threaten reactor vessel integrity then the HPI should be secured (as noted in 7b (2) below).
b. Operating procedures currently, or are revised to, specify that if the high pressure injection (HPI) system has been automatically actuated because of low pressure condition, it must reain in operation until either:

(1) Both low pressure injection (LPI) ptrnps are in opera-tion and flowing for 20 minutes or longer; at a rate which would assure stable plant behavior; or (2) The HPI systen has been in operation for 20 minutes, and all hot and cold leg temperatures are at least 50 degrees below the saturation temperature for the existing RCS pressure. If 50 degrees sutcooling cannot be maintained after HPI cutoff, the HPI shall be reactivated. We degree of subcooling beyond 50 degrees F arr3 the length of time HPI is in operation shall be limited by the pressure / temperature considerations for the vessel integrity.

c. Item 7c has been superceded by a long term action in IE Bulletin 79-06C, as follows:

Propose and subnit a design which will assure automatic tripping of the operating EPs under all circumstances in which this action may be needed.

d. Operators are provided additional information and instruc-tions to not rely upon pressurizer level indication alone, but to also examine pressurizer pressure and other plant parameter indications in evaluating plant conditions, e.g.,

water, inventory in the reactor primary system.

Offshore Power Systems Response 2is item is a$ dressed in the Offshore Power Systems response to recommendation 2.1.9 of NUREG-0578. See section B (following).

A-8 1677 271

Bulletin Item

8. Review all safety-related valve positions, positioning require-ments and positive controls to assure that valves remain posi-tioned (open or closed) in a manner to ensure the proper operation of engineered safety features. Also review related procedures, such as those for maintenance, testing, plant and system startup, anS supervisory periodic (e.g., daily / shift checks) surveillance to ensure that such valves are returned to their correct positions following necessary manip 11ations and are maintained in their proper positions during all operational modes.

Offshore Power Systes Response To the extent that this item may apply to the manufacturing license application, it is duplicated in reconmendation 5 of NUREG-0585. See section D (following) for the OPS response. Note that primary responsi-bility for this item is with the plant owner.

A-9

}6)) 2)2

Bulletin Item

9. Review your operating modes and procedures for all systems designed to transfer potentially radioactive gases and liquids out of the primary containment to assure that undesired pumping, ventirg or other release of radioactive liquids and gases will not occur inadvertently.

In particular, ensure that such an occurrence would not be caused by the resetting of engineered safety features instrtrnentation.

List all such systems and indicate:

a. Whether interlocks exist to prevent transfer when high radiation indication exists, and
b. Whether such systems are isolated by the containment isolation signal.
c. Indicate the basis on which continued operability of the features is assured.

Offshore Power Systens Response The portion of this item dealing with (1) identification of systems which are designed (at least in part) for transfer of radioactive fluids outside containment and (2) isolation of these systems upon activation of the containment isolation signal, is addressed in recommendation 2.1.4 of NUREG-0578. See Section B (following) for the OPS response.

With the exception of the Containment Ventilation System (VCC and VCD Subsystss) , interlocks with high radiation levels are not provided; rather, other parameters which nore reliably detect accident situations and provide for autmatic initiation of containment isolation are provided (as discussed in the response to recommendation. 2.1.4 in Section B). Containment isolation design also precludes automatic opening of containment isolation valves subsequent to resetting the appropriate engineered safety features signal, thereby preventing inadvertent transfer of radioactive liquids and gases.

A-10 }h(( 273

'Ihe Phase "A" signal automatically isolates the Containment Ventilation System. In addition, the contairrnent air particulate and gas radiation monitors automatically transfer the Containment Ventilation System from an external air supply mode to a recirculation mode, if the system is not already isolated.

Operability of the above features is accomplished by periodic testing in accordance with Technical Specification requirements.

1677 274 A-11

Bulletin Item

10. Review and nodify as necessary your maintenance and test pro-cedures to ensure that they require:
a. Verification, by test or inspection, of the operability of redundant safety-related systms prior to the removal of any safety-related system from service.
b. Verification of the operability of all safety-related systems when they are returned to service following maintenance or testing.
c. Explicit notification of involved reactor operational personnel whenever a safety-related system is removed from and returned to service.

Offshore Power Systens Response This item applies to the plant owner and not to the activities corducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

A-12 1677 275

Bulletin Item

11. Review your prcxnpt reporting procedures for NRC notification to assure that NRC is notified within one hour of the time the reactor is not in a controlled or expected condition of operation.

Further, at that time an open continuous comunication channel shall be established and maintained with NRC.

Offshore Power Systens Response This item applies to the plant owner and not to the activities corducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

n-u 1677 276

Bulletin Item

12. Review operating nodes and procedures to deal with significant anounts of hydrogen gas that may be generated durirg a transient or other accident that would either remain inside the primary system or be released to the containment.

Offshore Power Systems Response Available nodes for renoving hydrogen from the Reactor Coolant System are the following:

1. Hydrogen can be stripped from the reactor coolant to the pres-surizer vapor space by pressurizer spray operation if the reactor coolant pump is operating.
2. Hydrogen in the pressurizer vapor space can be vented by power operated relief valves to the pressurizer relief tank.
3. Hydrogen can be removed frce the Reactor Coolant System by the letdown line and stripped in the voltne control tank where it enters the waste gas system. Waste gas system storage consists of 8 tanks of 600 Pr3 ea6.
4. Hydrogen could be released to the pressurizer and/or letdown line ,

by controlled depressurization of the Reactor Coolant System.

5. In the event of a IOCA, hydrogen would vent with the steam to the containment.

Available nodes of removing hydrogen from the containment are the following:

1. Two hydrogen recombiners, each capable of processing up to a maximum of 200 SCFM air with a 100% free hydrogen removal effic-iency, can be utilized to recombine containment hydrogen with available oxygen. Hydrogen is distributed uniformly throughout the containment by automatic operation of the Air Return and Hydrogen Skinmer System.

^-14 1677 277

2. Containment atmosphere can be discharged to the annulus by operation of the Post-Accident Containment Venting System. 'Ihe system provides a controlled and filtered containment purge capability by releasing air at a maximum rate of 50 SCEM to the annulus.

In addition to the above design features, which are currently in-corporated in the FNP, a pressure vessel head vent system will be developed to remove hydrogen or other gases frm the reactor vessel head via remote mar, cal operation frm the Control Rom. This system will discharge into the pressurizer relief tank in the containment (see Response to 2.1.5, Section B followirs) .

In a$dition to the above it should be noted that the NRC recommends a rulmakire regarding design features that would mitigate a severe core damage or a wre melt accident. As a result, further design measures for the control of hydrogen may be suggested. OPS will consider and implement appropriate requirements in the FNP design once the rule-makirg is empleted ard the requirements defined (see Reconinendation 10 of Section D, following).

A-15 1677 278

Bulletin Item

13. Propose changes, as required, to those technical specifications which must be modified as a result of your implementing the above items and identify design changes necessary in order to effect lorg term resolutions of these items.

Offshore Power Systems Response The normal process of technical specification development during review of the final FNP design will certainly include careful consideration of lessons learned at TMI and any design changes required will be included in the FNP.

1677 279 A-16

B. RESIONSES 'IO 'IMI-2 IESSONS IEARNED TASK FORCE STA'IUS REPORT AND SHORT 'IERM REOJPEENDATICNS, NUREG-0578, AS MODIFIED BY D.B. VASSALID IEITERS DATED 10/10B9 AND 11/9/79.

Reumuerdation 2.1.1: Emergency Power Supply Requirenents for the Pressur-izer Heaters, Power-Operated Relief and Block Valves, and Pressurizer Level Indicators in PWR's Statment of NRC Position Consistent with satisfying the requirements of General Design Criteria 10,14,15,17, and 20 of Appendix A to 10 CFR Part 50 for the event of loss of offsite power, the following positions shall be implemented:

Pressurizer Heater Power Supply

1. %e pressurizer heater power supply design shall provide the capability to supply, frcrn either the offsite power source or the mergency power source (when offsite power is not avail-able), a predetermined number of pressurizer heaters and associated controls necessary to establish and maintain natural circulation at hot standby corditions. 'Ihe required heaters and their controls shall be connected to the emergency buses in a manner that will provide redundant power supply capability.
2. Procedures and training shall be established to make the operator aware of when ard how the required pressurizer heaters shall be connected to the mergency buses. If reauired, the procedures shall identify under what conditions selected emergency loads can be shed from the mergency power source to provide efficient capacity for the connection of the pressurizer heaters.
3. The time regaired to accomplish the connection of the pre-selected pressurizer heater to the emergency buses shall be consistent with the timely initiation and maintenance of natural circulation conditions.
4. Pressurizer heater notive and control power interfaces with the emergency buses shall be accomplished through devices that have been qualified in accordance with safety grade reqairements.

Power Supply for Pressurizer Relief and Block Valves and Pressurizer Level Indicators

1. Motive and control components of the power-operated relief valves (PORVs) shall be capable of being supplied from either the offsite power source or the mergency power source when the offsite power is not available.
2. Motive and control components associated with the IORV block valves shall be capable of being supplied from either the 1677 280

offsite power source or the emergency power sources when the offsite power is not available.

3. Motive and control power connections to the emergency buses for the PCRVs ard their associated block valves shall be through devices that have been qualified in accordance with safety-grade requirements.
4. 'Ihe pressurizer level indication instrument channels shall be pwered fran the vital instrment buses. These buses shall have the capability of being supplied frm either the offsite power source or the emergency power source when offsite power is not available.

Offshore Power Systens Response

1. Pressurizer heaters The total pressurizer heater capacity for the FNP is 1800 KW.

Four separate backup heater groups (346 KW each) are supplied directly from 4 independent and redundant safety class 480 V switchgear buses. Each bus is supplied fran its respective standby diesel generator following a loss of offsite power. 'Ihe control group (416 KW) is supplied fran a non-safety class 480 V bus which could be supplied fran a diesel-generator bus within several minutes following a loss of offsite power, in the unlikely event that this should become necessary.

Each independent backup group is large enough to maintain natural circulation in the hot standby condition.

The Class lE circuit breakers supplying each of the backup groups are tripped open on either a safety injection (SI) or loss of offsite power actuation signal.

'Ihe heaters can be manually loaded onto the bus from the main control board after SI is reset and loads required in the initial stages of the incident are no longer required.

Sufficient diesel generator capacity is provided to supply the 8-2 1677 28I

minimum required number of heaters in the time required. Diesel generator instrmentation is provided to prevent overloading a diesel generator with these heater loads.

OPS will provide the owner with the necessary procedures for energizing the pressurizer heaters, including procedures that might be required for load shedding.

2. Power Operated Relief Valves (PORV's)

Each PORV is supplied with operating ait frm a separate Safety Class-3 air system which is available following a loss of offsite power. Each PORV pilot solenoid is supplied from irde-pendent and rslundant 125V DC sources, which are also available following a loss of offsite power. The PORV's are controlled from the main control board. Both PORV's fail closed on loss of motive or control power.

3. IORV Block Valves The PORV block valves are supplied from notor control centers which are readily energized from a corresponding standby diesel generator following a loss of offsite power. 'Ihe PORV block valves are controlled frm the main control board. Thus the PORV block valves can also be operated following a loss of offsite power.
4. Pressurizer Level Indication Channels All of the pressurizer level indication channels are derived (and isolated) from their respective protection channels. The instrument loop power supplies for these protection channels (including the isolated outputs) are supplied from their respective Class lE Instrment buses. Thus level indication is available following a loss of offsite power.

1677 2BZ B-3

Reccmmendation 2.1.2: Performance Testing for IMR and IMR Relief and Safety Valves Statement of NRC Position Pressurized water reactor and boiling water reactor licensees and a@licants shall corduct testing to qualify the reactor coolant system relief and safety valves under expected operating corditions for design basis transients and accidents. He licensees and appli-cants shall determine the expected valve operating conditions through the use of analyses of accidents and anticipated operational occur-rences referenced in Regulatory Guide 1.70, Revision 2. 'Ibe single failures a@ lied to these analyses shall be chosen so that the dynamic forces on the safety and relief valves are maximized. Test pressures shall be the highest predicted by conventional safety analysis procedures. Reactor cx>olant system relief and safety valve qualificatiion shall include qualification of associated control circuitry piping and supports as well as the valves themselves.

Offshore Power Systens Response OPS considers that the integrity and functionability of Reactor Coolant System relief ard safety valves sh3uld be verified through a combined industry effort rather than an individual vendor effort.

This should circumvent the need for redundant testing of specific valve types. 'Ihe Westinghouse Owners' Group has provided input via MPR Associates to the EPRI program for valve testing. This input includes valve descriptions and technical parameters, valve actuation transient characterizations, and qualification program recommend-ations. It is expected that the Westinghouse information will be included in the EPRI program to be subnitted to the NRC on or about 1/1/80. Reactor Coolant System relief and safety valves whicn have been qualified under a testing program will be used in the FNP.

1677 283 B-4

Recm mendation 2.1.3.a: Direct Indication of Power-Operated Relief Valve and Safety Valve Position for PWR's and BWR's Statenent of NRC Position Reactor system relief and safety valves shall be provided with a positive indication in the control rocm derived from a reliable valve position detection device or a reliable indication of flow in the discharge pipe.

Offshore Power Systems Response Positive indication of pressurizer relief valve position is currently provided in the FNP design. Such indication is accomplished in the following manner:

1. Each ERV has indication lights on the control board which are activated by stem-actuated limit switches. In addition, a position disagreement light / alarm prcxninently displays a failure of the PORV to achieve the last position coiTmanded.
2. The temperature downstream of the MRVs and safety valves is displayed on the control board and high temperature alarms are provided.
3. The pressurizer relief tank has temperature, pressure and fluid level irxiication and alarms on the main control board.
4. High pressurizer pressure alarms in the Control Room.

OPS is presently evaluatirg methods to provide safety valve position indication. During FNP final design, safety valve position indica-tien, meeting the requirements of this recomendation, will be provided.

8-s 1677 284

Reccsanendation 2.1.3.b: Instrtunentation for Detection of Inadequate Core Cooling for PWRs and BWRs Statenent of NRC Position:

1. Licensees shall develop procedures to be used by the operator to recognize inadequate core cooling with currently available instrumentation. 'Ihe licensee shall provide a description of the existing instrumentation for the operators to use to recognize these conditions. A detailed description of the analyses needed to form the basis for operator training and procedure develop-ment shall be provided pursuant to another short-term regaire-ment, " Analysis of Off-Normal Conditions, Including Natural Circulation" (see Section 2.1.9 of this appendix) .

In addition, each PWR shall install a primary coolant saturation meter to provide on-line indication of coolant saturation condition. Operator instruction as to use of this meter shall include consideration that is not to be used exclusive of other related plant parameters.

2. Licensees shall provide a description of any aiditional instru-mentation or controls (primary or backup) proposed for the plant to supplement those devices cited in the preceding section giving an unambiguous, easy-to-interpret indication of inade-quate core cooling. A description of the functional design requirements for the system shall also be included. A descrip-tion of the procedures to be used with the proposed equipment, the analysis used in developing these procedures, and a schedule for installing the equipment shall be provided.

Offshore Pcuer Systens Response The portion of this recommendation dealing with procedures using

" existing" instrumentation does not apply to the FNP. Procedures will be developed for the instrumentation provided in the final design.

A primary coolant saturation meter will be installed and will provide on-line indication of molant subcooled conditions. In addition, the FNP will include instrumentation necessary to provide an unambicuous indication of inadequate core cooling. OPS proposes to evaluate options presently being developed by the Westinghouse Owners' Group before deciding on the specific means of saturation and core cooling monitoring.

1677 285 B-6

Westinghouse has performed initial analyses to specify the instru-ments available ard guidelines for detection of inadequate core cooling. 'Ihe core exit thermocouples were identified as the appropri-ate instruments for determining inadequate core cooling. Utilities with operating plants are using the analyses in developing their energency procedures and retraining their operators prior to January 1,1980 as required by NRC. Westinghouse has also been authorized by the Owners' Group to perform additional, more detailed analyses of inadequate core cooling for completion during the first quarter of 1980.

8-7 1677 2R6

Reca mendation 2.1.4: Contaiment Isolation Provisions for PWR's and sir's Statment of NRC Position

1. All containment isolation system designs shall comply with the reconmendations of SRP 6.2.4; i.e., that there be diversity in the parameters sensed for the initiation of containment isola-tion.
2. All plants shall give careful reconsideration to the definitior of essential and non-essential systas, shall identify each system determined to be essential, shall identify each system determined to be non-essential, shall describe the basis for selection of each essential system, shall nodify their con-taiment isolation designs accordingly, and shall report the results of the re-evaluation to the NRC.
3. All non-essential systes shall be autmatically isolated by the containment isolation signal.
4. The design of control systems for automatic containment isola-tion valves shall be such that resetting the isolation signal will not result in the automatic reopening of containment isolation valves. Reopening of containment isolation valves shall regaire deliberate operator action.

Offshore Power Systes Response Tne current Floating Nuclear Plant containment isolation design satisfies all of the provisions of the NRC recommendations as follows:

1. Phase A isolation (T signal) results in the isolation of all non-essential systems penetrating the containment with the exception of component cooling water lines to the reactor coolant pum;s ard the lower compartment coolers which are closed by Phase B isolation (P signal).

Phase A isolation provides for diversity in parameters sensed as well as being automatically actuated any time a safety injection signal (S signal) is initiated. Phase A isolation is initiated from the following process variables:

1677 287 B-8

(a) High steam flow coincident with low steam line pressure or lo-lo T ANG*

(b) High steam line differential pressure (c) Iow pressurizer pressure (d) High containment pressure (e) Manual initiation Phase B isolation is initiated from hi-hi containment pressure or manually. Although it is not autmatically generated by diverse means, the P signal can only be generated af ter the T signal, which is diverse, has been initiated. In addition to initiating Phase B isolation, the P signal also is used to initiate containment spray.

2. Offshore Power Systems has given careful consideration to the systems penetrating the containment which are required to mitigate the consequences of a loss of coolant accident, or any accident calling for containment isolation. 'Ihe systems which are required to operate following the accidents are as follows:

- Safety Injection System

- Residual Heat Removal System (supply lines to cold legs)

- Contairrnent Spray System (including recirculation sump lines)

- Upper Head Injection System

- Auxiliary Feedwater System The above systems are required to supply cooling and/or make up fluid to the Reactor Coolant System, the containment, and the Main Steam System. 'Ihese systems, or parts of these systems required for post-accident cooling, do not receive any con-tainment isolation signal.

B-9 jh7 280

The following systems are not essential to mitigate the conse-quences of a design basis loss of coolant accident but are considered desirable in assisting in plant recovery from accidents of lower magnitude than a design basis accident. They are not part of Phase A isolation, but instead are isolated by the P signal (Phase B isolation) .

- Ccrnponent Cooling Water System (supply and return lines to ICP themal barrier cooling)

- Component Cooling Water System (cooling water flow to the lower compartment fan coolers)

The systems determined to be non-essential are isolated by the T signal (Phase A) . They are as follows:

- Chemical and Volume Control System

- Post-Accident Sampling System

- Radiation Monitoring System (containment air sample lines)

- Nuclear Sampling System

- Containment Ventilation System

- Post-Accident Containment Ventilation System

- Liquid Waste Treatment System

- Service Air System

- Instrument Air System

- Emergency Air System

- Ice Condenser Refrigeration System

- Non-Essential Service Water System Reboiler Condensate Return System

- Reboiler Steam Distribution System Fire Protection Water Spray System

- Safety Injection System (test lines)

- Upper Head Injection System (test lines)

- Contaiment Purge Supply and Exhaust System 1677 289 B-10

3. All non-essential lines are properly isolated following the initiation of a contairment isolation signal. In addition to the systems which are listed as being subject to Phase A isolation, other non-essential systems or lines which penetrate containment have normally closed manual isolation valves, subject to adninistrative control.
4. Containment isolation reset logic requires deliberate and specific operator action before an isolated line can be re-opened. The following control features are provided for contairment isolation valves:
a. The containment isolation signals override all other autanatic control signals.
b. The valves will remaining in the closed position if the initiating signal is reset,
c. Each valve can be opened or closed manually after the appropriate contairrnent isolation signals are reset.
d. Any valves that are normally operated in an automatic mode (for non-safety functions) are also automatically trans-ferred to manual mode by the isolation signal. This precludes automatic opening of containment isolation valves subsequent to reset of the initiating isolation signe:

B-ll 1677 290

Reca mendation 2.1.5.a: Dedicated Penetrations for External Recombiners or Post-Accident Purge Systes Stat m ent of NRC Position Plants using external recombiners or purge systems for pst-accident embustible gas control of the contairrnent atmosphere should provide containment isolation systems for external recombiner or purge systes that are dedicated to that service only, that meet the redundancy and single failure requirements of General Design Criteria 54 and 56 of Appendix A to 10 CFR Part 50, and that are sized to satisfy the flow requirements of the recombiner or purge system.

Offshore Power Syst e s Response This recommendation does not apply to the Floating Nuclear Plant, because the combustible gas control systems are not external to containment.

1677 291 B-12

Recomnendation 2.1.5.b: Inerting BWR ContairInents Statement of NRC Position It shall be required that the Vermont Yankee and Hatch 2 Mark I BWR contairrnents be inserted in a manner similar to other operating BLG plants. Inerting shall also be required for near term OL licensing of Mark I ard Mark II BWRs.

Offshore Power Systems Response This recommendation does not apply to the Floating Nuclear Plant which uses a pressurized water reactor.

1677 292 B-13

Reconnendation 2.1.5.c: Capability to Install Hydrogen Recombiner at Each Light Water Reactor Plant Statenent of NRC Position The majority opinion of the Lessons-Learned Task Force is the following, "...it is the conclusion of the majority of the Lessons Learned Task Ebrce that provisions for the post-accident installation of recombiners should not be required as a short-term action. Such consideration should be part of the long-term reconsideration of the design basis for combustible gas control systems.

Offshore Power Systems Response The present FNP design includes recombiners permanently installed within contairrnent. The subject of a combustible gas control design basis is addressed in NUREG-0585 (see recommendation 10 of Section D, followirg) .

1677 293 B-14

Recanendation 2.1.6.a: Integrity of Systems Outside Contaiment Likely to Contain Radioactive Materials (Engineered Safety Systems and Auxiliary Systems) for PWRs and BWRs Statment of NRC Position Applicants and licensees shall imediately implement a program to raluce leakage frm systes outside containment that would or could contain highly radioactive fluids during a serious transient or accident to as-low-as-practical levels. This program shall include the following:

1. Imediate Leak Reduction
a. Implement all practical leak reduction measures for all systes that could carry radioactive fluid outside of containment.
b. Measure actual leakage rates with system in operation and report them to tho NRC.
2. Continuing Leak Reduction Establish and implement a program of preventive maintenance to reduce leakage to as-low-as-practical levels. This program shall include periodic integrated leak tests at a frequency not to exceed refueling cycle intervals.

Offshore Power Systems Response Most systems which interface with reactor coolant, either directly or indirectly, will be isolated for accidents which release significant radioactivity to the coolant. 'Ihe exceptions (1) are:

1. Residual Heat Removal System (RHR)
2. Safety Injection System (SIS)
3. Containment Spray System (GS)

(1)There is a potential indirect interface through safeguards area sumps between the RCS an:3 the liquid waste treatment systs (See the response to recommendation 2.1.6.b).

B-15 b77 294

For these and other potentially radioactive systems, numerous design features are incorporated in the FNP which minimize the potential for leakage. Rese include careful component selection, proper orienta-tion of valve stens on normally closed valves, and use of valve backseats and/or piped valve leakoffs as appropriate. Failure analyses ard reliability evaluations of safety class systems serve to identify potential leakage paths during the design stage.

As a second line of defense, piping configurations, ventilation systems, floor drains, etc. are designed to minimize the effects of leakage should it occur despite all precautions. This is discussed further in Section 11.6 of the PDR, " Radioactive System Layout, Operation, Maintenance, ard Design Considerations." We designs of the FNP safeguards areas and pipe chases connecting them with contairrnent are important features in limiting the spread of con-tamination as described in the Response to Item 2.1.6.b.

Development and implementation of periodic leak testing programs are the responsibility of the plant owner. None-the-less OPS will carefully review testing programs as they are established by oper-ating utilities and results of generic studies such as those per-formed by the Westirghouse Owners' Grotp. We FNP design will be modified as necessary to accommodate upgraded leakage testing requirements so identified.

1677 295 B-16

Re w .rdation 2.1.6.b: Design Review of Plant Shielding and Environmental Qualification of Equipnent for Spaces / Systems Which May Be Used In Post Accident Operations Statenent of NRC Position With the asstrnption of a post-accident release of radioactivity equivalent to that described in Regulatory Guides 1.3 and 1.4 (i.e.,

the equivalent of 50% of the core radiciodine,100% of the core noble gas inventory, and 1% of the core solids, are contained in the primary coolant) , each licensee shall perform a radiation and shieldirg design review of the spaces around systems that may, as a result of an accident, contain highly radioactive materials. The design review struld identify the location of vital areas and equipment, such as the control rocrn, radwaste control stations, emergency power supplies, motor control centers, and instrtrnent areas, in which personnel occupancy may be unduly limited or safety equipnent may be urduly degraded by the radiation fields during post-accident operations of these systems.

Each licensee shall provide for adequate access to vital areas and protection of safety equipment by design changes, increased permanent or tenporary shielding, or post-accident procedural controls. The design review shall determine which types of corrective actions are needed for vital areas throughout the facility. ,

Offshore Power Systems Response Post-accident release of radioactivity, as described in Regulatory Guide 1.4, has been used to derive source terms for the current design of the FNP shielding around fluid and ventilation systems that may contain highly radioactive fluids or gases as a result of accidents. The existing design includes provision for access to RHR equipment for maintenance following such an accident since long term post-accident operation of this equipment must be assured. Following is a more detailed sumnary discussion of the current FNP post-accident design basis and design features. As part of the detailed design, a canprehensive design review will be conducted to insure that systems which may contain highly radioactive fluids or gases following an accident meet the provisions of this reconnendation.

Most of the systems which normally interface with the Reactor Coolant System (either directly or indirectly) will be isolated from the 1677 296 B-17

Reactor Coolant System following an accident in which significant quantities of radioactivity are released. Release of radioactivity is considered potentially significant if concentrations in the reactor coolant are greater than those associated with 1% failed fuel under normal operating conditions. 'Ihose systems which will be isolated frm the reactor coolant are the following:

1. Gaseous Waste Treatment System (WIG)
2. Sampling System (SSR)
3. Chemical and Voltrne Control System (CVC)
4. Boron Recycle System (BRS) and
5. Liquid Waste Treatment System (WIL)( }

The only systems interfacing with reactor coolant which are not isolated are:

1. Residual Heat Renoval System (RHR)
2. Safety Injection System (SIS) ard
3. Containment Spray System (CSS) .

These three systems (pipirg and ccaponents) are located within four, separate, shielded safeguards compartments in the FNP design.

Shieldire thickness for spaces in which these systems are located were calculated employing a source derived frm Regulatory Guide 1.4.

The source term included 50% of the core equilibritrn halogen in-ventory and 1% of all other fission products uniformily mixed in the contairnent sump water inventory. Noble gases were not included in the fluid sources used for design of shielding for these spaces. 'Ibe sources employed are documented in Table 12.1.4 of the PDR.

(1) Potential indirect interface through safeguards area sumps.

B-18

ne dose rate criterion for shielding of these systems in safeguards empartments is that the dose in occupied areas outside the shield walls not exceed 3 Rem for an 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> exposure begining at 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after an accident. Access to these spaces at earlier times is not expected to be necessary.

His dose criterion (< 3 Rem for an 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> exposure one day after the accident) is the post-accident shield design criterion for all post-accident work locations on the plant except for the control room and emergency relocation area. For the control rom and emergency relocation area, the criterion used for shield design is that of General Design Criterion 19 which is that the dose to personnel inside those spaces be less than 5 Rem for the duration of the accident. Source terms for analysis of the control rom and emergency relocation area are based on Regulatory Guide 1.4 radioactivity release assumptions.

The RHR, SIS and CSS system components within each safeguards empartment are located in a subcompartment which is isolated from the rest of the safeguards compartment during normal operation.

Ventilation is provided by a sealed system such that neither supply nor exhaust air lines ccramunicate the subcompartment to the surround-ing space. In the event of an accident resulting in containment isolation, subcampartment exhaust is lined up to the Annulus Filtra-tion Systs (AFS) . The AFS maintains the subcompartment at a negative pressure, thus assuring that any airborne radioactivity released within the subcampartment is exhausted to the annulus, where it passes through charcoal and HEPA filters before release to the enviroment. Because of this unique design, liquid leaks from the SIS, RHR or CSS systems will rot result in releau of airborne radioactivity within the surrounding spaces in a safeguards com-partment.

Special consideration will be given during final design to post-accident handling of fluids leaking frca pumps in the RHR-SIS-CSS subempartments. In the event of a large leak, recirculation flow 1677 298 B-19

frm the containment sump to the affected subcompartment can be terminated by closire the appropriate sump isolation valve. These valves are notor operated with the motor outside the shield wall. he operator is connected to the valve via a reach rod. Manual valve wheels are also provided at the operator m that the valve may be closed even in the event of motor operator failure.

he ENP has been designed so that post-accident maintenance may be performed on either of the two RHR pumps by draining and flushing the RHR equipment. Drain and flush operations can be performed via reach rod operated valves located outside the shield walls of the RHR pump rooms. Airborne activity released to the RHR subcompartment would be swept out by the annulus ventilation system which maintains a negative pressure in the room. Additionally, the design basis for equipnent important to safety includes a requirement for satisfactory operation following post-accident radiation exposure. The integrated exposure to safety equipment, which is calculated using the source term identified above, is a part of the equipment specification.

'Ib sumnarize, the existing design philosophy for controlling radio-active water and airborne activity following an accident involving core damage is to isolate all systems which could remove radioactive water or air from either the containment or the Reactor Coolant System. Systens outside the contaiment which are needed following an accident for core cooling or containment atmosphere cooling are located within shielded subcompartments, which are part of each separate safeguards compartment. %ese subcompartments are r..aintained at a negative pressure ard are connected to the annulus following an accident. Source terms specified in Regulatory Guide 1.4 were used for design of shielding for post-accident work locations near systems which could potentially contain highly radioactive water.

1677 299 B-20

Recmmendation 2.1.7.a: Automatic Initiation of the Auxiliary Feedwater Systen for PWRs Statenent of NRC Position Consistent with satisfying the requirements of General Design Criterion 20 of Appendix A to 10 CFR Part 50 with respect to the timely initiation of the auxiliary feedwater system, the following requirements shall be implemented in the short term:

1. %e design shall provide for the automatic initiation of the auxiliary feedwater system.
2. he automatic initiation signals and circuits shall be designed so that a single failure will not result in the loss of aux-iliary feedwater system function.
3. Testability of the initiating signals ard circuits shall be a feature of the design.
4. The initiating signals and circuits shall be powered frm the mergency buses.
5. Manual capability to initiate the auxiliary feedwater system frm the control rom shall be retained ard shall be implemented so that a single failure in the manual circuits will not result in the loss of systs function.
6. We a-c notor-driven pumps and valves in the auxiliary feedwater systens shall be included in the autmatic actuation (simultan-eous and/or sequential) of the loads to the emergency buses.
7. he autanatic initiating signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AEWS frm the control rocm.

In the long term, the automatic initiation signals and circuits shall be upgraded in accordance with safety-grade requirements.

Offshore Power Systems Response In the current FNP design, as discussed in Section 10.4.6.7.4 of the Plant Design Report, the four motor driven auxiliary feedwater pumps automatically start on lo-lo level in any steam generator, loss of main feed pumo, safety injection signal, or loss of offsite AC power.

The turbine driven pump starts automatically on lo-lo level in any two steam generators or loss of offsite power. Autmatic initiation signals and circuits for the Auxiliary Feedwater System are Class lE 1677J00 B-21

and can be tested on-line. Manual capability of initiation of the Auxiliary Feedwater System is provided in such a manner that no single failure will result in loss of the system function. No single failure of the autmatic initiation circuitry will prevent manual initiation of the Auxiliary Feedwater System frm the Control Room.

B-22 1677 01

Reca mendation 2.1.7.b: Auxiliary Feedwater Flow Indication to Steam Generators for IWRs Statenent of NRC Position Consistent with satisfying the requirements set forth in GDC 13 to provide the capability in the control room to ascertain the actual performance of the AENS when it is called to perform its intended function, the followire requirements shall be implemented:

1. Safety-grade indication of auxiliary feedwater to each steam generator shall be provided in the control room.
2. The auxiliary feedwater flow instrument channels shall be powered fran the emergency buses consistent with satisfying the emergency power diversity regairements of the auxiliary feed-water systen set forth in Auxiliary Systems Branch Technical Position 10-1 of the Standard Review Plan, Section 10.4.9.

Offshore Power Systems Response Auxiliary feedwater flow channels, with an accuracy of the order of

+10%, will be Class lE ard displayed on the main control board. Each channel of flow instrumentation is powered from its respective Class lE instrument power supply.

1677 302 B-23

Reca mendation 2.1.8.a: Improved Post-Accident Sampling Capability Statement of NRC Position A design and operational review of the reactor coolant and contain-ment atmosphere sampling systs shall be performed to determine the capability of personnel to prceptly obtain (less than 1 bour) a sample under accident conditions without incurring a radiation exposure to any individual in excess of 3 and 18 3/4 Rems to the whole body or extraities, respectively. Accident conditions should assume a Regulatory Guide 1.3 or 1.4 release of fission products. If the review indicates that personnel could not promptly and safely obtain the samples, additional design features or shielding should be provided to meet the criteria.

A design and cperational review of the radiological spectrum analysis facilities shall be performed to determine the capability to promptly quantify (less than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) certain radioisotopes that are indica-tors of the degree of core damage. Such radionuclides are noble gases (which indicate cladding failure), iodines and cesiums (which indicate high fuel temperatures) , and non-volatile isotopes (which indicate fuel melting) . We initial reactor coolant spectrum should correspond to a Regulatory Guide 1.3 or 1.4 release. We review should also consider the effects of direct radiation from piping and em.ponents in the auxiliary building and possible contamination and direct radiation from airborne effluents. If the review indicates that the analyses required cannot be performed in a prompt manner with existing ecuipment, then design nodifications or ecuipment procurm ent shall be undertaken to meet the criteria.

In a3dition to the radiological analyses, certain chemical analyses are necessary for monitority reactor conditions. Procedures shall be provided to perform boron and chloride chemical analyses assuming a highly radioactive initial sample (Regulatory Guide 1.3 or 1.4 source term). Both analyses shall be capable of being completed promptly; i.e., the boron sample analysis within an hour and the chloride sample analysis within a shift.

Offshore Power Systes Response During the final design of the FNP, Offshore Power Systems will perform design and operational reviews of the Reactor Coolant and Containment Post-Accident Sampling Systems to determine their capability to meet post 'IMI requirments.

Westinghouse is working with the Owners' Group to develop procedures to obtain and prepare samples for analysis. The effort will result in B-24

recommendations regarding the application of automatic or in-line analyzers, ard alternative manual analysis procedures.

As described in 9.3.2.1 of the Plant Design Report (PDR), the NSSS Sampling System provides means to obtain representative liquid and gas samples frm various fluid systems for chemical and radiochemical laboratory analysis. The sampling system is designed for manual and intermittent operation for conditions ranging frm full power to cold shutcbwn. Access to the contairrnent building is not required for sampling. he sampling system is not required currently to function durire an energency. In the event of an accident, all lines of the system penetrating containment are isolated by the T Signal. Once the T Signal is removed, the isolation valves can be remote-manually opened.

As described in Section 9.3.2.2 of the PDR, the Containment Post-Accident Sampling System currently is designed to provide repre-sentative samples of the containment post-accident atmosphere within 24 trurs after the accident. We sampling system is an engineered safety feature. Lines penetrating the mntainment are closed by isolation valves at all times unless remote-manually opened to take a sample.

These current capabilities will be upgraded to mnform to the results of the design ard operational reviews and to incorporate inputs from Owners' Group Activities.

B-25 1677 304

Recamendation 2.1.8.b: Increased Range of Radiation Monitors Statement of NRC Position The requirements associated with this recommendation should be considered as advanced implementation of certain requirments to be included in a revision to Regulatory Guide 1.97, "Instrmentation to Follow the Course of an Accident," which has already been initiated, and in other Regulatory Guides, which will be promulgated in the near-term.

1. Noble gas effluent nonitors shall be installed with an extended range designed to function during accident conditions as well as during normal operating conditions; multiple monitors are considered to be necessary to cover the ranges of interest.
a. Nogle gas effluent nonitors with an upper range capacity of 10 u Ci/cc (Xe-133) are considered to be practical and should be installed in all operating plants.
b. Noble gas effluent monitoring shall be provided for the total range of concentration extending from norgal con-dition (ALARA) concentrations to a maximtra of 10 p Ci/cc (Xe-133). Multiple nonitors are considered to be necessary to cover the ranges of interest. The range capacity of individual nonitors should overlap by a factor of ten.
2. Since iodine gaseous effluent monitors for the accident condi-tion are not considered to be practical at this time, capability for effluent monitoring of radiciodines for the accident con-dition shall be provided with sampling conducted by absorption on charcoal or other media , followed by onsite laboratory analysis.
3. Ingcontainment radiation level nonitors with a maximum range of 10 rad /hr shall be installed. A minimum of two such monitors that are physically separated shall be provided. Monitors shall be designed ard qualified to function in an accident environ-ment.

Offshore Power Systes Response Noble gas effluent nonitors will be provided on the Floating Nuclear Plant at potential release points. These monitors will comply with this recommendation.

A method for monitoring radiciodine effluents will be determined as part of the plant final design.

1677 305 B-26

'Ihe current ENP design for the redundant containment area monitors specifies a range of 10-1 to 107 Rad /Hr. In order to comply with Recmmendation 2.1.8.6, this range will be changed to 100 to 10 8 Rad /hr. It should be noted that these detectors for the FNP design are nounted on the outer surface of the steel containment but may be considered as "In-contaiment" relative to cmpliance with this reemmendation. 'Ihe attenuation of the steel shell will be factored into the calibration of the monitors. Mountirg the detectors outside the steel containment serves two safety related purposes: 1) the need for contaiment cable penetrations is eliminated, and, 2) the monitors will experience less severe postulated accident environ-mental conditions, (i.e., temperature, 'hmidity, and pressure) .

B-27

Reccamendation 2.1.8.c: Improved In-Plant Iodine Instr mentation Statement of NRC Position Each licensee shall provide equipment and associated training and procedures for accurately determining the airborne iodine concen-tration in areas within the facility where plant personnel may be present during an accident.

Offshore Power Systems Response Sampling methods, counting equipment and other laboratory analytical equipment will be specified aM procured by the plant owner. Offshore Power Systems will provide space, including space for counting rooms and laboratories, where analytical determination of radioicdine concentrations can be performed. 'Ihe location and design of these spaces are such as to permit personnel occupancy for times required to perform necessary analysis following accident conditions including those specified in NRC position 2.1.8.a. Shielding will be provided to insure a low background in the counting rom. Ventilation with clean air at a pressure higher than surrounding spaces will be provided for the counting room to minimize background airborne contamination in this region. Capability for purging of entrapped noble gases frcm charcoal samples using either clean air or nitrogen will be provided in the laboratory area. Residual noble gases will be routed to and vented from the plant stack.

A conraercially available method for discriminating between residual noble gases and radiciodine absorbed on the charcoal filters in the atmospheric sampling devices is counting of the charcoal filters with a gamma ray spectrometer. OPS will recommend to the plant owner that such equipnent be procured for analysis of the charcoal filters used for sampling of areas within the facility. OPS will also recommend to the utility owner that portable sampling devices be procured and available for sampling of occupied spaces within the facility for radiciodine followirg accidents.

1677 ::07 B-28

Reca mende' ion 2.1.9: Analysis of Design and Off-Normal Transients and Accidents Statment of NRC Position Analyses, procedures, and training addressing the following are required:

1. Small break loss-of-coolant accidents;
2. Inadeguate core cooling; and
3. Transients and accidents.

Some analysis requirements for small breaks have already been specified by the Bulletins and Orders Task Force. These should be completed. In Mdition, pretest calculations of some of the Loss of Fluid Test (LOPT) small break tests (scheduled to start in September 1979) shall be performed as means to verify the analyses performed in suIport of the small break mergency procedures and in support of an eventual long term verification of compliance with Appendix K of 10 CFR Part 50.

In the analysis of inadequate core cooling, the following conditions shall be analyzed using realistic (best-estimate) methods:

1. Low reactor coolant system inventory (two examples will be required - IDCA with forced flow, IDCA without forced flow) .
2. Ioss of natural circulation (due to loss of heat sink).

These calculations shall include the period of time during which inadequate core cooling is approached as well as t% oeriod of time during which inadequate core cooling exists. T6 calcuictions shall be carried out in real time far enough that all important phenomena and instrtrnent indications are included. Eact case should then be repeated taking credit for correct operator action. Wese Mditional cases will prcnide the ban 3 for developing appropriate emergency procedures. % ese calculations should also p ovide the analytical basis for the design of any additional inst rmentation needed to provide operators with an unambiguous indication of vessel water level and core cooling adequacy (see See : ion 2.1.3.b in this appendix).

The analyses of transients nd accidents shn11 include the design basis events specified in Section 15 of each FSAR. The analfses shall include a sirgle active failure for each system called upon to functicn for a particular event. Consequentia; failures shall also be considered. Failures of the operators to p rform required control manipulations shall be given consideration %: pernutations of the analyses. Operator actions that could caust the complete loss of function of a safety systs shall also be considered. At present, these analyses need not Mdress passive fai'i ures or nultiple system failures in the short tenn. In the recent analysis of small break IOCAs, complete loss of auxiliary feedwater was considered. We emplete loss of auxiliary feedwater may be added to the failures B-29 1677 308

being considered in the analysis of transients and accidents if it is concluded that more is needed in operator training beyond the short-term actions to upgrade auxiliary feedwaMr system reliability.

Similarly, in the long term, multiple failures and passive failures may be mnsidered depending in part on staff review of the results of the short-term analyses.

The transient and accident analyses shall include event tree analy-ses, which are supplmented by computer calculations for those cases in which the system response to operator actions is unclear or these calculations could be used to provide important quantitative informa-tion not available fr m an event tr ee . For example, failure to initiate high-pressure injection could lead to core uncovery for sme transients, and a computer calculation muld provide information on the anount of time available for corrective action. Reactor simula-tors may provide mme information in defining the event trees and would be useful in studying the information available to the oper-ators. ne transient and accident analyses are to be performed for the purpose of identifying appropriate and inappropriate operator actions relating to important safety considerations such as natural circulation, prevention of core uncovery, and prevention of more serious accidents.

The information derived from the preceding analyses shall be included in the plant emergency procedures and operator training. It is expected that analyses performed by the NSSS vendors will be put in the form of emergency procedure guidelines and that the changes in the procedures will be implemented by each licensee or applicant.

In addition to the analyses performed by the reactor vendors, analyses of selected transients should be performed by the NRC Office of Research, using the best available computer codes, to provide the basis for comparisons with the analytical methods being used by the reactor vendors. These comparisons together with comparisons to data, including IDFT small break test data, will constitute the short-term verification effort to assure the adequacy of the analytical methods being used to generate energency procedures.

Offshore Power Systems Response The objective of this recommendation is to improve the performance of reactor operato'"i during transient and accident conditions. Offshore Power Systems is maintaining cognizance of the work being performed by Westinghouse, through the Westingtouse Owners' Group, which is pertinent to the Floating Nuclear Plant. Wese activities are describa3 below:

1677 309 B-30

1. Small break IOCA analyses have been performed, doc m ented in NCAP-9600/9601, " Report on Small Break Accidents for Westing-house NSSS Systems," and subnitted to the NRC (Bulletins and Orders Task Force) on June 29, 1979. This report presents a comprehensive study of Westinghouse system response to small break IOCAs. The Bulletins and Orders Task Force issued one set of questions on NCAP-9600/9601 on August 13, 1979. These questions were responded to by Westinghouse in September 1979.

Included in the Westinghouse scope of work authorized by the Owners' Group is a complete review and rewriting of the Westinghouse generic mergency operating instructions. Pre-liminary sets cf emergency operating instructions E-O (Imediate Actions and Diagnostics) and E-1 (Loss of Reactor Coolant) were included in NCAP-9600/9601. These preliminary instructions have undergone NRC and Owners' Group review and were subseqJently revised and finalized in November 1979. These finalized in-structions can be utilized by utilities in developing energency procedures and training programs as reqaired by the NRC.

2. An initial analysis of inadequate core cooling utilizing the W-FLASH Computer Code has been performed and was subnitted to the Owners' Group and the Bulletins and Orders Task Ebrce on October 31, 1979. This analysis basically concludes that the core exit thermocouples can be used for detection of inadequate core cooling and contains a preliminary set of guidelines describing necessary operator actions for the detection and mitigation of inadequate core cooling. This information is being utilized by utilities in the development of emergency procedures arrl trainirg programs.

Westinghouse has also been authorized by the Owners' Group to perform additional, more detailed analyses of inadequate core cooling which are scheduled for completion during the first quarter of 1980. These analyses will utilize the NCfrRUMP Computer Code and investigate a spectrum of scenarios and

,_31 1677 310

subsequent operator actions. '1he information available from the N rRUMP analyses is expected to be more realistic than that obtainable from W-FIASH and should lead to a better understand-ing of inadequate core cooling and additional guidance to the operator.

3. He purpose of the transient and accident analyses requirement is to provide an increase in safety by improving the performance of reactor operators during transient and accident conditions.

The primary concern is that the operator training and emergency operating procedures currently in use are based on the conserva-tive SAR Chapter 15 type analyses. Chapter 15 should continue to be used for design basis analyses since these show the nost limiting initial approach to both core thermal and system overpressurization safety limits. Westinchouse is performing a qualitative study for the Owners' Group to assess the informa-tion presented to the operator. We study will include an evaluation of the effects of operator actions (correct or incorrect) where information presented may cause the operator to take such actions. This study is schediled to be completed in December 1979 and it is expected that the results of this study will be incorporated into utility operating procedures and training programs as appropriate.

What is needed to meet the intent of this recocmendation in the long-term is to determine the consequences using realistic assurptions (better estimate modeling) incorporating the effects of the following:

i. Operator's failure to act when reqaired.

ii. Operator's inappropriate actions during an accident.

iii. Additional failures.

iv. Selected system operations (e.g., re-starting of RCPs etc.)

1677 311 B-32

'Ibe results of these analyses can be used to evaluate informa-tion available to the operator and the adequacy of existing procedures. Appropriate changes can be incorporated into the existirg procedures, designs, and trainirg programs. Developnent of the nodels to incorporate such effects is in itself a long-term effort before detailed analyses can be run. Significant interaction between industry and the NRC is required to agree on the assumptions, bases, appropriate actions (correct or in-correct) to be nodeled, and best estimate boundary conditions.

When canpleted, the analyses results using the better estimate modeling tools can enhance the current operator training programs by providir.g additional insight into the course of events the operator will likely encounter during a transient. A schedule for such long-term analyses has not yet been developed.

4. Westinghouse performed a IDFT L3-1 pre-test small break prc-diction and the results were subnitted to the Owners' Group and the NRC on December 15, 1979.

Both operator training and the development of operating procedures are the responsibility of the plant owner / operator. Westinghouse and Offshore Power Systens can, at the option of the plant owner, provide substantial assistance in the areas of operator training and procedure develognent. Well before a prosocctive FNP owner will reach the Operating License stage, the accident and transient analyses cited above will be canplete and the results factored into standard plant procedures and operator training programs.

1677 312 B-33

Recommendation 2.2.1.a: Shift Supervisor's Responsibilities Statement of NRC Position

1. He highest level of corporate management of each license shall issue ard periodically reissue a management directive that emphasizes the primary management responsibility of the shift supervisor for safe operation of the plant under all conditions on his shift and that clearly establishes his m m and duties.
2. Plant procedures shall be reviewed to assure that the duties, respansibilities, and authority of the shift supervisor and control rom operators are properly defined to effect the establishment of a definite line of command and clear delinea-tion of the comand decision authority of the shift supervisor in the control rom relative to other plant management per-sonnel. Particular emphasis shall be placed on the following:
a. Se responsibility and authority of the shift supervisor shall be to maintain the broadest perspective of opera-tional conditions affecting the safety of the plant as a matter of highest priority at all times when on duty in the control rom. Re idea shall be reinforced that the shif t supervisor should not beccrae totally involved in any single operation in times of emergency when multiple operations are required in the control room.
b. Re shift supervisor, until properly relieved, shall remain in the control rocm at all times during accident situations to direct the activities of control room operators.

Persons authorized to relieve the shift supervisor shall be specified.

c. If the shift supervisor is temporarily absent from the control rom during routine operations, a lead control room operator shall be designated to assume the control room comand function. These temporary duties, responsibil-ities, and authority shall be clearly specified.
3. Training programs for shift supervisors shall emphasize and reinforce the responsibility for safe operation and the man-agment function the shift supervisor is to provide for assuring safety.
4. The administrative duties of the shift supervisor shall be reviewed by the senior officer of each utility responsible for plant operations. Administrative functions that detract from or are subordinate to the management responsibility for assuring the safe operation of the plant shall be delegated to other operations personnel not on duty in the control rom.

1677 313 B-34

Offshore Power Systens Response This recommendation applies to the plant owner and not to the activities conducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

1677 M4 B-35

Recwmendation 2.2.1.b: Shift Technical Advisor Statement of NRC Position Each licensee shall provide an on-shift technical dvisor to the shift supervisor. The shift technical advisor may serve more than one unit at a multi-unit site if qualified to perform the Mvisor functicn for the various units.

The shift technical a3 visor shall have a bachelor 's degree or equivalent in a scientific or engineering discipline and have received specific training in the response and analysis of the plant for transients and accidents. 'Ihe shift technical advisor shall also receive training in plant design and layout, including the capa-bilities of instrumentation and controls in the control room. The licensee shall assign normal duties to the shift technical advisors that pertain to the ergineering aspects of assuring safe operations of the plant, including the review and evaluation of operating experience.

Offshore Power Systems Response This recommendation applies to the plant owner and not to the activities conducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

B-36 1677 315

Recortmendation 2.2.1.c: Shift and Relief Turnover Procedures Statement of NRC Position The licensees shall review and revise as necessary the plant pro-cedure for shift and relief turnover to assure the following:

1. A checklist shall be provided for the oncoming and offgoing control rom operators and the oncaning shift supervisor to complete and sign. 'Ihe following items, as a minimum, shall be included in the checklist:
a. Assurance that critical plant parameters are within allowable limits (parameters ard allowable limits shall be listed on the checklist),
b. Assurance of the availability and proper alignment of all systems essential to the prevention and mitigation of operational transients and accidents by a check of the control console (what to check and criteria for acceptable status shall be included on the checklist);
c. Identification of systems and cmponents that are in a degraded mode of operation permitted by the Technical Specifications. For such systems ard components, the length of time in the degraded node shall be compared with the Technical Specifications action statement ( this shall be recorded as a separate entry on the checklist) .
2. Checklists or logs shall be provided for completion by the offgoing and oncoming auxiliary operators and technicians. Such checklists or logs shall include any equipnent under maintenance of test that by themselves could degrade a system critical to the prevention and mitigation of operational transients (what to check and criteria for acceptable status shall be included on the checklist); and
3. A system shall be established to evaluate the effectiveness of the shift ard relief turnover procedure ( for example, periodic independent verification of system alignments) .

Offshore Power Systens Response This recommendation applies to the plant owner and not to the activi-ties corducted by Offshore Power Systems under a License to Manu-facture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

S-37 1677 316

Recomendation 2.2.2.a: Control Rom Access Statement of hT<C Position The licensee shall make provisions for limiting access to the control rom to those individuals responsible for the direct operation of the nuclear power plant (e.g. cperations supervisor, shift supervisor, and control rom operators) , to technical advisors who may be requested or required to support the operation, and to predesignated NFC personnel. Provisions shall include the following:

1. Develop and implent an atninistrative procedure that establishes the authority and responsibility of the person in charge of the control rom to limit access.
2. Develop and implement procedures that establish a clear line of authority and responsibility in the control room in the event of an mergency. We line of succession for the person in charge of the control rom shall be established and limited to persons possessing a current senior reactor operator's license. %e plan shall clearly define the lines of comunication and authority for plant management personnel rot in direct comand of operations, including thhose who report to stations outside of the control room.

Offshore Power Systems Response This recommendation applies to the plant owner and not to the activities conducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

1677.M7 B-38

Recamendation 2.2.2.b: Onsite Technical Support Center Statement of NRC Position Each operating nuclear power plant shall maintain an onsite technical support center separate frm and in close proximity to the control rom that has the capability to display and transmit plant status to those individuals who are knowledgeable of and responsible for engineering and management support of reactor operations in the event of an accident. %e center shall be habitable to the same degree as the mntrol rom for postulated accident conditions. He licensee shall revise his emergency plans as necessary to incorporate the role and location of the technical support center.

Records that pertain to the as-built conditions and layout of structures, systems and components shall be stored and filed at the site and accessible to the technical support center under emergency conditions. Examples of such records include system descriptions, general arrangements drawings, pipirg and instrument diagrams, piping system isometrics, electrical schematics, wire and cable lists, and single line electrical diagrams. It is not the intent that all records described in ANSI N45.2.9-1974 be stored and filed at the site arr3 accessible to the technical support center under emergency conditions; however, as stated in that standard, storage systems shall prcvide for accurate retrieval of all pertienet information without undue delay.

Offshore Power Systems Response The onsite Technical Support Center (TSC) for the FNP consists of the supervisor's office and visitors area adjacent to the Control Room.

This center is provided with the same degree of shielding, environ-mental control, missile protection and security as the Control Room.

This center uses the same ventilation system as the Control Room and also utilizes the Control Room radiation monitoring equipment.

Necessary comunication between the TSC and both the Control Room and onsite operational support center will be provided. Offsite com-munications will be provided by the owner. Plant status can be readily obtained in the TSC during normal as well as emergency cperation. Necessary "as-built" documentation will be filed in the TSC or elsewhere within the shielded control building.

The 'ISC is directly a3jacent to the Control Room and access is through a doorway directly into the Control Rom. Additionally, a

"-3' 1677 318

glass window in the comon wall between the TSC and Control Room provides for easy observation of recovery activities. For these reasons, the instrumentation requirement for the TSC is minimized.

Therefore, Offshore Power Systes is presently considering a CRT terminal to access data frm the plant computer. 'Ihe specific instrumentation required in the TSC will be determined during final detailed design of the ENP.

OPS believes that the tNP concept provides unique advantages e re-gardirg as-built documer.'.ation, including the following:

a. greater level of detail on drawings (dimensioning, part numbers, etc.) because of the manufacturing concept.
b. greater consistency and coordination among as-built documents, since OPS is ultimately responsible for all as-built docu-mentation for the ENP.
c. ENP units and their documentation would be virtually identical, allowing use of other units for full-scale studies regarding recovery operations.

B-40 1677 319

Recmmendation 2.2.2.c: Onsite Operational Support Center Statement of NRC Position An area to be designated as the onsite operational support center shall be established. It shall be separate frm the control rom and shall be the place to which the operations support personnel will report in an emergency situation. Comunications with the control rom shall be provided. The mergency plan shall be revised to reflect the existence of the center and to establish the methods and lines of comunication and management.

Offshore Power Systens Response The Emergency Relocation Area (at Elev.100' and 109' in the control buildirg) beneath the Control Rocm, is provided for this purpose.

This area is designed to the same criteria for shielding, missile protection ard environmental controls as the Control Room. Emergency storage facilities and cxxamunications equipment for onsite operat-ional support are provided. The Emergency Relocation Area is safely accessible from the Control Room via a stairway which is enclosed within the shielded control building.

1677 a20 B-41

Reccanendation 2.2.3: Revised Limited Conditions for Operation of Nuclear Power Plants Based Upon Safety System Availability Statenent of NRC Position All NRC nuclear power plant licensees shall provide information to define a limitirg operational condition based on a threshold of emplete loss of safety function. Identification of a human or operational error that prevents or could prevent the accomplishment of a safety function required by NRC regulations and analyzed in the license application shall require placenent of the plant in a hot shutdown cordition within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and in a cold shutdown condition within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The loss of operability of a safety function shall include con-sideration of the necessary instrtrnentation, controls, emergency electrical power sources, cooling or seal water, lubrication, operating procedures, maintenance procedures, test procedures and operator interface with the system, which must also be capable of performing their auxiliary or supporting functions. 'Ihe limiting conditions for operation shall define the minimum safety functions for modes 1, 2, 3, 4, and 5 of operation.

The limiting conditions of operation shall require the following:

1. If the plant is critical, restore the safety function (if possible) and place the plant in a hot shutdown condition within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
2. Within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, bring the plant to cold shutdown.
3. Determine the cause of the loss of operability of the safety function. Organizational accountability for the loss of oper-ability of the safety system shall be established.
4. Determine corrective actions and measures to prevent recurrence of the specific loss of operability for the particular safety function and generally for any safety function.
5. Report the event within 24 tours by telephone and confirm by telegraph, mailgram, or facsimile transmission to the Director of the Regional Office, or his designee.
6. Prepare and deliver a Special Report to the NRC's Director of Nuclear Reactor Regulation and to the Director of the appropri-ate regional office of the Office of Inspection and Enforcement.

The report shall contain the results of steps 3 and 4, above, along with a basis for allowing the plant to return to power operation. The senior corporate executive of the licensee responsible and accountable for safe plant operation shall deliver and discuss the contents of the report in a public B-42

meeting with the Office of Nuclear Reactor Regulation and the Office of Inspection and Enforcement at a location to be chosen by the Director of Nuclear Reactor Regulation.

7. A finding of adequacy of the licensee's Special Report by the Director of Nuclear Reactor Regulation will be required before the licensee returns the plant to power.

Offshore Power Systems Response This recommendation applies to the plant owner, and ample time exists to implement the stated requirements before an FNP owner will require an Operating License if such reqairements result frcrn the planned rulemakirg concerning safety system availability.

B-43 1677 322

C. RESPONSES 'IO ADDITIONAL SHORT-TERM REQUIREMENTS: D.B.VASSALID IEITER DMED OCIOBER 10, 1979

1. HRC Requirement (Enclosure 3): Instrumentation to monitor con-taiment conditions durirg the course of an accident.

Statement of NRC Position Consistent with satisfying the requirements set forth in General Design Criterion 13 to provide the capability in the control rom to ascertain containment conditions during the course of an accident, the followirg requirements shall be implemented:

(1) A continuous indication of containment pressure shall be provided in the control room. Measurement and indication capability shall include three times the design pressure of the contairrnent for concrete, four times the design pressure for steel, and minus five psig for all containments.

(2) A continuous indication of hydrogen concentration in the containment atmosphere shall be provided in the control room.

Measurm ent capability shall be provided over the range of 0 to 10% hydorgen concentration under both positive and negative ambient pressure.

(3) A contiriuous indication of containment water level shall be provided in the control rom for all plants. A narrow range instrument shall be provided for PWRs and cover the range from the bottm to the top of the containment sump. Also for PNRs, a wide range instrument shall be provided and cover the range frm the bottm of the containment to the elevation eqJivalent to a 600,000 gallon capacity. For BNRs, a wide range instrument shall be provided and cover the range frm the bottom to 5 feet above the normal water level of the suppression pool.

The containment pressure, hydrogen concentration and wide range containment water level measurements shall meet the design and qualification provisions of Regulatory Guide 1.97, including qualif-ication, redundancy, and testibility. 'Ihe narrow range containment water level measurment instrumentation shall be qualified to meet the requirements of Regulatory Guide 1.89 and shall be capable of being periodicully tested.

Offshore Power Systems Response A. Contaiment Pressure:

The provisions of this recomendation are satisfied in the current FNP design, except that the range currently specified C-1 1677 .

')23

for containment pressure is 0-18 psig (approx.1.15 times design pressure) .

In order to a30pt this part of the recommendation, two addi-tional wide range contaiment pressure channels will be in-corporated into the FNP. %ese additional channels will range frcm minus 5 psig to 60 psig (4 times design pressure), and will be in accordance with this recomendation. We channels will meet the design requirements of Regulatory Guide 1.97, Rev.1.

B. Containment Hydrogen Concentration:

Durirg FNP final design OPS will select hydrogen monitoring instrumentation which is acceptable to the NRC.

C. Contaiment Water Level:

As described in Section 6.2.2.7 of the PDR, the Floating Nuclear Plant design does not incorporate a contaiment sump as such.

Instead, the containment lower compartment will collect a sufficient volume of water following the injection phase of safety injection to allow recirculation. Redundant safety grade contaiment water level (wide range) measurement is currently provided and displayed in the Control Room. We range of these level channels will be increased to cover an elevation equival-ent to an 800,000 gallon capacity, a quantity which includes ice melt and UHI accumulator injection.

In addition, Class lE (narrow range) level diannels will be provided for the local WTL sump at the 103 foot elevation in accordance with this recommendation. Wese channels will also be used as part of the RCS Leak Detection System. These channels will meet the design requirements of Regulatory Guide 1.89.

C-2 1677 324

2. NRC Requirement (Enclosure 4): Installation of Renotely Operated High Point Vents in the Reactor Coolant System Statement of NRC Position Each applicant and licensee shall install reactor coolant system and reactor vessel head high point vents remotely operated from the control rom. Since these vents form a part of the reactor coolant pressure boundary, the design of the vents shall conform to the requirements of Appendix A to 10 CFR Part 50 General Design Criteria.

In particular, these vents shall be safety grade, and shall satisfy the single failure criterion and the requirements of IEEE-279 in order to ensure a low probability of inadvertent actuation.

Each applicant and licensee shall provide the following information concernirg the design and operation of these high point vents:

1. A description of the construction, location, size, and power suoply for the vents along with results of analyses of loss-of-coolant accidents initiated by a break in the vent pipe. The results of the analyses should be demonstrated to be acceptable in accordance with the acceptance criteria of 10 CFR 50.46.
2. Analyses demonstrating that the direct venting of noncondensible gases with perhaps high hydrogen concentrations does not result in violation of combustible gas concentration limits in con-tainment as described in 10 CFR Part 50.44, Regulatory Guide 1.7 (Rev.1), and Standard Review Plan Section 6.2.5.
3. Procedural guidelines for the operators' use of the vents. 'Ihe information available to the operatc,r for initiating or term-inating vent usage shall be discussed.

Offshore Power Syst es Response Methods of removing hydrogen from the reactor coolant system are discussed in the response to Item 12 (See Section A) including operation of a head vent system. 'Ihis system will be designed to remove gases frm the reactor vessel head via remote manual opera-tions frm the Control Room. 'Ihe reactor vessel head venting system will discharge into the pressurizer relief tank in order to accomo-date testing and potential inadvertent releases of water and steam.

Additionally the current pressurizer venting capabilities will be upgraded to meet IEEE-279 requirements.

C-3 1677 325

D. RESIONSES 'IO 'IMI-2 ESSONS IEARNED TASK FORCE FINAL REPORT, NURD:i-0585 Recomendations 1: Personnel Qualifications and Training 1.1 Utility managenent involvement 1.2 Training programs 1.3 In-plant drills 1.4 Operator licensing 1.5 NFC staff coordination 1.6 Licensed operator qualifications 1.7 Licensee technical and managment support 1.8 Licensing of additional operating personnel Offshore Power Systems Response Each of these recommendations applies either to the plant owner or to the NRC, 3rd not to the activities conducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implenent the stated recuirenents before an FNP owner will require an operating license.

Additional OPS comnents are:

1.1 No further connent 1.2 OPS agrees that training of operations personnel needs to be reviewed and upgraded accordingly. However, rather than each utility performing a position task analysis for their own training programs, more benefit could be derived by the industry as a whole establishing minimum training criteria ard then each utility upgrading their training programs to at least meet the minimum established standards. 'Ihis could be accomplished through the Institute of Nuclear Power Operations (INPO).

1677 326

1.3 OPS agrees with the concept of in-plant drills as proposed, provided they do not require the manipulation of plant controls to the extent that plant status is affected.

1.4.1 No further coment 1.4.2 Guidelines should be established that clearly define the operator's responsibility concerning the actions he takes while operating a nuclear generating station. Further, these guidelines should outline the review process that will be used should operational errors occur and the actions that could be taken by the NRC to deal with operators comiting operational errors.

1.4.3 Assuming that INPO establishes standards for the training and capabilities of operations personnel, any program devised by the NRC to train er evaluate these personnel should be in agreement with and conform to the established standards.

1.4.4 Same as 1.4.3 1.4.5 No further coment 1.4.6 OPS agrees with the Task Force proposed alternative to Recomendation 6 of SECY 79-330E (Qualification of Reactor Operators).

1.4.7 No further coment 1.5 No further coment 1.6 OPS believes that changes in the qualifications of operations personnel should be made only after careful study and de-liberation. 'Ihe proposed study by INPO and the resulting criteria should be the basis for such changes or recomenda-tions.

1677 327 D-2

1.7 OPS recomends that INPO set the minimum standards for the capabilities of the utility staff that operates nuclear plants.

1.8 OPS recminends that the subject of the licensing of addi-tional operating personnel be in the charter of DHO.

1677 328 D-3

Recmrnendation 2: Staffirg of Control Room Offshore Power Systems Response This recommendation applies to the NRC and not to the activities conducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

However, OPS agrees that the studies should be conducted to determine mannire requirements. These studies should include the following areas:

1. Man-machine interface - how effectively can the plant be diagnosed and controlled by the operators.
2. Operator response time - given a set of conditions how quickly and to what extent must an operator interact with the plant.
3. Personnel qualifications - given a set of conditions what level of capability is required to mitigate the event.

Recomendation 3: Working Hours Offshore Power Systens Response This recommendation applies to the plant owner and not to the activities conducted by Offshore Power Systems under a License to Manufacture Floating Nuclear Plants.

1677 329 D-4

Reconmendation 4: Emergency Procedures Offshore Power Systes Response This recommendation applies mainly to the NRC and rot to the activities conducted by Offshore Power Systems urder a License to Manufacture Floating Nuclear Plants. Westinghouse has rewritten its generic mergency instructions which will be reviewed and approved by the Westinghouse Owners' Group and the NRC. Offshore Power Systems will monitor the process of emergency procedure review. Lessons learned frm these reviews will be applied by Offshore Power Systems durirg the final design phase when recomerded mergency instructions will be prepared for the guidance of the plant owner in preparation of emergency procedures. Ample time exists to implement the stated requirements before an FNP owner will require an Operating License.

g 1677 330

Reconnendation 5: Verification of Correct Performance of Operating Activities Offshore Power Systes Response Administrative steps contained in this recommendation are within the plant owner's scope of responsibility. The balance of the recomen-dation deals with plant design features for automatic system status monitoring. 'Ihe Floating Nuclear Plant presently includes significant provisions for status nonitoring; these are outlined in the following paragraphs. Offshore Power Systems will reain abreast of continuing developments in this area, including those by INPO, and particularly those affecting Regulatory Guide 1.47. Should any new requirements arise, they can be addressed during the final design phase.

Assurance of proper operation and/or positioning of safety-related equipment (including equipment in engineered safety features support-irg systas) during all operating activities is provided by:

1) Main Control Board (MCB) Display Features: include position /

status indicating lights, position / status disagreement irr31-cation, availability indication, and system level bypass indication. These features meet or exceed Regulatory Guide 1.47.

Sme a3ditional criteria are stated in Section 7.5.1 of the PDR.

These features are as follows:

Ibsition/ Status Indicating Lights (Backlit Pushbutton)

(PIL)

Backlit red (open) and green (closed) pushbuttons indicate actual valve position frm limit switches on the valve. The pushbutton is part of the KB module for that valve.

Backlit red (on) and green (off) pushbuttons indicate breaker or contactor status fr m appropriate auxiliary 1677 331 D-6

contacts. 'Ihe pushbutton is part of the KB module for that cmponent (pump, fan, etc.)

'Ihese position / status signals are also inputs (through isolation devices) to the Plant Cmputer Systems.

Valve Position Indicating Lights (Lights Only) (PIL*)

This valve position signal is also an input to the Plant Computer Systems.

Position / Status Dicagreement Light / Alarm (Backlit Push-button) (PDL)

A backlit alarm indication / acknowledgement pushbutton (normally extinguished) flashes in conjunction with an audible alarm if the equipment fails to achieve the last position or state comanded. In addition, the comanded position / status indicating light flashes. 'Ihis backlit pushbutton is part of the MCB module for that equignent.

Both of these flashing lights are acknowledged by this pushbutton, changing the alarm indication pushbutton from flashing to steady, and the comanded PIL from flashing to extinguished. The steady alarm indication light is not extinguished until the comanded and the actual equipment state are in agreement.

  • indicates " Lights Only", see Table D-1 D-7 .

Availability Light / Alarm (Same Backlit Pushbutton as PDL above) (AVL)

If the equipment is removed frcrn service (i.e., if notive power is unavailable or locked out) either deliberately or due to failure, the backlit alarm indication /ackrowledge-ment pushbutton (the same device actuated by the EL) flashes in conjunction with an audible alarm.

For equipnent removed frm service, this alarm signal is also an input (through an isolation device) to the Plant Canputer System. The Plant Computer System flashes a system level display (BYP) on the KB indicating that the appro-priate system ESF train is bypassed.

System Level Bypass Indication (BYP)

An engraved backlit window, praninently displayed to the operator, is provided for each division of each major Safety Subsysten (e.g. , SIS, RHR) .

21is window flashes whenever any of the following con-ditions (within the scope of the wincbw) indicates a bypass of a protective action:

a) Motive power unavailable to an ESF actuation device (for example, an MOV, power unavailable to the reversing contactor), due to deliberate bypass or circuit failure. This condition is derived fran " AVL" signal . (AVL /BYP) b) Valve positioned so as to create a bypass of a protective action. This condition is derived from actual valve position. (PIL/BYP) 1677.333 D-8

c) Window activated manually by operator from MCB, responding to information received through adminis-trative control. (AIN/BYP)

If a redundant division of any subsysts were concurrently placed in a bypass mode (due to any of the above inputs),

the second division window would flash and an audible alarm would occur.

Acknowledgement of the first division level bypass causes the first window to change from flashing to steady, until the bypass is cleared. Acknowledgement of the second (concurrent) division level bypass silences the audible alarm, but leaves the second window flashing until one of the bypass conditions is cleared.

'Ihe plant computer systems perform the combination and sequence logic that is required to control the system level bypass indication windows. 'Ihe position / status inputs to the computer that are derived from Class IE control circuits are isolated in accordance with Regulatory Guide 1.75.

'Ihe bypass indication system meets or exceeds the reqJire-ments of Regulatory Guide 1.47. Additional design criteria for the bypass indication system are provided in Section 7.5.1 of the PDR.

System Level Monitor Indication (MON)

An engraved, backlit window, praninently displayed to the operator, is provided for each division of each major safety subsysts (e.g., SIS, CSS) . This window flashes, in conjunction with its corresponding PDL light (s), whenever any equipnent (within the scope of the window) has failed to respond to an ESF signal.

D-9 -

2) Control Circuit Design Features: In a3dition to these display features, circuit design features are provided to assure proper alignment of equipment. 'Ihese features include assignment of control priorities to ESF ::ignals and selection of failure nodes. 'Ihese control features are described below.

Control Priority Assigment (CP) ,

While the equipment is in service (i.e., while notive power is available to it), its control priorities are assigned such that ESF signals will always override non-ESP signals (with the exception of electrical an3 mechanical circuit protection features which must override ESF signals in order to prevent component damage) .

Failure Mode of Actuation Device (FM)

Removal of an air operated or solenoid operated valve from service (i.e., renoving notive power) will cause the valve to move to the safe position.

Administrative Control Input (Manual) to Bypass Indication Systs (ADM)

'Ihe system level bypass indication (BYP) can be manually input by the operator through administrative control.

Computer software supplements plant administrative controls by tracking these manual inputs (together with non-manual inputs), determining the system level effects, and pro-viding appropriate displays.

3) Owner's Administrative Controls and Procedures: The design features described above will supplement and enhance the Owner's administrative control program. The Owner's administrative control program should be the first line of defense against improper operation.

1677 335

~

D-10

Table D-1 illustrates the specific application of these design features to the generic types of FNP equipnent that could be in-correctly operated. The table indicates which of the FNP control and display design features provide direct defense against:

a) The effects of mispositioned circuit breakers or contactors b) The effects of mispositioned valves, or r c) Undetected mispositioning of equipment for varioes con-ditions of plant operation and for various types of equipment.

Considered in the table are:

a) The nature of the safety system bypass (deliberate vs.

inadvertant) b) The plant operating node (periodic test, maintenance, etc.)

c) The ergineered safety features systems mode (standby vs.

active) d) The type of safety equipment (circuit breaker, motor operated valve, hard operated valve, etc.)

Table D-1 does not a$ dress any FNP design features that are not relevant to safety consequences, nor is credit taken for other types of design features (e.g. , process alarms) that in some cases would further enhance safety.

1677 336 D-ll

0 - OE OE OE =E Me t*

g 37. 3' edd eb.d 4 4z- 4z

37. .7.

o -mm -mm z edd sdd

-mm z=m 4

^

.tN g , Og =g =g Og E E 3' 37. "'.

M

- .u$"E o .

3'bb e

-mm ebb d=

-mm 4z 4z -mm ebd edd -mm B A s m g g g

- "N""E e [~^:t  : 3 4*

m a E j e 3 w

t o

lE4! g o

E 1

4= .e 3

e W

~

> a w 8 w 26n E Egg b 5 E B4f =g B :l  :$ => => C

.s .s .s .e .e a g fg^

os a jLL1 <

Ett 1 jtL ja$

EE EE

< < < 5*t a jLL g w 2 1 1 EEE Et -

a n o m b u

o . t. E C. D. E E C. EE t'

.E ##

.. E t

5 33a' ba aba 33a 33a 33a aba 3a "

~

d z

EQE out < 3a'k W # gen

-g Er Ettrk EE 2EE EEEEEEEE EtEE EEE EE 3 E

- E g s 2" mm um m . . mm um . m a

$ g .

ts: $ . E E EE E E E EE e.Em EE E E

  • z a *1 s 3a1 33a1 3a aba 33a 33a 33a aba na $

$ t23"e E EES ~tES EE EEE Ett REE EEE BEE EE a  ; za: 5 g

7 - 5  : = m s ~ m z s c u 8 , gs . E .g E E E E

=

w E m e .2 5 3' da 3a ha 3a E a

m m

o W- zz<

e t U Etk B B E42 Et2 E42 b RE -

g alo. Bz : g m

$3

<<w-.e b E.N E N. N

~

52~ tf m s = 3 3 3 3a W .'

6 N'EdE "

3'k S

4 4 U EE 2 E E

w g? E g 5 5 da o r .t su um . .. .. z 3" *!

w "ge-w EE EE AW EE EE E *8 geastt w

$ g<2 g

E e 31 tt 6

1 3'k E

gtl3'hth aB<t 3' <

1 3a er ed 2 B~@

4 ger C szoe "g' e t -

W a S*WE'NEE

- E -e, .! ,  : -

em utsaemeEs m

c E w

g

< r -

8 2

-Ex::ss  :

G $E gm Eat E r S  :: *

- 8 gEEw!gtElste o

g w g~ 5m z S ig  :  :  : z

.$ 5. 3:a 1:

W e ar .ita E E z

8"S e zza5" gSSI.

g$t*gttede t go m w h 5 -. .

E o 2 -

5"  : * [2

. m
  • t t

t e

a

a  :

. g w

e 87[g*s[*8ps"E u-B "

E: s . 2 - - -

a g e mmmmz  :

Ej 8.t t a t  : "

EEEEE =

?"a "

g t % u m a 3333 g"Eg a W  :: i # 0 CEr}uSEEE =

j}E g w # a& E" -

- =

"Eg2 3." 5 . . , . m g gm 3 361 g E ; 1  :  : 2 s w 2.0 3g ja"a =E E. E. 3 3 s. .t g g . .

D-12 1677 337

d

'IABLE D-1, Sheet 2 m 1. Valves are locked in safe position, and are under adninis-trative control.

NCTII 2. " Operator error" includes failure to recognize a valve that is left improperly positioned (for power operation) following stattup.

M 3. Safety-related hand operated process valves that have the capability of significantly degrading a protective action if left mispositioned are subject to the following cri-teria:

a) If normally operated more frequently than once per year with the plant at pwer, shall be locked in the safe position under administrative control. In addi-tion, remote position indication shall be provided.

b) If normally operated at startup, shutdown and/or refueling, shall have the provisions of paragraph a),

c) If only operated for non-routine maintenance or repair (e.g., to isolate a pump or heat exchanger for repair) with the plant at power, shall be locked in the safe position under adninistrative control.

M 4. 'Ihis table includes only those control and display features that provide direct defense against these conditions, recognizing that others of these features might be provided for a particular component, but would be less relevant.

m 5. Where nore than one design feature provides defense, the most proninent one is listed first.

-3 1677.338

Recmmendations 6: Evaluation of Operating Experience 6.1 Nationwide network 6.2 Providing information to operators Offshore Power Systems Response These recomendations apply to the NRC Staff and plant owners.

However, OPS agrees with the recomendation to review operational data and apply it to the plant operation and personnel training.

Recmnendations 7: Man-machine interface 7.1 Control room reviews 7.2 Plant safety status display 7.3 Disturbance analysis systems 7.4 Manual versus autmatic operations 7.5 Standard control room design Offshore Power Systens Response These recommendations suggest initial actions by the Nuclear Regulatory Comission, possibly leading to new design requirements.

Offshore Power Systems will remain abreast of the program of these activities as well as progress in the field of human engineering generally. During final design, the Control Room and control board designs will be developed in consonance with new requirements which may result from these recomendations.

Additional OPS coments are:

7.1 No further coment 7.2 No further coment 1677 339 D-14 -

7.3 At the present time, designs for computet based diagnostic systems cb not exist; however, programs have been initiated by both EPRI and DOE to perform the scoping and feasibility study for a plant wide disturbance ard analysis systs. Westinghouse has the responsibility for the overall project management of the EPRI program.

OPS recommends that any program to be performed by the Nuclear Regulatory Comission be developed with full recognition of the programs already initiated by EPRI and DDE.

7.4 OPS believes that a joint Nuclear Regulatory Research/ nuclear industry effort is the nost effective means for satisfying this recomendation. 'Ihe effort that is undertaken should recognize that specification of manual and automatic actions for nuclear power plant operation is a function of understanding and predicting every situation to which the plant is subjected. Since it is not possible to predict every potential scenario, there is a need for maintaining flexi-bility for manual operator actions. This need sMuld be a recognized criterion for the program.

7.5 No further coment o-1s 1677 340

Recmmendations 8: Reliability Assessments of Final Designs Offshore Power Systems Response This recommendation requires that the NRC initiate a systematic assessment of saftey systes reliability using simplified fault tree analysis techniques. It is assumed that once these analyses are emplete, appropriate design requirements would be promulgated. When such design requirements are prcxnulgated appropriate action will be taken to incorporate the requirments in the design of the FNP.

In this respect, a general overall reliability assessment of the FNP design was performed in early 1977 as part of the Liquid Pathways Generic Study. 'Ihis assessment was reported in an appendix to the FNP Liquid Pathways Generic Study Topical Report, OPS Report 22A60.

FNP design features such as improved testability of the interfacing check valves associated with the low pressure injection system, redundancy in the Auxilary Feedwater System design and incorporation of 4 separate diesel generator sets have produced significantly improved reliability for the FNP design when compared with the Ph'R plant analyzed in h" ASH-1400.

Reliability assessments for an ice condenser plant recently con-ducted by the NRC show that the loss of both long-term core cooling recirculation flow and containment spray flow as a result of failure to open the drains between the upper and lower containment compartments after refueling, is a major contributor to risks.

Accordingly, OPS intends to take steps to reduce the probability of leaving the drains closed following refueling. Design features such as automatic status indication and more stringent inspection requirements each appear to offer satisfactory results.

We believe that OPS has taken the initiative in keeping abreast of applicable reliability evaluations and applying the available re-sults to the FNP design. We shall continue to utilize this approach as other applicable reliability assessment studies are completed.

16/7 ,MI D-16 -

Recarnendation 9: Review of Safety Classifications and Qualifications Offshore Power Systems Response The recommended evaluation can be performed for the ENP following issuance of the License to Manufacture. This evaluation would be subject to review by the Staff during the final design approval phase (post-ML) . Recommendation 9 specifically provides that licensing of new plants need not be delayed pending completion of the specified evaluation. This is particularly appropriate in the case of the ENP, since both the pre-ML technical review and public hearirgs are substantially emplete.

OPS reccamends, however, that in order to obtain an orderly resolu-tion of this issue, it is essential that a lead role be identified for establishing a detailed scope for the investigation, and for defining acceptance criteria against which the results of the industry investigation can be evaluated. OPS endorses the imple-mentation of a classification system for electrical components that recognizes varying degrees of component utility in post-accident situations.

D-17 1677 M2

Recomendation 10: Design Features for Core-Damage and Core-Melt Accidents Offshore Power Systems Response The NRC position recomends NRC conduct rulemaking regarding design features to mitigate accidents that would result in either core-melt or severe core-damage without core-melt. As NRC is aware, Offshore Power Systes has already comitted to incorporate a core ladle in the ENP design to assist in mitigating the consequences of a core melt accident. In addition, a containment vent system has been investigated and incorporation of such a system into the FNP design was shown to be feasible (should it be required by rulemaking) . This system would open at an overpressure above the containment design pressure and vent into basin water beneath the platform (See Appendix F of the OPS Generic Liquid Pathways Repoct, OPS Report 22A60 of 6/77) . The air pathways source terms and resulting dose effects would be significantly reduced as a result of fission product adsorption by the basin water.

In a3dition OPS concurs with the Task Force recomendation that the Ccrmiission should define a clear criterion to define the basic safety goal for nuclear power plant regulation (Recomendation ll) .

Definition of this safety goal must be established prior to de-velopment of any new regulatory regairements. We note that the Task Force, however, does not recomend a time table for establishing such a safety goal. Many of the other Task Force recomendations, specifically 8, 9 and 10, are dependent on the definition of a safety goal. 'Ihus , rather than having an initial rulemaking pro-cedure for Recomendation 10 as proposed by the Task Force, we suggest action be taken prcmptly on defining the safety goal for reactor regulation.

D-18 1677J_O

The steps to accmplish this are as follows:

1. A rulemaking should be held to identify the safety goal. We process for this would be to publish the intent of such a rulemaking and to request input frm the industry in writing on the content of an initial proposed rule that defines the safety goal. We next steps would then be for the Staff to write the proposed rule, followed by a public hearing. We recomend that the Commission issue, within the next three months, a notice of intent to corduct a rulemaking to solicit coments for the safety goal. We proposed rule would then be published for public coment within one year of the notice of intent. This is the same time table as was proposed for Recomendation 10.
2. With the safety goal defined, the next step would be for the NRC to evaluate the core-damage and oore-melt design features itmized under Recomendation 10 in order to determine whether there is a need for a public hearing process. With the safety goal defined, many of the questions identified in Recomenda-tion 10 could be readily answered or eliminated when evaluated with respect to the safety goal. However, proposed design features and questions relating to core-damage accidents may require analysis to define whether there is still a need for a hearing. We results and findings of this NRC evaluation should then be published for irdustry coment and a rulemaking held, if necessary.
3. %e third step in the process would be the determination of whether other design features to improve safety are necessary.

Such a study should utilize the results of the work performed under Recomendations 8 and 9.

In sumary, the OPS position is that identification of design features for core-damage and core-melt accidents, as given in the Task Force Recmmendation 10, cannot be a3equately made until a D-19 -

safety goal has been defined by the NRC. 'Ihis should be done as early as possible using the rulmaking process, rather than the NRC suggestion of having a rulemaking for Recomendation 10. It is not logical to try to identify new design features for core-damage and core-melt accidents without having a safety goal upon which to judge the need for additional design features. With the safety goal defined, it may well be that the existing design features coupled with the siting considerations, mergency action plans, and the improved human and operational factors that are currently being developed, will meet the safety goal without the need to incorporate additional safety systems. With respect to any design requirements that may result frm the proposed rulmaking, Offshore Power Systems will consider and implement appropriate requirements in the FNP design once the rulemaking has been completed and required implementation (design features and schedule) has been defined.

/

D-20

Recmmendation ll: Safety Goal for Reactor Regulation Offshore Power Systems Response No action by Offshore Power Systems is indicated until the basic safety goal for nuclear power plant regulation is defined and resulting design requirements are pranulgated in the licensing process. Refer to the OPS Response to Recomendation 10.

Recomendation 12: Staff Review Objectives Offshore Power Systems Respoase This recomendation deals only with internal NRC procedures. Ample time exists for the Staff to implement this recomendation prior to the FNP final design review. We believe this recomendation should be implmented systematically without imposing longer licensing times. In fact, efforts to streamline the licensing process, such as NUREG-0292, " Nuclear Power Plant Licensing: Opportunities for Improvement," should not be abandoned because of the TMI accident.

Recomendation 13: NRR Emergency Response Team Offshore Power Systems Response This recomendation requires action only by the NRC Staff and will not affect Staff review of the FNP.

1677J46 D-21

Retrieved from "https://kanterella.com/w/index.php?title=ML19270H811&oldid=2610541"