Text

.....

MIDLAt1D 1 & 2 Q1 31.12 Section 1.3.2 of the FSAR does not satisfy the intent of Revision 2 -

(1.3.2) of the Standard Format.

The FSAR states that "due to extensive reformating and the additional information provided in the FSAR, cross-reference of changes is not considered appropriate and is therefore not 'ncluded." We do not agree that this information should be omitted.

The intent of this section is to identify all changes from the original design which was approved by the staff during the con-struction permit review.

The staff requires that the FSAR describe all changes from the CP design and identify the FSAR location where the r.ew design is described.

The description should include justification for the change.

We need assurance that the Midland units have,ut been con-structed to satisfy criteria that are less conservative than those which were comnitted to by the applicant and approved by the staff during the CP review.

Please amend the FSAR to reflect these requirements.

g 4

N

.8006 250 hO

,s

_2 31.13 The Midland 1 & 2 FSAR does not provide all of the information (3.11) specified by Section 3.11 of the Standard Format and the Standard Review Plan.

flotable examples are:

1.

All safety related equipment should be qualified to perform its function under all expected environmental conditions.

These environmental conditions are not limited to an accident environment such as that inside of containment during a LOCA.

Some of the tests discussed in Table 3.11-4 of the FSAR indicate that environmental qualification is not required when there is no extreme environment such as that produced by an accident.

Qualification is required even though the environmental envelope does not include these extreme conditions.

2.

Where Heating, Ventilation and Air Conditioning (HVAC) are relied on to control the environment of safety related equip-ment within the envelope to which they were qualified, these systems must meet at least one of the following requirements:

(a) The HVAC must be designed and qualified to meet all requirements of a safety related system, or, (b) The control room should receive an alarm when the acceptable temperature range has been exceeded.

This alarm should be provided by instrumentation which:

- (b;l) is of high quality

~ s 31.13 (b.2) is checked periodically to verify its functional (3.11) capability by plant technical specification requirements, and (b.3) is powered from a continuous power source or is redundant with separate channels and power sources.

~

Also the operator should have a method of obtaining a continuous record of the temperature during the time that the temperature range is exceeded.

The applicant shall report the occurrence of the tempera-ture exceeding the equipment qualification range as an abnormal occurrence to the NRC.

In addition, the applicant shall provide the results of an analysis to demonstrate that the excess temperature has not degraded the involved Class 1E equipment below an acceptable level for continued plant operation.

In either a or b above, we require the applicant to demon-strate the capability of the environmental control system to prevent degradation of redundant Class lE equipment beyond the point where the safety function cannot be accomplished within the tiiae required.

We require that this concern be addressed in the qualifi-cation program for all equipment which relies on HVAC systems for environmental control.

e 4

31.13 3.

There are several places in Section 3.11 which indicate that (3.11) information will be available later.

We require this informa-tion to complete our review.

With the above concerns in mind and in order to ensure that your environmental qualification program conforms with General Design Criteria 1, 2, 4 and 23 of Appendix A and Sections III and XI of Appendix B to 10 CFR Part 50, and to the national standards men-tioned in Part II " Acceptance Criteria" (which includes IEEE Std 323) contained in Standard Review Plan Section 3.11, the following information on the qualification program is required for all Class lE equipment:

I.

a)

Identification of Equipment including, 1.

Manufacturer 2.

Manufacturer's type number 3.

Manufacturer's model number b)

Equipment design specification requirements, including, 1.

The system function requirements 2.

An environmental envelope which includes all extreme conditions, both maximum and minimum, expected to occur during plant shutdown, normal operation and abnormal operation including any design basis event.

3.

Tine required to fulfill its function when sub-jected to any of the extremes of the environ-mental envelope specified above.

c)

Test plan, d)

Test set-up, e)

Test Procedures, f)

Acceptability Goals and requirements, 9

s 31.1 3 g) Test results (3.11 )

h)

Identification of the Documents which include and describe the above items This information shall be provided to the staff for at least one item in each of the following groups of Class lE equipment.

a) Switchgear b) Motor control centers, c) Valve operators (in containment) d) Motors e) Logic equipment f) Cable g) Diesel generator control equipment h) Sensors i) Limit switches j) Heaters k)

Fans

1) Control Boards m)

Instrument racks and panels n) Connectors o)

Penetrations - including design provisions for the overcurrent protection circuits, and p) Splices

_ 31.13 II.

In accordance with the requirements of Appendix B to 10 CFR 50 (3.11) the staff requires o 'tatement veri fying:

1) That all remaining Class lE equipment has been qualified in accordance with the program described above and 2) That the qualifi-cation information for this equipment is available for an NRC audit.

31.14 Section 7.1.2.2 discusses independence of redundant safety re-(7.1.2.2)

(8.3.1.4) lated instrumentation and control systems. We request the (3.11) following information:

(1)

Identify each type of device used to isolate Class lE cir-cuits from non Class lE circuits.

(2) Describe the method used to qualify each type of isolator.

(3) Provide a summary of the results of the qualification pro-gram for each type of isolator.

(4) Describe the power supplies for each type of isolator.

This description should demonstrate that Class lE power supplies will not be degraded by the isolators and that non-Class lE power supplies will not degrade any Class lE circuit.

m O

4

% s

/

- 31.15 FSAR Table 7.1-1 lists the pressurizer heater controls and the (7.1.1) decay heat removal isolation valve interlock as safety related instrumentation and control systems supplied by the NSSS vendor.

The FSAR does not describe how these systems will be environmen-tally qualified.

Describe the qualification program including criteria used to qualify these systems and all of their components and equipment.

31.16 Table 7.1.1 of the FSAR identifies other plants with similar safety (7.1.1) related instrumentation and control systems.

This table, however, does not identify the differences between the I1idland design and the design of the other plants. Also,it does not discuss differences and their effects on safety related systems.

Please provide this information as specified in Section 7.1.1 of the Standard Fo'r-mat.

31.17 FSAR Section 7.1.2.5 takes exception to branch technical position (7.1.2)

ICSB 4 (PSB) of the Standard Review Plan, Revision 1.

We do not agree with the exception and require that items 1 and 4 be fully implemented in the Midland design. VaPre lock out as provided in response to satisfy branch technical position BTP ICSB 18 (PSB) is intended to insure availability of the core flooding system during

' 31.17 normal operations.

Branch technicai position BTP ICSB 4 (PSB)

(7.1.2) is intended to insure availability of the core flooding systems during other times such as start up, when pressurizing the main coolant system and during power operations when the core flooding system is isolated (as allowed by the technical specifications) for short periods of time.

Please provide a modified design which satisfies all the require-ments of branch technical position BTP ICSB 4 (PSB) listed in the

~

Appendix 7A of the Standard Revitw Plan, Revision 1.

31.18 Conformance to the recommendations of Regulatory Guide 1.52, (7.1)

(App. 3A) discussed in Appendix 3A of the FSAR, is not accept ble.

The FSAR states that compliance to the' applicable IEEE Standards is not known.

It is also stated that the qualification program for the electrical components will be provided when available.

Please provide a discussion of conformance to the recommendations of Regulatory Guide 1.52, particularly position C.2.h.

Identify and justify all exceptions.

31.19 With regard to branch technical position BTP ICSB 24, the FSAR (7.1) states that compliance to this position will be discussed later in an amendaent.

We request that the applicant provide this in-formation.

4

31.20 In our letter to Consumers Power Company, dated September 29, 1976, (7.1)

(App. 3A) we found the balance of plant (BOP) separation criteria to be acceptable.

This separation criteria was presented ir. Amendment 32 to the PSAR.

In our letter to Consumers Power Company dated we approved modifications to the B0P separation criteria and we also approved the separation criteria for the nuclear steam supply system portion of the design.

This 'ew information was presented in a letter from the applicant dated March 30, 1978.

However, in order to ensure that implementation of this criteria is acceptable, we require that the following information be provided:

1.

Verify that the two diesel generator synchronizing circuits are the only Class IE to non-Class lE circuits that will be analyzed and not make use of the isolation cabinets.

2.

Identify and describe each type of device used to isolate the Class lE circuits from the non Class lE circuits.

3.

Provide a description of the qualification program used to demonstrate that each type of isolator will prevent degrada-tion of the Class lE circuits.

This deEcription should include a summary of the test results and the acceptance criteria.

[See Question 31.14 (1) & (2)]

- ~.

. 31.20 4.

Provide drawings to show examples (worse case) where termina-(7.1)

(App. 3A) tions of Class lE and non Class lE circuits are made on a common device (isolator).

Identify these drawings if already presentud in the OL application.

5.

Identify and justify all terminations on devices other than isolators where the six inch separation requirement between Class lE and non Class lE circuits is not met.

6.

Provide a description, with a summary of the results, of the method used to qualify the isolation relays in the CRDCS trip breaker cabinet. This device is discussed in item 7 of the NSSS separation criteria.

7.

Provide a sketch to show the physical separation between redundant channels which are connected to the reactor trip switch.

8.

Provide a description, with a summary of the results of the method used to qualify the CRDCS trip breaker.

This method should include a demonstration that the breaker contacts will open, when tripped, during and folicwing a seismic event.

31.31 The response to Regulatory Guide 1.105 giver. in FSAR Appendix 3A (7.1)

(App. 3A) states that " compliance of the NSSS safety-related instrumentation will be provided by amendment." Provide this information.

em I

O he

m

^ 31.22 The response to the acceptance review question 31.10 does not (7.2)

(7.8) satisfy our concerns.

The RPS inputs from the power range detectors are described in Section 7.8 of the FSAR. This section does not, however, address any safety requirements that these systems should meet.

Since these inputs are a vital part of the RPS we require that a description of this system be provided in the FSAR and the criteria specified.

If this information is provided in a revision of Section 7.8 then a reference to this revised section should be provided in Section 7.2.

31.73 FSAR Section 15.2.8.2.1 discusses a reverse-flow monitor which (7.3)

(15.2) is used to actuate the main steam line isolation system (MSLIS) and the auxiliary feedwater i tuation system (AFWAS).

Since credit is taken for this monitor, provide a description of the monitor,with drawings, and show how this monitor satisfies all requirements for a safety system including environmental and seismic qualification. This monitor was not included in the latest revision (# 12) of FSAR Sections 7.3.3.2.6 and 7.3.3.2,7, 31.24 Section 10.3.2.2 of the FSAR states that closure of the main (7.3) steam line isolation valves is accomplished by redundant spring assemblies requiring no additional energy assist. Also it is stated that two channels of acutation provide for positive valve closure on a trip signal (MSLIS).

Provide a description, including diagrams (both logic and mechanical) to show how each redundant signal accomplished valve closure.

Our interest is to verify that no single failure will preclude valve closure when required.

~

s

, 31.25 The control room fresh air intake system is required to have (7.3)

(3.11) monitors to detect and automatically initiate the emergency (12.3.3) mode of operation at sufficiently low activity concentrations so as to assure criterion 19 is not exceeded during the course of the accident. These detectors are therefore considered to be safety grade and all requirements for a safety related system should apply.

This includes conformance to the requirements of IEEE Std 279-1971.

Provide a description of these detectors.

Also describe the qualifi-cation program and provide a summary of the results which verify that this equipment satisfies all safety requirements.

31.26 Table 7.3-2 provides the design data for the engineersd safety (7.3) features actuation system (ESFAS). This table does not identify the ESFAS subsystem that will be affected b; high radiation in the fuel pool area.

Identify and describe this (these) subsystems.

31.27 (a) Section 7.4.1 of the FSAR identifies the pressurizer heater (7.4.1) controls as a system required for safe shutdown.

Yet Section 7.4.1.1.6(e) indicates that this system does not meet all requirements of IEEE-Standard 279-1971. This section also attempts to provide justification for not meeting this staff requirement.

, 31.27 Identify any and all unsafe conditions which would result (7.4.1) from failure of this system while attempting to acFieve and maintain safe hot shutdown. Also demonstrate that each of these conditions will not violate any of the commissions requirements.

Identify and justify all sections of IEEE-279-1971 which are not met in the design of the pressurizer heater control system.

Coordinate the response of this question with the response to question 211.35.

(b) Criterion 19 of Appendix A to 10 CFR 50 requires in part that equipment at appropriate locations otitside the control room should be provided with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures. The staff interprets this to mean that the equipment is required for safety and should meet all require-ments for a safety related system.

These systems should be identified in FSAF. Section 7.4 as systems required for safe shutdown.

Provide a modified description in FSAR 7.4 to include all systems required to achieve and maintain safe shutdown of the reactor.

This description should include all informa-tion specified in Section 7.4 of the standard format.

Please :Jentify and justify all exceptions.

~.

, 31.28 Section 7.4.2.3 of the FSAR. in the discussion of conformance to (7.4.2) the recommendations of Regulatory Guide 1.53 states that "a failure modes and effects analysis of the contrcl rod drive control sys-tem (CRDCS) trip position, will be performed and submitted at a later date". We require this information to complete our review.

This section also states that conformance to Regulatory Guide 1.75 for the trip portion of the control rod drive control system will be submitted later. We require this information to complete

~'

our review.

31.29 (a) By omission,Section 7.5.2.2.1 of the FSAR takes exception (7.5).

to several sections of IEEE 279-1971.

Describe how your design of the safety related display instrumentation satisfies the missing sections of IEEE-279-1971 or provide justification for each omission.

(b) Provide justification for not including safety-related recorders in this design as required by ICSB Position 23 listed in Appendix 7A of the Standard Review Plan.

(c) Section 7.5.2.2.1 of the FSAR includes design criteria for only the engineered safety features actuation system (ESFAS).

Identify all other Safety Related Display Instrumentation and describe how it satisfies branch technical position ICSB 23 listed in Apoendix 7A of the Standard Review Plan.

In the response to this question-include the information requested in (a) and (b) above.

1-

~.

31.29 (d) Provide justification for not including control rod position (7.5) indication as safety related display instrumentation.

31.30 Section 15.4.6.3.3 of the FSAR takes credit for operator action (15.4.6)

(7.5) to terminate dilution flow during a chemical addition system mal-function.

To initiate this action the operator relies on a high make up flow alarm. Prcvide a description, with drawings, to show how this alarm satisfies all of the requirements for a pro-tection system or justify the design on some other basis.

Where drawings are included in the FSAR drawing package, a reference to the proper drawings will be acceptable.

31.31.

Section 9.3.4.3.1 of the FSAR states that "the make up tank has a (7.3.4)

(7.5) 10 minute supply of water below the low-level alarm point to enable the operator to line up the BWST (open valve) following a small break." This is described as part of the safety related function of the makeup and purification system.

Provide a des-cription,with drawings, to show how this low-level alarm satisfies all of the requirements for a protection system or, justify the design on some other basis. Where drawings are included in the FSAR drawing package, a reference to the proper drawings will be acceptable.

. ~_..

~.

31.32 With regard to the above two questions, identify all other alarms in (15)

(7.5) the Midland design which are relied on to inform the operator when to take any necessary manual safety actions.

Describe how each of these alarms satisfies all of the requirements of a protection system, or justify each design on ome other basis.

31.33 The decay heat removal system does not satisfy the staff's require-.

(5.4)

(7.6) ments.

(a) A single failure of motor operated valves 045 or 046, or their power supplies shown on Figure 5.4-10 (046 and 048 on 5.4-li for unit 2) can cause the complete loss of the DHR sys-tem. This is in violation of General Design Criterion 34 (GDC 34) listed in Appendix A of 10 CFR 50.

(b) Section 7.6.1.2 of the FSAR discusses the decay heat removal isolation valve interlock. We find this discussion of the design unacceptable since it does not satisfy our require-ments for independence of diversity for these interlocks.

These interlocks should satisfy item B2 of Branch Technical Position ICSB #3 which is listed in Appendix 7A of the Standard Review Plan, Revision 1.

Also, the design should assure that failure of a single power supply will not preclude isolation between the n4R system and the reactor coolant system when required.

31.33 Provide a modified design which satisfies both GDC 34 and (5.4)

(7.6)

Branch Technical Position ICSB 3 listed in the Standard Review Plan or justify this design on some other basis.

31.34 Following a steam line break upstream of a MSLIV, the single (7.7) failure of the other MSLIV to close could cause the second steam generator to blow down. Tc preclude this incident, which could result in the reactor retur ning to a critical condition, credit is taken for all downstrean valves to limit blow down of the second steam generator in an acceptable manner. This approach has been found to be acceptable to the staff as expressed in issue No. i of NilRE'a 0138.

The design of Midland 1 and 2 presents an additional problem which should be considered in the steam line break accident.

In addition to the turbine generator steam is also supplied to the Dow Chemical Company process steam evaporators.

Valves intended for isolation and routing of steam to this external system are controlled by the process steam transfer system (PSTS).

Fc.llowing a steamline break accident the PSTS will be relied on to control steam flow such that both steam generators will not be blown down.

a @e T

O e

m

- 31.34 Since this system is relied on to mitigate the consequences of (5.4)

(7.6) a steam line break accident then it should satisfy all require-merts for a safety related system.

(i)

Describe how the PSTS satisfies the requirements of IEEE Std 279-1971 or (2)

Provide justification on some other bases that failure of the process steam transfer system will not present a hazard during any postulated steam line break accident.

~

31.35 Section 9.5.2 of the FSAR states that a two-way radio system is (9.5.2) installed to suppiement the public address sjstem and the sound-powered phone system.

Describe the procedures and results of the tests used to demonstrate that this equipment will not degrade operation of safety related instrumentation, through radio fre-quency interference (RFI).

31.36 Section 7.7.2.2 of the FSAR states that "no accident 3nalyzed in (7.7.2.2)

Chapter 15 requires proper functioning of the integrated control system (ICS).

In addition, Chapter 15 addresses various abnc.rmalities that could result from failures of the ICS.

In all cases, the reactor prctection system (RPS) provides the necessary plant protection".

-~

_ ~-___.

\\

_19-31.36 This statement does not support the conclusion that all abnormalities, (7.7.2.2) resulting from all possible failure modes of the ICS, will be kept within acceptable limits by the RPS.

Provide the summary of an analysis which identifies all possible failure modes of the ICS, which could cause an abnormal condition outside of acceptable limits.

.