ML19308E103
| ML19308E103 | |
| Person / Time | |
|---|---|
| Site: | Crystal River |
| Issue date: | 09/01/1973 |
| From: | US ATOMIC ENERGY COMMISSION (AEC) |
| To: | |
| Shared Package | |
| ML19308E092 | List: |
| References | |
| NUDOCS 8003200826 | |
CRYSTAL RIVER UNIT NO. 3
DOCKET NO. 50-302
REGULATORY POSITION STATEMENTS

7.0 INSTRUMENTATION AND CONTROL

1. The response to Request 7.7 indicates that the breakers supplying power to the core flooding tank motor-operated isolation valves will be maintained open to ensure against accidental closure of these valves during normal reactor operation. Based on this mode of operation, we have concluded that the proposed administrative controls do not provide sufficient assurance that these valves will be open when required. We require that the valve control circuits be designed to meet IEEE 279 and the following features be incorporated in the design:
a. Valve position visual indication (open or close) in the control room for each valve which is not dependent on power being available to the valve actuator.
b. Valve not open audible alarm in the control room for each valve, actuated when the valve is not in the fully open position and reactor coolant pressure is above a preset value.
c. Valve position indications both visual and audible to be derived from redundant and independent valve position sensors and circuitry, such as limit switches actuated by the valve motor operator and valve position limit switches activated by stem travel. The reactor coolant pressure signals shall also be redundant and independent.
d. A Technical Specification requirement that the reactor shall not be made critical or shall be shutdown unless each core flooding tank isolation valve is open and the breaker supplying power to the valve operator is locked open and tagged.
2. The response to Request 7.17 identifies the Power/RC pump trip as a surveillance reactor trip function and indicates that because no credit is taken for this function in the safety analysis, this reactor protection trip does not have to meet IEEE 279. The Regulatory position is that all reactor protection system trips must meet IEEE 279.
3. The design criteria presented in response to Request 4.10 are not adequate for high pressure to low pressure interface valving. The Regulatory position is that you must adhere to the following criteria:
a. For systems where both valves are motor-operated, the valves shall have independent and diverse interlocks to prevent valve opening at high pressure. These interlocks shall be designed to comply with all the requirements of IEEE 279.
b. Automatic closure of the motor-operated valves whenever the reactor coolant system pressure exceeds the pressure rating of the low pressure system. The closure devices shall be designed to comply with all the requirements of IEEE 279.
4. The Emergency Feedwater System (EFS) and Steam Line Break Isolation System (SLBIS) are of concern in the following areas:
a. We consider the EFS and SLBIS to be safety-related systems. Therefore, provide a description of the instrumentation, control and electrical equipment supplemented with functional diagrams, in sufficient detail to permit an independent evaluation of these two systems. Your description must show that your design complies with IEEE 279 and 308. Also, include an analysis to show that, under steam line break conditions, no single failure in the I&C and electrical equipment will prevent reestablishing adequate emergency feedwater to the intact steam generator.
b. In the analysis of recovery from a steam line break accident, you state that the EFS, in conjunction with the unaffected steam generator, is used to remove reactor decay heat. Our evaluation indicates that a single failure in either of the two serially connected valves located in the emergency feedwater supply line to the steam generator will preclude the EFS from performing its function under steam line break accident conditions. We will require that the design be modified to meet the single failure criterion in this regard.

8.0 ELECTRICAL SYSTEMS

1. The ac standby (onsite or emergency) power system is of concern in the following areas:
a. Single bus switching between redundant emergency buses.
b. Reactor building emergency cooling system load connections to the emergency buses.
c. Connection of Non-Class IE loads to Class IE emergency buses.
1.1 Regarding the response to Request 7.1.7, the information presented in support of the automatic transfer of the single ESF 480 V motor control center (MCC) 3AB to either one of the redundant ESF buses 3A or 3B did not address the potential conflicts resulting from implementing this design feature. Identify the loads connected to this non-redundant MCC 3AB and provide sufficient information to permit evaluation of this design feature. We assume that the automatic or manual transfer of the single bus to either one of the redundant emergency buses is for the purpose of providing the necessary safety load redundancy in each emergency bus. If so, the design would not meet the single failure criterion. Consistent with preserving the independence of the emergency buses as discussed by GDC 17, IEEE 308 and Regulatory Guide 1.6, we require that the design of this single bus (MCC 3AB) satisfy these requirements:
a. Preclude the automatic transfer feature (position 4 of Regulatory Guide 1.6), and
b. Assure that failures in this bus will not be propagated to the emergency buses rendering both of them inoperable.
1.2 As indicated in FSAR, emergency cooling of the reactor building relies upon one of the following combinations:
a. Two spray systems and no air recirculation units,
b. Three air recirculation units and no spray systems, or
c. One spray system and two air recirculation units.
However, based on our examination of the information provided in Section 8.0 of the FSAR, we conclude that all of these combinations may be prevented by a single failure in the emergency power system. The provision of the design to transfer the third redundant air recirculation unit to either one of the emergency buses in order to provide the required redundancy is not acceptable because the bus cannot of itself meet the single failure criterion. This transferring feature is of further concern with regard to a failure in the third redundant unit rendering one emergency bus inoperable and the propagation of the same failure to the other emergency bus as a result of load transferring action. This will cause the loss of both emergency buses. We require that the design of the emergency power system be modified to provide for the independence of the redundant emergency buses required by GDC 17 and IEEE 308 while meeting the requirements for the reactor building emergency cooling system.
1.3 The response to Request 7.1.5 did not address the potential conflicts resulting from the connection of Non-Class IE loads to the Class IE emergency bus 3B. As shown on Figure 8-7 of the FSAR, the 4160/480 V plant auxiliary transformer 3 utilized to supply power to the Non-Class IE distribution system is energized during normal reactor operation from emergency bus 3B through a feeder breaker. Additionally, it is inferred from the information presented in Section 8.0 of the FSAR that the connection of selected Non-Class IE loads to emergency bus 3B will be accomplished through administrative controls. Based on this mode of operation, it is our concern that in the event of an accident coincident with the loss of offsite power, a failure in the Non-Class IE electrical system could result in the unselected connection of Non-Class IE loads to the emergency bus 3B. This could result in the tripping of the associated diesel generator due to overload. We require that the feeder breaker connecting the 4160/480 V plant auxiliary transformer 3 to emergency bus 3B be designed to meet Class IE requirements and that this breaker be opened automatically upon detection of an accident coincident with the loss of offsite power and be prevented from closure during the transient stabilization period subsequent to this event.
2.0 Section 8.2.2.6 of the FSAR states that provisions have been made for manual cross-connection of the two redundant main dc distribution buses in the event of a battery failure. Figure 8-9 shows that the two redundant dc distribution systems can also be interconnected through the substation distribution panels and 120V ac vital buses. It is indicative from the information presented in Figure 8-9, that administrative controls will be the only means provided for accomplishing the cross-connection of redundant dc distribution systems at any level. No mechanical and/or electrical interlocks are described to prevent inadvertent administrative errors from compromising the independence of the dc emergency power systems. The Regulatory position is that administrative controls alone do not provide acceptable assurance that the independence of the dc emergency power systems is maintained as required by GDC 17 and IEEE 308. Describe design interlocks that will be used to provide this assurance.
3. The response to Request 8.4 indicates that the Unit 1 plant battery is the only source of dc control power to the 230 KV switchyard breakers. The Regulatory position is that a single switchyard breaker dc control power failure must not result in the loss of both offsite power sources. Describe a design which provides the independence required by GDC 17 consistent with the above position.