ML19326C367
| ML19326C367 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 02/07/1973 |
| From: | Deyoung R US ATOMIC ENERGY COMMISSION (AEC) |
| To: | Phillips J ARKANSAS POWER & LIGHT CO. |
| References | |
| NUDOCS 8004220909 | |
| Download: ML19326C367 (11) | |
Text
{{#Wiki_filter:P
- ~"'*C
-; ^^~ ~ ~ ~ * ~ ' ~ n - y.m ~Q' Q.*.,%,. y 4-3 '3 ~: f,,'. ~.. -., 1L N. f L AEC. 'DR. J' ~ .;W.g.y i ( s1 PDK : ~ .V ..1,,.. Steenauer. [g@y3 4 s-fv - = .RSBoyd[ ^ ' i, 7] RCDeYoung DSkovholt L FSchroeder FEB 7 1973 Docket No. 313 RRMaccary t DKnuth RTedesco HDenton Mr. J. D. Phf11fys PWR Branch Chiefs Vice' President & Chief Engineer RWKlecker Arh==d== Power & Light '*my OGC Sixthzand Pine Streets R0 (3) Pine Bluff, Ark - s 71601 RMBernero - 2 Etoy - 2
Dear Mr. Phillipe:
We recently performed eent eefety review of electrical, instra-Unit 1 plant.mentatian, and control systems for the Arkasses um,1.ar one - .On Jammary 23, 1973, and enumerated our comelusimos and requirements.we met with your repr====tative to this 'etter deemmer ts and dee=41= our review findings and The emelosure 3 consegeA. requirements which mest be met for licensing. of your intent to meet these conditimes.Flosse inform as w i specified data er if your reply is not fully responsive, it isIf you cannot m review of this project will have to be estemded. highly 1 Your full conditions should be embaitted by Marchresponse providing t i 15, 1973 to meistain our current review schedule which calla for is=saan f of our Safety Evaluation by April s 23, 1973. Please contact us if you have any questions regarding the==ela positions. sed Sinearely,
- 1. C. DeYoung, Assistant Director for Pressueized Water Reactors i
Directorate of Licaseing i Enclosures ) Electrical, Instrumentatica and Control DISTRIBUTION Safety Review Findings and Requirements Docket File -1 PWR-4 Reading Horace Jewell, Esquire RP Reading ec: nouse, solas & Jewell h omcc > 1 6 N201NE.[d.h -=== P,[WR-4Q_ L-{# /PWR-4 l L AD/P 46c ela-VM suin Aesc > Q 9 V M O. f 8 .RMBernero:kf .wencer R ng om > >... Form AEC-310 (Rev,9-53) AECM 0240 .6/.Z..L2;3.. 2/ z_; /73 _,,2/7/73 2/ 'k /73
- u s. oovenNa,etNT /mN o/rict: 1972-466 983 8
g Q' h h.h k. hb 7h _. ~. _. _. - l
i h r- \\ j,: e,,,,3, s UNITED STATES -[-N ATOMIC ENERGY COMMISSION L* 5 WASHINGTON. D.C. 20545 , W/ %, u.., o l Docket No. 50-313 FEB y 1973 Mr. J. D. Phillips Vice President & Chief Engineer Arkansas Power & Light Company Sixth and. Pine Streets Pine Bluff, Arkansas 71601
Dear Mr. Phillips:
We recently performed our safety review of electrical, instru-mentation, and control systems for the Arkansas Nuclear One - Unit 1 plant. On January 23, 1973, we met with your representatives and enumerated our conclusions and requirements. The enclosure to this letter documents and details our review findings and consequent requirements which must be met for licensing. Please inform us within seven (7) days after receipt of this letter of your intent to meet these conditions. If you cannot meet our. specified date or if your reply is not fully responsive, it is highly likely that the overall schedule for completing the licensing review of this project will have to be e:: tended. Your full response providing the manner by which you intend to meet these conditions should be submitted by March 15, 1973 in order for us to maintain our current review schedule which calls for issuance of our Safety Evaluation by April 23, 1973. Please contact us if you have any questions regarding the enclosed ' positions. Sincerely, ,/ l Jl,4"7'M Assist!ntDirector R. C. DeYouno for Pressurized Water Reactors Directorate of Licensing
Enclosure:
Electrical, Instrumentation and Control Safety Review Findings and Requirements cc: Horace Jewell, Esquire House, Holms'& Jewell 1550 Tower Building Little Rock, Arkansas 72201 e L
e 3 ELECTRICAL, INSTRUIG7fATION AND CONTROL ~ SAFE 1Y REVIET FINDINGS ANb REQUIREENTS ARKANSAS NUCLEAR ONE - UNIT 1 DOCIEf NO. 50-313 f 1. Reactc. , n System (RPS) 'Ihe installed reactor build $g pressure protection sensors . provide an analog output siE;nal rather than a digital signal' as documented in the FSAR and the ' o.s built" RPS logic schematics. We do not know how yo-.ill modify the } design to correct this inconsistency. However, since either design can be designed to meet the requirements of IEEE-279, we believe the inconsistency can be readily re-solved and should not be a cause for further concern. 2. Engineered Safety Features (ESF) Actuation System We have reviewed all aspects of the ESF actuation system, in-cluding logic schematics, testing capabilities and control of bypasses, and concluded that this system is acceptable, con-ditioned on the satisfactory implementation of the followirg design omission: 'Ihe present design of the ESF actuation system does not pro-vide for initiating the isolation of the reactor buildirg 3 ventilation system nor the operation of the reactor building
3 penetration room ventilation system. In addition, lack of information has prevented us frem. aviewing the adequacy of the instrumcntation and centrols for these two ESF ventilation systems. We will reciuire that the design of the ESF actuation system be modified to include these missing initiating features and that these features as well
- as the ventilation systems centrol circuits meet the criteria for similar ESF systems which include conpliance with.u:.:2-279 3.
ESF Actuator Circuits and Related Ecuipment We have reviewed the actuator control circuits and related equipment pertaining to the ESF systems, and concluded that the designs conform to our criteria and are acceptable, except for the following items: 31 Air-Coerated Valves Although ESF air-operated valves do not require air pressure to open or close upon an ESF trip signal, it appears from reviewing the electrical schematics and functional piping and instrument diagrams (P& ids) that there are scme valves which require air to cperate. We have requested that you. verify this and if it is determined to be correct, we will require that the design be made to confonn to che criteria.- 32 Valve 'Ibraue Switch Interlocks 'Ihe open and close control circuits of all ESF motor-operated valves are provided with toIque switch interlocks. 'Ihese interlocks will stop valve movement when the torque exerted by the valve-motor unit exceeds the setting of the torque switch. 'Ihis event normally occurs upon the valve reaching the fully open or close positicn. 'Ihese valves are rcr= ally >either fully cpen or closed and a high initial torque is required to start valve movement. 'Ihus, to prevent a torque switch from blocking valve movement, it is momentarily bypassed 'uring the first 5% of travel with a valve position limit-d switch. However, there are no provisicns to bypass the torque switches when the valve is at an intermediate position, and it G
3 s is not e rident if the high starting to-- 'e will trip the torque switch precluding further mover.it of the valve from this positicn. Although the design of the control circuits prevents these valves from stoppire at an intemediate position, it is our concern that a momentary loss of power may cause these valves to stop at an inter:rediate position and it is not evident that upon restoration of power these valves will ever reach the final destination. Your staff has agreed to examine this aspect of the design. If it is detemined that the operation of the torque switch precludes starting valve movement from an intemediate position, we will require that the design be modified to correct this situation. 33 Decay Heat Removal System (DERS) Overcressure Protection Interlocks The motor-operated suction valves interlocks used to prevent over-pressurization of the DERS by the Reactor Coolant System do not confom to the criteria stated in the licensing position for high p? essure to low pressure interfaces. The following criteria were identified to your staff during our review: a. At least two valves in series shall be provided to isolate the icw pressure system. b. For systems where both valves are motor-operated, the valves shall have independent and diverse interlocks to prevent valve opening at high pressure. These interlocks shall be designed to comply with all the requirements of m-279 n. Automatic closure of the motor-operated valves whenever ,~ the primary system pressure exceeds the pressure ratirs of the low pressure system. The closure devices shall be designed to comply with all the requirements of IEED-279 Your staff has agreed to modify the design to conform with the stated criteria. We will requi.'e that the design be subm1T,ted for our review prior to fabrication and installation in the plant. f a
m i _g_ - 3.4 Core Flooding Tar 3c Isolation Valve's You have elected to open the breakers supplying pcwer to the core flooding tank motor-operated isolation valves in order. to ensure against accidental closure of 12ese valves'durirg normal reactor operation. Based en this mode of operation,- your staff has been advised that the proposed administrative controls do not provide sufficient assurance that these . valves will be open when required. We will require that the valve control circuits be designed to meet IEEE-279 and the following features be incorporated in the design: a. Valve position visual indicaticn.(open or closed) in the control rocm for each valve which is not dependent en power being available to the valve actuator. b. Valve-not-open audible alarm in the control rocm for each valve, actuated when the valve is not in the fully open position and reacter coolant pressure is above a preset [ value.
- I
. c. Valve position indications both visual and audible to be . derived from redundant and independent valve pcsitien sensors and circuitry, such as limit switches actuated by the valve notor cperator and valve positicn limit switches activated by stem travel. 'Ihe reactor coolant pres'sure signals sh'll also be redundant ard independent. i d. A Technical Specification requirement that the reactor shall not be made critical or shall be shutdown unless each core - flooding tank isolation valve is open ard the breaker supplying power to valve operator is locked ppen and tagged. - 4. Auxiliary Systems Surcortint ESF Systems 4.1 Pump-Motor Bearing Coolin Failures It is not evident that the anviliary systems providing lubricatirs oil and cooling water to ESF systems motor and pump bearings j 1-are essential to the proper functioning of the ESF systems. Your 1 staff has been requested to determine if the loss of bearing 1 4 f = ,-e -.,e
m cooldng will impair the operation of the ESF systems fo'r the length of time required. If the ccnsequences of failure are unacceptable, we will require that the irstruments and con-trols for these supporting systems be designed as reliable as those for ESF systems that they support includire compliance with the objectives of IEEE-279 4.2 Switchgear Rooms Cooler Failure ,'Ihe two pairs of redundant and independent ESF switcbgear rocm coolers are being pcwered from the same bus. A failure of this bus will cause the loss of cooling capability in both of the switchgear rooms. We will require that you either ~ demonstrate that the less of. cooling will not imcair the prcper functioning of the switchgear, or mcdify the design to supply power to each pair of roam coolers fmm independent buses. 5. secaration and Identification criteria for Fratection and Bnergency Pcwer Systems We have reviewed your criteria for separation and identification of cables and examined the design arrangement of these as well as other safety-related systems. We have found that these criteria and design arrangements are acceptable, except for the items listed below and under Item 7 which follows. 51 Reactor Coolant Pressure Sensors 'IWo of the three redundant coolant pressure sensors associated with the ESF actuation system are mounted on a ccanon instrument rack. We will require that these sensors be separated unless you can demonstrate acceptability on the bases that diverse instrumentation provides equal protection. 5.2 Waterticmt Doors "he doors separating adjacent redundant ESF equipment recms are not of the watertight construction such as in the diesel-generator and 4160 V switchgear mems. It is our concern that the break of a service water supply line in either room may cause the f1 coding of both redundant rooms. We require that 1 you examine each ESF equipment room and either deronstrate that this is not possible or modify the present design to prevent this occurrence from happening. y m- ;; .c.-. g, r..,y. 7 ; v.., _, - _. _g s.
^ e u. .z m_,,, m m _,_. _.,,, _._. h y 53 Battery Room Ventilation The exhaust duct emanati".g frcm one of the 125 volt d-c station battery roc =3 passes through the other redundant battery rocm. It is our concern that a fire and/or explosien in this rocm could ce propagated to the other room resulting in the loss of both redundant 125 volt d-c systems. Unless you can demonstrate the capability of this exhaust duct design to withstand these types of events, we require that the design be mcdified to assure complete independence of these ventilation systers. 6. Emercency Feedwater (EP) System You have not identified the safety significance of the EF system to remove reactor decay heat in the event of a steam system failure concurrent with the loss of offsite power. Moreover, only ranual means are prc~;ided to close the steam block valves upon a failure of the Categcry II piping of both main steam lines during an assumed majcr seismic event. You have not demonstrated that ranual actuation is adequate to assure timely closure of the steam bicek valves. Tnerefore, we cannot evaluate the suitability of the present design until the safety significance of this system and related items is established. However, it should be noted that the present design of the EF system does not meet the single failure criterion in euch areas as physical installation of equipment, power sources, and actuator circuits. Further, the Integrated Centrol System (ICS) participates in the operation of the EF system and it shculd be also noted that the ICS is not designed to meet 1 -279. We consider the whole subject of I&C of the FF system including the steam system failure as an area of concern that must be resolved. 7 -Contro_ Recm and Rod Drive Centrol (RDC) Eauicment Foom Our review of the centrol rocm and RDC equipment rocm design arrangements revealed the follcwing items of concern: 71 Control Rocm Subfloor The RPS equipment cabinets are located in the control room and mounted en a raised floor. Cables entering the RPS cabinets are routed under the raised flecr. It appears that the design arrangerant of recundant RPS cables underneath the raised flocr { disregards any need for physical independence as provided in other areas thmugh which these cables are muted. This cable design arrangement is censidered to be vulnerable to conmon i
3 ' mode failures resulting from design basis events such as fire and flooding. Furthemore, this apparent lack of cable separation and vulnerability to conon mode failures is inconsistent with ycur en criteria as documented in the FSAR which include cenpliance with i -279 and '"" -308. Although we recognize the inherent fail-safe characteristics of the RPS upon loss of pcwer, we cannot conclude that all failures will make the system fail in a safe manner. We will require that you either demonstrate the adequacy of this design against all design basis events or nedify it to provide the required physical independence of the redundant protection systems. 7.2 comouter Room Subfloor 'Ihe Rod Drive Centrol (EDC) equipment' cabinets, located in the computer rocm above the contml rocm, are also mounted en a raised floor. 'Ihe cable design arrangement underneath the raised flocr is of concern for the same reasons stated before for the RPS cables. Although we recognize the inherent fail-safe characteristics of the system causing the rods to drop by gravity into the core upon loss of power, we carnot conclude that all failures will result in a safe shutdown of the reactor. We will require that you either denenstrate the adequacy of this design ngMnst all design basis events cr modify it to provide the required physical independence between safety-related cables. 73 Control Rocm Overhead Open raceways containing EDC power cables each carrying 47 A are located overhead in the centrol room. 'Ihese pcNer cables are a potential scurce of fire that could result in not cnly the loss of Unit 1 centrol room, but also the future adjoining Unit 2 control room. Your staff has claked that the cables are derated and only half of these cables will be carrfirg 47 A at any one time. We have concluded that this cable design does not minimize the probability and effect of fires in the centrol rocm as required by AEC General Design Criterien (GDC) No. 3 We will require that you install a fire barrier separatL% these open raceways firm the centrol room proper, and provide adequate accessibility and means necessary to extirguish a fire.
. + m ~ ' s 7.4 Control Rocm Coolers 'Ihe control mom emergency air-conditioning unit is situated near and in direct line with cabinets containing RPS and ESF controls. It is our concern that the failure of the air-l conditioning unit could cause mechanical or flooding damage to nearby redundant safety-related ccmponents. 'Ihis could + result in the loss of protective function capabilities. You should analyze these events and if it is determined that the consequences of this type of failure are unacceptable, we will require that you cither provide positive means to prevent these events from happening or relocate the unit. 8. Use of Diesel Generators for Peakira You have stated your intention to use the standby pcwer supply diesel generator sets to supply power to the electrical system during peak load demand periods, We have questiened and discussed this subject with you indicating that frequent and prolonged paralleling of the preferred (offsite) and standby power supplies is centrary to providing the independence re-quired by GDC 17 and i-- -308. GDC 17 requires that pmvisions be included to minitize the probability of losing electrical power frem any of the remaining supplies as a result of, or coincident with, the loss of the rain unit generator, the less of power from the grid (offsite preferred power supplies), or loss of pcwer fmm the ensite (standby) power supplies. In addition, although i- +-308 does not prchibit the use of diesel generators for other purposes, this Standard regttires that the preferred and standby power supplies shall not have a cemen failure mode. Ccc::cn failure is defined as: "A mechanism by which a single design basis event can cause redundant equipment to be inoperable." Our review of the intended use of diesel generators for system peaking leads us to conclude that the required frequent inter-connections of the preferred and standby power supplies do not minimize the probability of their coincident loss nor can the design be made imune to failure frcm a common failure rode. We also conclude that the ecencmic gain dces not justify the increased risk to safety resulting fmm operating the emergency s e -r ,w--, 9
e . power systems in this degraded manner. 'Iberefore, based on our interpretation of GDC 17 and.u=6-308, Section 5 Item 5.2.l(5), we will recuire that the diesel generator sets not be used for purposes other than emergency power supplies for the plant. 9 Offsite Pcwer Connecticns Our review of the electrical schematics revealed indiscriminate tripping of available offsite power supplies and apparent single failures resultirg in the loss of both offsite and onsite pcwer to the ESF buses. Tnese problems are a direct result of the cceplexity of the control circuit design provided to accomodate system peaking operation with diesel generators. In view of the above, and the pcsition confining the use of diesel generators, we rec,uire that you perform an overall audit of the present emergency pcwer system design, and modify it as necessar/ to provide the independence of the power supplies required by GDC 17 and m -308. O o 5 O s '"'F**- = c"'c-; p.1- ,3 'Q- ,,}}