ML19329D728
| ML19329D728 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 06/06/1974 |
| From: | Stello V US ATOMIC ENERGY COMMISSION (AEC) |
| To: | Moore V US ATOMIC ENERGY COMMISSION (AEC) |
| Shared Package | |
| ML19329D729 | List: |
| References | |
| NUDOCS 8003170518 | |
| Download: ML19329D728 (1) | |
Text
q 7,.w m-mm:r.m.m m mey y n g m.mm m <.m-mm m.,3..
e.
.s.
.w n'.
. g...n..
6
~. -
-n " r. :..:, v, y,
n.'y
.. 4 :>.::-(
5 ;;S5gt,:;3. y;,c; _c.
s r.;g., q
. p, y :.z
.y,,.
b, ;.
- . g3 (,
.-c
.rw 4,.
%%c m
.4
.,.s.,.9
.&y:;.. e. :..
a
+
I Nl;-
t'
.' j.
, W<
i/
.g;.A u-e 7
M 7 -c g
~
JUN 6 lo1g
~
=.
'..Q Cocket No. 50-302
- n
.:f -
n 3
V. A. Fbore. Assistant Director for L' Rs, Group 2, L FLORIDA POWER CORPOPATION, CRYSTAL RIVER - UMIT 3; INSTR'JMEDTATION, CONTROL AMD ELECTRICAL POUER SYSTEMS, SAFETY EVALUATION I
m@i)a g, n
Plant names ' Crystal River;- Unit"3 "
D La T FD) ] O d b
h Licensing Stage: OL~
U U j\\\\
. Docket Hutber: 50-302-Responsible Branch and Projectnnager: LWR 2-3, U. Buckley Requested Completion Date:J. May 31, 1974 Applicant': Responic Date:L MA Description of RcsponsabSafety Evaluation Review Status: Complate The w.'esed evaluation report ns prepared by the L:25:
Elecw 1, Instestation and Cantrol Syn.m 3 ranch. Si:
evale.;aa reflects W ra3ults of our'reviw of the an Nix, tnro:..,a Acenest Je meiuding logic and elac rict.1 scacm.c,.
and si te visit. Althcugh this evaluation is sut.mittec prk:c to reschtien of problem areas and review of the implmOntation af the applicant!s design comitrents, it cicarly icentifies tN3c
. as and cemitwents as well e our recon:: ended positions rwarda M:;. Beth the Project Marager;and the applicant are w.re of thase prchlem areas and the need to submit;the fevised desi r: for our review. -In addlLion..~our evaluation ' ass 6 tees satisfat. tory resoluttori of.less.fsporta;it items and documentation of agreed upon' changas: reported.in~the minutes;cf recent r.cetings that we
, had11th the appTicant. "
oricaa sist bi
. : } 4:.
,,M.- 22@&,;.-
j'Ictor Stel:o ', -
i:n w
+
v.
4
'+
,. %,a. w m,.. y z p y%gvs. ;y.sv. MWMfiO/@.M: V
+#
- p WDr
,K. N, gs c
x
.y.,
y.m.
Jeg,...~. istant D.irector
~s w
Ass
, v.MM688. ha-@M.,&.jXh?LOf for. Reactor' Safety.' ~ w G,:s &
.m,dh
.:DkE Directorate?of.l.icensing'.,.k.;iS.
P R. kdw n sFM*..:
.c' 7.sn:w:
- .,,:,:;;N:n &wum., W ' *W
. 3. pe',t.
M Enc 1osure PMMMM$yP @+ig,.,&.m%....;pw~,:d fDIS RIBUTIONi
+-
.. Q:x y;.z y js
,V.%
4 em -
. p fi;.* s : s-
-h s
mx.
? W JSafety'.Evalu..ation Re.m:,tTf.717 mW - e cketitle-por
.. a
- v. e w. ww mpn a
.: bps' +, -,M.,< g ggbWLAu..'f R. i. ?,.3.
.....n S%: '
^*
~cc W/0~, enc)::'EM'M"J.W h. T.;'4*T'*id*.?
..c..
~-3/
s
., U g g,.gEIC Rdg r.
a : % : M & M.w.c:?, M Mi&L:( % r a c y,y$,te110 & g g y,
W CDDaa
, n =k.fv 7.J~
Z,WA.7lu.:-
.a y -. ~
+ W 8c.Bu kley,~.=L.i:LW,2.3.w
- ~ ~ ~. w - w m
- .
- y w
vw
~ s.. q s c :
y m>:.,,, - cc / enc 1 :n.Se..Hanaugh..~.. : +m#. e...w n ~.
w c.
~ -.
gE,g;;.p..yg Q,,Tg.po11 toal:EI. CS ^,... ~~-.
- m. :--
.,n m T. Ip.
-. -,A u M M,J.r Hendrj.e. g.L.;
H-
- w-r m
gn
.e -.
&;A m w' -" g :g; "i.,(MTandges
- p 9.j L
gd{ /,c$$[{C$ g y i i y n j
DR J3Csi w::.n /
Ts r. mmgy,;WN,.;h_rga3
- gil{W-g.mi"u Jvd ~ I.1.EIC59%% pwp, o WF &
y w
m-m u
- k. m. MMM '.N ~ ' '_i__
NN5I N)$hl WM_L
.A MWAMa q,ggg[CN k..
E,,
~
g
~
m
,,r m.. #, (_D_yr _ P a-y.~.."._ JAcalv"o:d1r iDT6~n&f.m*.TM6pd bystel '
m_
%_ w.
~Mq M;.~mm
.e..
,522.fji([3 7:.Q.. :.
162 3-7fsQ [jhijtigig ifE6[e _,17
....y.v.
.s-g.xg y
-, y, m.
-.,3
' j 5 I~/, n Q $ f M74%
74=
4 v.a m mmmmm5summmmmmes
r
..: the protection system that initiates and controls the operation of the ESF systems and their vital auxiliary supporting systems, including logic schematics, testing capabilities and control of bypasses. The following sections identify those aspects of the design that were not acceptable to us and that were changed as a result of our review. Also, they discuss those design commitments made by the, applicant that must be satisfactorily implemented and reviewed before the ESF systems are considered to be acceptable.4 7.3.1 Core Floodino Tank Isolation Valves The applicant has elected to open the breakers supplying power to the core flooding tank motor-operated isolation valves to assure against accidental closure of these valves during normal reactor operation.
Based on this mode of operation, our review of the valve position indication circuits for the core flooding tank isolation 1
valves revealed that the design did not conform to our criteria with regard to providing redundant and independent indication systems for each core flooding tank isolation valve.
The applicant has committed to modify the design to conform with our criteria.
He will require that the design modifications of the valve position indication circuits be submitted for our review to confirm that the final design is acceptable.
7.3.2 Steam Line Break Isolation (SLB D Our review of the proposed SLSI system revealed that the instrureentation, control and electrical eouipment were not designed in accordance with the requirements of IEEE Std 279-1968 and IEEE Std 308-1969.
In addition, we have found that in the event of a steam line break, coincident with a single failure of either a feedwater or steam isolation valve (preventing valve. closure by either automatic or manual J
means) will result in the uncontrolled continued blowdown of the steam generator (s). The applicant has been advised that unless it can be determined that the consequences of thu occurrence are acceptable, vie will require that the design be modified to meet the single failure criterion.
Also, we will require that the capability
, of the SLBI system design be demonstrated against the requirements of IEEE Std 279-1968 and IEEE Std 303-1969.
The applicant has' agreed to providing.a protective system (automatically initiated)'that mitigates the consequences of a steam line(s) break accident and to demonstrating 4
the capability of this system against the above stated criterion and standards.
We will require that the design of the SLBI system be submitted for our review to confirm that the proposed design is acceptable.
n
--,-p
a
'7.4 Systems Reauired for Safe Shutdown We have reviewed the instrumentation, control and electrical systems being provided for safe shutdown as viell as the design provisions to place and keep the plant in a safe shutdown condition in the event that access to the main control room is restricted or lost.
We have concludeo that the designs conform to our criteria and are acceptable, xcept for the design of the instrumentation, control and electrical equipment pertaining to the Emergency Feedwater (EF) system.
Our evaluation.of the proposed EF system indicated that the required d? livery of energency feedwater to the-steam generator (s) was it.B'bited by a number of single failures under normal shutdown and steam lina break conditions.
In addition, it was found that the instrunentation, control and electrical equipment of the EF system were not designed in accordance with the requirements of IEEE Std 279-1968 and IEEE Std 303-1969 The applicant has been advised that the EF system is required for safety and as such it must meet the single failure criterion and that the capability of EF system design be demonstrated against the requirements of IEEE Std 279-1958 and IEEE Std 303-1959 The applicant has agreed to amand the design to meet the single failure criterion and to demonstrate the capability of the design against the above stated standards.
He v!ill require that the design modifications be submitted for our review to ccnfirm that this design commitment has been satisfactoriiy implemented and therefore acceptable.
7.5 Safety Related Disolav Instrumentation We have reviewed t designs for the instrumentation systems that provide information (1) to enable the operator to perform required safety manual functions and (2) for post-accident surveillance, and concluded that are acceptable, conditioned on the satisfactory resolution of the following item:
The applicant has been informed that the design of those parameters available to the operator in the control room and utilized for post-accident monitoring must provide for:
at least two redundant
.. channels 'of indication for each parameter monitored with at least one channel to be continuously. recorded, and the Other(s) indicated, and -both channels energized from the Class IE power system.
The applicant agreed to modify the design to conform with these requirements.
We have concluded that this design cormitment.is acceptable.
Mcwever, final acceptance will be made after submittal and review-of the design information in' support of the applicant's commitment.to meet the aforementioned requirements.
[
,,,7
+'7+
=-
'4 4
7 '. 6 RHR Overoressure Protection Interlocks Our review of the RHR motor-operated suction. valve interlocks, utilized to prevent overpressurization of the RHR system by the
. Reactor Coolant System revealed that the design did not satisfy our criteria with regard to providing interlocks of-diverse principles to prevent opening of these valves and-interlocks for automatic closure of these valves. The applicant has agreed to,
. modify the design to conform with our criteria. Although the applicant has submitted preliminary design sketches for our review, we will require that the applicant submits final drawings, including valve control circuit elementary diagrams, to confirm that the final design has been satisfactorily implemented.
- 7.7 Control Room Ventilation Our review of the control room design arrangement revealed that the ventilation system design provides for exhausting the hydrogen generated in the battery rooms into the control room thrcugh the ccamon ventilation system ducts.
Concern was expressed to the applicant about the potential problems of a fire and/or explosion in the control room rendering it uninhabitable and the resulting consequences to the safety related equipment located therein and to the plant operators.
In addition, we have fcund tnat the ventilation ducts in the control room were located in the plenum above the ceiling.
Concern was also expressed to the applicant about the potential for accumulation of an explosive hydrogen mixture in the
. plenum causing the same problems as stated above.
Unless the applicant can demonstrate' that the potential problem of a fire and/or explosion in the: control room is incredible, we will require that the present design be modified to prevent'these events from happening,
' Environmental and Seismic Qualifications 7.8 The' applicant-has identified and stated that all safety related motors, cables, instruments, controls and other equipment located inside:the containment which must operate during and subsequent to an accident, will be capable of functioning under the post-accident
~
t temperature, pressure, humidity. and radiation conditions for the time -
-periods required. -This capability has been demonstrated by testing and.has been documented ~in the FSAR, and is acceptable.
The applicant has documented'that the seismic -testing prog' ram meets the requirements of IEEE Std 344-1971 -
"lEEE Trial-Use Guide for
~ Seismic-Qualification of Class-I Electric Equipment for fluclear Power Genera ting ~.Sta tions".
It has also beenidocumented'in the FSAR that i
the' plant protectiv' system has been seismically qualified, and is
- acceptable. -
o.
4 S
~-IM
,1
~.
- 7.9 Separati?n and Identification of Safety Related Ecuicment We have reviewed the applicant's criteria for separation and
_ identification of cables,. cable trays, and terminal equipment and examined the design arrangement of these as well as other safety related equipment and systems.
We have found that these criteria and design arrangements are acceptable, except for the following items:
7.9.1 Reactor Protection System (RPS) Cable Separation The -steel conduits housing the cables that enter the bottom of the RPS cabinets had been cut short, thus, exposing redundant cables to air separation between each other.
He have informed the applicant that this cable design arrangement appears to be in violation of the separation criteria documented in the FSAR which provide for a minimum horizontal separation distance of 3 feet and barriers to maintain vertical separation between redundant safety related cable trays.
In the absence of barriers in this case to l
maintain vertical seoaration, we will consider acceptable a minimum vertical separation distance of 5 feet between redundant safety related cables. We will require that the applicant examine this cable arrangement and either show that it maintains the minimum required vertical and horincntal distance scparation or provide barriers when the ainimum spatial separatiun between redundant safety related cables can not be maintained.
7.9.2 Switchgetr Rooms Floodinc Our review of the safety related switchgear rooms design arrangement revealed that a main firewater line was located outside but nearby the redundant switchgear rooms.
The doors separating adjacent redundant switchgear rooms and these rooms from the main firewater line are
'not of the watertight construction.
In view of this, concern was expressed to the applicant about the failure of this line causing the flooding of. redundant switchgear rooms.
We will require that the applicant examine the potential flooding problem in the redundant switchgear rooms resulting from this pipe failure and either demonstrate that this is not possible or modify the present design to prevent
- this occurrence from happening.
7.9.3 Battery Rooms Seoaration The two redundant safety related battery rooms are directly. connected through the ventilation exhaust duct; the exhaust from one battery room discharges into the other redundant room.
Concern was expressed to the applicant about a fire and/or explosion in one room propagating
,to the other room resulting in the loss of both redundant d-c systems.
The battery rooms also shared a comon wall and door.
Concern was
.also expressed to the applicant with regard to the door being explosive
/
I
m
. proof and whether an explosion in one room could be propcgated to'the'other causing the loss of both redundant d-c systems.
We have advised the applicant that unless it can demonstrate the capability of this exhaust duct and door designs to withstand these types of events, we will require that the exhaust duct design be modified to assure complete independence of these ventilation systems and that the door design be made to withstand the effects of an explosion in one battery room from propagating to its redundant counterpart.
7.9.4 230 KV Switchyard Breakers Control Power Seoaration To satisfy the requirements of GDC 17 as related to offsite power, the applicant had committed, at our request, to provide two inderendent d-c control sources and feeds to the 230 kV switchyard breakers.
Our review'of the proposed (not installed) design arrangement revecled that'the d-c control power cables emanating from fossil Units 1 and 2 batteries respectively must pass through a common walk through.
tunnel before entering the switchyard.
We fcund that the tunnel was flooded several inches deep in scme areas and the tunncl sump pumps were inoperable.
Also, we noticed the absence of fire detection and protection in the tunnel.
Concern was expressed to the applicant about the potential hazards existing in this tunnel and the susceptibility of the proposed cable arrangement to single events such as fire and' flooding that could cause the failure of the two independent d-c feeds.
Unless the applican; can de:mstrate the adequacy of this proposed cable design arrangement in the tunnel against flooding and fire events, we will require that a new design arrangenant consistent with satisfying the requirements of GDC 17 in this regard, be considered and submitted for our review prior to installation in the plant.
- 7.10-Control Systems The control systems are functionally identical to those of the Arkansas fluclear One, Unit 1 except for the provisions of the rod drive' control system design to include manual switches for disconnecting power to each group of rods.
In this regard, we have requested from the applicant information that establishes the purpose of this design-fea ture.
In addition, it was found that the non-safety related Integrated ' Control System (ICS) participates in the operation of the
' safety _related emergency feedwater system. This concern is discussed in Section 7.4 of this report. With the exception of the control rod-drive power disconnect switches and emergency feedwater controis, we have found that minor differences in the other systems have not
. changed.the functional design or degraded the safety of this plant and concluded that these control systems are acceptable.
- However, the' final acceptability of the overall control system scheme is
' predicated on the satisfactory resolution of the two aforementioned items.
. 8.0 ELECTRIC PO!.'ER 8.1 Generri The Cocmission's GDC 17 and 18, IEEE Standards including IEEE Criteria for Class IE Electric Systems for Nuclear Power Generating Stations (IEEE Std 308-1969), and Regulatory Guides (RG) for Power Reactors including RG 1.6 and 1.9 -
served as the bases for evaluating the adequacy of the electric power system.
Specific documents used in the review are listed in the Appendix to this report.
8.2 Offsite Power System This plant site will be interconnected to the electrical grid system through two 503 kV and four 230 kV transmission lines cmanating from their respective switchyards.
The two 500 kV transmission lines converge on their switchyard through two seaarate end indepencent routes.
The four 230 kV transmission lines are arran;ed in pairs and each pair is routed to the 230 kV switchyard on a series of transmission towers which are located on separate and independent rights-of-way with resoect to the other pair of transmission lines.
The 500 kV switchyard is arranged in a ring bus configuration with the provisions to be converted to a breaker-and-a-half configuration ucon the installation of the future fourth unit at the si te.
The 230 kV s.vitchyard, which serves as the source of offsite power to nuclear unit 3, is arranged in a breaker-and a-half confiouration and it is not directly interconnected with the 500 kV switchyard.
Pcuer from the nuclear unit 3 generator is supplied to the 500 kV switchyard and also to th'e Unit 3 auxiliary transformer.
Fossil Units 1 and 2 at the site supply power to the 230 kV switchyard.
Offsite power to nuclear Unit 3 is from two separate feeders emanating from different breaker-and-a-half configuration bays in the 230 kV switchyard.
These power sources are connected to two separate startup transformers of which'one startup transformer is assigned to nuclear unit 3 and the other is shared between fossil Units-1 and 2 and nuclear Unit 3.
The shared startup transformer, feeder line and associated breakers have sufficient capacity to handle all required load demands from the three units.
All of the high voltage circe't breakers in the 230 kV switchyard are provided with primary and backup r~elaying circuits powered frcm independent d-c supplies.
The low voltage side of Unit 3 auxiliary transformer and
-of each one of the startup transformers is provided-with two redundant feeder breakers, each connected to one of the 4-y N
g.
two redundant' emergency buses.
The emergency buses are powered from the Unit 3 startup transformer during all modes of plant operation, and upon loss of the' normal supply, power is made available nanually from the control room to these buses from either the Unit 1 and 2 startup transformer or Unit 3 auxiliary transformer.
Each one of the transformers and attendant distribution systems have sufficien: capacity to meet shutdown and emergency load requirements.
a The applicant has conducted electrical grid stability analyses showing that the simultaneous loss of total generation at~ the Crystal River site will not adversely affect the stability of the remainder of the transmission system or the ability to provide offsite power to Crystal 4
River, Nuclear Unit 3.
Our review of the offsite power system revealed that the design provided for only one source of d-c control power to the 230 kV-switchyard breakers, thus, making the redundant offsite power sources susceptible to single failures. This item and its status are discussed in Section 7.9.4 of this report.
We have concluded that the offsite power system design with the satisTactory resolution or the above mentioned item would sati:fy the requirements of GDC 17 and 18 and IEEE Std 305-1959, and it would be acceptable.
4 8.3 Onsite power Systems
_ 8.3.1 A-C Power System 2
The a-c emergency onsite power system is comprised of two redundant and independent distribution systems, each powered by one of the two redundant diesel generators.
Each distribution system includes 4160, 480, 240 and 120 volt c
load centers to accommodate the voltage requirementscof the safety loads.
Each'4160 and each 480 volt load center bus in a distribution system can be connected to their respective redundant counterpart in the c;her -distribution system through two serially connected bus tie breakers.
The safety losds for the unit are distributed evenly between the two distribution. tystems with the exception of the third high pressure injection pump that provides extra redundancy.
This pump.can be powered from either distribution system.
~
.The selection of.the power feed is accomplished through a single breaker which can only be inserted manually in one of.
the redundant switchgear compartments at the time, thus, preventing the interconnection of the power supplies.
. h I
W y
w w
w y
n
"Wm-c@g ih 4 s,vp W
ra m
-g-
. There is a single 480 V motor control center which can be. manually connected to either one of the distribution
~
syste;as through an electrically interlocked transfer switch.
The applicant, at our request, had modified the design of the single 480 V motor control center to delete the automatic transfer feature and instead to include only the capability for manual transfer as recommended by RG 1.6.
We have determined that the loads connected to this bus.have no safety significance and the interlocks provided to prevent the propagation of faults to the redundant emergency buses are considered adequate.
We conclude that the design of the manual transfer of this load center is acceptable.
The design also provides for the connection of selected Non-Class IE loads to one of the Class IE emergency buses through a 4160/4S0 V transformer.
Ua have pursued with the applicant the potential conflicts of using administrative controls to connect and disconnect Non-Class IE loads to and from the emergency buses.
Concern was expressed to the applicant that in the event of an accidcnt coincident with the loss of offsite power, a failure in the Non-Class IE electrical. system could result in the unselected connection of Non-Class IE loads to the emergency buses.
This could result in the tripping of the associated diesel generator due to overload.
The applicant has been informed that we will require that the feeder breaker connecting the 4160/480 V transformer to one of the emergency buses be designed to meet Class IE requirements, and that this breaker be opened autcmatically upon detection cf an accident coincident with the loss of offsite power, and be prevented from closure during the transient stabilization period subsequent to this
- event.
The applicant has agreed to modify the design to conform with our position.
However, we will require that the design modifications be submitted for our review to confirm that the final design is acceptable.
Each diesel generator is rated at 4160 V, 2,750 kW continuous, 3,000 kW for 2,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> and 3,300 kW for 30 minutes.
The loading of-the diesel generators is within the limits suggested by Regulatory Guide (RG) 1.9 except for the voltage dip during tt3 first loading block which is approximately 28% of nominal instead of 25L recommended by R.G. i.9.
To compensate for this voltage dip in c:: cess of that recommended by RG 1.9, the apolicant has provided motor starters that will hold in during this lower voltage transient.
We have
- concluded that this is acceptable. With regard to the diesel generator qualifications, the applicant has indicated that' the diesel generators for this plant have been previously qualified for use.in Nuclear Power Plant applications.
We i
have requested that information in support of the diesel generator qualifications be submitted by the applicant for our review.
e
-s
--w.-
s dn l Each diesel generator is automatically started on an 1
undervoltage signal from its respective ?l60 V emergency bus, or on an ESF actuation trip signal.
If offsite power is..not available, the 4160 V emergency buses are automatically isolated from all supply sources.
The diesel generators are then connected automatically to their respect _ive 4160 V emergency bus, and under accident conditions, thethfety loads are automatically connected in a predetermined sequence to their respective diesel generator.
Our review of the electrical schematics revealed that the independence of the recundant emergency buses was compromised as a result of a design feature that provides for paralleling -
of the redundant diesel generators through the tie breakers
- connecting recundant 4160 V Duses when the offsite power is not available.
It was also discovered that the manual controls for the breakers through which offsite power is supplied to the emergency buses interferec with the operation of the undervoltage trip signal to isciate the emergency ouses from the offsite power sources when offsite po..er is lost.
In
. addition, we found that the th breakers ccnnecting redundant emergency kses at the 450 voit level were not automatically opened upon receipt of an ESF actuation trip signal, conpromising the independence of the redundant emergency buses.
These problems were identified to the applicant and it agreed to resolve them and modify the design accordingly.
We will require that the revised designs be submitted for our review to confirm that they are acceptable.
The diesel generator units are located in separate seismic Class I structures.
Each unit has independent auxiliary i ~
systems and separate seismic Class I underground fuel storage
~
T tank.
The total onsite fuel oil storage capacity provides for at least seven days' of diesel generator operation at full rated load.
We have concluded that the a-c emergency onsite power system with..the satisfactory implementation of the above mentioned design connittents and substantiation of the diesel. generator qualifications would satisfy GDC 17 and 18, IEEE Std 308-1969 and Regulatory Guides :1.6 and 1.g,'and it would be acceptable.
8.3.2 0-C Power-System Onsite d-c cmergency power is derived from Nuclear Unit 3 and fossil Units l and 2 battery systems.
The nuclear Unit 3 battery system.is comprised of two redundant and independent 250/125 volt. battery ~ bank-charger units and the attendant distribution systems.
Each distribution. system is normally supplied by the ' battery charger and backed up by the floating 4
.m
____,.-.m._.__.__.__..--m_..m..m.m._._.____m._._m-m r
nl._ bank which is sized to carry all connected loads for two hours upon the loss of the normal supply.
Each 250 and each 125 volt battery charger in a distribution system is supplied from separate 480 V emergency buses.
In addition, there is an installed 250/125 volt ba tery charger for each redundant battery bank which can be manually
. connected to either half of their corresponding 250/125 volt d-c system.
Each 250/125 volt battery bank is located in a separate seismic Class 1 room.
Our review of the nuclear Unit 3 d-c emergency power system revealed that the design provided for manual cross-connection of the two redundant main d-c distribution buses in the event of a battery failure. Also, it was found that these buses cculd be interconnected through d-c distribution circuit panels. Administrative controls were the only means provided for accomplishing the interconnections and there were no mechanical and/or electrical interlocks provided to prevent inadvertent administrative errors from compromising the independance of the d-c emergency power system.
We have informed the applicant that administrative controls clone do not provide reasonable assurance that the independence of the d-c emergency power system is maintained as required by GDC 17 and IEEE Std 30S-1969.
Therefore, we will require that the -
design be modified to provide this assurance. The applicant agreed to modify the design to assure that the independence of the tuo redundant d-c systems. is maintained by either supplerr-ating cdministrative controls with mechancial and/or electrical interlocks or deleting the manual cross-connection between the redundant d-c systems. We will require that the revised design be submitted for our review to confirm that it is acceptable.
Four redundant 120 volt vital a-c distribution buses are provided to supply power to the plant protection system instrumentation and associated circuits.
Each a-c vital bus. is supplied separately from e static inverter.
Each pair of inverters is normally supplied from separate 480 V emergency buses and backed'up from the respective battery bank.
' Our review of the 120 volt vital a-c system revealed that the provisions of the design to manually cross-connect the redundant 120 volt vital a-c buses and to supply these buses from the Non-Class IE regulated instrument buses will make the ESF analog channels vulnerable to single failures.
We have advised thc applicant that an acceptable design should
-preclude the interconnection of the vital buses during those i
- modes of plant operation where the plant orotection system ^is required to remain operable after a single failure. With regard to the vital buses being supplied from the regulated ins.trument buses, we have informed.the applicant that an i
w:-
(
~
w acceptable design should only permit the connection of
-one vital bus at the time to the instrument bus and only then for a period not to exceed 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
The applicant
.was advised that supplying power to one of the vital buses from the instru..a.it bus was not a requirement from the standpoint of safety but it could be considered a cesi,rable feature from the standooint of preventing spurious signals from. tripping the reactor or initiating the ESFs',
while the normal source cf power to the vital bus is being repaired.
The applicant has agreed to make the design acceptable and to reconsider the supply of the vital buses from the Non-Class IE regulated instrument buses.
In addition, we found that a single failure in the transfer control switch utilized to select the alternate power source for the ESF indicating lights will compromise the independence of two of the redundant 120 V vital a-c buses.
This problem was identified to the applicant 'nd i; agreed to modify the design so it would 'iot be vulnerable to single failures.
We will require t'iat the revised designs pertaining to the above mentioned items be submitted for our review to confirm that they ar2 cccratable.
The battery system from fossil Units 1 aad 2 consists of two separate battery. bank units and attendant distribution systems.
These power sources, in addition to supplying the d-c loads of the fcssil units, provide control power to all 230 kV switchyards breakers.
Our review findings with,re;ard to this battery system are reported in Sections 7.9.4 and 8.2 of this evaluation.
We have concluded that the d-c emergency onsite power-system
'+
with the satisfactory implementation of the above mentioned design commitments and satisfactory resolution of the 230 kV evitchyard breakers control power separation (Section 7.9.4) and ventilation ducts and commen door in the nuclear Unit 3 battery rooms (Section 7.9.3) would satisfy GDC 17 and 18, IEEE Std 308-1969, Regulatory Guide 1.6, and it would oe acceptable.
4 APPENDIX The following principal documents were used by J. A. Calvo in
~ the.0perating License Review of Crystal River, Unit 3:
1.
Final Safety. Analysis Report (FSAR) through Amendment 38 for Crystal River, Unit 3.
2.
Sections 6, 7, 8, 9 and 10 of FSAR for Arkansas Nuclear One, Unit 1.
3.
Operating License Safety Evaluation Report for Arkansas Nuclear One', Unit 1, issued June 6, 1973.
4.
Babcock & Wilcox (B&W) Schematic Diagrams for the Reactor Protection System.
5.
Gilbert Associates, Inc. (GAI) Elementary Diagrams for the Engineered Safety Features Actuat:cr System.
6.
GAI Elementary and Single Line Diagrams for the Electric Fewer System and Safety Related Actuation Devices-Centrol Circuits.
7.
-10 CFR Part 50 and Appendix A to 10 CFR Part 50.
8.
Regulatory Guides 1.6, 1. 9, 1.11, 1. 22, and 1.32.
4 9.
Institute of Electrical-and Electronic Engineers (IEEE) Standards:
" Proposed IEEE Criteria for Nuclear Power Plant Protection Systems."
IEEE Std 308-1969 "IEEE Criteria for Class IE Electric Systems for Nuclear Power Generating Stations."
IEEE Std 317-1971 "IEEE Standard for Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations."
IEEE Std 323-1971 "IEEE Trial-Use Standard:
General Guide fnr Qualifying Class I Electric Equipment for Nuclear
-Power-Generating Stations."
'IEEE'Std 334 1971 "IEEE Trial-Use Guide for Type Tests.of Continuous Duty Class I Motors. Installed Insid. the Containment of Nuclear Power Generating Stations."
IEEE Std 336-1971 "IEEE Standard Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power 1:
Generating Stations."-
4 e
L m
, ~
.IEEE Std 333-1971 "IEEE Trial-Use Criteria for the Periodic Testing of. Nuclear Power Generating Station. Protection Systems."
IEEE Std 344-1971 "IEEE Trial-Use Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations."
IEEE Std 332-1972 "IEEE Trial-Use Guide for Type Test of Cla.ss I Electric Valve Operators for-Huclear Power Generating ~
Stations."
IEEE Std 387-1972 "IEEE Trial-Use Standard:
Criteria for Diesel-Generator Units _ Applied as Standby Power Supplies _ for Huclear Power Generating Stations."
M 15,,
?,