ML20027C485
| ML20027C485 | |
| Person / Time | |
|---|---|
| Site: | Seabrook  |
| Issue date: | 10/14/1982 |
| From: | Devincentis J PUBLIC SERVICE CO. OF NEW HAMPSHIRE, YANKEE ATOMIC ELECTRIC CO. |
| To: | Kerrigan J Office of Nuclear Reactor Regulation |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737, TASK-2.D.3, TASK-2.E.1.2, TASK-2.E.4.2, TASK-2.F.1, TASK-2.F.3, TASK-TM SBN-342, NUDOCS 8210180001 | |
| Download: ML20027C485 (95) | |
Text
PUEBLIC SERVIC'd SEABROM STAM Engineering Omce:
Companyof NewHampshre 1671 Worcester Road Framingham, Massachusetts 01701 (617). 872 - 8100 October 14, 1982 SBN-342 T.F. B 7.1.2 United States Nuclear Regulatory Commission Wasuington, D. C. 20555 Attention:
Ms. Janis Kerrigan, Acting Chief Licensing Branch #3 Division of Licensing
References:
(a) Construction Permits CPPR-135 and CPPR-136, Docket Nos. 50-443 and 50-449 (b) USNRC Letter, dated February 16, 1982, " Request for Additional Information," F.J. Miraglia to W.C. Tallman (c) USNRC Memo, dated March 23, 1982, " Additional Agenda Items for Meeting with Seabrook Applicant on Instrumentation and Controls," T.P. Speis to R.L. Tedesco (d) PSNH Letter, dated April 1, 1982, " Meeting Notes; Instrumentation and Controls Systems Branch (ICSB),"
J. DeVincentis to R. Stevens (e) PSNH Letter, dated June 10, 1982, " Meeting Notes; Instrumentation and Control Systems Branch (ICSB),"
J. DeVincertis to F. Miraglia (f) PSNH Letter, dated August 10, 1982, " Meeting Notes; Instrumentation and Control Systems Branch (ICSB),"
J. DeVincentis to F. Miraglia
Subject:
Meeting Notes; Instrumentation and Controls Systems Branch (ICSB)
Dear Sir:
We have attached notes from the September 14 and 15,1982 ICSB review meetings which were conducted at the offices of United Engineers (Philadelphia, PA).
This meeting was based on the ICSB Requests for Additional Information which were forwarded in References (b) and (c). The notes also include those items discussed at the March 23-25, 1982; May 12 and 13, 1982; and July 15 and 16, 1982 review meetings that have been revised.
O G210180001 821014 PDR ADOCK 05000443 A
PDR x
United States Nuclear Regulatory Commission October 14, 1982 Attention:
Ms. Janis Kerrfgan Page 2 meeting at which the response or a revision to a response was made. The attachments to the previous Meeting Notes [ References (d), (e), and (f)] are
-not included with this ?etter.
Very truly yours, YANKEE ATOMIC ELECTRIC COMPANY J. DeVincentis Project Manager 5
ALL/fsf cc:
Mr. Louis Wheeler, Project Manager Mr. Ralph Marback Licensing Branch No. 3 Argonne National Labs, Bldg. 301 Division of Licensing 9700 S. Cass Argonne, IL 60439 Mr. Robert Stevens 1
Instrumentation and Control Systems Branch Division of Systems Integration
ICSB REVIEW MEETING 9/14'AND 9/15/82 ATTENDANCE ROSTER NRC C. Rossi R. Stevens R. Marback YAEC
.D. Maidrand W. Reed W. Fadden
- P. Anderson
- G. Semienko UE&C R. Neustadter
- H. Katz
- L.
Varindani
- W. Laybourn G. Morris
- Part-time I
l f
1 4
1 l
1 420.5-As called for in'Section 7.1 of the Standard Review Plan, provide (7.1) information as to how your design conforms with the following TMI j
Action Plan Items as described in NUREG-0737.
(a)
II.D.3
- Relief and safety valve position indication, (b)
II.E.1.2 - Auxiliary feedwater system automatic initiation flow indication, (c)
II.E.4.2 - Containment isolation dependability (positions 4, 1
I 2
5 and 7),
(d)
II.F.1
- Accident monitoring instrumentation (positions 4, 5 and 6),
4 1
J (e)
II.F.3
- Instrumentation for monitoring accident conditions (Regulatory Guide 1.97, Revision 2),
(f)
II.F.3
- Final recommendations
.9
- PID controller
.12 - Anticipatory reactor trip.
RESPONSE
(a)
II.D.3 The single acoustic device to monitor all safety 3/23 valves is not redundant but is safety grade. Limit switches for each PORV are not redundant but position indication is safety grade. Position indication system is seismically and environmentally qualified. There will be control room alarm for acoustical device and for either PORV not closed.* There is backup temperature indication downstream of each safety valve and one temperature indication for both PORVs, all are alarmed in the control room. The FSAR will be revised.
(b)
II.E.1.2 Auxiliary feedwater system automatic initiation is safety grade. Flow indication meets Item 2a and b of j
II.E.1.2.5, NUREG-0737.
(c) & (d)
II.E.4.2 and II.F.1 will be handled by containment systems branch.
(e)
II.F.3 will be covered by Regulatory Guide 1.97, Response.
420.51.
(f)
II.K.3.9 and.12, provided response in letter SBN-212, dated 2/12/82. Reviewed by staff and found acceptable.
ADDITIONAL
RESPONSE
(a) NUREG-0737, Item II.D.3, Clarification was made that the final 5/12 design of the safety and relief valve position indication is not complete. The project documents and the FSAR will be revised. The block valves, position indication and their manual controls will be Class lE.
(b) NUREG-0737, Item II.E.1.2, will be addressed in the overall discussions of the emergency feedwater system.
l FSAR Figure 7.2-1, Sheet 15 and Page -7.3-23, will be i
corrected to indicate that both A & B train actuate the turbine driven emergency feedwater pump.
ADDITIONAL
RESPONSE
(a) FSAR 5.2.2.8 will be revised to provide the information on 9/14 relief and safety valve position required by NUREG 0737 II.D.3.
A handout of the draft FSAR revision is included in the meeting minutes.
(b) The information required by NUREG 0737 II.E.1.2 is provided in the following FSAR sections that are keyed to the 0737 positions:
Part I (1) 6.8.1 h, 6.8.5 (2) 6.8.1 a (3) 6.8.4, 7.3.2.2 (4) 8.3 (5) 6.8.1 h (6) 8.3 (7) 6.8.1 h The automatic initiation signals and circuits are safety i
grade.
Part II (1) 6.8.5 (2) 6.8.5 Note that 6.8 is being revised to include this and other information on EFW changes, a copy of the draf t revision is I
attached as part of the response to RAI 420.36.
FSAR Figure 7.2-1, Sheet 15, and p. 7.3-23 will be revised to show that both A & B trains actuate the turbine driven pump. A copy of the FSAR markups are attached.
HANDOUT:
Revised FSAR 5.2.2.8 for RAI 420.5 (a).
9/14 5.2.2.8 Process Instrumentation Instrumentation is provided-in the control room to give the i
open/ closed status of the pressurizer safety and Power Operated Relief (PORV) Valves. Each PORV is monitored by limit switches that operate red and green indicating lights on the main control board. The safety valves are monitored by an acoustic monitor j
that senses the ecoustic emissions associated with flow in the discharge line that is common to the three safety valves.
All instrumentation will be environmentally and seismically qualified, will be powered from a vital instrument bus, and will actuate VAS alarms. The indication will not be redundant, therefore, backup indication is provided by temperature indication i
! l
on the discharge of each safety valve and the common discharge from the PORVs and by primary relief tank temperature, pressure, and level.
The primary and backup instrumentation will be integrated into the emergency procedures and operator training. The human factors analysis will be performed as part of the control room design review.
STATUS:
Confirmatory pending ICSB review.
9/14 420.6 Provide an overview of the plant electrical distribution system, (7.1) with emphasis on vital buses and separation divisions, as backgrmind for addressing various Chapter 7 concerns.
RESPONSE
Discussed at meeting, no further response required.
3/23 STATUS:
Closed.
5/12 420.7 Describe features of the Seabrook environment control system which (7.1) insure that instrumentation sensing and sampling lines for systems important to safety are protected from freezing during extremely cold weather. Discuss the use of environmental monitoring and alarm systems to prevent loss of, or damage to systems important to safety upon failure of the environmental control system.
Discuss electrical independence of the environmental control system circuits.
RESPONSE
Written response reviewed by the NRC and attached to meeting 3/23 notes. We reviewed the freeze protection for the refueling water storage tank (RWST) af ter the meeting. It was determined that the instruments and sensing lines are in the building that encloses the RWST and is maintained above 320F by the heated RWST.
Additional freeze protection is not required. RAI 440.104 is related. This item is under review by the staff.
ADDITIONAL
RESPONSE
Fluid systems are protected from freezing by being 1) located in 5/12 an area with a heating system; 2) located in an enclosure with a 7/15 heated tank; or 3) provided by heat tracing.
The majority of the safety-related piping is located in areas that are provided with heating systems. Low ambient temperature is alarmed in the control room. The alarms are not safety grade.
The alarm is electrically independent of the heating system. The areas are accessed periodically as part of the operators inspections. The operator will be instructed to notice abnormal ambient temperatures that could result from failure of the heating system.
The tank farm enclosure is maintained above the freezing temperature by the heat lost from the heated RWST. Low ambient,.
RWST, and spray additive tank temperatures are alarmed in the control room to warn of abnormal conditions in the tank farm enclosure.
Safety-related piping that is not in heated areas or that require the maintenance of temperatures higher than the design ambient temperatures is provided with dual heat tracing circuits and low temperature alarms.
The alarm and heat tracing circuits are electrically independent, therefore, failure of the heating circuit will not result in loss of the low temperature alarm. Loss of power to the low temperature alarm and heat tracing circuits will be alarmed in the control room.
HANDOUT:
To ensure that instruments, including sensing and sampling lines, 3/23 are protected from freezing during cold weather, electrical heat tracing is provided. Heat tracing on safety-related piping is protected by redundant, non-safety-related, heat tracing. On the boron injection line only, the primary heat tracing circuit is train A associated. The backup heat tracing circuit is train 1 associated. This backup circuit is normally de-energized. On the remaining lines, the redundant heat tracing circuit is energized from the same train as the primary circuit.
Integrity of each circuit is continuously monitored. Low and high temperature alarms are available at the heat tracing system control cabinet. Additionally, failures as detailed below are indicated at the heat tracing control cabinets that are located in the general vicinity o.
the systems being heat traced:
a)
Loss of voltage, b)
Ground fault trip for each heating element circuit, c)
Overload trip of branch circuit breakers, Trouble alarms are provided in the main control room.
STATUS:
Closed.
9/14 420.8 Provide and describe the following for NSSS and BOP safety-related (7.1) setpoints:
(a) Provide a reference for the methodology used. Discuss any differences between the referenced methodology and the methodology used for Seabrook, (b) Verify that environmental error allowances are based on the highest value determined in qualification testing, (c) Document the environmental error allowance that is used for each reactor trip and engineered safeguards setpoint,, _,
l
)
(d)
Identify any time limits on environmental qualification of instru' its used for trip, post-accident monitoring or engir red safety features actuation. Where instruments are qualisted for only a limited time, specify the time and basis for the limited time.
i
RESPONSE
Seabrv.;, uses the same methodology as W used for DC Cook, North 3/23 Anna and Sumner, there are no differences. DC Cook and North Anna were submitted and approved. This is applicable for both NSSS and BOP safety-related setpoints.
WCAP 8587 and 8687 describe the determination of environmental error allowances.
l ADDITIONAL
RESPONSE
The use of the Westinghouse statistical methodology was accepted 4
9/14 by the NRC for Virgil C. Sumner (NUREG 0717 Supplement No. 4).
The determination of the Seabrook setpoints will be consistent with the method used for Sumner.
STATUS:
Confirmatory pending review of formal documentation.
9/14 420.9 There is an inconsistency between the discussions in FSAR (7.1.2.5)
Section 1.8 and FSAR Section 7.1.2.5 pertaining to the compliance with Regulatory Guide 1.22.
FSAR 3ection 1.8 states that the main reactor coolant pump breakers are not tested at full power. FSAR Section 7.1.2.5 does not include these breakers in the list of equipment which cannot be tested at full power. Please provide a discussion as to whether the operation of the reactor coolant pump breakers is required for plant safety. If not, then please justify. Also, please correct the inconsistency described above and, as a minimum, provide a discussion per the recommendations of Regulatory Position D.4 of Regulatory Guide 1.22.
RESPONSE
Revised 1.8 provided to staff and attached to meeting notes, 3/23 reactor does not trip on opening of reactor coolant pump breakers.
STATUS:
Closed.
4 9/14 420.10 Using detailed plant design drawings (schematics), discuss the (1.8)
Seabrook design pertaining to bypassed and inoperable status (7.1.2.6) indication. As a minimum, provide information to describe:
(7.5) 1.
Compliance with the recommendations of Regulatory Guide 1.47, 2.
The design philosophy used in the selection of equipment / systems to be monitored, 3.
How the design of the bypass and inoperable status indication systems comply with Positions Bl through B6 of ICSB Branch Technical Position No. 21, and '
4.
The list of system automatic and manual bypasses within the BOP and NSSS scope of supply as it pertains to the recommendations of Regulatory Guide 1.47.
The design philosophy should describe, as a minimum, the criteria to be employed in the display of inter-relationships and dependencies on equipment / systems and should insure that bypassing or deliberately induced inoperability of any auxiliary or support system will automatically indicate all safety systems affected.
RESPONSE
Handout given to staff. Overview of systems covered and 3/23 description of operation given including automatic and manual modes, and interaction between systems. Handout as ammended during meeting will be attached to the meeting minutes.
System description of computer and video alarm system (VAS) presented during meeting and will be followed up by written description to staf f as response to RAI 420.49. A meeting will be held with the staff in Washington at a later date to review all aspects of plant computer operation.
Staff presented concern that some guarantee must be considered as to percent of time computer will be operating and that plant will not continue to operate for any length of time, without appropriate corrective action, when and if' computer should be out of service. A possible solution would be to refer operating and repair times to safety review committee although it is agreed that the computer is not a safety-related system. Staff asked for additional information concerning level of validation and verification of software.
HANDOUT:
1.
Systems are designed to meet the recommendations of 3/23 Regulatory Guide 1.47.
I 2.
Design philosophy is discussed in FSAR Section 7.1.2.6.
The selection of equipment is given in Item 4.
3.
System design meets the recommendation of ICSB-21 a's follows:
B1 - Refer to FSAR Section 7.1.2.6(a).
B2 - System design meets the requirements. Refer to logic diagrams listed in FSAR Section 7.1.2.6(f).
B3 - Erroneous bypassed / inoperable alarm indications could be provided by any of the following:
- dirty relay contacts
- dirty limit switch contacts.
I B4 - The bypass indication system does not perform functions l
essential to safety.
(Refer to FSAR Section 7.1.2.6)
I
- A system design is supplemented by administrative l
' l
procedures. The operator will not rely solely on the indication system.
B5 - The indication system does not perform any safety-related functions and has no effect on plant safety systems. The indication system is located at the MCB separately for each train on system level basis.
B6 - All bypass indicators and plant video annunciator systems are capable of being tested during normal system operation.
4.
The list of the equipments for which bypass / inoperable alarms and indication are provided.
Al - Service Water System (SW)
Service Equipment Logic Diagram Schematic 2
Service Water Pumps SW-P-41A/41B M-503968 M-301107 Sh. AG3, AR3
-41C/41D M-503969 M-301107 Sh. AG4, AR4 Cooling Tower Pumps SW-P-110A M-503966 M-301107 Sh. AU2
-110B M-503967 M-301107 sh. AU6 Cooling Tower Fans SW-FN-51A M-503951 M-301107 Sh. AV4
-51B M-503452 M-301107 Sh. AW4 Cooling Tower / Service M-503973 M-310951 EH9/EHO Water Bypass /Inop.
. Note: There are separate lights for the service water pump and the cooling tower subsystems.
A2 - Primary Component Cooling Water System (CC)
Service Equipment Logic Diagram Schematic Primary Cooling Water Pumps CC-P-llA M-503270 M-310895 Sh. A58/A78 llB/ llc /llD A59,A79 PCCW Bypass Inop.
M-503277 M-310951 EH9/EHO A3 - Containment Building Spray (CSB)
Service Equipment Logic Diagram Schematic Containment Spray Pumps CBS-P-9A/9B M-503257 M-310900 Sh. A61,A81 Containment Sump Iso. Viv.
CBS-V8/V14 M-503252 M-310900 Sh. B84,D40 Cont. Spray Add. Iso. Viv.
CBS-V39/V44 M-503259 M-310900 Sh. 4b Cont. Spray Nozzle Iso. Vlv. CBS-V13/Vl9 M-503259 M-310900 Sh. 4b Service Equipment Logic Diagram Schematic Primary Comp. Cooling Water to Containment HX CC-V131/V260 M-503259 M-310895 Sh. 4a Primary Comp. Cooling Water M-503259. - -
A4 - Residual Heat Removal (RH)
Service Equipment Logic Diagram Schematic RH Cold Leg Inj. Iso. Vlv.
RH-V14/26 M-503768/503769 M-310887 Sh. B57,B65 RH Hot Leg Inj. Iso. Viv.
RH-V32/70 M-503768/503769 M-310887 Sh. B58,D90 Chg. Pump Suc. Iso. Viv.
RH-V35 M-503768/503763 M-310887 Sh. B59,B66 SI Pump Suc. Iso. V1v.
RH-36 M-503768/503763 M-310887 Cont. Sump-Iso. Viv.
CBS-V8/V14 M-503252 M-310900 Sh. 384,D40 Prim. Comp. Cooling Water to HX CC-V133/V258 M-503768 M-310895 Sh. 4A Residual Ht. Removal Pumps RH-P-8A/8B M-503761 M-310877 Sh. A57,A77 A5 - Safety Injection System (SI)
Se rvice Equipment Logic Diagram Schematic SI Pumps SI-P-6A/6B M-503900 M-310890 Sh. A56/A76 Cont. Sump Iso. Valve CBS-V8/V14 M-503918 SI Cold Leg Iso. Valve SI-V114 M-503918 M-310890 Sh. B49 SI-P-CA-6B to Hot Legs Isolation Valve SI-V102/V77 SI-P-6A/6B to RWST Isolation Valve SI-V89/V90 M-503918 M-310890 Sh. B41/B42 SI-Pump Cross Connect SI-Vill /Vll2 M-503918 M-310890 Sh. B47/B48 Prim. Comp. Cooling Wtr.
M-503918 M-310895 Sh. EH9/3 EA A6 - Chemical and Volume Control System (CS)
Service Equipment Logic Diagram Schematic Charging Pump CS-P-2A/2B M-503372,M-503330 M-310891 Sh. A62,A82 Prim. Comp. Cooling Wtr.
M-503372 i
Service Equipment Logic Diagram Schematic Emer. Feedwater Pump FW-P-37B M-503586 M-310844 Sh. A80 Emer. FW Pump 37A/37B FW-V71/73 M-503599 M-310844 Sh. 4 Discharge and Bypass Vivs.
FW-V65/67 M-503599 M-310844 Sh. 4 A8 - Diesel Generator Service Equipment Logic Diagram Schematic DG Control Power Lost M-503495 M-310102 DG Breaker Control Power Lost M-503495 M-310102 EPS Control Power Lost M-503495 M-310102 Protection Relays not Reset M-503495 M-310102 DG - Barring Devices Engaged M-503495 M-310102 Starting Air Pressure Lo-Lo M-503495 M-310102 Control Switch Pull to Lock M-503495 M-310102 l
Selector Switch Maintenance M-503495 M-310102 i
[
I l l
B - Interrelationship Between Auxiliary Systems and Safety Systems Auxiliary systems such as service water system (SW),
primary component cooling water system (CC), and diesel generator system (DG) are dependent on the operation of other auxiliary systems or are required for the operation of other auxiliary or safety systems.
The VAS will automatically indicate the dependent auxiliary jtyt and safety systems that are made inoperable by an inoperable auxiliary system.
Initiation of the Emergency Power Inoperable indication will automatically initiate all the indicators for the same train on the bypass and inoperable status panel. Initiation of an indicator on the bypass and inoperable status panal is performed manually and will automatically initiate indication of dependent auxiliary and safety systems on the bypass and inoperable status panel.
Reference logic drawings:
M-503277 - M-503973 M-503259 - M-503768 M-503918 - M-503372 ADDITIONAL
RESPONSE
The handout will be revised to indicate that alarms and indicators 5/12 are provided. The indication on the bypass and inoperable sistus panel is on the system level for each train. All automatic initiation is through the VAS.
Indication on the status part is manually initiated in response to the VAS alarm or when the system is bypassed or made inoperable with devices not monitored by the VAS. The VAS and the status panel have logic that will automatically indicate all systems made inoperable when a support system is inoperable.
Typographical errors on
- .7 and A8 will be corrected.
This items remains open pending the review of the VAS.
After the meeting, a note to clarify the service water indicators was added to Al of the 3/23 handout. A8 was deleted as the Diesel Generator status monitoring lights and alarms are not considered part of the bypass and inoperable status monitoring cystem, since the events monitored occur less than once per year. FSAR 7.1.2.6, copy attached, will be revised.
ADDITIONAL
RESPONSE
Item A8, diesel generator, will be returned to the list as data 7/15 for other diesels indicate that they may require maintenance outages more than once per year.
The functions that are listed all initiate a VAS common alarn which indicates that a train is inoperable, TRN EMERG POWER INOPERABLE. - -. --- -
Diesel generator status is indicated on the diesel generator status light panel on Section HF of the MCB, not on the bypass and inoperable status light panel on Section CF of the MCB. These status monitoring lights along with specific and common VAS alarms provide continuous status of the diesel generators.
We will add the bypass / inoperable status monitoring system pushbuttons to the computer inputs that initiate the VAS bypass / inoperable alarms. This will ensure that the same information on system status is available at the monitoring system i
or through the VAS. A summary of the current status of the VAS bypass / inoperable alarms will be available on demand to ensure that operator is aware of the status of redundant systems when a system is bypassed /made inoperable. A system level VAS alarm vill be initiated if the redundant trains are bypassed /made inoperabie.
ADDITIONAL
RESPONSE
The 3/23 handout, Part B, is revised to include the Diesel i
9/14 Generator in the discussion of the interrelationship of the auxiliary systems. Logic diagrams will be changed.
STATUS:
Confirmatory pending review of formal documentation.
4 9/14 420.11 Summarize the status of those instrumentation and control items (7.1) discussed in the Safety Evaluation Report (and supplements) issued for the construction permit which required resolution during the operating license review.
RESPONSE
There are no unresolved items relating to Chapter 7 of the SAR 3/23 identified in the construction permit SER (Supplements 1 to 4).
STATUS:
Closed.
5/12 420.12 Various instrumentation and_ control system circuits in the plant (7.1.2.2)
(including the reactor protection system, engineered safety features actuation system, instrument power supply distribution l
System) rely on certain devices to provide electrical isolation capability in order to maintain the independence between redundant safety circuits and between safety circuits and non-safety circuits.
1.
Identify the type of isolation devices which are used as boundaries to isolate non-safety grade circuits from the safety grade circuits or to isolate redundant safety grade circuits.
l 2.
Describe the acceptance criteria and tests performed for each isolation device which is identified in response to Part 1 above. This information should address results of analyses or tests performed to demonstrate proper isolation and should assure that the design does not compromise the required protective system function.
-lo-l l
l
I
RESPONSE
1.
BOP uses the same type W 7300 system, with the same j
3/23 qualifications, as is used by NSSS (NSSS equipment for.
Seabrook is identical to that for SNUPPS).
2.
Radiation data management system will require submittal of further documentation of isolation devices used.
3.
Power supply distribution isolation is covered under RAI 430.40A.
ADDITIONAL 8
RESPONSE
The current Itatus of the RDMS isolators was discussed. Further 9/14 discussion is deferred pending overall resolution of train separation criteria.
STATUS:
Open pending documentation of testing to be performed to show that 9/14 the isolator will perform the required isolation function. The maximum credible fault voltage and current should be justified.
420.13 The discussion in Section 7.1.2.2 states that Westinghouse tests (7.1.2.2) on the Series 7300 PCS system covered in WCAP-8892 are considered (7.5.3.3) applicable to Seabrook. As a result of these tests, Westinghouse j
(7.7.2.1) has stated that the isolator output cables will be allowed to be routed with cables carrying voltages not exceeding 580 volts ac or 250 volts dc.
The discussion of isolation devices in Section 7.5.3.3 of ttue FSAR, however, considered the maximum credible fault accidents of 118 volts ac or 140 volts de only. -Also, the statement in Section 7.7.2.1 implies that the isolation devices were tested with 118 volts ac and 140 volts de only. In order to clarify the apparent inconsistency, provide the following:
(a) Specify the type of isolation devices used for Seabrook process instrumentation system.
If they are not the same as the Series 7300 PCS tested by Westinghouse, specify the fault i
voltages for which they are rated and provide the supporting test results.
(b) Provide information requested in (a) above for the isolation devices of the nuclear instrumentation system. As implied in WCAP-8892, the tests on Series 7300 PCS did not include the nuclear instrumentation system.
(c) Describe what steps are taken to insure that the maximum t
credible fault voltages which could be postulated in Seabrook, as a result of BOP cable routing design, will not exceed those for which the isolation devices are qualified.
i
. RESPONSE:
The isolation devices used are as described in 420.12.
3/23 Isolation device design is identical and has been qualified the same as for SNUPPS. The routing of cables leaving the cabinets is consistent with the interface criteria in WCAP 8892A.
STATUS:
Closed.
l 5/12 i
-.___.-__-,_.r.._._
. --.~.
420.14 The FSAR information provided describing the separation criteria (7.1.2.2) for instrument cabinets and the main control board is
= insufficient. Please discuss the separation criteria as it pertains to the design criteria of IEEE Standard 384-1977, Sections.5.6 and 5.7.
Detailed drawings should be used to aid in verifying compliance with the separation criteria.
RESPONSE
Handout submitted to staff. Overview of main control board was 3/23 presented using drawings and pictures. FSAR Sections 7.1.2.2 and 1.8 will be revised to be applicable to both balance of plant and NSSS control panels..The design criteria of IEEE Standard 384-1977, Sections 5.6 and 5.7 for the main control board and instrument cabinets has been met.
STATUS:
Closed.
9/14 HANDOUT:
1.
Instrument Cabinets 3/23 Section 5.7 of IEEE-384-1977 is met by having independent cabinets for redundant Class lE instruments, examples of this separation may be found on instrument cabinets MM-CP-152A and MM-CP-152B, both located in the main control room, control building Elevation 75'-0".
2.
Main Control' Board (MCB)
Sections 5.6.1 through 5.6.6 of IEEE-384-1977 are met as follows, and as described in UE&C Specification 9763-006-170-1, Revision 5:
(a) Section 5.6.1 - The main control board, seismically qualified by analysis and testing per UE&C Specifications 9763-006-170-1 Revision 5, and 9763-SD-170-1, Revision 0, is located in the main control room of the Seabrook station control building (Elevation 75'-0") which is a Seismic Category I structure.
(b) Sections 5.6.2 through 5.6.6 - MCB Zone "B" (front contains the low pressure safety injection; rear contains miscellaneous systems like steam generator blowdown, heat removal, spent fuel) will be used to describe compliance with above referenced sections of IEEE-384-1977. UE&C drawings 9763-F-510102 Revision 6, 9763-F-510ll5 Revision 4 and 9763-F-510ll6 Revision 4 could be used to ascertain the compliance with the standard.
b.1 Internal Separation (5.6.2) - the front section of Zone B is divided into Class lE train "A" (and it's associated non-Class lE circuits trein "AA")
on the left-hand side, separated from the Class 1E train "B" (and it's associated non-Class lE i
I circuits train "BA") by a full size top-to-bottom 1 J 1
r-e.
-w,
-m--.-.v--.v-,y r,,,m-yn
.,n
- -,.-7m-
.-m,
-,-m,
,.m,w
,og w,,gny-,m
,,w, e
c..
e--,
e,,,
,w, q.
-m.-
m
-,e-ve.
e--
steel barrier. However, due to process requirements there are instruments of the opposite
- train, "B", on the train "A" side; they are separated by a steel enclosure fully surrounding the instrument or open at the rear after a depth 6" deeper than the instrument itself.
The rear section of Zone B is all Class lE train "A" or it's associated non-Class lE circuit train "AA".
Again, as in the front section due to process requirements, there are instruments of the opposite train which are separated by a steel enclosure in the same fashion as in the front section.
Refer to next Item, b.2, for wiring separation.
b.2 Internal Wiring Identification (5.6.3) - All wiring within each section is identified by different jacket colors, as follows:
Class lE train "A"
- red Class lE train "B"
- white Non-Class lE train "AA" - black with red stripe Non Class IE train "BA" - black with white stripe Each wire / cable insulation is qualified to be flame retardant per either IPCEA-S-19-81 (NEMA WC3) paragraph 6.13.2 or UL-44 Section 85 or IEEE Standard-383 Section 2.5.
In addition, all wiring within each section is run in covered wireways formed from solid or punched sheet steel. Minimum wire bundles were allowed where it was physically impossible to install wireways or where it would have been hazardous to the operator / maintenance personnel.
Class lE and Non-Class IE wiring of the same train are run in the same wireway. The wireways were further identified with red "A" or white "B" to depict the train assignment of the wire being run within the particular wireway.
b.3 Common Terminations (5.6.4) - No common terminations were allowed in the MCB.
b.4 Non-Class lE Wiring (5.6.5) - Class lE and Non-Class lE associated circuits wiring of the same train are run together in the same metallic wireway but are separated by specific identifying jacket colors as described above (b.2).
b.5 Cable Entrance (5.6.6) - Field cables to be terminated on the MCB terminal blocks are routed in train assigned raceways through the cable I
spreading room which is located directly under the main control room (refer to UE&C Drawing 9763-F-500091, Revision 6).
The raceways run all the way up to the floor slots of the same assigned train located in the floor right underneath the MCB.
(The floor slots location and train assignment are shown on UE&C Drr
.gs 9763-F-500100 Revision 6, 9763-F-101347 Revision 5 and 9763-F-310432 Revision 8).
420.15 Identify all plant safety-related systems, or portions thereof, (7.1) for which the design is incomplete at this time.
RESPONSE
The design of all safety-related systems has been completed. The 3/23 design details associated with procurement and installation are on-going in accordance with the project schedule.
fj['y STATUS:
Closed (design modifications are being covered under the other 5/12 RAIs).
420.16 Identify where microprocessors, multiplexers, or computer systems (7.1) are used in or interface with safety-related systems.
RESPONSE
NSSS does not use microprocessors, multiplerers or computers in or 3/23 to interface with safety-related systems (multiplexors are used for information transmission).
The radiation data management uses microprocessors and computers.
Detailed descriptions on how the system works will be submitted later.
ADDITIONAL
RESPONSE
The RDMS is functionally identical to the systems installed at 5/12 Byron-Braidwood, St. Lucie 2, Waterford 3, SNUPPS and Comanche Peak.
NRC will review handout presented, copy attached. More information is needed on the lE microprocessor software and design features.
The Class lE monitors are identified in FSAR Tables 12.3-13, 12.3-14 and 12.3-15.
They are described in Section 12.3.4.
ADDITIONAL
RESPONSE
Software desiga control and testing was discussed. The controls 9/14 will be documented.
Information on the testing will be provided.
STATUS:
Open.
9/14 420.17 The FSAR information which discusses conformance to Regulatory (7.1)
Cuide 1.118 and IEEE-338 is insufficient. Further discussion is (7.2) required. As a minimum, provide the following information:
)
(7.3)
- ~_
-~
(1.8) 1.
Confirm that the Technical Specifications will provide detailed requirements for the operator which insure that i
blocking of a selected protection function actuator circuit is returned to normal operation after testing.
2.
Discuss response time testing of BOP and NSSS protection systems using the design criteria described in Position C.12 or Regulatory Guide 1.118 and Section 6.3.4 of IEEE 338.
Confirm that the response time testing will be provided in the Technical Specifications.
3.
The FSAR states that, " Temporary jumper wires, temporary test instrumentation, the removal of fuses and other equipment not hard-wired into the protection system will be used where applicable". Identify where procedures require such operation. Provide further discussion to describe how the Seabrook test procedures for the protection systems conform to Regulatory Guide 1.118 (Revision 1) Position C.14 guidelines. Identify and justify any exceptions.
4.
Confirm that the Technical Specifications will include the RPS and ESFAS response times for reactor trip functions.
5.
Confirm that the Technical Specifications will include response time testing of all protection system components, from the sensor to operation of the final actuation device.
6.
Provide an example and description of a typical response time test.
RESPONSE
Handout was distributed and found acceptable with changes 3/23 discussed during meeting. The revised handout is included in the meeting minutes.
STATUS:
Confirmatory pending correction of an editorial error to show 9/14 that the correct revision is Revision 2, dated June 1978.
HANDOUT:
1.
Technical Specification Tables 3.3-1 reactor trip system, 3/23 3.3-3 engineered safety features actuation, and 3.3-5 reactor trip /ESF actuation system interlocks, provide the operator with the minimum operable channel criteria and the appropriate action statement.
2.
BOP and NSSS protection system time response tests will be conducted in accordance with Regulatory Guide 1.118 Revision 1, IEEE-338-1975, ISA dS67-06, and draft Regulatory Guide Task IC 121-5, January, 1982, with the following exceptions and positions:
(a) Task IC 121-5 Regulatory Position Cl states that the term " nuclear safety-related instrument channels in nuclear power plants" should be understood to mean instrument channels in protection systems.._ _
(b) Response time-testing will be performed only on those channels having a limiting response time established and credited in the safety analysis.
(c) The revised discussion of Regulatory Guide 1.118 in FSAR Section 1.8 (copy attached).
Response time testing is specified in Tables 3.3-2 and 3.3-4.
3.
It is not anticipated that any Seabrook test procedures performed on protection systems will require the use of temporary jumpers, lifted wires or pulled fuses. All procedures will, in fact, utilize the hard-wired test points within the system and therefore, comply with Regulatory Guide 1.118, Revision 1, Position C14.
If during plant operation, conditions or test requirements show that deviation from this guide is the only practical method of obtaining the desired test results, then all affected testing will be performed and documented under the control of a special test procedure. We will inform ICSB, prior to licensing, of any temporary modifications identified during preparation of the surveillance procedures.
4.
Response times are specified in Tables 3.3-2 and 3.3-4.
5.
Compliance with Regulatory Guide 1.118, Revision 1, IEEE-338-1975, and ISA dS67-06 ensures that the complete channel is tested with the exception noted on Table s.3-2 of Seabrook Technical Specifications.
6.
Response time tests have not yet been prepared. Test methods to be employed are outlined below:
Pressure Sensors The process variable will be substituted by a hydraulic ramp, the ramp rate to be selected based on the transient for which the sensor is required to respond.
In the event that the sensor is required to respond to more than one transient, the ramp rates will be selected to represent the fastest and slowest transients.
Temperature Sensors Will be tested in place using the loop current step response (LCSR) method. See NUREG-0809.
(
Impulse Lines Tests will be conducted during the startup testing phase to establish the relationship between response time and impulse line flow, subsequent tests will be limited to flow testing..
i Electronic Channel The signal conditioning and logic section of the instrument channel will be tested by inputting a step change at the input of the process racks, and measuring the time required until the final device in the channel actuates.
420.18 It is stated in FSAR Section 7.1.2.11 that, "A periodic (7.1.2.11) verification test program for sensors within the Westinghouse scope for determining any deterioration of installed sensor's response time, is being sought".
NUREG-0809, " Review of Resistance Temperature Detector Time Response Characteristics",
and draft Standard ISA-dS67.06, " Response Time Testing of Nuclear i
Safety-Related Instrument Channels in Nuclear Power Plants", are documents which propose acceptable methods for response time testing nuclear safety-related instrument channels. Please provide further discussion on this matter to unequivocally indicate the test methods to be used for Seabrook.
RESPONSE
See our Response to 420.17 for a discussion of the proposed 3/23 response tira testing program. The referenced portion of 7.1.2.11 will be deleted (see attached copy).
STATUS:
Closed.
9/14 420.19 FSAR Section 7.1.1 does not provide sufficient information to (7.1.1.1) distinguish between those systems designed and built by the nuclear steam system supplier and those designed or built by others. Please provide more detailad information.
RESPONSE
Draft revision of FSAR 7.1.1 provided to staff and found 3/23 accep:able and is attached to the meeting' notes.
STATUS:
Close1.
9/14 420.20 Section 7.1.2.7 of the FSAR discusses conformance to Regulatory (7.1.2.7)
Guide 1.53 and IEEE Standard 379-1972. The information provided addresses only Westinghouse provided equipment and associated topical reports. Provide a conformance discussion that addresses the BOP portions of the plant safety systems and auxiliary systems required for support of safety systems.
RESPONSE
FSAR has been revised to cover single failure criteria for BOP and 3/23 NSSS and is attached to the meeting minutes.
ADDITIONAL
RESPONSE
The change to FSAR 7.1.2.7 was reworded. Copy is attached.
5/12 STATUS:
Closed.
9/14..
~,
420.21 The information in Section 7.2.1.1.b.6, " Reactor Trip on Turbine (7.2.1.1)
Trip", is insufficient. Please provide further design bases discussion on this subject per BTP ICSB 26 requirements. As a minimum you should:
~1.
Using detailed drawings, describe the routing and separation for this trip circuitry from the sensor in the turbine building.to the final actuation in the reactor trip system (RTS).
t 2.
Discuss how the routing within.the non-seismic Category I turbine building is such that the effects of credible faults i
or failures in this area on these circuits will not challenge the reactor trip system and thus degrade the RTS performance. This should include a discussion of isolation devices.
3.
Describe the power supply arrangement for the reactor trip on turbine trip circuitry.
i 4.
Provide discussion on your proposal to use permissive P-9 (50% power).
5.
Discuss the testing planned for the reactor trip on turbine trip circuitry.
4 Identify any other sensors or circuits used to provide input j
signals to the protection system or perform a function required for safety which are located or routed through non-seismically qualified structures. This should include sensors or circuits providing input for reactor trip, emergency safeguards equipment i
such as auxiliary feedwater system and safety-grade interlocks.
Verification should be provided to show that such sensors and circuits meet IEEE-279 and are seismically and environmentally qualified.
Identify the testing or analyses performed which insures that failures of non-seismic structures, mountings, etc.
will not cause failures which could interfere with the operation of any other portion of the protection system.
l
RESPONSE
Add to the SNUPPS response to " Reactor Trip on Turbine Trip" that 3/23 circuits and sensors used in a non-seismic structure are Class lE i
and are run in separate conduits meeting Regulatory Guide 1.75 l
with the exception of seismic qualification. Hydraulic pressure i
and limit switches on the turbine stop valves are two examples.
the response will be attached to the meeting minutes.
Permissive P-9 has an adjustable setpoint between 10 - 50%.
Reactor trip on turbine trip circuitry is testable at power.
1 l
The turbine impulse chamber pressure transmitters are Class lE and routed as Class lE, with the seismic exception.
There are no other safety grade sensors routed through non-seismic
(-
areas. The only safety-related outputs in non-seismic areas are i j I.
., _ _ - -. _ _.,-..-- _.. ~.,__
m signals to close the feedwater control valves, close the condenser dump valves and trip the turbine generator. These circuits are designed as described above.
ADDITIONAL
RESPONSE
The handout was discussed and revised.
5/12 Each turbine stop valve is monitored by two independent switches.
L 4
STATUS:
Closed. ICSB will follow PSB review of separation per Regulatory 7/15 Guide 1.75.
HANDOUT:
Revised SNUPPS Submittal 3/23 9/14 Evaluations indicate that the functional performance of the protection system would not be degraded by credible electrical f aults such as opens and shorts in the circuits associated with -
reactor trip or the generation of the P-7 interlock. The contacts 1
of redundant sensors on the steam stop valves and the trip fluid pressure system are connected through the grounded side of the ac supply circuits in the solid state protection system. A ground 2
fault would therefore produce no fault current. Loss of signal caused by open circuits would produce either a partial or a full reactor trip. Faults on the first stage turbine pressure circuits would result'in upscale, conservative, output for open circuits and a sustained current, limited by circuit resistance, for short circuits. Multiple failures imposed on these redundant circuits could potentially disable the P-13 interlock. In this event, the i
nuclear instrumentation power range signals would provide the P-7 safety interlock. Refer to Functional Diagram, Sheet 4 of Figure 7.2-1.
SSPS input circuits and sensors in non-seismic structures are Class 1E.
The electrical and physical independence of the connecting cabling conforma to Regulatory Guide 1.75.
$7 STATUS:
Closed.
9/14 420.22 FSAR Section 7.2.1.1.b.8 states that, "The manual trip consists of
(
(7.2.1.1) two switches with two outputa on each switch. One output is used i
to actuate the train A reactor trip breaker, the other output actuates the train B reactor trip breaker." Please describe how this design satisfies the single failure criterion and separation I
requirements for redundant trains.
RESPONSE
Manual trip design is identical to SNUPPS, Watts Bar, j
3/23 Byron-Braidwood. Drawing was reviewed and found acceptable.
STATUS:
Closed.
5/12 l
420.23 Describe how the effects of high temperatures in reference legs of l
(7.2) steam generator and pressurizer water level measuring instruments subsequent to high energy breaks are evaluated and compensated for. '
i
in daterm..ing setpoints. Identify and describe any modifications planned or taken in response to IEB 79-21. Also, describe the level measurement errors due to environmental temperature effects on other level instruments using reference legs.
RESPONSE
The steam generator level transmitter reference legs will be 3/23 insulated to prevent excessive heating under accident conditions.
Setpoints will include errors for high energy line breaks with the insulation.
For the pressurizer level, we will review SNUPPS report and determine applicablity to Seabrook.
REVISED
RESPONSE
SNUPPS did not insulate reference legs in containment. We are 5/12 evaluating their approach for application to Seabrook and will advise the NRC on our final corrective action.
STATUS:
Open. Evaluation of transient heating of steam generator 9/14 reference leg continues. A complete response will be submitted to the NRC.
420.24 State whether all of the systems discussed in Sections 7.2, 7.3, (7.2) 7.4 and 7.6 of the FSAR conform to the recommendations of (7.3)
Regulatory Guide 1.62 concerning manual initiation. Identify (7.4) any exceptions and discuss how they do not conform to the (7.6) recommendations. Provide justification for nonconformance areas.
RESPONSE
Systems discussed in Sections 7.2, 7.3, 7.4 and 7.6 of the FSAR 3/23 conform to the recommendations of Regulatory Guide 1.62 concerning manual initiation. There are no exceptions taken.
STATUS:
Closed.
5/12 420.25 The information provided in Section 7.2.2.2.c.10.(b) on testing (7.2.2.2) of the power range channels of the nuclear instrumentation system, covers only the testing of the high neutron flux trips. Testing of the high neutron flux rate trips is not included. Provide a description of how the flux rate circuitry is tested periodically to verify its performance capability.
RESPONSE
The power range nuclear instrumentation system and all associated 3/23 bistables including the rate trips are testable at power.
STATUS:
Closed.
5/12 420.26 Identify where instrument sensors or transmitters supplying l
(7.2) information to more than one protection channel are located in a l
(7.3) common instrument line or connected to a common instrument tap.
The intent of this item is to verify that a single failure in a common instrument line or tap (such as break or blockage) cannot defeat required protection system redundancy...
t
=
RESPONSE
Identical to SNUPPS except we do not share taps for pressurizer 3/23 pressere. There are no shared taps for redundant BOP safety instruments.
STATUS:
Closed.
5/12' 420.27 If safety equipment does not remain in its emergency mode upon (7.3)
. reset of an engineered safeguards actuation signal, system modification, design change or other corrective action should be planned to assure that protective action of the affected equipment is not compromised once the associated actuation signal is reset.
i This issue is addressed by I&E Bulletin 80-06.
Please provide a discussion addressing the concerns of the above bulletin. This discussion should assure that you have reviewed the Seabrook design per each of the I&E Bulletin 80-06 concerns. Results of your review should be given.
RESPONSE
We have reviewed the electrical schematics for engineered safety i
3/23 feature (ESP) reset controls. In the Seabrook design, all systems serving safety-related functions remain in the emergency mode upon removal of the actuating signal and/or manual resetting of ESF actuation signals. The required testing (per 80-06) will be performed as part of the start-up test. program described in Chapter 14.
STATUS:
Closed.
5/12 420.28 The description of the emergency safety feature systems which is (7.3.1.1) provided in the FSAR Section 7.3.1.1 is incomplete in that it does not provide all of the infornation which is requested in Section 7.3.1 of the standard format for those safety-related systems, interf aces and components which are supplied by the applicant and mate with the' systems which are within the Weatinghouse scope of supply. Provide all of the descriptive and design basis information which is requested in the standard format for these systems.
In addition, provide the results of an analysis, as is requested in Section 7.3.2 of the standard format, which demonstrates how the requirements of the general design criteria and IEEE Standard 279-1971 are satisfied and the extent to which the recommendations of the applicable Regulatory Guide are satisfied.
Identify and justify any exceptions.
Tables supplied in response to 420.32 and the additional
RESPONSE
3/23 information to be supplied when answering 420.29 will satisfy the requirements of this question.
ADDITIONAL
RESPONSE
See 420.29.
5/12 STATUS:
Closed.
7/15 L
i
. ~
t 420.29 l Confirm that the FMEA referenced in FSAR Section 7.3.2.1:
(1) is j
(7.3.2.1)~
applicable to all engineered safety features equipment within the BOP and NSSS scope of supply, and (2) is applicable to design changes subsequent to the design analyzed in the-referenced WCAP.
RESPONSE
Discussion of this item was deferred to the next meeting.
3/23 y
ADDITIONAL
RESPONSE
The Seabrook design complies with the interface criteria in (28629)
. Appendix B of WCAP 8584, Revision 1.
The FMEA in WCAP 8584 is 5/12 applicable to all BOP and NSSS safety features equipment at Seabrook including design changes made to the systems analyzed in WCAP 8584.
STATUS:
Closed.
7/15 420.30 Section 7.3.2.2 of the FSAR indicates that conformance to
~
(7.3)
Regulatory Guide 1.22 is discussed in Section 7.1.2.8. ~ However, i
Section 7.1.2.8 addresses Regulatory Guide 1.63.
Correct this discrepancy.
, The reference to Section 7.1.2.8 will be changed in Amendment 45
RESPONSE
3/23 to Section 7.1.2.5 where Regulatory Guide 1.22 is addressed.
STATUS:
Closed.
I 9/14 4
420.31 Using detailed drawings, discuss the automatic and manual ciperation (7.3.2.2) of the containment spray system including control of the chemical additive system. Discuss how testing of the containment spray system conforms to the recommendations of Regulatory Guide 1.22 and the requirements of BTB ICSB 22.
Include in your discussion the tests to be performed for the final actuation devices.
RESPONSE
Draft of response submitted to staff. Overview of containment 3/23 spray system was presented using drawings. System description and operation were reviewed. Staff questioned redundancy of temperature system. Tank temperature is monitored by a temperature indicating switch that actuates a VAS alarm and by an independent temperature indicating controller that controls auxiliary steam to the tank. Fluid systems are totally separable into trains "A" and "B".
The electrical systems are also completely separable into trains "A" and "B" as per the piping systems. Provisions are available for on-line testing of CBS system as described in FSAR 7.3.2.2.
The assignment of components to slave relays for on-line testing is indicated in the ESF table in the response to 420.32.
ADDITIONAL
RESPONSE
The response was clarified to specify that the spray additive 5/12 tank is the tank being discussed.
_~
=
This item is considered closed.
i
{bY STATUS:
Closed.
5/12 420.32 Please provide a table (s)~ listing the components actuated by the i
(7.3) engineered safety features actuation system. As a minimum, the table should include:
i 1.
Action required, 1
2.
Component description, 3.
Identification number, 4.
Actuation signal and channel.
RESPONSE
Tables supplied at the meeting are attached.
3/23 STATUS:
Closed.
5/12 i
420.33 Section 7.3.2.2.e.12 discusses testing during shutdown. Describe (7.3.2.2) provisions for insuring that the " isolation valves" discussed here are. returned to their normal operating positions af ter test.
RESPONSE
Administrative controls to ensure that equipment and systems are 3/23 restored to normr2 after testing will be addressed in equipment control procedures.that follow the guidance of ANS 18.7, 1976.
The system inoperative status monitoring panel will be manually actuated when a system is made inoperative.
STATUS:
Closed.
-5/12 420.34 Portions of paragraph 7.3.12.f, appear not to apply to E 7AS (7.3) response times.
In particular, the discussion on reactor trip breakers, latching mechanisms, etc., should be replaced by a discussion of ESF equipment time responses. The applicant should provide a revised discussion for ESFAS (a) defining specific beginning and end points for which the quoted times apply, and (b) relating these times to the total delay for all equipment and to the accident analysis requirements.
RESPONSE
FSAR 7.3.1.2.f will be revised as indicated on the attached markup.
3/23 STATUS:
Closed.
9/14 420.35 Using deta!.ied drawings, describe the ventilation systems used to I
(7.2 & 7.4) support engineered safety features areas 1ncluding areas containing systems required for safety shutdown. Discuss the i
s -.--- --
design bases for these systems including redundancy, testability, etc.
RESPONSE
Overview given at meeting on EVAC system for control room.
3/23 Equipment for system is redundant and safety grade. The HVAC instrumentation and control required for safety-related equipmene is Class lE and trains "A" and "B" oriented. Radiation detectors for intake air are redundant and safety related. Other systems in the control building are redundant and safety related.
Control of safety-related HVAC systems are operated from the control room and those systems required for remote safe shutdown also h,ve local control. The control room outside air intake lines are shared between Units 1 and 2.
Each unit has its own controls and isolation valves.
STATUS:
Closed.
5/12 420.36 Using detailed system schematics, describe how the Seabrook (7.3.2.3) auxiliary feedwater system meets the requirements of NUREG-0737, TMI Act.on Plan Item II.E.1.2 (See question 420.01). Be sure to include the following information in the discussion:
a) the effects of all switch positions on system operation.
b) the effects of single power supply failures including the effect of a power supply failure on auxiliary feedwater control after automatic initiation circuits have been reset in a post-accident sequence.
c) any bypasses within the system including the means by which it is insured that the bypasses are removed.
d) initiation and annunciation of any interlocks or automatic isolutions that could degrade system capability.
e) the safety clateification and design criteria for any air systems required by the auxiliary feedwater system. This should include the design bases for the capacity of air reservoira required for system operation.
f) design features provided to terminate auxiliary feedwater i
flow to a steam generator affected by either a steam line or i
feed line break.
g) system features associated with shutdown from outside the control room.
RESPONSE
Overview of emergency feedwater system was presented to staff 3/23 using drawings for description of system operation.
Emergency feedwater system was discussed with staff and it is considered an open item.
Significant concerns identified:
[ __
a)
Lack of safety grade air system.
b)
Single failure in pneumatic control valve.
c)
Loss of one train of power while operating from remote safe 3
shutdown panel.
d)
On-off control of the EFW control valves.
ADDITIONAL
RESPONSE
The concerns expressed in this RAI and in the le ter, dated 9/14 April 22, 1982 (Items A - K), were discussed in meetings with 4
ICSB,. ASB, RSB, YAEC, PSNH, and UE&C on June 23 and 24 and July 14 and 15, 1982. Our letter SBN-300, dated July 27, 1982, provided response to your April 22 letter. Our letter SBN-321, dated September 7, 1982, described the changes that are being made to the emergency feedwater system. A draft copy of the revision to FSAR Section 6.8 reflecting these changes is attached.
STATUS:
Confirmatory pending ASB review of recire line modification and 9/14 ICSB review of the formal documentation.
420.37 Using detailed system schematics, de ribe the sequence for s
(7.3) periodic testing of the:
a) main steam line isolation valves b) main feedwater control valves 1
c) main feedwater isolation valves d) auxiliary feedwater system i
e) steam generator relief valves f) pressurizer PORV The discussion should include features used to insure the availability of the safety function during test and measures taken to insure that equipment cannot be left in a bypassed condition af ter test completion.
4
RESPONSE
Periodic testing was discussed using detailed drawings.
3/23 Significant discussion items are:
a)
To be presented at next meeting.
b)
Standard Westinghouse testing system used.
c)
When testing main feedwater control and main feedwater isolation valves using train "A",
the system for train "B" remains completely operable.
d)
During testing of emergency feedwater pumps the discharge valve 'is closed and recirculation valve opened. The system _
~. _ _ _. - _ _... - -
t-inoperable indication is in accordance with Regulatory Guide 1.47.
I During testing, the capability exists to test the entire ESFAS as including actuation of the EFW pump.
e)
Discussed with no comments.
f)
Discussed with no comments.
ADDITIONAL
RESPONSE
The MSIV logic has been redesigned so that periodic testing can be 9/14 performed during normal power operation as a series of overlapping tests. Since the MSIVs cannot be fully closed at power, the actuation logic is blocked by a signal from the solid state protection system (SSPS) test cabinet when the test relay is energized. Operation of the slave relay and the test switch actuates the isolation logic. Proper operation of the logic is indicated at the logic gate that has been blocked.
After the SSPS is returned to normal, the MSIV is exercised'by partial stroke closure at a reduced speed. The exercise signal overlaps the actuation test to verify the operability of the complete logic.
The restoration of the flow restrictor after the exercise test is monitored.
I STATUS:
Confirmatory pending review of formal documentation.
j 9/14 420.38 The information supplied'in FSAR Section 7.4.1 does not adequately l
(7.4.1) describe the systems required for safe shutdown as required by Section 7.4.1 of the standard format. Therefore, provide all the l
descriptive and design basis information which is requested by
-Section 7.4.1 of the standard format. Also, provide the results of an analysis, as requested by Section 7.4.2 of the standard format, which demonstrates how the requirements of the general design criteria and IEEE Std. 279-1971 are satisfied and the l
extent to which the recommendations of the applicable regulatory guides are satisfied. Identify and justify any exceptions.
[
RESPONSE
Staff to review handouts presented at this meeting and come back 1
3/23 with any further questions. Update list for 420.39 and submit with minutes. YAEC given written position on safe shutdown, to be forwarded formally. Rewritten FSAR 7.4 is attached.
L ADDITIONAL l
RESPONSE
The analog instruments associated with the remote shutdown panel 5/12 are Non-lE and are independent of the control room instruments.
l The controls at the remote shutdown locations have the same qualification as the controls at the main control board.
i i I
REVISED
RESPONSE
The design of the controls at the remote shutdown locations have 9/14 undergone considerable revision to comply with the requirements of Appendix R and to be consistent with the changes required for safety grade cold shutdown from the control room, Since the same safety grade equipment will be used for remote shutdown without a fire, all the associated controls at the remote shutdown locations are safety grade and meet the applicable requirements of IEEE 279-1971, 324-1974, and 344-1975.
The instrumentation at the remote locations (with the exception of the wide range nuclear instrumentation) are separate loops that are completly independent of the instrument loops that provide indication in the control room. Since the remote shutdown locations are not required to have the controls and indication necessary to control the plant during accidents, the instrumentation at the remote shutdown locations do not meet all the requirements for safety grade equipment. We have determined that the electronics and indicators at the remote shutdown panels (CP-108 A & B) and the field wiring do meet the requirements of IEEE 344-1975. The transmitters and indicators are mechanically similar to transmitters and indicators that are qualified to 344-1975. We are obtaining the necessary documentation to cert
'w that the transmitters and indicators will be operable following I
seismic event. We will be able to certify that the instruments at the remote shutdown panels will be available following all postulated natural phenomena and, therefore, will meet the design basis of the remote shutdown equipment. This documentation will be available for audit prior to fuel loading.
The design for the safety grade wide-range nuclear instrumentation has the electronics mounted such that they would not be affected by a fire in the control room cable spreading room. The indication that will be provided at the remote shutdown location will be safety grade. We are reviewing a conflict between our Appendix R response (de-energization of the SSPS) and the ICSB guidance to meet Appendix K (do not disable ESF actuation prior to i
cooldown). We will provide our position on this item.
The draft revision to FSAR 7.4 submitted with the March 23, 1982, meeting minutes is being revised to reflect the latest design of the remote shutdown equipment and will address the positions in your April 21, 1982 letter, item-by-item.
STATUS:
Compliance with the Appendix K guidelines remains open, the 9/14 remainder is confirmatory.
420.39 The information supplied for remote shutdown from outside the control room is insufficient. Therefore, provide further discussion to describe the capability of achieving hot or cold shutdown from outside the control room. As a minimum, provide the following information:
i 9 :
1
a.
Provide a table listing the controls and display instrumentation required for hot and cold shutdown from outside the control room. Identify the safety classification and train assignments for the safety-related equipment.
b.
Design basis for selection of instrumentation and control s
equipment on the hot shutdown panel, c.
Location of transfer switches and remote control station (include layout drawings, etc.).
d.
Design criteria for the remote control station equipment including transfer switches.
e.
Description of distinct control features to both restrict and to assure access, when necessary, to the displays and controls located outside the control room.
f.
Discuss the testing to be performed during plant operation to verify the capability of maintaining the plant la 4 safe shutdown condition from outside the control room.
g.
Description of isolation, separation and transfer / override provisions. This should include the design basis for preventing electrical interaction between the control room and remote shutdown equipment.
h.
Description of any communication systems required to coordinate operator actions, including redundancy and separation.
i.
Description of control room annunciation of remote control or overridden status of devices under local control.
j.
Means for ensuring that cold shutdown can be accomplished.
k.
Explain the footnote in FSAR Section 7.4.1.4 which states that, " Instrumentation and controls for these systems may require some modification in order that their functions may be performed from outside the control room".
Discuss the modifications required on the instrumentation and controls of the pressurizer pressure control including opening control for pressurizer relief valves, heaters and spray and the nuclear instrumentation that are necessary to shutdown the plant from outside the control room. Also discuss the means of defeating the safety injection signal trip circuit and closing the accumulator isolation valves when achieving cold shutdown.
RESPONSE
See 420.38.
3/23 ADDITIONAL
RESPONSE
We will investigate the absence of pressurizer level indication in 5/12 the table that was provided in response to Item a..-
Response to Item g should refer to 7.4.1.1 and 7.4.1.3.a.5 vice 7.4.11.
See 420.36.
HANDOUT:
a)
Table is attached.
3/23 5/12 b)
See response to Item 440.13 (attached).
c)
Transfer switches are at the same location as the controls.
d)
Controls are the same safety classification as the controls in the control room. Instrumentation is not safety-related.
e)
The controls are located in areas that are controlled by the security system. The transfer switches are key-locked.
f)
Verification of the capability of maintaining the plant in a safe shutdown condition from outside control room will be in accordance with commitment in Chapter 14, Table 14.2-5, Item 33.
Reactor coolant pumps will not be tripped for this test. Verification of natural circulation will be in accordance with commitment in Chapter 14, Table 14.2-5, Item 22.
g)
Isolation is discussed in FSAR 7.4.1.1 and 7.4.1.3.a.5.
h)
See response to 430.67 (attached).
1)
Any switch that is in the local position is alarmed by the VAS.
j)
See Items a and b.
k)
The footnote has been deleted. See rewritten 7.4 submitted in 420.38.
ADDITIONAL
RESPONSE
a)
A revised table will be attached to the meeting minutes.
9/14 b)
Item-by-item compliance with RSB BTP 5-1 will be documented in our response to RAI 440.133.
d)
See 420.38 for the design of instrumentation.
c)
The remote shutdown locations are the vital switchgear rooms on elevation 21' 6",
tow level directly below the control room on elevation 75.
Access is through the stairwell on the south side of the control building or through stairwells in the turbine building.
Access to all levels of the control building is controlled by the station security system. The operators key cards will allow access to all levels of the control building.,
y
-e
(.
Administered controlled keys are also available to assure access should the security system be inoperable.
1)
VAS will be reviewed under 420.49.
STATUS:
Confirmatory, closely related to 420.38.
9/15
/
420.40' Concerning safe' shutdown from outside the control room, discuss j
the likelihood that the auxiliary feedwater system will be automatically initiated on low-low steam generator level following a manual reactor trip and describe the capability of resetting the initiating logic from outside the control room. Describe the method of controlling auxiliary feedwater from outside the control roome
. RESPONSE:
Even though the emergency feedwater system may be automatically 3/23 initiated as the main control room is evacuated, the emergency feedwater system can be controlled _from the remote safe shutdown 7
panel without resetting the actuation logic.. Additional information required by staff is furnished in the response to 420.38 and 420.39.
STATUS:
Closed.
l 9/14 420.41 Subsection 7.4.2 states that, "The results of the analysis which (7.4.2) determined the applicability to the Nuclear Steam Supply System safe shutdown systems of the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1".
This statement does not address the balance of plant (B0P) safe shutdown systems. Also, sufficient.information giving results of the analysis performed for safe shutdown systems cannot be found from Table 7.1-1.
Therefore, provide the results and a detailed discussion of how the BOP and NSSS systems required for safe shutdown meet CDCs 13, 19, 34, 35, and 38; IEEE Standard 279 requirements; Regulatory Guides 1.22, 1.47, 1.53, 1.68, and 1.75.
Be sure that you include a discussion of how the remote shutdown station complies with the above design criteria.
RESPONSE
Closely related to Items 38 and 39.
Staff will review to see if 3/23 more response is required.
ADDITIONAL
RESPONSE
Table 7.1-1 will be revised to include the GDCs, Standards, and 9/14 Regulatory Guides listed as being applicable to Section 7.4.
A draft revision of Table 7.1-1 is attached.
STATUS:
Confirmatory.
9/14 420.42 FSAR Section 7.4.2 states that, "It is shown by these analyses, (7.4.2) that safety is not adversely affected by these incidents, with the associated assumptions being that the instrumentation and controls i
i 1
indicated in Subsections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown". Please provide a discussion pertaining to the phrase " associated assumptions". Your discussion should address loss of off-site power associated with plant load rejection or turbine trip.
RESPONSE
Covered in the response to 420.38.
3/23 ADDITIONAL
RESPONSE
The phrase " associated assumptions" will be deleted. Loss of-9/14 off-site power will be addressed in the revised 7.4 (see 420.38).
STATUS:
Confirmatory.
9/14 420.43 Please discuss how a single failure within the station service (7.4.2) water system and/or the primary component cooling water system affects safe shutdown.
RESPONSE
Each of the independent and redundant flow trains of the station 3/23 service water system and the primary component cooling water system is capable of performing their safety functions necessary to effect a safe shutdown assuming a single failure. See Sections 9.2.1, 9.2.2 and 9.2.5 for further details.
STATUS:
Closed.
5/12 420.44 Using detailed electrical schematics and logic diagrams, discuss (9.2.5.5) the tower actuation (TA) signal which is generated to isolate the normal service water system and initiate the cooling tower system. Be sure to include in your discussion the possibilities of inadvertent switchover (loss of off-site power, etc.) and the affects this would have.
RESPONSE
The tower actuation circuit is being revised. The revised 3/23 drawings will be submitted for review.
ADDITIONAL i
RESPONSE
The TA actuation logic is being revised to correct deficiencies in 9/14 the logic and to provide the design features described in 420.73.
Latch relays are now used that require a signal to actuate and j
another signal to reset. Loss of off-site power or loss of power to the TA circuit will not cause inadvertent actuation. The
)
redundant cooling tower train will provide the service water i
function if one cooling tower train does not actuate. FSAR 9.2.5.5 will be revised, marked-up copy is attached.
STATUS:
Confirn story pending review of formal documentation.
9/14 i
420.45 FSAR Section 7.4.2 states that, " Loss of plant air systems will not (7.4.2) inhibit ability to reach safe shutdown from outside the control room".
Using detailed drawings, please provide further discussion l
l
on this matter. Clearly indicate any function required to reach safe shutdown from outside the control room which is dependent on air and the means by which the air is provided.
RESPONSE
Instrument air system is redundant, piping is safety grade and 3/23 seismically supported but appropriate safety-grade compressor has not been located. Critical to define how long system can operate from accumulator tanks.
Staff questioned atmospheric relief valve as to safety classification - valve itself is safety grade but control system is not.
This item is still open.
REVISED
RESPONSE
Instrument air is no longer required for safe shutdown as the 9/14 e.nergency feedwater control valves and the atmospheric dump valves no longer have pneumatic operators and the RHR system can be operated without the use of instrument air.
STATUS:
Confirmatory.
9/14 420.46 Describe the procedures to borate the primary coolant from outside (7.4) the control room when the main control room is inaccessible. How much time is there to do this?
RESPONSE
Handout given to NRC.
Staff questioned if MOV's and controls 3/23 mentioned are safety grade.
Items are safety grade.
If problem exists during review, it will'be covered under overall discussion i
of shutdown.
" Adequate time" mentioned in response is minimum of four hours.
STATUS:
This issue was discussed at the June 23 and 24, 1982, meeting,
' 9/14 and is closed.
HANDOUT:
Boration of the primary coolant will require an alignment of the 3/23 suction of charging pumps from the refueling water storage tank (RWST) to the boric acid storage tank (BAST). This will be required once the plant starts its cooldown. The gravity feed from the BAST to the suction of the charging pumps contains manual isolation valves located in the primary auxiliary building. The RWST suction valves contain motor-operated valves (MOV) that can be controlled from the motor control center in the switchgear. If need be, the MOV's can be operated locally. There is adequate time for an operator to follow the procedure since the plant is in a safe hot shutdown condition.
420.47 Using detailed drawings (schematics, P& ids'), describe the i
(7.4) automatic and manual operation and control of the atmospheric relief valves. Lescribe how the design complies with the requirements of IEEE-279 (i.e., testability, single failure, redundancy, indication of operability, direct valve position, indication in control room, etc.).
RESPONSE
Operation of these valves from a remote location is not considered 3/23 a safety-related function; therefore, they are not designed to - - -,
meet IEEE-279. Overview of operation given at meeting. Item still under review by staff and considered open.
REVISED i
RESPONSE
The operators for the atmospheric dump valves are being changed to 9/14
. safety grade operators that will comply with the requirements of IEEE 323-1974 and 344-1975. Safety grade manual control will be i
provided and will. override the non-lE automatic controls. The preliminary design was discussed.
STATUS:
Confirmatory pending review of formal documentation.
9/14 420.48 Using detailed electrical schematics and piping diagrams, pleas e (7.4.2) discuss the automatic and manual operation and control of the (7.3) station service water system and the component cooling water system. Be sure to discuss interlocks, automatic switchover, testability, single failure, channel independence, indicrtiva of operability, isolation functions, etc.
RESPONSE
Reviewed system design and operation from drawings and 3/23 schematics. Staff will review isolation of non-seismic portion of service water system during earthquake without another accident.
ADDITIONAL
RESPONSE
Low service water pump discharge pressure (could be the result of 5/12 tunnel blockage due to an earthquake) will result in tower actuation (TA). The TA signal will isolate the non-seismic portion of the SW system.
ADDITIONAL l
RESPONSE
An analysis was performed that shows that a complete failure of l
9/14 the non-seismic SW piping will reduce SW pump discharge pressure below the tower actuation setpoint. The non-seismic SW-piping is isolated on tower actuation, safety injection and loss of off-site.
power (see revised 9.2.5.5 in response to 420.44).
l STATUS:
Open pending ICSB review with ASB.
9/14 420.49 The information supplied in FSAR Section 7.5 concentrates on the (7.5) post accident monitoring instrumentation and does not provide l
sufficient information to describe safety related display instrumentation needed for all operating conditions. Therefore, please expand the FSAR to provide as a minimum additional information on the following:
1.
ESF Systems Monitoring i
2.
ESF Support Systems Monitoring 1
3.
Reactor Protective System Monitoring 4.
Rod Position Indication System
- i I
5.
Plant Process Display Instrumentation 6.
Control Boards and Annunciators 7.
Bypass and Inoperable Status Indication 8.
Control Room Habitability Instrumentation 9.
Residual Heat Removal Instrumentation Please use drawings as necessary during your discussion.
RESPONSE
All except Item 6 will be covered in response to Regulatory Guide
-3/23 1.97.
Summary of VAS and annunciator system will be provided.
ADDITIONAL
RESPONSE
Letter.SBN-268, dated 5/4/82, forwarded additional information on 5/12 the main plant computer system and the VAS.
The annunciators are standard lightboxes that respond to digital inputs. Power is supplied from inverters and the de system.
Audible alarms and controls are shared with the VAS.
The alarm sequence is:
Operator Alarm Ringback Condition Action Visual Audible Audible Off Off Off 1.
No rmal 2.
Off Normal Fast On Off Flash 3.
Off Normal Silence Fast Off Off Flash 4.
Off Normal Acknowledge Steady Off Off i
5.
Normal Slow Off On Flash (momentary)-
6.
Norm 41 Reset Off Off Off i
The an unciator alarms are a subset of the VAS alarms and were selected to provide essential alarms if the VAS is inoperable.
The alarm points are shown on Drawings 9763-C-509109 through 509114. Some VAS inputs are obtained from relays in the annunciator that duplicate the input to the annunciator. Failure of the VAS will not affect the annunciator.
I FSAR 7.5 will be revised in our response to Regulatory Guide 1.97, Revision 2.
SIATUS:
SBN-268 was discussed on 6/21/82 by NRC/PSNH/YAEC. 'Information 7/15 was requested on sof tware QA and security; control of alarm priority (criteria and method for assigning priorities);
management functions; and the use as a Regulatory Guide 1.47 monitor (see RAI 420.10).
4
. ADDITIONAL
RESPONSE
VAS Software QA and Security 9/14 1.
The testing of the video alarm system (VAS) is being conducted as part of the startup test program in two phases.
Phase 1 will be run after installation of the computer equipment at the plant site and will validate the functional operation of the VAS system.- Tests will be run using projected worst case conditions derived from simelator date.
Phase 2 will verify operation of individual computer inputs as plant systems are checked out.
j 2.
Changes to the software after the Phase 1 testing has been completed will be controlled by procedure. This procedure,
- under control of the Station Plant Manager, will ensure that changes to the tested software are authorized and adequately tested before they are implemented. The change control
- procedure will require operator authorization to make the change, documentation of the change, retest of the affected system, and integration into the procedures and operator training as applicable.
J i
3.
The following operator change functions are under keylock and administrative procedure control:
delete / restore a point from alarming delete / restore a group of points from alarming delete / restore a point from scan i
modify a point's alarm limits i
modify a point's engineering value 4.
Procedures will be available for review three months prior to fuel loading:
VAS Alarm Priority f
i The Operations Group is in the process of reviewing the VAS alarms for priority, alarm message, point identification and destination. Their comments will be incorporated in the project documents. The following priority guidelines are being used:
i i
Priority One - Immediate operator response required to:
A.
Prevent plant shutdown.
B.
Minimize the consequences of a shutdown.
i Priority Two - Occurrence of alarm indicates a degradation of a I
major plant system that could result in plant shutdown, power j
reduction, or reduced availability of a safety system.
[
f l.
i i
i
,n.-
,-n
-n w > -
-w
,-----..-,r.
--,,,-,v-
,-.,,m-,--,---
,r,,
Priority Three - Occurrence of alarm indicates degradation of a system component or are informational items describing a change of state.
STATUS:
The VAS software response will be raviewed by the NRC and 9/14 discussed during a conference call to be scheduled later. FSAR 7.5, 7.2.2.2 (13) and (20) are being revised to provide the additional information requested.
420.50 If reactor controls and vital instruments derive power from common (7.5) electrical distribution systems, the failure of such electrical distribution systems may result in an event requiring operator action concurrent with failure of important instrumentation upon which these operator actions should be based. IE Bulletin 79-27 addresses several concerns related to the above subject. You are requested to provide information and a discussion based on each IE Bulletin 79-27 concern. Also, you are to:
1.
Confirm that all a.c. and d.c. instrument buses that could affect the ability to achieve a cold shutdown condition were reviewed.
Identify these buses.
2.
Confirm that all instrumentation and controls required by emergency shutdown procedures were considered in the review.
Identify these instruments and controls at the system level of detail.
3.
Confirm that clear, simple, unambiguous annunciation of loss of power is provided in the control room for each bus addressed in item 1 above.
Identify any exceptions.
4.
Confirm that the effect of loss of power to each load on each bus identified in item 1 above, including ability to reach cold shutdown, was considered in the review.
5.
Confirm that the re-review of IE Circular No. 79-02 which is required by Action Item 3 of Bulletin 79-27 was extended to include both Class lE and Non-Class lE inverter supplied instrument or control buses.
Identify these buses or confirm that they are included in the listing required by Item 1 above.
RESPONSE
Refer to the attached response to IE Bulletin 79-27 and two 3/23 attached responses to IE Circular 79-02.
9/14 1.
All lE and non-lE ac and de instrument buses were reviewed.
Refer to the listing of buses reviewed in the attached response to Bulletin 79-27.
2.
Redundant instrumentation and controls required for safe shutdown are available at the control room and the remote
/
shutdown location. Loss of an entire power train will not hf/fI prevent the ability to accomplish cold shutdown with the control and indication powered by the other train.
3.
Annunciation of loss of power is provided in the main control room through Seabrook video alarm system. The wording of all alarms is subject to review by the station operating staff to insure clarity.
4.
See Item' 2.
5.
Refer to the two attached responses to Circular 79-02.
The buses are listed in the response to Bulletin 79-27.
ADDITIONAL
RESPONSE
Item 1 was revised. We will clarify the reviews performed for 5/12 Items 2 and 4.
All required instrumentation and controls will be identified.
Our emergency procedures will contain the items requested by I&E Bulletin 79-27, Items 2.a, 2.b and 2.c.
We will provide additional information on our inverters as requested by I&C Circular 79-02 (time-delay, modifications).
ADDITIONAL
RESPONSE
Item 1 was revised.
The NRC clarified the additional information 7/15 requested in Items 2 and 4.
A handout on inverters was reviewed and is included in the meeting minutes.
HANDOUT:
Time Delay Circuits on Inverters 7/15 1.
Class lE 7.5 kVA inverters (I-1A, -1B, -lC, -lD, -lE and -lF).
There are no time delays on the voltage sensing circuits on the Class lE inverters. High de voltage at the output of the rectifier section will result in tripping the ac input only.
Power will continue to be supplied from the 125 V de battery.
2.
Non-Class lE 60 kVA inverters (I-2A and I-2B).
There are no time delays on the voltage sensing circuit, on these inverters. High or low de voltage at the rectifier section output and high or low ac voltage at the inverter section output will trip the inverter off and force an automatic transfer to the backup ac supply through the solid state transfer switch, 3.
Non-Class lE 25 kVA inverter (I-4).
i l
There are no time delays on the voltage sensing circuits on this inverter. High or low de voltage at the inverter j
section input will trip the inverter input breaker and force an automatic transfer to the backup ac supply through the solid state transfer switch.
No modifications to the lE and non-lE inverter were found necessary as a result of the re-review of IE Circular 79-02.,
1
=,
m..
STATUS:
Closed.
9/14 420.51 Table 7.1-1 indicates that conformance to R.G. 1.97 is discussed (7.5) in Section 7.5.3.2.. However, Section 7.5.3.2 is a section of definitions only. We find partial discussion on conformance in Section 7.5.3.1.
Correct Table 7.1-1.
Also, FSAR Section 1.8 states that Regulatory. Guide 1.97, Revision 2, is presently being -
reviewed and the extent of compliance will be addressed at a later date. Discuss the plans and schedule for complying with R.G.
1.97, Revision 2.
RESPONSE
Applicant is working on response to Regulatory Guide 1.97, 3/23.
Revision 2.
Schedule will be supplied at a later date.
STATUS:
We have continued to review Seabrook.for compliance with Regulatory i
9/14 Guide 1.97, Rev. 2.
We are following the applicable discussions within the NRC, particularly those of the CRGR in relation to SECY gjg 82-111. Will not be an open item on the SER.
/F/
420.52 Provide a discussion (using detailed drawings) on the residual.
(7.6.2) heat removal (RHR) system as it pertains to Branch Technical Position ICSB 3 and RSB 5-1 requirements. Specifically address the following as a minimum:
1.
Testing of the RHR isolation valves as required by branch position E of BTP RSB 5-1.
~
2.
Capability of operating the RHR from the control room with either onsite or only off-site power available as required by Position A.3 of BTP RSB 5-1.
This should include a discussion of how the RHR system can perform its function assuming a single failure.
3.
Describe any operator action required outside the control room after a single failure has occurred and justify.
In addition, identify all other points of interface between the Reactor Coolant System (RCS) and other systems whose design pressure is less than that of the RCS. For each such interface, discuss the degree of conformance to the requirements of Branch Technical Position ICSB No. 3.
Also, discuss how the associated interlock circuitry conforms to the requirements of IEEE Standard 279. The discussion should include illustrations from applicable drawings.
RESPONSE
The RHR isolation valves can be tested while on RHR by operating 3/23 only one RHR pump, removing power from one valve associated with the operating pump, simulating high pressure in the isolation.
channel for the valve that has power removed and verifying that the associated valve in the non-operating loop closes. The system is restored, the sequence repeated for the other isolation channel, cooling shifted to the other loop and the test sequence repeated.
NRC will review reply to RAI 440.23 and 440.24 that address power sources.
There is no other system interfacing with the reactor coolant system (RCS) whose design pressure is less than that of the RCS.
STATUS:
The RSB has concerns with the response to RAI 440.23.. They are
. 9/14
' continuing their review. Additional information will be provided on the design of the RHR suction valve controls and indication and time available to restore RHR flow following inadvertent closure RHR suction valves. Information will include alarms for switch position, need for temporary modification, alarm to indicate valve i
closure, sidlysis to consider worst case conditions for all modes, and operator action required. FSAR 5.4.7.2 will be revised.
420.53 FSAR Section 7.6.4, Accumult. tor Motor-Operated Valves, states that, (7.6.4)
"During plant operation, these valves are normally open, and the motor control center supplying power to the operators is de-energized". Describe how power is removed and how the system complies to Positions B.2, B.3 and B.4 of BTP ICSB 18 (PSB).
4 Also, identify any other such areas of design and state your j
conformance to the positions of BTP ICSB 18.
RESPONSE
Covered in response to 420.59.
3/23 STATUS:
Closed.
5/12 1
420.54 FSAR Section 7.3.1.1 states that, The transfer from the injection (7.3.1.1) to the recirculation phase is initiated automatically and completed (7.6.5) manually by operator action from the main control board".
4 Describe automatic and manual design features permitting switchover from injection to recirculation mode for emergency core cooling including protection logic, component bypasses and overrides, parameters monitored and controlled and test capabilities. Discuss design features which insure that a single i
failure will neither cause premature switchover nor prevent i
switchover when required. Discuss the reset of Safety Injection i
actuation prior to automatic switchover fom injection to recirculation and the potential for defeat of the automatic, switchover function. Confirm whether the low-low level refueling water storage tank alarms which determine the time at which the containment spray is switched to recirculation mode are safety grade.
RESPONSE
Will be discussed later.
3/23
RESPONSE
The step-by-step automatic and manual switchover operations are 5/12 described in detail in FSAR Section 6.3.2.8 and Table 6.3-7.
The l
ECCS/ Containment Spray Recirculation Signal is generated for each train by a combination of the safety injection signal and low-low level in the RWST. The level signal uses 2 out of 4 logic to prevent premature switchover and to ensure switchover is 4 i
4
,--w2,,-my,.,..-,,- -.
mm.m, y
-.e-c
..,_-_-,e gy-
,--.-r,_w_.-.-..
.._,___,___7,q.-
,,n,%
y 977--,,,-,---
f accomplished. Each ESF train uses completely redundant equipment for recirculation to ensure that the safety functions are accomplished. The operator is provided with safety grade indicators for RWST and containment sump level, and manual controls for all the valves required for recirculation so that recirculation can be accomplished without any automatic action.
Non-safety grade but. independent low-low level alarms are available from the VAS and the annunciator to alert the operator i
of the need for recirculation.
The safety injection signal sets latching relay K740 that requires separate action to reset after the safety injection signal has been reset. This ensures automatic recirculation on low-low level in the RWST even if the safety injection signal is reset before the low-low level is reached. Lights will be provided on MCB AF and BF to indicate when K740 is latched to ensure that it is reset after periodic testing. The light has a lamp test feature. Its operatioa is also verified as part of the periodic testing.
ADDITIONAL
RESPONSE
The independence of the non-safety grade RWST low-low level alarms 7/15 was discussed. Details will be provided later. Level setpoints are provided in Figure 6.3-6 (Amendment 45).
ADDITIONAL
RESPONSE
The four transmitters that provide the low-low level recirculation 9/14 signal will provide an annunciator alarm when any of *,he low-low a
level histables have tripped. A wide range level transmitter will provide an analog input to the station computer. The station computer will generate a VAS low-low level alarm at the same setpoint as the annunciator alarm.
STATUS:
Confirmatory pending review of formal documentation.
9/14 420.55 FSAR Section 5.2.5.8 states that calibration and functional testing (5.2.5.8) of the leakage detection systems will be performed prior to initial (7.6) plant startup. Please provide justification since Position C.8 of Regulatory Guide 1.45 states that, " leakage detection systems should be equipped with provisions to readily permit testing for operability and calibration during plant operation".
RESPONSE
The electronics can be tested with plant at power.
There are 3/23 readouts that can be checked during plant operation. Radiation sensors can be tested at power because they have check source in I
them. Level sensors will be channel calibrated in accordance with Technical Specifications.
STATUS:
Closed.
5/12 420.56 As shown on Drawing 9763-M-310882 SH-B54a, two circuit breakers in (7.6) series are employed in the power and control circuits for the residual heat removal inlet isolation valves. Tripping of either )
I breaker will remove power from the position indicating lights and valve position indication will be lost. Discuss how this arrangement complies with Branch Technical Position ICSB No. 3 which calls for cuitable valve position indication to the control room.
RESPONSE
Handout submitted to staff. Valve position indicator lights will 3/23 be powered from different source so that true valve position will always be indicated when power is removed from valve motor by racking out breaker. This applies to RHR interface valves.
STATUS:
Confirmatory pending review of formal documentation.
9/14 HANDOUT:
Two circuit breakers in series are employed in the circuits of 3/23 motor-operated valves inside containment. This is part of the containment penetration protection provided in response to Regulatory Guide 1.63.
Refer to FSAR Section 8.3.1.1.c.7a.
Valve position indication is provided on both RCS-RHR interface valves which are in series. As with any circuit, when power is removed because of a fault, indication will also be lost.
We believe that our revised design meets the intent of ICSB 3 position B4.
In addition to the normal valve position indication lights, the valve full closed position is also monitored by the station computer to alarm whenever the valve is not fully closed and the reactor coolant system is above the pressure rating of the RHR system.
420.57 Section 7.6.2.1 indicates that the interlock circuits of the (7.6) residual heat removal isolation valves, RC-V22 and RC-V87, have a transmitter that is diverse from the transmitter associated with valves RC-V23 and RC-V88.
Discuss the method (s) used to achieve this diversity.
RESPONSE
Different manufacturers for pressure transmitters are used to 3/23 achieve the diversity.
STATUS:
Closed.
5/12 420.58 Discuss conformance of the accumulator motor-operated valves to (7.6) the recommendations of Branch Technical Positions ICSB No. 4.
RESPONSE
Handout submitted to staff. Change response to indicate valve 3/23 position is monitored through video alarm system (VAS). Details of VAS will be in the response to 420.49.
Staff will review adequacy of alarm.
i l i
STATUS:
Closed.
9/14 HANDOUT:
The design of the accumulator motor-operated valves conforms to 3/23 the recommendations of ICSB No. 4.
Refer to FSAR Section 7.6.4 for a response to Branch Technical Positions B1 and B2.
[
Branch Technical Position B3:
Valve position is monitored and alarmed by the video alarm system.
Branch Technical Position B4:
The automatic safety injection signal bypasses all main control board switch functions which may have closed the SI accumulator valve.
The safety injection signal will not automatically return power to the de-energized motor control center.
420.59 Section 7.6.9 of the FSAR lists the motor-operated valves which (7.6) will be protected from spurious actuation by removal of motor and control power by de-energizing their motor control centers (MCC 522 and MCC 622). The FSAR also states that control of the breakers supplying power to these MCCs is provided in the main control room. Provide the following information:
i (a) The control the the MCC breaker from the Main Control Board for a typical Safety Injection System accumulator isolation valve is not shown on schematic diagram 9763-M-310890 Sh.
B35a. Identify the drawing where this is shown.
(b) The residual heat removal inlet isolation valves are not included in the list of valves protected against spurious operation.
State whether protection against spurious action of these isolation valves is planned and if so, provide information on how it is accomplished. If not, then justify.
I i
RESPONSE
(a) Refer to FSAR Section 8.3.3.
Alarm is provided in the 3/23 control room when the breaker is closed.
r (b) Reply given in response to RAI 440.23 and will be reviewed by the staff.
1 l
ADDITIONAL t
RESPONSE
We will explain the operation of valves 35, 36, 89, 90 and 93 and 5/12 the effects of failure of valve 93 or its position switches.
l STATUS:
The valve interlocks were discussed during the meeting held j
9/14 June 23, 1982. Additional information on interlock testing is l
required.
I l
420.60 The following apparent errors have been noted in the schematic
(
(7.6) diagrams.
l
! I
4 1
(a) Drawing M-310980, Sh. B35d, Rev. O Contacts 5-5C on LOCAL REMOTE SWITCH SS-2403 appear incorrectly developed. An X indicating contacts closed shculd appear under the REMOTE column for contact 5 to allow remote closing of the accumulator valves.
(b) Drawing 9763-M-310900, Sh. B52a, Rev.1 Motor starter 42 open coil is mislabeled 42/C instead of 42/0.
RESPONSE
We agree with your observation of drawing errors on the two 3/23 schematic sheets mentioned and this will be corrected in the next revision of these drawings.
STATUS:
Closed.
5/12 420.61 FSAR Section 7.6.6 discusses interlocks for RCS pressure control r
(7.6.6) during low temperature operation. Using detailed schematics, discuss how this interlock system complies with Positions B.2, B.3, B.4 and B.7 of BTP RSB 5-2.
Be sure to discuss the degree of redundancy in the logic for the low temperature interlock for the RCS pressure control. Also, include a discussion on block valve control.
RESPONSE
Reply for the low temperature operation of the RCS pressure 3/23 control will be under RAI 440.11.
The block valves and manual controls are Class lE, train oriented, with controls being on the main control board.
REVISED
RESPONSE
Design of the cold overpressure interlocks will be changed to 5/12 make them single failure proof.
ADDITIONAL
RESPONSE
The single failure problem with the cold overpressure interlocks 9/14 was related to the use of one auctioneer card in each circuit to arm the other circuit and actuate the same circuit. Redundant l
auctioneer cards will be added to each circuit so that the arming l.
and actuating signals will be independent, therefore, no single failure will prevent operation of both relief valves. FSAR Figures 7.6-4 will be revised.
STATUS:
Confirmatory pending review of formal documentation.
9/14 420.62 If control systems are exposed to the environment resulting from (7.7) the rupture of reactor coolant lines, steam lines or feedwater lines, the control systems may malfunction in a manner which would cause consequences to be more severe than assumed in safety analyses.
I&E Information Notice 79-22 discusses certain non-safety grade or control equipment, which if subjected to the adverse environment of a high energy line break, could impact the.
t
, - -,3 c_..
,-r
,e
-,,,,m.
,,..-.-,,m-,
safety analyses and the adequacy of the protection functions performed by the safety grade' systems.
The staff is concerned that a similar potential may exist at light water facilities now under construction. You are, therefore, requested to perform a review per the I&E Information Notice 79-22 concern to determine what, if any, design changes or operator actions would be necessary to assure that high energy line breaks will not cause control system failures to complicate the event beyond the FSAR analysis. Provide the results of your review including all. identified problems and the manner in which you have resolved them.
The specific " scenarios" discussed in the above referenced Information Notice are to be considered as examples of the kinds of interactions which might occur. Your review should include those scenarios, where applicable, but should not necessarily be limited to them.
RESPONSE
We will identify key control systems that effect plant safety and 3/23 analyze for effects of high energy line break. Review will be completed and formal response to I&E-Information Notice 79-22 submitted.
STATUS:
We have received the memo from Check to Tedesco that provides (420.62 &
additional guidance. Our review is in progress and the required
.63) reports will be submitted later.
j 9/14 1
420.63 If two or more control systems receive power or sensor information (7.7) from common power sources or common sensors (including common headers or impulse lines), failures of these power sources or l-sensors or rupture / plugging of a common header or impulse line could result in transients or accidents more severe than 3
considered in plant safety analyses. A number of concerns have been expressed regarding the adequacy of safety systems in mitigation of the kinds of control system failures that could actually occur at nuclear plants, as opposed to those analyzed in FSAR Chapter 15 safety analyses. Although the Chapter 15 analyses are based on conservative assumptions regarding failures of single control systems, systematic reviews have not been reported to demonstrate that multiple control system failures beyond the Chapter 15 analyses could not occur because of single events.
Among the types of events that could initiate such multiple failures, the most significant are, in our judgment, those resulting from failure or malfunction of power supplies or sensors common to two or more control systems.
To provide assurance that the design basis event analyses adequately bound multiple control system failures, you are i
requested to provide the following information:
(1) Identify those control systems whose failure or malfunction could seriously impact plant safety.
i
_44_
g,
(2) Indicate which, if any, of the control systems identified in (1) receive power from common power sources. The power sources considered should include all power sources whose failure or malfunction could lead to failure or malfunction of more than one control system and should extend to the effects of cascading power losses due to the failure of higher level distribution panels and load centers.
(3) Indicate which, if any, of the control systems identified in Item 1 receive input signals from common sensors. The sensors considered should include, but should not necessarily be limited to, common hydraulic headers or impulse lines feeding pressure, temperature, level or other signals to two or more control systems.
(4) Provide justification that any simultaneous malfunctions of the control systems identified in (2) and (3) resulting from failures or malfunctions of the applicable common power source or sensor are bounded by the analyses in Chapter 15 and would not require action or response beyond the capability of operators or safety systems.
RESPONSE
We will submit formal response similar to that submitted on other 3/23 Westinghouse plants.
STATUS:
See 420.62.
9/14 420.64 FSAR Section 7.7.1 discusses steam generator water level control.
(7.7.1)
Discuss, using detailed drawings, the operation of this control system. Include information on what consequences (i.e.,
overfilling the steam generator and causing water flow into the steam piping, etc.) might result from a steam generator level control channel failure. Be sure to discuss the high-high steam generator level logic used for main feedwater isolation.
RESPONSE
High-high steam generator level trip will be changed to two out of 3/23 four logic.
ADDITIONAL
RESPONSE
S/G level is not programmed as a function of power level. 420.67 5/12 from the draft memo dated 3/22/82 is now 420.70.
STATUS:
Confirmatory pending review of formal documentation.
9/14 420.65 Recent review of a plant (Waterford) revealed a situation where (7.2) heaters are to be used to control temperature and humidity within (7.3) insulated cabinets housing electrical transmitters that provide input signals to the reactor protection-system. These cabinet heaters were found to be unqualified and a concern was raised since possible failure of the heaters could potentially degrade the transmitters, etc.._
1 Please address the above design as it pertains to Seabrook.
If cabinet heaters are used, then describe as a minimum the design criteria used for the heaters.
RESPONSE
Class lE electronic transmitters are not mounted in an insulated 3/23 cabinet with heaters for temperature and humidity control. The subject design, therefore, does not pertain to Seabrook.
STATUS:
Closed.
5/12 Note:
The NRC memo dated March 22, 1982, on the SSPS slave relay contacts is now 420.81.
420.66 It is not clear from the drawings provided and the description of (7.2) the turbine trip circuits and mechanisms that the equipment used-to trip the turbine following a reactor trip meets the criteria applicable to equipment performing a safety function.
It is the staff position that the circuits and equipment used to trip the turbine following a reactor trip should meet the criteria applicable to a safety function with the exception of the fact that the circuits may be routed through non-seismic qualified structures and the turbine itself is not seismically qualified.
Please provide further discussion on how the Seabrook design meets the staff position.
RESPONSE
We will comply with the attached Westinghouse Interface Criteria 5/12 for Implementation of Turbine Trip on Reactor Trip. We are discussing the design changes required with General Electric Co.,
the turbine supplier.
J ADDITIONAL
RESPONSE
We will provide redundant, safety grade (except for seismic 9/14 qualification) solenoids powered from the vital busses, that are energized to trip the turbine.
SIATUS:
Confirmatory pending review of formal documentation.
9/14 420.67 The reactor coolant system hot and cold leg resistance temperature (7.2) detectors (RTD) used for reactor protection are located in reactor l
coolant bypass loops. A bypass loop from upstream of the steam generator to downstream of the steam generator is used for the hot leg resistance temperature detector and a bypass loop from
(
downstream of the reactor coolant pump to upstream of the pumps is j
used for the cold leg resistance temperature detector. The j
magnitude of the flow affects the overall time response of the temperature signals provided for reactor protection.
It is the staff's position that the magnitude of the RTD bypass loop flow be verified to be within required limits at each refueling period and that this requirement be included into the plant technical specifications. Please provide discussion on how i
the Seabrook design complies with the staff's position. If there are any exceptions please describe and provide justification.
RESPONSE
Westinghouse letter SNP-4340, attached, evaluates the potential 5/12 for reduced flow in the RTD Bypass System due to corrosion product de position.
Based on their analysis, we do not consider flow reduction due to crud to be a problem.
We will verify the bypass flow rates during the preoperational testing program. The low flow alarm in the combined return line will be set at a value to indicate unacceptable flow degradation in either the cold or hot leg bypass manifolds.
This response is the same as was made to Catawba.
This item is open pending NRC review.
STATUS:
The NRC reiterated the position that the bypass flow be 7/15 reverified each refueling. Technical Specification revision is required.
ADDITIONAL
RESPONSE
Preoperational verification of bypass flow will be by test 9/14 procedure that follows the guidance of NAH/NCH-SU-2.1.9, Resistance Temperature Detector Bypass loop Flow Verification.
Surveillance procedures that verify the bypass loop flow will be available 90 days before fuel loading. The surveillance procedure will be performed every refueling. Any required Technical Specification will be generated as part of procedures outlined in NUREG 0452, Revision 4.
STATUS:
Closed.
9/14 420.68 Operation of either of two manual reactor trip switches (7.2) de-energizes the reactor trip breaker undervoltage coils and, at the same time, energizes the breaker shunt coils for the breakers associated with both protection logic trains.
It is the staff's position that the plant technical specifications include a requirement to periodically, independently verify the operability of the undervoltage and shunt trip functions. Please describe how the Seabrook design complies with our position.
If there are any exceptions please identify with sufficient justification.
RESPONSE
We defer response pending generic resolution of this item by 5/12 Westinghouse and the NRC (Ref. NS-EPR-2588, dated 4/29/82).
STATUS:
The NRC has responded to the Westinghouse letter.
Issue is 9/14 still open. Westinghouse is preparing for further discussions.
420.69 Several safety system channels make use of lead, lag or rate signal (7.2) compensation to provide signal time responses consistent with.
q
-assumptions in the Chapter 15 analyses. The time constants for these signal compensations are adjustable setpoints within the analog portion of the safety system.. The staff position is that the time constant setpoint be incorporated into the plant technical specifications. Please provido a discussion on this matter.
RESPONSE
The time constants are in Tables 2.2-1 and 2.2-2 of the Technical
)
5/12 Specification. Attached is a revised Table 2.2-2 with editorial corrections and inclusion of the time constants that clarify Item j
4.E.
1 STATUS:
Closed.
9/14 420.70 The present Seabrook design shows that three steam generator level (7.2) channels are to be used in a two-out-of-three logic for isolation (7.3) of feedwater on high steam generator level and that one of the three level channels is used for control. This design for
, actuation of feedwater isolation does not meet Paragraph 4.7 of IEEE-279 on " Control and Protection System Interaction".. For example, the failure of the level channel used for control in the low direction could defeat the redundancy requirements (i.e., a single failure of one of the remaining channels defeats the a
two-out-of-three requirements). Therefore it is the staff's position that the system be modified (i.e., addition of a fourth protection channel) to meet the redundancy requirements or provide an analysis justifying that isolation of feedwater on high-high steam generator level is not required for safety. Please prov'de a discussion based on the above staff requirements.
RESPONSE
This was addressed in the March 23-25 meetings as Item 420.67.
5/12 Commitment was made to change the S/G high level trip to 2 out' of 4 (see 420.64).
STATUS:
Confirmatory pending review of formal documentation.
9/14 420.71 FSAR Figure 7.2-1, Sheet 2 shows a reactor trip initiated by a (7.2)
General Warning Alarm from the Solid State Protection System. The information presented in the FSAR does not sufficiently describe this trip signal. Therefore, please provide additional i
information to describe and justify this reactor trip.
f
RESPONSE
The Seabrook SSPS is functionally similar to that discussed at I
5/12 Catawba. FSAR Section 7.2.2.2 will be revised per attached markup as was done at Catawba.
STATUS:
Closed.
9/14 420.72 Using detailed drawings (schematics, P&ID's), describe the (7.3) automatic and manual operation and control of the main steam and feedwater isolation valves. Describe as a minimum how the design complies with the requirements of IEEE-279 (i.e., single failure, redundancy-indication of operability, direct valve position indication in the control room, automatic actuation, etc.).
RESPONSE
-(a) Discussions on circuit modifications to the MISV controls 5/12 continue. Response is deferred pending resolution (see 420.37a).
(b) The MFWIV's were discussed with 420.37.
STATUS:
Closed (items called out above were discussed 'with those of 9/14 420.37).
1 420.73
-Ir.strumentation for process measurements used for safety functions (7.3) such as reactor trip or emergency core cooling typically are (7.4)
'provided with the following:
a)
An indicator in the control room to provide the operator information on the process variable being monitored which can also be used for periodic surveillance checks of the instrument transmitter.
b)
An alarm to indicate to the operator that a specific safety function has been actuated.
c)
Indicator lights or other means to inform the operator which specific instrument channel has actuated the safety. function.
I j
d)
Rod positions, pump flows, or (sive positions to verify that the actuated safety equipment ha. taken the action required for the safety function.
i e)
Design features to allow test of the instrument channel and actuated equipment without interfering with normal plant operations.
During recent reviews, it has been found that one or more of the.
i features above was not provided for certain instrumentation used to initiate safety functions.- Examples include instrumentation j
used to isolate essential service water to the air compressors, instrumentation used to isolate the non-safety-related portion of the component cooling water system, and instrumentation used to r
isolate the spray additive tank on low-low level.
The staff position is that instrumentation provided to perform safety functions such as isolati,ng non-seismic portions of systems, closing valves when tank levels reach low level setpoir ts, and similar functions should be provided with alarms and indicators commensurate with the importance of the safety functioi and should be testable without interfering with normal plant oaerations. The applicants should provide the staff with a list of all instrument channels which perform a safety function I
where one or more of the features listed in a through e of the
}
concern above are not currently provided. For each of these instrument channels, the applicants should indicate which of the features a through e are not currently provided. The staff.
4
. - _, _ -,.. ~.. -
... ~ _ - - - -.,, -
position on these instrument channels is'further that the applicants should:
a)
Provide an alarm to indicate that the safety function has been actuated if such an alarm is'not in.the current design.
-b)
If not in the current design, provide means to inform the operator which specific ~ channel has actuated the safety function.
l c)
If not in the current design,' provide indication that the j
actuated safety equipment has taken the action required for the safety function.
d)
If not in the current design, provide the capability for testing each safety function without interfering with normal plant oper. -ions and without lif ting instrument leads or using jury tigs. The capability for testing should include the transmitter.where indicators are not provided to perform operability checks of the transmitters.
The staff will provide requirements in the plant technical specifications for testing these safety functions. Please provide discussion on how the Seabrook design meets the above stated staff position.
If there are any exceptions please describe and provide justification.
RESPONSE
A preliminary list was provided. We are evaluating the missing 5/12 features and will respond at the next meeting.
STATUS:
Our review continues. A complete report will be submitted at a 9/14 later date.
420.74 On November 7, 1979, Westinghouse notified the Commission of a (7.3) potential undetectable failure which could exist in the engineered safeguards P-4 interlocks. Test procedures were developed to detect failures which might occur. The procedures require the use of voltage measurements at the terminal blocks of the reactor trip breaker cabinets.
In order to minimize the possibility of accidental shorting or grounding of safety system circuits during testing, suitable test jacks should be provided to facilitate testing of the P-4 interlocks. Provide a discussion on how the above issue will be resolved for Seabrook.
RESPONSE
In SBN-120, dated May 15, 1980, we committed to the tests described 5/12 in NS-TMA-2204.
ADDITIONAL
RESPONSE
We will provide suitable circuits for testing the P-4 interlock.
7/15 Details will be provided later....
. ADDITIONAL
RESPONSE
Test switches and meters will be permanently installed to perform 9/14 the tests outlined in SBN-120.
i STATUS:
Closed.
9/14 420.75 On May 21, 1981, Westinghouse notified the Commission of a (7.3) potentially adverse control and protection system interaction i
(9.3.4) whereby a single random failure in the Volume Control Tank level (6.3) control system could lead to a loss of redundancy in the high head safety injcetion system for certain Westinghouse plants. Please determine whether this generic problem exists on Seabrook and, if so, how the problem is to be resolved.
RESPONSE
The generic problem is applicable to Seabrook. We are evaluating 5/12 Westinghouse recommendations for procedural changes.
ADDITIONAL
RESPONSE
In SBN-164, dated June 18, 1981, we committed to reviewing the 9/14 plant procedures to ensure that the operators would be properly alerted and would take appropriate action. The procedures will be available for review 3. months prior to fuel loading. An analysis l
performed by Westinghouse (see NAH-1935, dated April 23, 1982, copy attached). indicates that there is in excess of ten minutes from the VCT low level alarm until the VCT is empty.
STATUS:
Open pending NRC review.
'9/14 420.76 Discuss the likelihood that emergency core cooling will be (7.4) automatically initiated following a manual reactor trip initiated 4
during a temporary evacuation of the control room. For example, is it possible for the reactor coolant system to be cooled to the point that the pressurizer empties during the time interval between manual reactor trip and the time an operator can take control of auxiliary feedwater outside the control room? Analyses and operating experience from plants similar to Seabrook should be presented during the discussion. Based upon the likelihood of emergency core cooling actuation following a manual reactor trip, should the capability'for resetting the equipment be provided outside the control room?
i
(
RESPONSE
Westinghouse has analyzed the transient resulting from 9/14 evacuation of the control room using the following assumptions:
I i
1.
The-reactor turbine, RCPs, and MSlVs were tripped prior to l
leaving the control room, no other operator action was taken.
s l
2.
The trip was from 100% power with no decay heat.
i 3.
EFW temperature was 60 F.
c I
^
4.
Both EFW pumps operate and provide 1440 GPM.
The analysis shows that safety injection will not occur until more than 12 minutes after the reactor trip. This will provide sufficient time for the operator to throttle EFW flow to stop the cooldown.
If safety injection is actuated, the operator has the capability of terminating flow by stopping the charging and RHR pumps from CP 108 A & B and by tripping the SI pumps at the switchgear. These pumps can be restarted from outside the control room without temporary modifications if necessary. Automatic start of the SI pumps is not defeated by local trip of the breaker.
STATUS:
Open pending NRC review with RAI 420.38.
9/14 420.77 The FSAR states that the pressurizer auxiliary spray valve is used (7.4) during cooldown when the reactor coolant pumps are not operating (5.4.10.3) and FSAR Section 7.4 lists the auxiliary spray as a system required for safe shutdova. FSAR Figure 9.3-13 shows this system as a single path with a single diaphragm operated valve. A single failure could conceivably:
1)
Prevent the use of auxiliary spray for cooldown, 2)
Cause inadvertent actuation, or 3)
Prevent isolation of the system.
Using detailed fluid and schematic drawings, please provide further discussion describing the operation of the auxiliary spray system.
RESPONSE
The safety grade power operated relief valves will be used to 9/14 depressurize the RCS during safe shutdown; therefore, the auxiliary spray valves have been deleted from FSAR 7.4.
See the draft revision provided for RAI 420.38.
STATUS:
Confirmatory pending review of formal documentation.
9/14 420.78 Provide a discussion on the termination of possible inadvertent l
(7.4) boron dilution. Will automatic equipment be used for termination?
RESPONSE
The revised criteria for the boron dilution accident promulgated 5/12 by NUREG-0800 are under review.
ADDITIONAL
RESPONSE
We will meet the operator response times specified in NUREG 0800 9/14 following receipt of a flux increase alarm from the safety grade wide range neutron monitor. - -
~.. -
STATUS:
Closed pending ICSB discussions with RSB.
9/15 420.79 Describe the design features used in the rod control system which (7.7.1.2) 1)
Limit reactivity insertion rates resulting from single failures within the system.
l 2)
Limit incorrect sequencing or positioning of control rods.
The discussion should cover the assumptions for determining the maximum control rod withdrawal speed used in the analyses of reactivity insertion transients.
RESPONSE
Section 7.7.1.2.2 of the FSAR will be revised per attached markup 5/12 to describe features that limit reactivity insertions, maximum rod 4
speeds and incorrect sequencing resulting from single failures within the system. This evaluation is identical to that made for the SNUPPS review.- The SNUPPS and Seabrook rod control systems are functionally identical.
STATUS:
Closed.
9/14 420.80 The FSAR (Section 5.2.2.8) information describing direct position indication of relief and safety valver is insufficient to allow the staff to complete its review. Therefore, please provide additional information on how the Seabrook design complies with each' specific requirement of NUREG-0737, TMI Item II.D.3.
RESPONSE
The FSAR will be revised when the details of the valve position 5/12 indication system are known (see 420.05 response).
STATUS:
Confirmatory (see 420.05(a)).
9/14 480.81 During the Seabrook drawing review it was discovered that safeguards actuation circuits have parallel relay contacts to handle specific load requirements. The slave relays used for the output of the solid state protection system (SSPS) have apparently been qualified by Westinghouse for use in circuits drawing a maximum current of 4.4 amps.
It is our understanding that the Seabrook 5 Kv and 15 Ky systems expose the SSPS slave relay contacts to a magnitude of 5.2 amps upon safeguards actuation.
r The applicant has decided to use parallel contacts to carry the current, relying on simultaneous closure (and opening) of the safeguards contacts upon protection signal actuation.
4 This design concept is unacceptable to the staff. We have concluded that paralleling contacts may not solve the concern with the current ratings of the Westinghouse slave relay contacts since
[
closure (or opening) of the SSPS slave relay contacts at the exact I
same time cannot be assured. One set of contacts will, in most instances, function before its redundant counterpart thus allowing the full 5.2 amps to that set of contacts. Also, it appears that the present test methods do not allow for checking operation of 1
i -
each individual set of contacts when paralleled.
It is the staff's position that the relays used in the protection system should be qualified for the maximum expected current.
The applicant is requested to modify the Seabrook design to comply with the above staff position.
RESPONSE
We will perform an independent test to verify the contact current 5/12 carrying ca.pabilities of the SSPS slave relays. The test will be performed on single contacts controlling actual switchgear components.
i, Upon completion of the tests, the NRC will be notified on the disposition of the issue regarding the use of these relays.
The NRC expressed concern that the testing meet similar requirements as were utilized during the W testing. Departures should be justified.
STATUS:
We are discussing this test with Worcester Polytechnic Institute.
9/14 We expect to have results available by January 1983. A test plan that includes acceptance criteria and justification will be 2-provided.
3 t
l i
d t
i 1. - - --
. -.. ~. - - -
7 In regards to the Emergency Feedwater System, there is one motor-driven pump and one turbine-driven pump. The motor-driven pump is initiated from pS Train B logic, and the turbine-driven pump is initiated f rom Train A* logic.
The motor-driven and turbine-driven pumps are initiated automatically by the following signals:
Safety injection, or safeguards sequence (from Solid State Protec-a.
tion System) or b.
2/4 low-low level in any steam generator (from Solid State Protec-tion System) or c.
Black-out signal These pumps can also be started manually.
In addition, the startup feedwater pump which is a pump additional to the emergency feed pumps is started automatically 'on the trip of all main feed-water pumps.
7.3.2.4 Summary The effectiveness of the Engineered Safety Features Actuation System is evaluated in Chapter 15, based on the ability of the system to contain the
(
ef fects of Condition III and IV faults, including loss of coolant and steam line break accidents. The Engineered Safety Features Actuation System para-meters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appro-priate factors to account for uncertainties in the data are factored into the constants characterizing the system.
The Engineered Safety Features Actuation System must detect Condition III and IV faults and generate signals which actuate the Engineered Safety Features. The system must sense the accident condition and generate the signal actuating 'the protection function reliably and within a time deter-mined by and consistent with the accident analyses in Chapter 15.
Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with Engineered Safety Features.
This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load.
Operating procedures require that the complete Engineered Safety Features Actuation System normally be operable. However, redundancy of system com-ponents is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service.
Channels that are out of service are to be placed in the tripped mode or bypass mode in the case of containment spray.
7.3-23
- !!r;P,gg9.g(b_)
l l"I
- I
/
5 r.n
/2
[ [4 b,i.
i i
a!.,f 11 lI
=
1 ei
- g g
=
l-l g y
.e !.!
I
= r r 's..
[1
=
e s i
I 15 vi! r g
~. ') i; llt! ),
I is!
- e ir
/ lg):
.l.
.ggld I 1jries!;!
[. [::gg
- 1, x.
I rrrisursi ig ou 7
T,+
i Su, r
h1 !.-
IP i
Y,Il 13 T
sir
,O!!;!!
df$h i !
I
!!!S u 3
, as 1,
r r
g,,; g,l
't I
i @. 'i 'id I
O,,
f.D
, =.
~
, "S
.g-W liij l-g h,
!ili lll:ll j,!
rid s
!!!f
~
I!!!
((((
i :
e 5
.~.
iO I ;I- :
N
'a
~
igt N
?j Ml!
- = D -!
a l
si
n v
i jj st a
u i
UI1 -
-.3-n i !,
v..
it, =-
t
.=
-)
I di
!!S gD-
!),0 i
i; F'W~Y,I -
5 f(-a ~l D F
- !.i
=4v e
ld, l li,[ 40 d
53
.x
->v 3,
v f
5:
j l
Er ll l
8 ls)4 i
8
=1 m;a
.i Psr i
4 fy-r
...r is s
?
'h~
y N,sgiri If t
/.
!=f i 'i si @-!!.i.li!III f/!!!ij!!!
- f g';
v-IIllin fI.
3 u;ni I'!
h
?.
6 I
f.
I l
I l
=
o
l hhh.] $
SB 1 & 2
/
FSAR j'
ff 5V SY 6.8 EMERGENCY FEEDWATER SYSTEM 6.8.1 Design Bases The Emergency Feedwater (EFW) System provides the capability to remove heat f rom the Reactor Coolant System during emergency conditions when the Main Feedwater System is not available, including small LOCA cases. The EFW System operates over a time period sufficient to cool down the Reactor Coolant System to temperature and pressure levels at which the Residual Heat Removal System can operate.
The EFW System is designed to meet the following safety-related functional requirements:
A malfunction or single active failure of a system component or a.
non-essential equipment does not reduce the performance capabilities of the system.
i b.
The functional perf ormance of system components is not affected by adverse environmental occurrences, abnormal operational requirements, and of f-normal conditions such as small breaks in the Reactor Coolant System or the loss of off-site power.
I c.
System components and piping have sufficient physical separation and shielding to protect against the effects of internally and externally generated missiles.
d.
The functional performance of the system is not affected by pipe whip and l
jet impingement that may result from high or moderate energy piping breaks or cracks.
l e.
The system possesses diversity in motive power sources such that the system performance requirements are met with either power source.
6.8-1 L
kb
/.2.-
The system design precludes-the occurrence of fluid flow instability during normal plant operation and during upset or accident conditions.
g.- Provisions are included to verif y correct system operation, to detect and control system leakage, and to isolate portions of the system in case of excessive leakage or component malfunctions.
h.
The system is capable of automatically initiating flow upon receipt of a system actuation signal. The system is also capable of manual actuation to provide protective action and for operational testing ladependent of the automatic signal. Single f ailure of the manual circuit will not.
result in loss of the system function.
- i. The system design possesses the capability to automatically terminate flow to a depressurized steam generator, while providing flow to intact steam generators.
The Emergency Feedwater System is designed in accordance with ASME Code Section III, Class 3; IEEE Standards 323-1974 and 344-1975, Class lE; and Seismic Category I requirements.
System components are located within Seismic Category I structures and are thereby protected against effects of natural phenomena.
6.8.2
System Description
Upon loss of normal feedwater flow, the reactor is tripped, and the decay and sensible heat is transferred to the steam generators by the Reactor Coolant System via the reactor coolant pumps or by natural circulation when the pumps are not operational.
Heat is removed from the steam generators via the main condensers or the main steam safety and/or steam generator atmospheric relief valves. Steam generator water inventory is maintained by water makeup from the Emergency Feedwater System. The System will supply feedwater to the steam generators to remove sufficient heat to prevent the overpressurization of the Reactor Coolant System, and to allow f or eventual system cooldown.
0 & - 22
Y,2$=b
[
SB 1 & 2 FSAR The Emergency Feedwater System is comprised of two full-sized pumps (one motor-and one turbine-driven) whose water source is the Condensate Storage Tank (CST). Suction lines are individually run f rom the GST to each pump, with a common pump discharge return line which is used for recirculation pump testing. Both pumps feed a common discharge header, which in turn supplies the four emergency feed lin%.
The common discharge header includes normally open gate valves between each branch connection to provide isolation in the event of a pipe break or for maintenance. Each emergency feed line is connected to one of the main feedwater lines downstream of the feedwater isolation valve. Each main feedwater line enters the containment through a single penetration and feeds a single steam generator. A normally open recirculation path between each pump's discharge and the opposite pump's suction is also provided to ensure minimum flow to prevent pump damage for any low flow system operating conditions. Additional redundant pumping capability is provided by the start-up feed pump in the Feedwater System. This pump can be aligned by manually operated valves to the emergency feedvater discharge header. For a diagram of the Emergency Feedwater System see Figure 6.8-1. Ud78 hCLP1NA'Af'.%f Fi%W FOM SOA-32/
/.5 A 77HcA4rfg f
A minimum of 200,000 gallons of demineralized water is maintained in the lower half of the condensate storage tank for the exclusive use of the Emergency Feedwater System. For a description of the condensate storage facility see Section 9.2.6.
Makeup to the tank is provided by the demineralized water make-up system (see Section 9.2.3).
The motor-driven pump and pump controls are powered f rom an emergency bus.
The start-up f eed pump is also capable of being powered f rom an emergency bus, and diesel generator capacity is available to start this pump even for a fully loaded emergency bus.
Steam f or the turbine-driven pump is supplied from either of two main steam headers via branch lines connected upstream of the main steam isolation valves. Each branch line includes an air-operated, fail-open valve. A summary of pump data is provided in Table 6.8.1.
l The branch lines to each steam generator include a manual gate isolation valve, two motor-operated flow control valves, a flow venturi, and a flow 6.8-3
y,28. %
SB 1 & 2 FSAR orifice. The flow control valves are normally in the open position when the system is not operating and are automatically closed during system operation in the event of a pipe break. These valves can be operated remotely as described in Section 6.8.5 to control steam generator water level. Two valves in series are provided for redundancy and are powered from different trains.
Each valve is also provided with a handwheel to permit manual operation. The open position of the flow control valves will be set to insure the minimum required flow of 235 gpm to each steam generator for the most limiting condition.
6.8.3 Safety Evaluation The Emergency Feedwater System components, instrumentation, and power supplies are sized and designed with sufficient redundancy to maintain the system's safety-related functions under all credible accident conditions. The combination of one turbine-driven pump and one motor-driven pump provides a diversity of power sources to assure delivery of feedwater under emergency conditions.
The system has been designed to provide the required flow following a single active f ailure coupled with a passive failure in the high or moderate energy piping and a loss of off-site power. The common discharge header is not pressurized during normal plant operation, and is therefore not considered high energy piping.
An accident analysis for this system in conjunction with the loss of the Main Feedwater System is provided in Chapter 15.
A failure analysis of the Emergency Feedwater System following a feedwater pipe break is provided in Table 6.8.2.
6.8.4 Tests and Inspections Prior to initial plant startup, the Emergency Feedwater System is hydrostatically tested in accordance with the requirements of the ASME Boiler and Pressure Vessel Code,Section III, Class 3, and preoperationally tested as 6.8-4
9.2 d. 34 SB 1 & 2 gS FSAR described in Chapter 14.
Periodic testing in accordance with Technical Specifications will be performed during normal plant operation.
6.8.5 Instrumentation Requirements and Controls The Emergency Feedwater System will be actuated automatically on loss of of f-site power, low-low level in any of the steam generators or safety injection signals. The engineered safety feature actuation system details are presented in Section 7.3.
Manual controls for the turbine-driven pump steam supply valves are located at the main control board (MCB), as well as at the remote safe shutdown (RSS) panels. For the motor-driven pump, the controls are located at the MCB and in the switchgear room. The suction and discharge pressures of both pumps are indicated locally and at the MCB.
Low suction pressures are alarmed at the MCB. The suction pressure indication at the MCB is safety grade. This suction pressure indication will also enable the operator to determine level in the CST.
Flow indications f or all four individual emergency feedwater lines are provided.
Safety grade flow orifice instrumentation readouts are displayed at the MCB.
The instruments are powered from the safety grade inverters - A and C steam generators on the Train A inverter, and B and D steam generators on the Train B inverter. Two of the four flow venturi instrumentation readouts are displayed at a RSS panel and the remaining two flow venturi instrumentation readouts are displayed at a second RSS panel. The design details of the safety-related display instrumentation are presented in Section 7.5.
l A high flow condition in any of the lines is indicative of a line break. A pumi. run-out protection control system is incorporated such that the affected line will be isolated by automatically closing the motor-operated valves on high flow signals f rom the flow orifice instrumentation. Die protection system is designed such that a single failure will not prevent emergency feedwater flow to at least two steam generators. Manual override provisions are also incorporated at the MCB as well as at the RSS panels, along with the open/close valve position indication. Each of the motor-operated control 6.8-5 i
y 26.14 SB 1 & 2
[r FSAR valves in each branch line is provided with fully independent power supplies, instrumentation, and controls to ensure that at least one of the valves in each branch line can be closed when needed. All eight valves can be operated from the MCB. Four of the valves, one in each branch ca.n also be operated f rom a RSS panel and the remaining four valves, one in each branch, can be operated from a second RSS panel. Thus, complete redundancy is provided to control flow or to isolate any steam generator in the event of pipe breaks.
A flow orifice and associated instrumentation are provided in the common pump discharge recirculation path to the CST. This instrumentation is provided to permit periodic testing of the pumps to verify proper head-flow cha rac ter is tic s.
6.8-6
$E05S SB 1 & 2
/27 FSAR TABLE 6.8.1 EMERGENCY FEEDWATER PUMP DATA Total Number Per Unit 2
Electric Motor-Driven 1
Turbine-Driven 1
Design Flow (each) 710 gpm Design Head 3050 ft. (1320 psi)
Feedwater Design Temperature 50-100 F Required BHP 770 Motor Size, HP 900 Turbine Rating, HP 900 t
4 1
V20.h SB 1 & 2
/ I FSAR TABLE 6.8.2 i
EKERGENCY FEEDWATER SYSTEM FAILURE ANALYSIS Active Failure Concurrent with a Feedwater System Pipe Break (One SG* Faulted)
COMPONENT ACTIVE FAILURE SYSTEM RESPONS_E Emergency Feed Pump Pump fails to start Second pump starts and (loss of power source) provides required flow to the intact SGs.
Flow sensing elements identify and isolate faulted SG.
Flow Control Valve One of two valves in No ef fect on system line to faulted SG response. The second fails to close (redundant) valve in line closes to isolate the faulted SG.
Flow Control Valve Valve in line to intact Two pumps start; flow SG closes on spurious sensing elements signal identify and isolate faulted SG.
Pumps provide the required flow to the two intact SGs.
Check Valve in Pump Check valve fails to Second pump provides
-Discharge 'iping open; flow from one required flow to the three pump blocked intact SGs.
Flow sensing elements identify and isolate faulted SG.
t.
r rnom SUF Pume g,,,,,.,,,,,
)
u M
M t
y ri.
yM
- l:
" * "[
k Q
' v ri, W to MFW S v5, f
b
- gggg4 viss lg[
TO P -37A VI' v30 vp V45 Qvizs c ~ ~.. -
- v. o N
/.
,., / y "
g v t.7 N
M
~
v Q i
vn rev ?
[v6s Q
y,54 CST re
!^ f " S*'-
To
,%Q
, SGs\\0 x
- j; gy,,
= vsr xxx 1
E 1
v'58
][v73W n
m o
"I y
',i; m4 2 3d j
^
V I
X vss rev r r
]
v64 W w~
FG M N 5'5 TO M(
- SG11C em r-r,
e yin V,59 v47 vu
_4 [
7 M o n -37s vy, v 7, N
N jjj
""'4$!
V81 rcv ?
l A
vaz W MN 5#5-QK
- SGilB v1s vn
\\N
,s OR AWN BY TITLE.
g YANKEE ATOMIC ELECTRIC COMPANY PU 6/23/62 Simetirico Sxcrcs gb og rse CHECKEDgY rgg OEABRoo<
3TATION k
NUCLEAR SERVICES DIVISION u
D o-io.
APPROVED e
//
D
//
//
EFW S ysTem v
st
Safety Classification Train Control Description Device Mechanical Electrical Assignment Location Note 1 Emergency Feedwater Pump FW-P-37A 3
lE A&B CP-108A & B FW-P-37B 3
lE B
4 kV Bus E6 SG A Emergency Feedwater Control Valve FW-FV-4214-A 3
lE A
CP-108A l
B FW-FV-4224-B 3
1E B
CP-108B C
FW-FV-4234-A 3
1E A
CP-108A D
FW-FV-4244-B 3
lE B
CP-108B SG A Emergency Feedwater Control Valve FW-FV-4214-B 3
1E B
CP-108B B
FW-FV-4224-A 3
lE A
CP-108A C
FW-FV-4234-B 3
lE B
CP-1085 D
FW-FV-4244-A 3
lE A
CP-108A SG A Emergency Feedwater Flow FW-FI-4214 Non IE AA CP-108A B
FW-FI-4224 Non IE BA CP-108B C
FW-FI-4234 Non IE AA CP-108A D
FW-FI-4244 Non IE BA CP-108B RC Loop 1 Hot Leg Temperature RC-TI-9406 Non IE AA CP-108A 4
RC-TI-9407 Non IE BA CP-108B RC Loop 1 Cold Leg Temperature RC-TI-9410 Non IE AA CP-108A 4
RC-TI-9411 Non IE BA CP-108B SG A Atmos. Relief Valve MS-PV-3001 2
lE A
CP-108A B
MS-PV-3002 2
lE B
CP-108B C
MS-PV-3003 2
lE A
CP-108A D
MS-PV-3004 2
1E B
CP-108B N*
\\3 SG A Wide Range Level FW-LI-4310
(~ )$
B FW-LI-4320 Non IE BA CP-108B h
C FW-LI-4330 Non IE AA CP-108A
FW-LI-4340 k
s SG A Pressure MS-PI-3173 B
MS-PI-3174 Non IE BA CP-108B Non IE AA CP-108A C
MS-PI-3178 D
Safety Classification Train Control Description Device Mechanical Electrical Assignment Location MS ISOL VLV Loop 1 MS-V-86 2
lE A&B CP-108A and B One switch MS ISOL VLV Loop 2 MS-V-88 2
lE A&B CP-108A and B for all MS ISOL VLV Loop 3 MS-V-90 2
lE A&B CP-108A and B valves on MS ISOL VLV Loop 4 MS-V-92 2
1E A&B CP-108A and B each RSS Panel SG Blowdown Isolation Valve SB-V-9 2
lE A&B PP-112B or PP-ll2A SB-V-10 2
lE A&B PP-1125 or PP-ll2A SB-V-11 2
lE A&B PP-ll2B or PP-ll2A SB-V-12 2
lE A&B PP-ll2B or PP-112A Non IE AA CP-108A Pressurizer Heaters Group A Non IE BA CP-108B Croup B Charging Pump CS-P-2A 2
1E A
4 kV Bus E5 Cubicle CS-P-2B 2
lE B
4 kV Bus E6 Cubicle Ch:rging Flow Isol.
CS-V-142 2
lE A
CP-108A CS-V-143 2
lE B
CP-108B Pressurizer Relief Valve RC-PCV-456A 1
lE A
CP-108A RC-PCV-456B 1
lE B
CP-108B Pressurizer Relief Block Valve RC-V-122 1
lE A
CP-108A RC-V-124 1
lE B
CP-108B Non IE AA CP-108A Pressurizer Pressure RC-PI-7336 RC-PI-7335 Non IE BA CP-108B N
A3 Pressurizer Level RC-LI-7334 Non IE AA CP-108A Q
Non IE BA CP-108B RC-LI-7333 V
h]
Boric Acid Tank CS-LI-7446 Non IE AA CP-108A CS-LI-7464 Non IE BA CP-108B
Safety Classification Train Control Description Device Mechanical Electrical Assignment Location SI Accum. Tank 9A Isolation Valve SI-V-3 1
1E A
CP-108A 9B SI-V-17 1
1E B
CP-108B 9C SI-V-32 1
1E A
CP-108A 9D SI-V-47 1
IE B
CP-108B SI Accum. Tank A Vent Valve SI-V-2475, 2476 2 IE B
CP-108B B
SI-V-2482, 2483 2 1E A
CP-108A C
SI-V-2477, 2486 2 1E B
CP-108B D
SI-V-2495, 2496 2 1E A
CP-108A High Pressure Injection CS-V-65 2
1E A
CP-108A CS-V-66 2
1E B
CP-108B SI-V-138 2
IE A
CP-108A SI-V-139 2
IE B
CP-108B VCT Discharge Isolation Valve CS-LCV-112B 2
IE A
MCC E512 CS-LCV-112C 2
1E B
MCC E612 RC Letdown Isolation RC-V-81 1
1E A
MCC F531 Chzrging Pump Suction from RWST CS-LCV-112D 2
1E A
CP-108A CS-LCV-112E 2
1E B
CP-108B Bus F52 Feeder Breaker to MCC-E522 AW9 IE A
CP-108A Bus E62 Feeder Breaker to MCC-E622 AWO IE B
CP-108B Wida Range Neutron Monitors NI-NI-6690 IE A
Later NI-NI-6691 IE B
Later Sarvice Water Pump SW-P-41A 3
1E A
4 kV Bus E5 Cubicle 7 SW-P-41B 3
IE B
4 kV Bus E6 Cubicle 7 SW-P-41C 3
IE A
4 kV Bus E5 Cubicle 2 SW-P-41D 3
IE B
4 kV Bus E6 Cubicle 2 g
Turbine Bldg SW Isolation Valves SW-V-4 3
IE A
\\
W h SW-V-5 3
IE B
CP-1088 SW Cooling Tower Fan 1-SW-FN-51B 3
1E B
CP-108B 2-SW-FN-51B 3
IE B
CP-108B g
Safety Classification Train Control Description Device Mechanical Electrical Assignment Location PCCW Pump CC-P-llA 3
1E i
4 kV Bus E5 Cubicle 12 CC-P-llB 3
IE B
4 kV Bus E6 Cubicle 13 CC-P-llc 3
lE A
4 kV Bus E5 Cubicle 14 CC-P-llD 3
lE B
4 kV Bus E6 Cubicle 15 PCCWLoopkTemperatureControlValve CC-TV-2171-1 3
Non IE AA CP-108A CC-TV-2171-2 3
Non IE AA CP-108A PCCW Loop B Temperature Control Valve CC-TV-2271-1 3
Non IE BA CP-108B CC-TV-2271-2 3
Non IE BA CP-108B PCCW Loop A Temperature CC-TI-2197 Non IE AA CP-108A B
CC-TI-2297 Non IE BA CP-108B Cont. Structure CC Loop A Supply CC-V-168 2
1E B
CP-108B B
CC-V-175 2
1E A
CP-108A Cont. Structure CC Loop A Inbd. Supply CC-V-57 2
lE A
CP-108A B
CC-V-176 2
lE B
CP-108B Cont. Structure CC Loop A Inbd. Return CC-V-121 2
lE A
CP-108A B
CC-V-256 2
IE B
CP-108B Cont. Structure CC Loop A Otbd. Return CC-V-122 2
lE B
CP-108B B
CC-V-257 2
lE A
CP-108A Thermal Barrier Cooling Pumps Later Later IE A
CP-108B l
Containment Cooling Unit IA CAH-FN-1A NNS Non IE BA CP-108B 1B CAH-FN-1B NNS Non IE BA CP-108B IC CAH-FN-lC NNS Non IE AA CP-108A 1D CAH-FN-1D NNS Non IE BA CP-108B y
lE CAH-FN-lE NNS Non lE AA CP-108A 1F CAH-FN-lF NNS Non IE AA CP-108A N-Emsrgency Switchgear Area CBA-FN-19 3
lE A
MCC E521 Supply Fan CBA-FN-32 3
IE B
MCC E621 g
Emtrgency Switchgear Area CBA-FN-20 3
lE A
MCC E521 Rsturn Fan CBA-FN-33 3
lE B
MCC E621
Safety Classificatic,n Train Control Description Device Mechanical Electrical Assignment Location B-2ttery Room A Exhaust Fan CBA-FN-21A 3
1E A
MCC E521 B
CBA-FN-21B 3
1E B
MCC E621 Diesel Generator Room Supply Fan DAH-FN-25A 3
IE A
MCC E521 DAH-FN-25B 3
1E B
MCC E621 Diesel Generator Room Exhaust Fan DAH-FN-26A 3
lE A
MCC E521 DAH-FN-26B 3
1E B
MCC E621 Diesel Generator Room Supply Damper DAH-DP-15A 3
lE A
MCC E521 DAH-DP-ISB 3
1E B
MCC E621 Diesel Generator Room Exhaust Damper DAH-DP-16A 3
lE A
MCC E521 DAH-DP-16B 3
1E B
MCC E621 Containment Enclosure Cooling Fan EAH-FN-5A 3
lE A
CP-108A EAH-FN-5B 3
IE B
CP-108B Containment Enclosure Fan EAH-FN-31A 3
1E A
MCC E512 EAH-FN-31B 3
1E B
MCC E612 Emergency Feedpump House Fan EPA-FN-47A 3
lE A
MCC E512 EPA-FN-47B 3
lE B
MCC E612 Emergency Feedpump House Dampers EPA-DP-54A 3
lE A
MCC E512 EPA-DP-54B 3
1E B
MCC E612 EPA-DP-61A 3
lE A
MCC E512 EPA-DP-61B 3
1E B
MCC E612 PAB PCC Pump Area Supply Fan PAH-FN-42A 3
lE A
MCC E512 PAH-FN-42B 3
IE B
MCC E612 1
\\
l PAB PCC Pump Area Supply Damper PAH-DP-43A 3
lE '
A MCC E512 hlN(
PAH-DP-43B 3
1E B
MCC E612 i
PAB PCC Pump Area Exhaust Dampers PAH-DP-44A 3
lE A
MCC E512 a
i PAH-DP-44B 3
1E B
MCC E612 f
Szrvice Water Pump House Supply Fan SWA-FN-40A 3
1E A
CP-108A SWA-FN-40B 3
1E B
Safety Classification Train Control Description Device Mechanical Electrical Assignment Location Rasidual Heat Removal Pumps RH-P-8A 2
lE A
4 kV Bus 5 Cubicle 10 RH-P-8B 2
lE B
4 kV Bus 6 Cubicle 11 RHR Suction Isolation Valve RC-V-87 1
lE B
MCC Bus E621 RC-V-88 1
lE A
MCC Bus E521 RC-V-22 1
lE B
MCC Bus E621 RC-V-23 1
IE A
MCC Bus E521 Dio:el Generator A lE A
DC-CP-75A B
lE B
DC-CP-76A RCS Sample Loop 1 RC-FV-2832 2
lE A
CP-108A RC-FV-2874 2
lE B
CP-108B Loop 3 RC-FV-2833 2
lE B
CP-108B RC-FV-2876 2
1E A
CP-108A MANUAL CONTROL RER Local Sample Valve RH-V-8 2
Manual Hand-Operated Valves RH-V-44 2
Gravity Feed Boration Valves CS-V-424 3
Manual Hand-Operated Valves CS-V-423 3
CS-V-442 2
CS-V-439 3
CS-V-437 3
CS-V-430 3
i Note 1 NN D
Non IE Instrumentation is designed to operate following a seismic event.
T
e A%10 TABLE 7.1-1 go, if l (Sheet 1 of 9)
LISTINC OF APPLICABLE CRITERIA CRITERIA TITLE CONFORMANCE DISCUSSED IN 1.
General Design Criteria (CDC),
Appendix A to 10 CFR Part 50 GDC 1 Quality Standards and Records 3.1, 7.2.2.2, GDC 2 Design Bases for Protection Against 3.1, 7.2.1.1.k, 7.2.1.2.e l Natural Phenomena y
CDC 3 Fire Protection 3.1, 7.1.2.2c GDC 4 Environme.tal and Missile Design Bases 3.1, 7.2.2.2 CDC 5 Sharing of Structures, Systems, and 3.1 Components rg y_
Ne CDC 10 Reactor Design 3.1, 7.2.2.2 GDC 12 Suppression of Reactor Power Oscilla-3.1 tions GDC 13.
Instrumentation and Control 3.1, 7.3.1, 7.3.2,7 Y -
GDC 15 Reactor Coolant System Design 3.1, 7.2.2.2 Q
N GDC 17 Electric Power Systems 3.1, 8.3.1
+4 GDC 19 Control Room 3.1
- 7. Y -
N GDC 20 Protection System Functions 3.1, 7.2.2.2, 7.3.1, 7.3.2 gk E.
CDC 21 Protection System Reliability and 3.1, 7.2.2.2, 7.3.1, 7.3.2 qg Testability
,3, CDC 22 Protection System Independence 3.1, 7.1.2.2, 7.2.2.2, co s~
w*
7.3.1, 7.3.2-
TABLE 7.1-1 (Sheet 2 of 9)
CRITERIA TITLE CONFORMANCE DISCUSSED IN GDC 23 Protection System Failure Modes 3.1, 7.2.2.2, 7.3.1, 7.3.2 GDC 24 Separation of Protection and Control 3.1, 7.2.2.2, 7.3.1, 7.3.2 Systems CDC 25 Protection System Requirements for 3.1, 7.3.2 Reactivity Control Malfunctions CDC 26 Reactivity Control System Redundancy 3.1 and Capability CDC 27 Combined Reactivity Control Systems 3.1, 7.3.1, 7.3.2 Capability GDC 28 Reactivity Limits 3.1, 7.3.1, 7.3.2 as CDC 29 Protection Against Anticipated Opera-3.1, 7.2.2.2 5-tional Occurrences
$ o.
u GDC 33
.Rea.ctor Coolant Makeup 3.1 3.1'74 CDC 34 Residual Heat Removal CDC 35 Emergency Core Cooling 3.1, 7. 3.1, 7. 3. 2,7. 4 * %*
hk GDC 37 Testing of Emergency Core Cooling 3,1, 7.3.2 System x
GDC 38 Containment Heat Removal 3.1, 7.3.1, 7.3. 2,7.4 m
CDC 40 Testing of Containment Heat Removal 3.1, 7.3.2 g.g Syatem 2@
l '$ I GDC 41 Containment Atmosphere Cleanup 3.1, 6.5.1
<g 44 gn GDC 43 Testing of Containment Atmosphere 3.1, 7.3.2 gg Cleanup Systems i
)
)
i TABLE 7.1-1 (Sheet 3 of 9)
CRITERIA TITLE C0hTORMANCE _ DISCUS _ SED IN GDC 44 Cooling Water 3.1 GDC 46 Testing of Cooling Water System 3.1, 7.3.2 GDC 50 Containment Design Basis 3.1 CDC 54 Piping Systems Penetrating Contain-3.1 ment GDC 55 Reactor Coolant I'ressure Boundary 3.1 Penetrating Containment CDC 56 Primary Containment Isolation 3.1 GDC 57 Closed Systems Isolation Valves 3.1 m
m*
2.
Institute of Electrical and m~
Electronics Engineers (IEEE)
Standards:
w IEEE Std 279-1971 Criteria for Protection Systems for 7.1, 7.2, 7.3, 7.6 7P.dk (ANSI N42.7-1972)
Nuclear Power Generating Stations j
IEEE Std 308-1974 Criteria for Class IE Electric Systems 8.1, 8.3 for Nuclear Power Generating Stations IEEE Std 317-1972 Electric Penetration Assemblies in 8.1 7)
Containment Structures for Nuclear I\\}
Power Generating Stations (j
g IEEE Std 323-1974 IEEE Standard for Qualifying Class lE 3.11, 1.8, (RG 1.89) 4 ss Equipment for Nuclear Power Generat-ing Stations IEEE Std 334-1971 Type Tests of Continuous-Duty Class I_
1.8, (RG 1.40)
Motors Installed Inside the Containment of Nuclear Power Generating Stations
TABLE 7.1-1 (Sheet 4 of 9)
CRITERI_A TITLE CONFORMANCE DISCUSSED IN IEEE Std 336-1971 Installation, Inspection and Testing 7.1.2.10 (ANSI N45.2.4-1972)
Requirements for Instrumentation and Electric Equipment During the Con-struction of Nuclear P'va* Generating Stations 1EEE Std 338-1975 Criteria for the Periodic Testing of 7.1.2.11 Nuclear Power Generating Station Protection Systems IEEE Std 344-1975 Guide for Seismic Qualification 3.10 (ANSI N41.7) of Class I Electrical Equipment for Nuclear Power Generating Stations IEEE Std 379-1972 Cuide for the Application of the 7.1.2.7 m
Single Failure Criterion to Nuclear
=
ym-Power. Generating Station Protection N*
Systems IEEE Std 381-1977 Type Tests of Class IE Modules Used in 3.11 Nuclear Power Generating Stations IEEE Std 382-1972 Type Test of Class I Electric 3.11 Valve Operators IEEE Std 384-1973 Standard for Type Test of Class IE 3.11 Electronic Cables, Field Splices and Connections for Nuclear Power Generating Stations G
M' IEEE Std 384-1974 Criteria for Separation of Class IE 7.1.2.2a (ANSI N41.14)
Equipment and Circuits D\\
IEEE Std 420-1973 Trial Use Guide for' Class IE Control 7.1.2.2b Switchboards for Nuclear Power Generating Stations-
)
(
TABLE 7.1-1 (Sheet 5 of 91
_ CRITERIA TITLE CONFORMANCE DISCUSSED IN 3.
Regulatory Guides (RG)
RG 1.6 Independence Between Redundant Stand-8.3 by (Onsite) Power Sources and Between Their Distribution Systems RG 1.7 Control of Combustible Gas 1.8 Concentrations in Containment Following a Loss-Of-Coolant Accident RG 1.11 Instrument Lines Penetrating Priesty 1.8, 7.3.1.lb Reactor Containment RG 1.12 Instrumentation for Earthquakes 1.8 RG 1.22 Periodic Testing of Protection System 1.8,. 7.1.2.5, 7.3.2.2e,7'4b-Actuation Functions m*
m h
RG 1.29 Scismic Design Classification 1.8 RG 1.30 Quality Assurance Requirements for 1.8, Chapter 17 n
the Installation, Inspection, and Testing of Instrument, tion and Electric Equipment RG 1.32 Criteria-for Safety-Related 1.8, 8.1 Electric Power Systems for Nuclear Power Plants
'4g RG 1.40 Qualification Tests of Continuous 1.8, 3.1 (3
Duty Motors Installed Inside the j
Containment of Water Cooled Nuclear NR Power Plants RG 1.45 Reactor Coolant Pressure Boundary 1.8 Leakage Detecticn Systems
.(
TABLE 7.1-1 (Sheet 6 of 9)
CRITERIA TITLE CONFORMANCE DISCU.SSED IN RG 1.47 Bypassed and Inoperable Status Indica-1.8, 7.1.2.6 7 d-tion for Nuclear Power Plant Safety Systems Re 1.53 Application of the Single-Failure 7.1.2.7, 1.8', % 2.
Criterion to Nuclear Power Plant Protection Systems RG 1.62 Manual Initiation of Protection Actions 1.8, 7.3.2.2g RG 1.63 Electric Penetration Assemblies in Con-1.8, 8.1 tainment Structures for Water-Cooled Nuclear Power Plants RG 1.67 Installation of Overpressure Protection 1.8 Devices E-RG 1.68 Preoperational and Initial Startup Test 1.8, 14.2.6, 7'Y
$e Programs for Water-Cooled Power Reactors w
RG 1.70 Standard Format and Content in Safety 1.8 Analysis Reports for Nuclear Power Plants, Rev. 3.
RG 1.73 Qualification Test of Electric Valve 1.8, 8.1 Operators Installed Inside the Con-tainment RQ l.75 Physical Independence of Electric 1.8, 7.1.2.2a, 8.1 j 7.h Systems RG 1.78 Assumptions for Evaluating the Habita-1.8 bility of a Nuclear Power Plant Control
%h Room During a Postulated Hazardous Chem-g ical Release N
RG 1.80 Preoperational Testing of Instrument 1.8
\\
Air k
wNv t.,/
M SB 1 & 2 FSAR During plant operation, inservice inspection of the Class 3 portion of the ultimate heat sink will be performed in accordance with ASME Code I
Section XI.
Provisions will be 'made for testing the portable makeup equipment for the e
9.2.5.5 Instrumentation Application Control and display instrumentation in the ultimate heat sink is provided in both the primary and secondary control locations, in accordance with CDC 19.
Transfer from the Atlantic Ocean to the cooling tower is possible from the i
primary location only. The primary control location for system pumps, fans and valves is in the main control room with the secondary location the control building switchgest room. The controls for all the pumps and valves associated with the ultimate heat sink satisfy the requirements of redundancy and separation as set forth in IEEE Std-279 and NRC's Attachment C, " Physical Independence of Electric Systems" (FSAR Appendix h
8A).
Seawater level in each service water pumphouse is indicated on the main k
control board (MCB), and is available for alarm and display via the main
,U plant computer system.
// A4/// $ $ f Y Transfertothecoolingtowersisaccomplishegvisatoweractuationsignal.
The individual train tower actuation (TA) signal is generated when the pump (
discharge pressure coincident logic system determines that flow in that f
train decreases to the predatermined pressure setpoint, indicative offlow g y level. The logic system automatically initir.tes the transfer of the l
train to tower operatton based upon coincidence logic to reduce the incidence of inadvertant transfers. The operator can also manually initiate the TA signal from the MCB. Once a TA signal is initiated, the transfer of that particular train to tower operation will be completed automatically.
All manual controls will be blocked until the TA signal is reset by the operator. This transfer operation includes automatically shutting down and isolating the service water pumps, starting the cooling tower pumps and fans, and repositioning valves to permit closed loop coolant flow from the y e.ing tower basiq,. Operator reset of the TA signal permits realignment of valves as might be required to reduce total tower heat load. For details of the TA signal actuation logic, refer to Drawing No. 9763-M-503962 (see IS /JSO gr% un w_y.yy pgg, yg gpN-f/fs7,z/.CR/ P/PM6 t on 1.7 S
>m m m ww arcrm.
$ ~e tower bcstn contatns independent level transmitters dhich provide for indication, recording, and alarming of the basin level at the MCB.
If there is a loss of level in the basin, the tower return lines contain flow indica-tion which help the operator identify a failed line and permit its isolation. The tower basin level indication is safety related. This indication provides operator information regarding proper operation of the f(
i I
9.2-25
y l
V 20. 75 NAH-1935
.3..
- s
(
'. ? %T.
,,. !..c Westinghouse Water Reactor e teamegroioson. ~
Electric Corporallon Olvisions g,333 PittsburghPennsylvania 15230 April 23, 1982 CWS-NAH-1649 Hr. J. OeVincentis S.O.: NAH-280 Seabrook Project Manager Yankee Atomic Electric Company 1671 Worcester Road Framingham, Massachusetts 01701 PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE SEABROOK STATION UNITS 1 AND 2 Volume Control Tank Level Control System
Dear Mr. DeVincentis:
7#
NRC question 420. & requested chat Westinghouse provide criteria by which
.:9 the plant operators would be able to ensure an adequate water supply for
@qj the charging (high head safety infaction) pumps in the event of a failure in the Volume Control Tank level control system. The requested informatfor, v
is provided in two attachmints to this letter. tabulates the various control and alarm functions performed by VCT level channels LT-185 and LT-112.
This document includes the setpoints which will be recommended by Westinghouse in the Precautions, Limitations and i
Setpoints Documents for the various level control and alarm functions.
The l
attachment also provides an analysis which indicates the information provided to the operator in the event of the failure of either leve1' instrument and the time durations available for protective action. provides general and specific precautions and instructions to u,
enable the operator to protect the charging pumps from a loss of' suction.
/
This document also provides instructions designed to address a situation b
wherein the normally operating charging pump might be damaged by a loss of i
suction. These later instructions are intended to protect the Reactor Coolant Systemand/ortheremainingchargingpump(s).
A third attachment of the interlock logic diagrams has been included to facilitate the understanding of the logic behind VCT level channels LT-185 and LT-112.
l -
l l
l l
{ca2 7f 72 Mr. J. Devincentis NAH-1935 CWS-NAH-1649
{
\\
Please contact us should there be any question on any of the attached documents.
Very truly yours, WESTINGHOUSE ELECTR.'C CORPORATION j' f (Ull. '
W. E. Wright Seabrook Project Manager g
MLMasch/PABarilla/MH Attachment J. DeVincentis - 4L, 3A cc:
B. B. Beckley - 2L lA D. H. Rhoads - 2L, 2A W. B. Sturgeon - 1L J. H. Herrin - IL G. S. Thomas - IL, IA D. G. McLain - IL O
(
f)$l5
/~7 NAH-1935 CWS-NAH-1649 l
ATTACHMENT 1 VCT LEVEL INSTRUMENTATION FUNCTIONS, CHANNEL ASSIGNMENTS AND SETPOINTS LT-185 LT-112 FUNCTION SETPOINT SETPOINT Fully Divert Valve 1-LCV-ll2A 90%
High Level Alarm 83%
Modulate Divert Control Setpoint 75%
for Valve 1-LCV-112A Auto Makeup Stop 50%
Auto Makeup Start 30%
Low Level Alarm 20%
20%
Emergency Makeup RWST(I) and 5%
5%
?!-
Lo-Lo Level Alarm Control Board Level Indication X
f Local Level Indication X
NOTE (1): Coincident 2/2 logic requires signals from both level channels in order to transfer the pump suction to the RWST.
6 (s
fjt275
/1' VCT LEVEL INSTRUMENTATION FAILURE MODES AND EFFECTS (Refer to Attached Drawing) 1.
Level Transmitter LT-185 generates an incorrect high level signal resulting in the complete or partial diversion of letdown to the Recycle Holdup Tanks by modulating VCT level control valve 1-LCV-112A.
The emergency refueling water makeup function is defeated, and there may be an incorrect control room indication of VCT level.
Upon decreasing level in the VCT, LT-112 will initiate automatic inakeup f f the makeup water system has been pre-set for automatic operation, or it will generate an alarm at the auto makeup level if the makeup control switch is not in automatic. LT-112 will also generate a low and low-low level alarm.
2.
Level Bistable LB-185B malfunctions. The result would be the loss c4 the emergency refueling makeup function. However, this malfunction v said go unnoticed until the function was required because failure of the bistable does not result in a diversion of letdown. VCT level would be indicated in the control room.
If required, LT-112 would initiate automatic makeup if the makeup water system has been pre-set for automatic f,,,
operation, or it will generate an alarm at the auto makeup level if the M'~
makeup control switch is not in automatic. LT-112 and LT-185 would have full alarm capability except for the low-low alarm on LT-185.
3.
Level Controller LC-185C malfunctions and diverts letdown. The results are the same as item.ELwith the exception that the emergency refueling water makeup function is not defeated.
4.
Level Transmitter LT-112 fails generating an incorrect high level signal which re alts in the complete diversion of letdown to the Recycle Holdup Tanks by tripping VCT level control valve 1-LCV-112A. The emergency refueling water makeup function and the automatic makeup water function are both defeated.
Upon decreasing level in the VCT, LT-185 provides low and low-low alarm functions, and correct VCT level indication.
5.
Level Bistable LB-112B malfunctions. This results in the loss of the emergency refueling water makeup function but does not result in a diversion of letdown. However,this would go unnoticed until the function was required.
VCT level would be indicated in the control room.
If required, LT-112 would initiate automatic makeup if the makeup water system has been pre-set for automatic operation, or it will generate an alarm at the auto makeup level of the makeup control switch is not in automatic.
LT-112 and LT-185 would have full alarm capability except for the low-low alarm on LT-112.
w
IMd f5 6.
Level Bistable LB-1120 malfunctions. The automatic makeup function and alarm would be defeated. Again, this would go
. s unnoticed until the function was required.
If required, the emergency refueling water makeup function will operate.
Level indication in the control room will be operable, and all LT-185 and LT-112 high, low and low-low alarms are operable.
i 4
a l
'D' I
e 0
I
(
l l(~l\\
i
r al pi aE. g !? sf.' f!
M O.
j gf s
s N
s' 0,r " 8# '!'
I'
(
}
r - '
y-
,6 s
-Y 5
e, L
r.
I
(--
y =-
I e
- e
\\,
g ej. g:
3 -
.: r g
ts Bt Et; *i ??
5 I n zl gg I
fp 83gre,f 5
3 y
E:" Ti t y:
af 5: s. s a 4 :s d* e 4
y Y -a
- H.g[3 :isit65
~
yI vi
-*w g'
j fji 58 y
,1 w
E Y
i. es "
-y I J. ;
3 5, i
B Is!.Y! 8f ic :I*
5 s-55E.sg Yg3 *f,.E;e-g g5 va
- e. 's+ -
9 e
v
! is y,r, nr a g.,..
Y.e
,aansnenl!ti,gH gs
. -e.
g a
e a a.-
e a a e s -
c' t,
(-
.o
.i. "..
u.
?
<C t- - h'- {'---
- , 3 y
- s.:.
f a sl I
l I
f,=
y a
I
~
g SE 22 2!5 j
I F--'3E SE-ht_dI.6O e d C
e s
a 5,>
f ass v ',
'?
---($$
y s'J
>H!
l h
os,7
- O, -
g i
.e 3
g' L_ 3:-
A...........q
,r,
a t
rz 8
O e
y a
g g g
g, s
l
,r e
y T.
i 1
x.,
- s-Elb--!i!
6-
'-- $5 @ '-
t s
sis
\\'
es!e -
sI m::op
~ i.s i1.j
,o y.
s f$a u
S; h 1;j,!hh ;!f 293 50;9 l
e c--
1 ia 3;
..g
't I
- o. tg i
e i
g==
2 8
8 8
3d85
(....'
{.....
4
,r -
9 t-2 s,.
O e
l V
ll l
3I m;,VS a
e' s
' ere-E 7
[
s.
l h
1 d5, t.
"" 1 i
__m_
1 1
l
r 72075 o7 NAH-193S 9
CWS-NAH-1643
(
ATTACHMENT 2 MALFUNCTION OF A VCT LEVEL CONTROL INSTRUMENT INSTRUCTIONS i
I.
Definitions 1.
The phrase "High VCT Conditions" is intended to include any or all of the following indications of high water level in the Volume Control Tank: high level alarm, complete or partial diversion of the VCT level control valve, indication of high water level above che modulate divert setpoint.
The phrase " Low V.CT Conditions" is similarly intended to include 2.
any or all of the following indications of low water level in the Volume Control Tank: low and low-low level alarms actuation of automatic makeup from the Reactor Makeup Control System, indicated water level below the low level alarm or auto makeup setpoint.
II.
Precautions 1.
The Reactor Makeup-Control System should be pre-set to provide blended boric acid solution to the charging pump suction automatically upon a low level condition in the Volume Control Tank, except during boration or dilution operations.
2.
Do not operate two charging pumps simultaneously for normal charging service when the suction is aligned to the Volume Control Tank.
In the event that a normally operating charging pump is damaged 3.
or unintentionally tripped, do not start the standby charging pump until an assured suction source has been provided for the standby pump or until it has been verified that the source of the malfunction will not damage the standby pump.
III. General Instructions 1.
Manual actuation of safety injection will always correctly align the charging pump suction to the Refueling Water Storage Tank and start the standby centrifugal charging pumps.
Re-aligning the suction of the charging pumps from the VCT to 2.
the Refueling Water Storage Tank will protect the pumps from a
(
loss of VCT suction.
q
r 0 0. 7 5
/ i
(
Isolating letdown and stopping the normally operating charging 3.
pumps will protect the normally operating charging pump and restrict the reduction in RCS inventory to normal leakoff from the Reactor Coolant Pump seals. This is acceptable provided that component cooling water is available for cooling the Reactor Coolant Pump Thermal Barrier.
IV.
Specific Instructions 1.
If high VCT level indications exist and only high VCT indications exist, then the following instructions are applicable.
If not, proceed to Ste;: 4.
2.
If letdown flow (FI-132) exceeds charging flow (FI-121), or if the Reactor Makeup Control System is in operation for boration, dilution, or makeup, then the high level indications are likely to be true indications and no immediate protective action is required.
If charging flow (FI-121) equals or exceeds letdown flow (FI-132) 3.
and the Reactor Makeup Control System is not in operation for boration, dilution or makeup, then the high level indications are likely to be erroneous and the charging pump suction should be re-aligned to the Refueling Water Storage Tank.
4.
If low VCT level indications exist and only low VCT conditions exist, the following instructions are applicable.
If not, proceed to Step 6.
5.
Verify that makeup or that the suction transfer to the RWST is initiated automatically.
If these functions are not automatically initiated at the appropriate VCT levels; then manually re-align the charging pump suction to the RWST.
If the operator has available one or more conflicting', contradi,:: tory, 6.
or inconsistent high and low VCT level indications, manually re-align the charging pump suction to the RWST.
7.
In the event that the normally operating charging pump is damaged or unintentionally tripped, the resulting loss of charging flow can be diagnosed from the following indications.
Approximate Time Interval Indication Following Loss of Charging
(
a.
Low charging flow indication Immediate and alarm (FICA-121).
b.
Low Reactor Coolant Pump Immediate seal injection flow indication i (
and alann (FIA-142/143/144/145).
High temperature indication and Immediate c.
alarm downstream of regenerative heat exchanger (TIA-127).
t/.20. 73_
/
-f
. Approximate Time Interval Indication Following Loss of Charging d.
High temperature indication Immediate and alarm downstream of letdown heat exchanger (TICA-130).
High temperature indication Immediate e.
and alarm downstream of letdown orifice relief valve 8117 (TIA-125).
II) f.
Low pressurizer level deviation 3 1/2 minutes alarm.
7-34 minutes (2) g.
Low pressurizer level alarm, pressurizer heater cutout, letdown line isolation.
h.
Direct charging pump indications Immediate such as motor voltage or current, if application.(3)
Explana_tcry Notes
' l
/l) Based.on120gpm_letdownflowrate.
(2) Depends on initial load and letdown flow rate.
C (3) Plant specific.
8.
In the event that plant instrumentation indicates a loss of charging flow, innediately isolate letdown and trip the operating charging pump.
9.
Re-align the charging pump suction to the RWST.
10.
If the reactor has not been tripped and the source of the malfunction cannot be detected and corrected while the plant is at power, then the plant should be brought to a hot zero power subcritical condition.
- 11. Attempt to restart the initially operating charging pump or alternatively start the standby charging pump as required to maintain or restore pressurizer level, to borate, or to provide cooling for the Reactor Coolant Pump seals.
12.
If the charging system is returned to service with the charging pump suction aligned to the RWST and the VCT isolated, the nonnal letdown line can also be returned to service and re-aligned to the Recycle Holdup Tanks. Alternatively the excess letdown line can be placed into service to return leakage into the RCS through the Reactor Coolant Pump seals, to the Reactor Coolant Orain Tank, or to the charging pump suction.
(
F-g/20. 75
//8 l
((
OPERATOR ACTION TIME TIME TO EMPTY I
LEVEL SETPOINT_
VCT IN MINUTES 26.2 Modulate Divert 75%
Setpoint 19.64 Auto Makeup Stop 50%
14.4 Auto Makeup Start 30%
11.8 Low Level Alarm 20%
7.85 Emergency Makeup /
5%
Low-Low Alarm The above times are based on the CVCS in operation at i
NOTE:
maximum letdown (120 gpm).
t
[
h i
'(
x
-, ~. -
+ -. - -
a,,--
-,,-..e.-
9 m
NAH-1935 pf/
CWS-NAH-1649
/
-(
t ATTACHMENT 3 INTERLOCK LOGIC DIAGRAMS l
ua
, cg. :
Y
(.
9J8. 78
(}
IETERLOCK SHEET
. (_
gg g
.c s
.st.-ow s e s o== 54e iz
(.
$EAsR.coK SArioM Caeu.s \\/o t. GnTets sno CvC - 4(U i so.
<~,us.
s :..,.
bus D SY.STEA4S hPL/CATicM 4./D/ 76 f' I
- d. STELLA Ms. eAs s)
T'bs sve opJ l
!a I
owu!
l i
To -
tver:
l %o l8 jjg sasr l
MCS Hi L E vt. t y
p 1
_f--.
$1
~
I Y
U 1711ffff-~
f i
L l
Y Y
)I
'Dev c at McDyLATES ptVE R.T To oN StGOAL yo Nc,T Frtom LT-185 E w s r-kirt-OPE R.AT6'D Tan.ee - WW o
i NJA LV E l-Lt.V - l i d
pc 75
~
[
INTERLOCK SHEET
.n
.u- ~i a ' o*= 548 : 2 1
OM kV 6 S
(
"'sc4 e n.o o,(
c-ea.s vot. G~,ses
' cvc - 8ed)
N w..,,..
u.sm, c
., c.,s,ms Aceu.co,c.;
</sc/7 :
NJ C'r L P \\jt L L NJ L T R.L4 M E rJr S S prs 4G RE T ott rJ To W
AsAro LT it a
\\186 /
I I
V r' c.
k o
le r
Lo-Lo
'O*J l
8 C
r.
d I
O f LEvt.
[ 14 J C L g
/
MCS S
v u j
j 1
r
..r Y
EU l
OP E W.
i i
EMERGEMCy MAKEu P 6
VALVE F~ Re v.
R.v F r 7
I
/AJTt'R.LCC W-
"f A O l V l
VC.T Ou7 d T EMER. 74c,E;f ISO L A1:00 FRom q
3 7 M A ca/ E P WCT l
j l-LCsr-Il2 8 l-LCi/-//2D Y
ir
/-4ct/-/12C
/-LCV-//."C op V ALV E.
s;4to g Ver ouTLEr vat.s1E t
i
\\Ssae A - SIS \\
' INTERLOCK SHEET C;!,2 0
.:r nc-ovu.... saaim Emeerect v u niteu p UAL v EE - RW t r To C46. P a uP S
..o,.o StA& flodl< GrArio M Ca cM. d. Vo t. Co urreo t, j
c.
, '...CVC-WL\\
<an,i.
svsnu M
bTE LLA Cc.uio %sreM i Mf7LiflT/0^ ' M!3 7/75 -
f i
i SPRnJG REruR.d To 4 C-T g7g Lo - Lo
( e vc <-
h c
tr Y
o#c I
o o
2.
18 l
I k 5,.
i ucs
/
J-
[k g
Ad i
~_p y l
15);
I h, k..
y; 9 y 1
,,---,1
'T 4.
)f C L o S E.
oP6 d l
Morost-OP6 RATE D i
VALVES I - LC.V-Il2.D ( TRAle A )
i-o -ti2.e ( t a i u a 3 k ~
\\
/
E
<7
(,
_ _ _ _