ML20027D666
| ML20027D666 | |
| Person / Time | |
|---|---|
| Site: | Clinch River |
| Issue date: | 11/03/1982 |
| From: | Longenecker J ENERGY, DEPT. OF, CLINCH RIVER BREEDER REACTOR PLANT |
| To: | Check P Office of Nuclear Reactor Regulation |
| References | |
| HQ:S:82:118, NUDOCS 8211080226 | |
| Download: ML20027D666 (47) | |
Text
}
Department of Energy Washington, D.C. 20545 Docket No. 50-537 HQ:S:82:ll8 NOV 0 31993 Mr. Paul S. Check, Director CRBR Program Office Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C.
20555
Dear Mr. Check:
INSTRUMENTATION (CHAPTER 7) WORKING MEETING, SEPTEMBER 21 and 22, 1982 - ADDITIONAL INFORMATION
Reference:
Longenecker to Check,
Subject:
Meeting Summary for Instrumentation (Chapter 7) Working Meeting, September 21 and 22, 1982, dated September 24, 1982 Enclosed is the additional information requested during the subject meeting for which response dates of November 1,1982, were projected.
Marked up Preliminary Safety Analysis Report (PSAR) pages will be incorporated into a future PSAR revision. Also included are responses for items 46 and 51 which originally had December 1,1982, commitments.
Any questions regarding the information provided or further activities can be addressed to Mr. R. Rosecky (FTS 626-6149) or Mr. A. Meller (FTS 626-6355) of the Project Office Oak Ridge staff.
Sincerely, bo yh Jo hn R. LongenGc er Acting Director, Office of the Clinch River Breeder Reactor Plant Project Office of Nuclear Energy Enclosures cc: Service List Standard Distribution Licensing Distribution l
8211080226 821103
- l PDR ADOCK 05000537 A
{
4 Enclosure j
CHAPTER 7 SEPTEMBER 21 AND 22,19 82 WORKING MEETING, ACTION ITEMS DUE TO NRC NOVEMBER 1,19 82
- 1. Lam 4
17 18 42 56 62 89 90 91 92 96 Partial response; full response will be provided by 12/1/82 46 This item originally scheduled for submittal December 1,19 82 51 This item originally scheduled for submittal December 1, 1982 i
i i-6 e
-e~
^5 Page 2 Item (i I&C Design Criteria - tech. basis Comments:
PSAR page 7.1-3, clarify..PPS primary / secondary separation requirements 'in terms of Reg. Guide 1.75
)
among redundant channel's by prime and sec. systems i
and between prime and sec systems.
I
~
Resolutl6nt' Section 7.1.2.2 has been amended (attached) to clarify the application of Reg. Guide 1.75 in the design of the Reactor Shutdown Systems (RSS).
Within general plant areas (non-hazard areas), the primary RSS instrument channels are physically separated from the secondary RSS channels to meet the requirements of Regulatory Guide 1.75.
Within hazard areas, redundant channels of the primary RSS and secondary RSS are physically separated such that a common event within the defined area will not fail more than one channel of each RSS.
Within the hazard area, physical separation is maintained to meet Regulatory Guide 1.75.
i 9
=
l
Pega 3 7.' 1.2. 2 Indenandance of Redundant Safety Related Svstame
[\\
To assure that independence of redundant saf ety related equipment is preserved, the following specific physical separation crlieria are imposed for safety related Instrumentation.
All interrack' PPS wiring shall be run in conduits (or equfvaient) with o
wiring for recundant charnels run in separate conduits.,0nly PPS wiring shall be <lncluded in these condults. Primary RSS wiring shall not be run in the same conduit as secondary RSS wiring. W! ring f or the CIS may be run in condults containing either primary RSS wiring or condults containing secondary shutdown system wiring, but never intermixed. E'xpanded criteria for physical separation of the CIS are given In Section 7.3.2.2.
Wiring for other safety related systems may be run in condults o
containing.elther primary RSS wiring'cr conduits containing secondary RSS wiring, but never intermixed, provided that no degradation of tne separation between primary and secondary RSS results. '
Wiring for redundant channels shall be brought through separate o
containment penetrations with only PPS wiring b, oughi ihrough these penetrations. Primary RSS wiring shall not be brought through thes same penetration as secondary RSS wiring. Wiring for the CIS and other safety related systems will be brought through the same penetration as the RSS wiring with which it is routed.
Instrumentation equipment associated with redundant channels shall be o
mounted in separate racks (or completely, meteIIIcally enclosed compartments). Only PPS channel Instrumentation shalI be mounted in these racks.
Primary RSS equipment shall not be located in the same rack as Secondary RSS equipment.
3 jih ys el epa lo e
n co uit pe tl rac o
)
nt n
ed dan nst ent en s
Ib pe led n
<V
[
l vi I
se b Is mee tha ut ant of R irl a v
t j
,g This separation shall provide assurance that credible single events do not simultaneously degrade redundant channels or redundant shutdown systems.
+
s l
The wiring f rom a PPS buf fered output which is used for a non-PPS o
purpose may be included in the same rack as PPS squipment. The PPS wiring shall be physically separated f ran the non-PPS wiring. The l
amount of separation shall meet the requirements of IEEE 384-1974.
1 Electrical power for redundant PPS equipment shall be supplied from o
separate sources such that f ailure of a single power source
.g
/
7.1-3 Amend 62 Nov. 1981
Page 4 INSERT The physical separation between conduits, penetrations, or racks containing redund, ant instrument channels shall meet the requirements of Regulatory Guide 1.75.
Redundant instrument channels in the primary RSS shall be physically separated from one another in accordance with the' requirements of Regulatory Guide 1.75.
Redundant instrument channels in the secondary RSS shall be physically separated from one another in accordance with the requirements of Regulatory Guide 1.75.
Functional capability is maintained in the event of single design basis events which might impact more than one sensor by alternate protective functions as described in Table 7-2-2.
a, a
Page 5 Item 17:
RSS - single failure criterion for PPS and channel independence comments:
Discuss isolation techniques between primary and secondary systems - add this to the PSAR. ~
Particularly address commonality at the inverter.
Resolution:
The Primary and Secondary Reactor Shutdown Systems are isolated from each other, from the power supply inverter through to the control rod drives, by means of physical separation as discussed in Item 4 previously.
A new Section 7.2.1.2.4 is added to the PSAR which discusses Power Supplies to the Reactor Shutdown Systems.
This discussion includes analysis that justifies no loss of reliability of shutdown as a consequence.
e 0
-wvw--v--w w
Pcga 6 i
7.1.2.11 Confonnance to Regulatory Guide 1.62 " Manual 7.1-6 Initiation of Protective Functions 7.1.2.12 Regulatory Guide 1.89 " Qualification of Class IE 7.1-6a Equipment for Nuclear Power Plants" 22
~
7.2 REACTOR SHUTDOWN SYSTEM 7.2-1 7.2.1 Description 7.2-1
- 7. 2.1.1 Reactor Shutdown System Description 7.2-1 7.2.1.2 Design Basis Information 7.2-6
- 7. 2.1. 2.1 Primary Reactor Shutdown System Subsystems 7.2-7 57 7.2.1.2.2 Secondary Reactor Shutdown System Subsystems 7.2-9
- 7. 2.1. 2. 3 Essential Performance Requirements 7.2-11
~1 1..l.2. 4 Pnfuktor Systsm Pope CQiec jf 7.2.2 Analysis 7.2-13 7.3 ENGINEERED SAFETY FEATURE INSTRUMENTATION AND CONTROL 7.3-1 7.3.1 Containment Isolation System 7.3-1
' 7. 3-1 7.3.1.1
System Description
7.3.1.2 Design Basis Information 7.3-2 7.3.1.2.1 Containment Isolation System Subsystems 7.3-2 7.3.1.2.2 Essential Performance Requirements 7.3-3 7.3.2 Analysis 7.3-3 7.3.2.1 Functional Performance 7.3-3 7.3.2.2 Design Features 7.3-4 7.4 INSTRUMENTATION AND CONTROL SYSTEMS 7.4-1 REQUIRED FOR SAFE SHUTDOWN 7.4.1 Steam Generator Auxiliary Heat Removal 7.4-1 In'strumentation and Control System 7.4.1.1 Design Description 7.4-1 7.4.1.1.1 Function 7.4-1 7.4.1.1.2 Equipment Design 7.4-1 7-11
,i
Page 7 o
Tornado The PPS is protected from the effects of the design basis tornado by locating the eqpipment within tornado hardened structures.
o Local Fires All PPS equipment, incl uding sensors, actuators, signal conditioning equipment, wiring, scran breakers, and cabinets housing this equipment is redundant and separated. These characteristics make any credible fire of no consequence to the safety of the piant. The separation of the redundant components increases the time required for fire to cause extensive damage and also allows time for the fire to be brought to i
the attention of the operator such that corrective action may be.
Initiated.
Fire protection systems are also provided as discussed in Section 9.13.
o Local Exolosions and Missiles All PPS equipment essential for reactor trip is redundant.
Physical separation (distance or mechanical barriers) and electrical' isolation exists between redundant components. This physical separatior of redundant components minimized the possibility of a local explosion or missile damaging more than one redundant component. The remaining
(
redundant components are still capable of performing the required protective functions.
o Earthauakes All PPS equipment, including sensors, actuators, signal conditioning equipment, wiring, scran breakers and structures (e.g., cabinets) housing such equipment, is classed as Seismic Category 1.
As such, all PPs aulpment is designed to remain f unctional under W E and SSE conditions The characteristics of the WE and SSE used for the eval uation vf the PPS are found in Section 3.7.
jg w t s p.7-
"J. t. l. 1. 4 -
7.2.2 Analvsis The Plant Protection System meets the safety related channel performance and l
l rollabilIty requirements of the NRC General Design Criterin, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other appropriate criteria and standards.
Gene'ral Functional Raoutrement The Plant Protection System is designed to automatically initiate appropriate protective action to prevent unacceptable plant or component damage or the release or spread of radioactive materials, l
7.2-13 Amend. 71 Sept. 1982 l
1
l Page 8 INSERT 7.2.1.2.4 Protection System Power Supplies The Primary and Shcondary Shutdown Systems are connected to the same three vital supply distribution. buses, i.e.,
channel A in each system is supplied from the same distribution panel.
This commonality between the two systems is not.:onsidered to impact their separation because of the following design features:
o Loss of one common distribution bus will result in the tripping of one logic train in each RSS system.
This i
will provide the correct indication for appropriate corrective action without prejudicing safety.
o Provision of isolation devices in the individual power supplies within the two protection systems will prevent any failure caused by a circuit failure in one system from affecting the proper safety function of the other system.
o These same isolation features will prevent a common electrical interference surge received in the cabling between the distribution panel and the two systems from i
impacting either system.
From this analysis of these features and the satisfactory experience with a system of this type in an extended operation test program, it is concluded that no reduction in system reliability arises from use of common power supplies for the Primary and Secondary Shutdown Systems.
i e
G f
v
Item 18 -- RRS -- gingle failure criterion for power supply (PS) and chanc.el independence.
Comment:
Provide a description of test results or test plans to demonstrate that faults within a PS or a trip channel will not propagati in such a way as to compromise trip channels associated with more than one vital bus.
Resolution: Section 7.2.2 has been revised to describe features of the power supplies to the PPS which prevent propagation of faults to Primary and Secondary trip channels which share the same Uninterruptible Power Supply.
l
Single Failure No single failure within the Plant Protection System nor removal from service of any component or channel will prevent protective action when requi red.
)'
57l hich is capable of terminating all excursions without allowing plant param-Two independent, diverse reactor shutdown systems are provided, either of w
eters to exceed specified limits. Each system uses three redunda.nt instru-ment channels and logic trains. The Primary RSS is configured using local coincidence logic while the Secondary RSS uses 57 general coincidence logic.
To provide further assurance against potential degradation of protection due to credible single events, functional and/or equipmen di ersit are included in the hardware design.
Bypasses Bypasses for normal operation require manual instating.
Bypasses will be automatically removed whenever the subsystem is needed to provide protection.
The equipment used to provide this action is part of the PPS.
Administrative procedures are used to assure correct use of bypasses for infrequent operations such as two loop operation.
If the protective action of some part of the system has been bypessed or deliberately rendered inoperative, this fact will be continuously indicated in the control room.
Multiple Setpoints Where it is necessary to change to a more restrictive setpoint to provide adequate protection for a particular normal mode of operation or set of operating conditions, the PPS design will provide autcmatic means of G
assuring that the more restrictive setpoint is used. Administrative proce-m) dures assure proper setpoints for infrequent operations.
For CRBRP, power operation on two-loops will be an infrequent occurrence, and will only be initiated from a shutdown condition. While the reactor is shutdown, the PPS equipment will be aligned for two-loop operation which will include set down of the appropriate trip points.
Sufficient trip point set down is being(designed into the PPS equipment to adequately cover the possible range conceptually from 2% to 100%)
of trip point adjustment required.
In addition, administrative procedures (specifically the pre-critical checkoff) will be invoked during startup to ensure that the proper PPS trip points have been set.
The analysis of plant performance during two-loop operation has not been completed to date. Therefore, the exact trip point settings for two-loop operation cannot be specified at this time.
However, the range of trip point settings indicated above is adequate to ensure that trip points appropriate for the anticipated lowest two-loop operating power can be achieved.
In sumary, the design of the PPS equipment trip point adjustments and other features for two-loop operation coupled with the anticipated two-loop operating power level and administrative procedures assure full compliance with Branch Technical Position EICSB 12 and satisfy Section 4.15 of IEEE std 279-1971.
16
'~
7.2-14 Amend. 57 Nov. 1980
Insert 1 The DC and AC Uninterruptible Power Supplies (UPS) to the redundant instrument channels and logic trains are provided from three respective redundant power divisions. The three divisions are physically and electrically independent such that loss of any one division will not prevent the other divisions from performing their safety function. The design of power supply equipment (inverters and battery chargers),
which use solid state components, is such that it precludes the possibility of a fault in one power division to have any adverse affect on similar power supply of the other two divisions.
The inverters will be tested to demonstrate that a transient on the inverter output will have no affect on the input power supplies.
Testing will be performed in accordance with ISA and ANSI C37.90.
3Property "ANSI code" (as page type) with input value "ANSI C37.90.</br></br>3" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process..
r
Page 9
_ Item 42:
QR 421.45 Comments:
Amend QR 421.45 to clarify there are no Fafety related sensor lines exposed to outside temperatures
- (water and steamlines).
Resolution:
Amended response to Q 421.45 attached.
(
l
Page 10 Question CS 421.45 Describe features of the CRBRP environmental control system which f asure that instrumentation sensing and sampling lines for systems important to safety are protected from freezing during extremely cold weather. Discuss the use of environmental monitoring and alarm systems to prevent loss of, or damage to, systems important to safety upon failure of the environmental control system. Discuss electrical independence of the environmental control system circuits, and the monitoring / alarm circuits.
Response
All safety related process, instrument and sampling lines are contained entirely within environmentally controlled buildings. Thus, there are no safety related instrumentation sensing or sampling lines located external to the building or near building access openings from the external environment, such as doors and equipment hatches, which could freeze as a result of exposure to cold weather.
The Nuclear Island Heating, Ventilating and Air Conditioning (NI HVAC) 0 System will maintain a minimum temperature of 55 F in all areas of the NI buildings which contain safety-related equipment. All HVAC units utilizing outside air for ventilation will alarm when the temperature of the air, measured upstream of the cooling coil, is below a fixed set point. Electrical independence of the NI HVAC System is described in Chapters 7.1 and 7.6 of the PSAR.
Page 11 Item 56:
Q421.26 Conments:
Amend to clarify which items are safety related and include rationale why non-safety related items are classified as such.
Resolution:
Amended response to Q421.26 attached.
n p
l l
I
Page 12 duestion CS 421.26 In the PSAR, Section 7.4.1.1.2 discusses the Protected Air-Cooled Condenser (PACC) and how air flows through it is contro_11ed by a combination of fan blade pitch and inlet louver position.
The staff requires a, detailed discussion of this instrumentation and in particular the method used for fan blade pitch indications.
Response
The outlet louvers have discrete open and closed position sensors.
These provide indication at both the local control panel and main control panel in the control room.
The inlet louvers have both discrete open and closed position sensors and a continuous position sensor.
The continuous position sensor provides feedback to the louver control.khe main Both typesprovideindicationatthelocalcontrolpaneland[
control panel in the control room.
T is sse d k The fan blade pitch meee cohtinuous position sensors for both control and indicgtion.
The indication is provided at the local control panel and%he main control panel in the control room.
Both the discrete and continuous sensors are integral to the actuator.
The discrete sensors are roller switches activated by a cam and the continuous is a potentiometer.
discatted alvvt This instrumentation is Class lE with the exception of the indicating lights.
f I
l l
l.
1
Page 13 Item 62:
Discuss (other than RSS) Safety Related System Display Information Comments:
Provide a summary description of the alarms and indicators for the PPS and ESF's.
Resolution:
Summary descriptions of alarms and indicators are provided in the PSAR:.
PPS Section 7.2.2 (amended)
CIS Section 7.3.2.2 (amended)
DHRS & EVS Section 7.6.3.1.2 SGAHRS Section 7.4.1.1.9 DHRS alarms are provided as follows:
1.
Pri. Na make-up pump A coolant flow low 2.
Pri. Na make-up pump B coolant flow low 3.
EVST NaK pump A coolant flow low 4.
EVST NaK pump B coolant flow low 5.
Pri. Na make-up pump A PWR or phase loss 6.
Pri. Na make-up pump B PWR or phase loss 7.
EVST NaK pump A PWR or phase loss 8.
EVST NaK pump B PWR or phase loss 9.
Sequencer A failure 10.
Sequencer B failure 11.
ABHX A interlocks tripped 12.
ABHX B interlocks tripped z
l
Paga 14 C
o Tornado The PPS is protected from the effects of the design basis tornado by locating the equipment within tornado hardened structures.
o Local Fires All PPS equi pment, including sensors, actuators, signal conditioning equipment, wiring, scram breakers, and cabinets housing this equipment is redundant and separated. These characteristics make any credible fire of no consequence to the safety of the plant. The separation of the redundant components increases the time required for fire to cause extensive danage and also allows time for the fire to be brought to the attention of the operator such that corrective action may be initiated.
Fire protection systems are also provided as discussed in Section 9.13.
o Local Exolosions and Missiles All PPS equipment essential for reactor trip is redundant.
Physical separation (distance or mechanical barriers) and electrical isolation exists between redundant components. This physical separation of redundant components minimized the possibility of a local explosion or missIIe damaging more than one redundant component. The remaining
(
redundant components are stilI capable of performing the required protective f unctions, o
Earthauakes All PPS equipment, including sensors, actuators, signal conditioning equipment, wiring, scram breakers and structures (e.g., cabinets) housing such equipment, is classed as Seismic Category I.
As such, all PPS equipment is designed to remain f unctional under (BE and SSE conditions. The characteristics of the OBE and SSE used for the eval uation of the PPS are found in Section 3.7.
IN S E R T --g 7.2.2 Analvsis The Plant Protection System meets the safety related channel performance and l reliability requirements of the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other appropriate criteria and standards.
Gen'eral Functional Raoufrement The Plant Protection System is designed to automatically initiate appropriate protective action to prevent unacceptable plant or component danage or the release or spread of radioactive materials.
7.2-13 Amend. 71 s.
Sept. 1982
Pcgn 15 i
l sus &RT-A e
Information Read-Out Indicators and alarms are provided as an operating aid and to keep the plant operator infonr.ed of the status of the RSS. Except for the IHX primary outlet temperature analog indicators which are part of th,e accident monitoring The following items system, all indicators and alarms are not safety related.
are located on the Main Control Panel for operator information:
Analog Indication A.
Secondary Wide Range Log MSV Power Level B.
Secondary Wide Range Linear Power Level C.
Primary Power Range Power Level D.
Reactor Vessel Level E.
HTS Pump Speeds F.
HTS Loop Flows G.
Reactor Inlet Pressure H.
IHX Primary Outlet Temperature I.
Evaporator Outlet Temperature J.
Steam Flows K.
Feedwater Flows L.
Steam 0 um Level Indicating Lights A.
Instrument Channel Bypass Permissive Status B.
Instrument Channel Bypass Status C.
Logic Train Trip / Reset Status D.
HTS Loop Trip / Reset Status E.
HTS Loop Test Status Annunciators Instrument Channel Trip / Reset information is provided for each function A.
listed in Table 7.2-1.
B.
Logic Train Power Supply failure
,y.....
Ihformation is also available to the operator via the Plant Data Handling and Display System.
Page 16 There are three categories of CIS cabling: cables between the radiation monitoring sensors and logic panels; cabling between the logic panels and the power breakers; and cabling from the breakers to the valve actuatcrs.
Wiring for the three CIS Instrument channels wilI be routed exclusively with the three Secondary PPS Instrument channels.
CIS logic train actuation wiring wilI be routed through two separated and independent conduits. A conduit wilI contain only wiring from a single CIS logic train. No Intermixing of CIS logic trains within a conduit will be permitted.
CIS logic train I wiring will be routed from CIS logic panel 1 to CIS breaker 1.
CIS logic train 2 wiring wilI be routed from CIS logic panel 2 to CIS breaker 2.
All of the Inside contairment isolation valve actuation wiring (both manual and autanatic) wilI be routed through at least one separated and independent conduit fran CIS breaker 1 through a separate and Independent containment isolation valve actuation containment penetration.
Inside containment isolation valve actuation wiring will be routed through separate and independent conduits fran the inside of the containment isolation valve actuation containment penetration to the Individual containment isolation val ves. No other wiring will be routed through the conduit and containment penetration containing inside containment isolation valve actuation wiring.
(
All of the outside containment isolation valve actuation wiring (both manual and autanatic) wilI be routed through at least one separated and Independent conduit from CIS breaker 2 to the Individual outside containment Isolation valves. No other wiring will be routed through the conduit containing outside containment isolation valve actuation wiring.
-lNSEAT-B l
l l
l l
(
s 7.3-4 a Anend. 62 l
Nov. 1981 s
i PEga 17
- IN s nT-S Inforretion Read-Out Indicators and alarms are provided as an operating aid and to keep the plant operator informed of the CIS status.
All indicators and alarms are not safety related. The following items are located on the Main Control Panel for operator information.
Analog Indication A.
Head Access Area Radioactivity B.
Containment Exhaust Radioactivity Indicating Lights A.
CIS Breaker Trip / Reset Status B.
CIS Isolation Valve Position Annunciators A.
Head Access Area High Radiation B.
Containment Exhaust High Radiation 6
1 Page 18 l
Item 89:
SGB Flood Protection System Comments:
Provide summary of I&C system functional design, l
redundancy, and safety classification of ncn-safety I&c.
Resolution:
Amended Sections 7.6.5.3.3 and 7.6.5.3.2 provide discussion of the instrumeatation and controls provided for the Steam Generator Building flooding protection, the safety function to be performed, and the consequent safety classification and design requirements for IEC equipment.
I f
~
Page 19
.5.3.1 Instrumentation Instrumentation provided for this subsystem consists of C1 1E tempe ture, and moisture transducers.
In addition, non-Clas E
level tran cers are provided. The transducers and associat control logic are loco d'in the SGB cells containing main feecwa or recir-,
culation piping.
hree independent moisture and temper ure measurements in each cell are ut zed for identifying a major w r/ steam line rupture. Water level surements in each cell firm a flooding condition and are annunci d in the main con
' room.
7.6.5.3.2 Controls Each heat removal loop i a
the main feedwater supply upcn detection of a major pipe rupt e.
The rt-up and main feedwater control valves close upon a vation by a t -out-of-three logic using measurements of moistur nd temperature in ea cell. The main feed -
water isolation valv s independently closed upo activation by a two-out-of-three logi sing the same three moisture an emperature measurements fr each cell. Separation and isolation maintained between the ntrol valve and isolation valve activation ic.
Small water / steam leaks are identified in each SGB cel y
me ring water level. Manual corrective control of flooding is in.
[
3 ated by the operator upon annunciation in the main control room.
4.
s gqfxe ws /et /w.1WY Y had. 45 )
7 N/
7.6-39
- (.
t
Page 20 Insert A 7.6.5.3.1 Instrumentation The SGB f.looding protection instrumentation consist of temperature, moisture and water level instrument channels. The temperature and moisture instrument channels are class IE and the level channel is non-class 1E.
For each cell in the SGB which contains steam and water piping three independent and redundant temperature and moisture instrumentation channels are provided.
These signals are buffered and provided to two independent logic trains.
In addition, two water level instrumentation channels are provided in each cell.
7.6.5.3.2 Controls The flooding protection subsystem has a safety function and a non-safety function. The safety function is to detect a major pipe rupture and to isolate the feed water supply system and the affected loop. The non-safety function is to detect a small leak and annunciate in the main control room.
Upon detection of a major pipe rupture the startup and main feedwater control valves and the feedwater isolation valves are closed by two independent and separate class 1E logic trains. One logic train closes the startup and main feedwater control valves, the other the feedwater isolation valve.
Actuation of each logic train requires concurrent two-out-of-three signals from both temperature and moisture from the same cell of any one of the four cells in each heat transport loop.
Small leaks are detected in each cell by measuring water level and by alarms on water level, temperature and moisture. Operator action is initiated upon annunciation in the main control room.
Page 21 Item 90s Inert Gas Blanketing System Comments:
Provide summary of IEC system functional design, redundancy and rationale for safety classification of I&c.
Resolution:
PSAR Section 7.7.1.10 identifies those IEC systems that do not perform a safety related function and whose failure would not cause the failure of a safety related system to perform its safety related function.
Included is the Inert Gas Receiving and Processing System (IGRP), which is further discussed in Section 9.5.
Section 9.5.5 discusses Instrumentation requirements for the IGRP, none of which identify a safety related function for it.
Accordingly, the IGRP I&C system is not discussed in Section 7.6 which discusses I&C Systems required for safety.
..,-.m.
Page 22 Item 91:
Auxiliary Liquid Metal System Comments:
Provide summary of IEC system functional design, redundancy and rationale for safety classification of I&c.
Resolution:
PSAR Section 7.7.1.10 identifies those IEC systems that do not perform a, safety related function and whose failure would not cause the failure of a safety related system to perform its safety related function.
Included are portions of the Auxiliary Liquid Metal System.
Other portions of this System are used by the Direct Heat Removal Service and the Spent Fuel Storage System which perform safety-related functions; instrumentation and controls for these portions of the Auxiliary Liquid Metal System are classified as safety related and are accordingly designed to requirements for safety related systems.
The safety related portions of the instrumentation and controls for the Auxiliary Metal System are discussed in the amended Section 7.6.3
" Direct Heat Removal Service (DHRS) and Ex-Vessel Storage Tank (EVST) Cooling System Instrumentation and Control."
l l
l l
l i
Page 23 PAGE 7.6 OTHER INSTRUMENTATION AND CONTROL SYSTEMS
~ 7.6-1
~ ~ ~ ~ ~ ~ ~
@ IRED FOR 5AT C 7.6.1 Plant Service Water and Chilled Water 34 Instrumentation and Control Systems 7.6-1 7.6.1.1 Description 7.6-1 7.6.1.2 Analysis 7.6-1 7.6.2 Fuel Handling Safety Interlocks 7.6-1 7.6.2.1 Design Description 7.6-1 7.6.2.2 Design Analysis 7.6-3 Sverflow Heat Remo$ &*x NMR.570(*NE cd&UAb Dim'ECT I
val Serviceg nstru enta-7.6.3 tion and Control 7.6-3 7.6.3.1 Design Description 7.6-3
- 7. 6. 3.1.1 Function 7.6-3
- 7. 6. 3.1. 2 Design Criteria 7.6-3
- 7. 6. 3.1. 3 Equipment Design 7.6-3a 7.6.3.1.4 Initiating Circuits 7.6-3c 44!
- 7. 6. 3.1. 5 Bypass and Interlocks 7.6-3c 7.6.3.2 Design Analysis 7.6-3d 7.6.4 Heating, Ventilating, and Air Conditioning Instrumentation and Control System 7.6-3e 7.6.4.1 Design Basis 7.6-3e 7.6.4.2 Design Criteria 7.6-3e 7.6.4.3 Functional Control Iliagrams 7.6-3f
. 7.6.4.3.1 Reactor Containment Building HVAC !&C 7.6-3f 7.6.5 SGB Flooding Protection System 7.6-3f 7.6-3f 1
7.6.5.1 Design Basis 7.6.5.2 Design Requirements 7.6-3f 49 7.6.5.3 Design Requirements 7.6-3f k end. 4's
.a ea 7.v4
I Page 24 component movement prior to initiation. The type of core component is checked for compatibility with the intended destination. The destination for the core component is checked for occupancy and readiness to receive a particular core component.
Core components can be identified by the IVTM to verify the type of core component prior to any movement into the reactor core or removal from the Reactor Vessel., The Central Computer monitors the operation of the other refueling machines and incorporates a software operational alarm system to add further depth to the design for operation without errors. The use of setpoint generation rather than direct digital control permits the IVTM and EVTM computer comands to be passed through a pennissive hard-wired interlock system only if proper preconditions are met.
In addition, the Central Computer monitors annunciator status and alann failures. An alann log can be displayed at all local computer CRT terminals.
Finally, a complete manual control capability is provided which also must work through the refueling interlock logic.
The analysis of the consequences of specific fuel handling events given in Section 15.5 has not identified a requirement for any specific safety interlocks.
Some interlocks are included in the design to preclude the possi-bility of major machine damage.
(
Typical interlocks are given below and in Table 7.7-1.
IVTM grapple / fuel element EVTM grapple / fuel element Rotating Plug drive system /IVTH grapple position Rotating plug drive system /IVTM hold down sleeve Rotating plug drive system /EVTM position j
EVST drive motors /EVTM grapple position Postulated Reactor Refueling System (RRS) accidents with potentially l
severe consequences were analyzed in detail to determine requirements for L
. safety interlocks.
The techniques employed included safety assurance diagrams, fault trees, mechanical and thermal analyses, and radiological release calcu-lations. None of the analysis results showed off-site doses exceeding those l
presented in Section 15.5 or 15.7.
The off-site doses in Section 15.5 and l
15.7 resulting from postulated RRS accidents are all well below the 10 CFR 100 guideline exposures without taking credit for interlocks.
It was there-59, fore concluded that the RRS interlocks should not be designated as safety interlocks.
l 7.7.1.10 Nuclear Island Auxiliary Instrumentation and Control Systems A number of Instrumentation and Control Systems, not discussed in i
Section 7.0, are provided in the plant to support various auxiliary systems.
These systems do not perform a safety-related function, nor would their failure prevent the functioning of a safety-related system.
These instrumentation systems, discussed in other sections of this report are:
1 Amend. 59 l
7.7-15 Dec. 1980 t
Paga 25 Section System
- 3. A.1, 3. A.2 R:ct rcui att ng Gas 9.7.5 Auxillary Cooling Fluid 9.5 Inert Gas Receiving and Processing 9.8.5 f+ purity Monitoring and Analysis Im 7.7.1.11 Balance of Plant Instrumentation and Control Systems A numDer of Instrumentation and Control Systems are provided to support vcrious Balance of Plant Systems. These systems'do not perform a safety-related f unction, nor would their f ailure prevent the f unctioning of safety-ral ated systems.
7.7.1.11.1 Treated Water Instrumentation and Control system Th3 Treated Water System includes the Portable Water System, the Normal Plant Service Water System, the Secondary Service Closed Cooling Water System, The Emergency Plan Service Water System, the Normal and Emergency Plant Chilled Water Systems, and the Makeup Water Treatment System.
r Auxiliary Liquid Metal (This includes only those portions of the Auxiliary Liquid Metal System that are not associated with the Direct Heat Removal Service (DHRS) or the Spent Fuel Storage System (ex-vessel storage). The DHRS and the Spent Fuel Storage System are required for safety and their associated instrumentation and controls are discussed in Sections 7.6.3, 9.1.3 and 9.3.3).
I i
?.7-Isr
1 Paga 26 E(5UST) O**I ad (n Victcl C C
7.6.3 Direct Heat Removal Service (DHRSh Instrumentation and control System A
7.6.3.1 Design Descriotion 7.6.3.1.1 Functlon
- NG
& ftps+ d &]
The DHRS (fluid system and mechanical components as described in Sectio _n 5.6,)
and electrical components as describe'd below) provides a supplementarytmears of removing long term decay heat,for the remote case in which none of the c'er-merator{~ decay heat removal paths are available.-% $afe%reMed a d Ars]
lMSGLT~&
Q) Cost CoefdC sfM The DHR nstrumentationandControir@;tr : Kprovfded to permit the monitoring of system conditions and to provide alarm Indication of off-normal conditions. These*are the same instrumentation and controls that are provided for EYST cooling (Section 9.1.3.1.5) and the reactor primary sodlum overflow circuits (Section 9.3.2.5) with the addition of a few temperature monitoring Instruments located on the NaK lines connecting the overflow heat exchanger with the EVST NaK cooling loops (see Figures 9.3-2 and 9.3-3).
7.6.3.1.2 Design criterla Cad EvW Coelk Cesfe*]
Design criteria that are applicable to DHRS electrical equipment are as follows:
A.
No single failure of an instrument, interconnecting cable or panel shall prevent a key process variable from being monitored.
B.
DHRS valves shall be remotely operated and DHRS electrical equipment
]
shall be controlled (see 5.6.2) from a panel in the Control Room to provide 1/2 hour start up capability.
C.
Physical and electrical separation of redundant portions of DHRS (EVS cooling system, primary makeup pumps, Instrumentation, and controls)
)
shall be provided.
Electrical power supplied to h ) electrical equipment shall be D.
Independent of off-site power.
f 1
E. dialt4 fontrol instrumentation and h electrical equipment shall f unction during and af ter an SSE.
F.
Capability for periodic calibration and testing of M electrical equipment shalI be provided.
DHRS is separate in function and equipment location from the Steam Generator Auxiliary Heat Removal System (SGAHRS), and there is no common sharing of instrumentation or controls between them.
j F.4-3
Page 27 INSERT - C.
The EVS Cooling System (described in Section 9.1.3) removes decay heat from fuel stored in the Ex-vessel Storage Tank.
The redundant liquid inetal cooling circuits using forced convection heat rejection and one liquid metal cooling circuit using natural draft heat rejection provide this function.
a f
I,
(
\\ Pcgn 28
'7.6.3.1.3 Eau 1oment DesIan I
As shown on Figure 5.!,, the DHRS is part ' f the primary sodium processing, o
and the EVS Sodlum Processing System.
Description of the functioning of these i
systems for reactor decay heat removal is provided in Sections 9.1.3 and 1 9.3.2.
The P&l diagrains are given in Figures 9.3-2 and 9.3-3.
Coud E C cool M stifo D DHR5felectrices equipment meets the design criteria listed in Section
\\
7.6.3.1.2 atove in the' folIowing manner:,
y t
,~
A.
Control Srstems Q K UGT 0 0) Q Sinc W The fof IowIng DHRstcontrof f unctions ere provided from separate, redundant control panels (local and main control room):
!~
(1) Remote, manual control of voltage to all NaK and" sodlum pumps.
(2) Remote manual control of ABHX dampers and f an speed.
-.\\
(3) Remote anuel override of pump and ABUX Interlock circuits.
f 3
.. ~
(4) Remote manual control of all valves required to provide DHR(c+ad 6Mif ctd[Arg i
B.
Monitoring" Instrumentation Sczne Instrumentation required to monitor the f unctional performance of the decay heat removal process loops is redundant from the sensor out to end including the readout panel, so that a single f ailure of an instrument, interconnecting cable or panel does not prevent the process loop from being monitored.
In those cases where a redundant sensor is not provided, separate Indicators on separate panels are provided. ner's redundant sensors are not provided, loss of the sensor does not prevent the sequisition of equivalent diagnostic (nformation frcrn other sensors on the process loop.
The following EVST cooVing and DHRS process variables are monitored with completely redundant instrumentation (sensors, cablliv and panels):
- (1) EVST outlet sodium tevnperatures i
- Required for post accident monitoring.
i The EVST cooling syste
, (escribed in Section 9,1.3 and the P&I diagram for the system is giver =a F lure 9.3-3.
4 7-(o ~3 %
~
~
Attrechm:nt to LEM-82-085 Page 29 C-The flow in the primary sodium overflow makeup loop and EVST NaK loops, and the EVST airblast heat exchanger f an speed is set at maximum design rates.
The only interlocks remaining active in DHRS during this mode of operation are those associated with protection of the NaK and sodium pumps against high temperature In'the pump stators. Manual override of this Interlock can also be perf ormed with the knowledge that pump damage and early f ailure could result.
7.6.3.2 Design Analvsis When DHRS is activated, all automatic controls are bypassed, the pumps and valves are remotely set to provide maximum flow through the DHRS 1. oops, and the airblast heat exchangers are remotely set to provide maximum cooling capabi l ity.
Control of the pumps and the airblast heat exchanger is provided from three separate locations:
a field panel adjacent to or in a cell adjacent to the equipment, a local panel in same building as the equipment, and the control panel in the main Control Room. The capability to provide power directly to the pumps, by bypassing all panel vcitage and interlock control functions, is also provided so that no control f unction f ailure can keep DHRS electrical equipment from operating.
~
The EVST cooling system is normally controlled from a local panel located in the Reactor Service Building.
In the event of the loss of this local control, the EV5, cooling system equipment control is transferred to the Auxiliary Liquid Metal System panel located in the Main Control Room.
All electrical equipment required for the functioning of the systems is classified as safety related and is qualified to IE requirements, and is provided with Class IE power supply, backed up by diesel generators to provide power during off-normal conditions.
I r
l l
t 7 6-3 d
Page 30 Item 92:
Sodium Purification System Comments:
Provide summary of IEC system functional design, redundance and rationale for safety classification of I&c.
Resolution:
PSAR Section 7.7.1.10 identifies those IEC systems that do not perform a safety related function and whose failure would not cause the failure of a safety related system to perform its safety related function.
Included is the Impurity Monitoring and Analysis System which is further discussed in Section 9.8.
Section 9.8.5 discusses the Instrumentation Requirements for the Impurity Monitoring and Analysis System none of which identify a safety related function for it.
Accordingly, the Impurity Monitoring and Analysis System is not discussed in Section 7.6 which discusses I&C Systems required for safety.
J j
Page 31 Item 96:
Q421.19 (Control System Failures)
Comments:
Obtain copy of Westinghouse response to this concern on SNUPPS.
Amend response.
Resolution:
The kesponse provided by SNUPPS to this concern was reviewed.
An amended CRBRP response (attached) includes an evaluation of the effects of control system failures, similar to that provided by SNUPPS.
This evaluation demonstrates that design criteria applied to the Plant Protection System and the Plant Control System adequately ensure their capability to maintain the plant in a safe condition, including events where one or more control systems sustain failures or malfunctions.
\\
, ~..
.=.
i Page 32 ouestion cs421.19 A number of concerns have been expressed regarding the adequacy of safety systems in mitigation of the kinds of control system f ailures that cculd actually occur at nuclear plants, as opposed to those analyzed in PSAR Chapter 15 safety analyses., Although the Chapter 15 enalyses are based on conservative assumptions regarding f ailures of single control systems, systematic reviews have not been reported to demonstrate that multiple control system f ailures beyond,the Chapter 15 analyses could not occur because of single events. Among the types of events that could initiate such multiple f ailures, the most significant are in our judgement those resulting from f ailure or malfunction of power supplies or sensors common to two or more control systems.
To provide assurance that the design basis event analyses adequately bound multiple control system f ailures you are requested to provide the following Information:
1)
Identify those control systems whose f ailure or malfunction could seriously impact plant safety.
2) lodicate which, if any, of the control systems identified in (1) receive power from common power sources. The power sources considered should Include all power sources whose f ailure or malfunction could lead to tellure or malfunction of more than one control system and should extend to the ef fects of cascading power losses due to the failure of higher level distribution panels and load centers.
l 3)
Indicate which, if any, of the control systems identified in (1) receive input signals from common sensors, common hydraulle headers, or common impulse 1Ines.
The PSAR should verify that the design criteria for the control systems wilI be such that simultaneous malfunctions of control systems which could result i
from failure of a power source, sensor, or' sensor impulse line supplying power or signals to more than one control system will be bounded by the analysis of anticipated operational occurrences in Chapter 15 of the Final Saf ety Analysis Report.
Remonse I
i n criteria for the Plant Protection System prohibits control syst malfunction endangering plant safety. Therefore, there are rol system failures or nctions that seriously impact ety because of prot,ection provided by the t Protection PPS). Failure In the fof Iowing controf systems could cause a reactor seran to occur:
Supervisory Control, Rea ntrol, PHT HTS Sodlum Flow Control, PHTS and lHTS Pump S
.ntrol, Drum Level Control an e Control. The Chapter 1 ysis envelopes the f ailure of multiple contro s due to los power since:
s
(
M EFLnce worn wasr -b y
QCS421.19-1 gy 199
Pega 33
-1C
- loss of of f site power, the PPS trips the control rods upon loss of
\\1)N or F
\\ power to the sodlum pumps. Action of the control system is irrelevant.
p
- 2) Pi-imary rod contrcl has redundant DG sets powered from non-UPS normal A and B. sources.
Loss of A or B does not affect rod motion.
For ) (ss of A
}
and B,e PPS trip occurs due to steam /feedwater mismatch resu ing from a turbine /geqerafor trip.
.s
,/
- 3) FatIure of eloctrIcol power (non-UPS normal A) to the pervisory*Controf Systems wIII not result in prim control rod and Reactor Contro( trol rod rate circuit will prpduce a zero rod rate withdrawal. The con signal with zero poweyallable. The worse thpt can, happen on the loss of non-UPS normal electrical power is a reduction In' coolant flow which is enveloped in the Chapter 1$ gnalysis.
For Supervisory Control, Reactor yntr 1( PijTS' Sodium Flow control and 4)
IHTS Sodium Flow Control, the dest rovides for controllers In different llerg.Qestoeliminatepowersupply j
cabinets each with redundant powe upp f ailures af fecting several co Superheater exit steam flow se rs ar'e shared b'y,the Supervisory Control and Drum Level Control Systems, t median select circdits are used to prevent single sensor failures for cauptng an abnormal condi'tlon and resulting i
I Loss of iowerA o the median select circuits will result In a f
reactor scram.
lowering of the stearrvd, rum, I'evel and a reduction in reactorspower.
The Plant The Protection Systemyril tr1p the reactor on a " low steam drum'tevel" trip.
loss of power t& The, median select causes the superheater exit \\ team flow signal to gof6 zero Indicating zero steam flow. This causes the steg drum level contr41,sy' stem to close the f eedwater control valves resulti In.a
. It also causes the supervisory coiRrol decrease In.the steam drum level.
t system-to decrease reactor power in order to keep reactor power equal to p s
th inal power as Indicated by the superheater exit steam flow signal.
N
.b 4
._ N
-i Amend. 69 QCS421.19-2 July 1982 j
Page 34 INSERT -)
Response
The design criteria for the Plant Protection System require that control system malfunctions do not as a consequence compromise the capability of plant systems to maintain the plant in a safe condition.
Accordingly, the Plant Protection System has been designed to provide continuing protection in the event of control system failures and malfunctions.
The Plant Protection System is designed as a safety related system and includes redundant instrument channels, qualified to safety grade requirements.
Where control actions are accomplished by plant control systems, functions important to safety are monitored through the plant protection system.
Thus, the Plant Protection System through its redundant sensory channels will sense and respond appropriately to the consequential effects of control system failures or malfunctions.
This includes failures or malfunctions within one control system that directly affect the functioning of other control systems, e.g.,
loss of a power supply common to several control systems, or shared sensory inputs.
Evaluation of the application of these design criteria applied to CRBRP Plant Protection System and Plant Control System involves analysis of postulated events which could propagate the effects of failures or malfunctions through more than one control system.
Events which are considered to cause or result in such propagation are:
1) loss of a single sensory instrument 2) loss of a single sensory instrument line 3) loss of power supply for all systems provided from a common power source (e.g., a single inverter supplying several systems).
l CRBRP control systems which may affect functions important to safety are:
A)
Supervisory Control B)
Reactor Control C)
PHTS and IHTS Sodium Flow Control D)
Steam Drum Level Control E)
Turbine Control i
Analysis of such events have been conducted for typical control
- systems, i.e.,
A) thru part of C) above.
PHTS Sodium Flow was included since the IHTS analysis gives similar but less severe results.
These analyses show that for postulated events considered in 1) thru 3) above the plant is maintained in a safe I
condition and no conditions result which are worse than those addressed in the PSAR Chapter 15, Accident Analyses.
l l
l
Page 35 The analyses assume initial conditions to be anywhere within the full operating power range of the plant (i.e., 0 - 100%), where applicable.
The results of the analysis indicate that, for any of the postulated events' considered in 1) thru 3) above, the accident analyses in Chapter 15 of the PSAR are bounding.
~ --
o Page 36 Loss of Any Single I_nstrument Median select circuits an used by the control systems itemized above to feedback signal.
provide the median of thme sensors as the controlFailure of on The analysis in this section goes beyond a sensor failure and considers a failure in the controller circuitry such that the feedback signal fails Table 1. Loss of Any Controller Feedback Signal. is an high or low.
evaluation of the effect on the control systems listed above caused by loss of the feedback signal either high or low.
For control action in Where no the unsafe direction, the bounding PSAR accident is listed.
control action occurs or where control action is in a safe direction, This table clearly shows that for the no bounding accident is given.
feedback signal failing high or low, events in Chapter 15 of the PSAR are bounding.
Loss of power to a Protection Separation Group This section analyzes the effects on the control systems caused by the If the bus to loss of an inverter powering a protection channel.
protection channel A. B~or C fails low, then the following PPS bufferedCha signals used by the control systems will drop to zero:
cormsponding to failed bus for reactor flux, primary sodium flow, and Since median select circuits are used to provide superheater steam flow.the median of the three buffered PPS signals as the signal, there will be no loss of control and no effect on the plant.
l Chapter 15 accident analysis is not applicable.
Loss of Power to Control Systems l
This section examines the effects on thd control systems caused by loss The supervisory, mactor of the power bus feeding the control systems.
and primary sodium flow control systems am powered from Non IE Syst The Bus 12NIF80258.and loss of this bus will affect all three systems.
Table 2 provides the effects on these systems a l.
of these buses.
Pega 37 Loss of Power to Con _ trol Systems (cont'd)
The table shows that loss of the control function results; however, no plant distuttance results and no reactor scram occurs.
Besides the lo'ss of power to crettel systems from the loss of a power 1
distribution bus, there is a chance of having an electrical fault on one of the control system circuit cards. The control systeus are designed so that each card is used in only one control system. A circuit card failure cannot directly impact more than one control system.
A failure on a control carti would cause the controller to generate either an "off" or a " full on" output, depending on the type of failure. This result would be similar to having the feedback signal fail high or low.
Therefore, the failure of or 1oss of power in any control system circuit card would be bounded by the Loss of Any Controller Feedback signal analysis described in Table 1.
Conclusions The preceeding sections including referenced tables have shown that failures of individual sensors, the loss of controller feedback signals, and loss of Power to protection channels and control systems all result in events which are bounded by Chapter 15 of the PSAR or results in events with no control or plant impact. Therefore, the PSAR Chapter 15 Accident Analysis adequately sounds the consequences of these fundamental failures.
i e
a I
l i
l l
Table 1.
Loss of Any Controller Feedback Signal Assuned Bounding Failure Fee &ack Direction Effect
_ Event Signal _
System l
l Primary Sodium Flow Primary Sodium to Primry pump speed Not applicable.,
increases if primry Flow Control flow control in auto mode.
Hi Primary pump speed If flow controller output l
decreases if primary change is greater than 10%,
flow control in auto pop speed does not change mode.
due to speed control mode transfer to manual (open loop).
If flow controller output change is less than 10% pump t
speed decreases over time.
Hence, bounding event is Spurious Primary Pump Trip (PSAR 15.3.1.2).
mJ m
Reactor Flux Reactor Control Lo Control rods are Bounding event is Malopera-w*
withdrawn if flux tion of Reactor Plant Con-control in auto until trollers (PSARSection15.2.2.3).
high flux or flux-to-flow deviation rod blocks stop rod motion.
Hi Control rods are Not applicable.
inserted if flux j
control in auto.
i i
Tabla 1 (cont'd):
4 Assuned Bounding l
Failure Event Effect_
Direction l
Feetback System Si< rial _
Bounding event is Maloperation Control rods are of Reactor Plant Controllers to Reactor Control withdrawn if core exit Ctre Exit Temperature temperature control in (PSAR Section 15.2.2.3).
auto until high flux or flux-to-flow deviation rod blocks stop rod motion.
i Not applicable.
l Hi Control rods are inserted if core exit temperature control in auto.
Bounding event is Maloperation Control rods am with-of Reactor Plant Controllers to Turbine Inlet drawn if turbine inlet i
Turbine Inlet Temperature Control temperatum control in (PSAR Section 15.2.2.3).
j Ternperature auto until high flux or l-flux-to-flow deviation j
rod blocks stop rod m
notion.
I Not applicable.
S Control rods are in-Hi serted if turbine inlet g
l tenverature control in l
auto.
Intennediate ptmp speed Not applicable.
to Turbine Inlet in all loops increases
)l Turbine Inlet Pressure Control if turbine inlet pressure Pressure control in auto.
l Bounding event is Loss of Off-Intermediate pump speed Site Electrical Power (PSAR Hi in all loops decreases Section 15.3.1.1).
if turbine inlet pressure control in auto.
i i
Tabb 1 (cont'd):
Assumed Feedback Failum Bounding Sip a_1_
System Dimction Effect Event _
Superheater Steam Unit Load Contml Lo Setpoints to all NSSS Not applicable.
l Flow (Load Programmer) control systems will decrease to 40% of j
design.
Hi Setpoints to all NSSS Bounding event is Maloperation control systems will of Reactor Plant Controllers i
intmase to 100% of (PSAR Section 15.2.2.3).
design.
i I
1 e
Table 2.
Loss of Peer to Control Systems Effect on Plant _
Bounding Event _
Effect on Systent System -
Not applicable.
No plant disturbance.
Loss of primary flow control Primary Flow Controller output (purp function.
speed demand) drops to zero. Speed Control controller transfers to manual maintaining pump speed constant upon sudden drop in setpoint.
Not app 1>
ble.
No plant disturt>ance.
Loss of reactor control function Reactor Control (core exit temperature and flux control). Rod rate signal drops to zero and direction sipals in open contact state indicating no rod movement.
Rods blocked.
Rod block sipal in open contact state indicating rod block, Not applicable.
No plant disturbance.
?
i For loss of 120 VAC bus, rod Rod position indication j
Primary Rod control function (Group Rod or All l ost. Rods stationary.
Control Single Rod Control) is lost.
0 primary rod position display infor-mation is lost. Movement of rods is inhibited.
No effect on plant if For loss of. 480 VAC bus, no loss of mdundant MG Set is running; I
contin 1 if other MG Set is running.
otherwise plant scram.
I NSSS Not applicable.
No plant disturbance.
Loss of supervisory control under control as discussed Supervisory Turbine load increase /
Steam dump under function.
above.
Control decrease signals in open contact pressure control. Turbine state indicating no change in load constant.
turbine load. Bypass control logic signal in pressure mode.
Page 42 Item 46:
Address relationship of PETS, IHTS and SGS with SHRS Comments:
Add to the PSAR a summary of DHRS instrumentation and control design criteria and how it is.
independent and separate from SGAHRS I&C.
Verify in PSAR*that DHRS IEC is safety related and separate
. from SGAHRS IEC.
A discussion of DHRS 'nstrumentation and controls i
Resolution:
including design criteria is provided in amended Section 7.6.3.
There it is stated that DHRS and SGAHRS do not share or have any common instrumentation or controls, including sensors, control circuits, or control panels.
Also, it is stated that the control and instrumentation for DHRS is classified as safety related.
Accordingly the controls and instrumentation have been designed to lE Safety Related requirements.
i i
l
~
l l
Page 43 htem51:
DHRS Instrumentation Comments:
Determine if there are any interlocks which are process dependent and are used to pince the Direct Heat Removal Service into service.
Resolution:
The Direct Heat Removal Service (DHRS) is as described in PSAR Section 5.6.2.3.9.
Sections 5.6.9.1 and 9.3 provide design, component, and operational aspects of the DHRS and 7.6.3 discusses DHRS instrumentation.
No interlocks, which are process dependent and which would be required for puting DHRS into service, and no inhibit logic which would prevent DHRS from starting up on operating, are provided.
i 0
_.,_,,.c--
--