ML20054C611

Forwards Request for Addl Info Re Instrumentation & Control Sys & Proposed Agenda for Future Branch Meetings
Person / Time
Site: Clinch River
Issue date: 04/09/1982
From: Check P
Office of Nuclear Reactor Regulation
To: Longenecker J
ENERGY, DEPT. OF
References
NUDOCS 8204210415


Text

April 9, 1982

Docket No.: 50-537

Distribution: Docket Files, DR, NSIC, CRBR Reading, R. Stark, C. Thomas, P. Check, W. Foster, P. Shutt1 h, J. Mauck, CRBR Staff

Mr. John R. Longenecker
Licensing and Environmental Coordination
Clinch River Breeder Reactor Plant
U. S. Department of Energy, NE-561
Washington, D. C. 20545

Dear Mr. Longenecker:

SUBJECT: CLINCH RIVER BREEDER REACTOR PLANT, REQUEST FOR ADDITIONAL INSTRUMENTATION AND CONTROL INFORMATION AND PROPOSED AGENDA FOR FUTURE MEETINGS

Enclosed is a request for additional instrumentation and control information (Enclosure A) and a proposed agenda for future I&C meetings (Enclosure B).

These items have resulted from meetings with your representatives and a continuation of the staff's review of Chapter 7 of the CRBR Preliminary Safety Analysis Report (PSAR).

The Instrumentation and Control Systems Branch (ICSB) would like to discuss items listed in Enclosure B at future meetings. These items resulted from our meetings, our continuing review, and the continuing review by our consultants from INEL. This review was based on Chapter 7 of the CRBR PSAR and covered information through Amendment 64. As a result of these future meetings and the continuation of our review, we anticipate that other questions and concerns may arise. Thus, the attached list should not be considered as a complete list of items to be resolved prior to issuing a Safety Evaluation Report.

We have not attempted to group items in Enclosure B in any particular way.

We suggest that you group the items in convenient sets such that each set can be discussed at an individual meeting lasting between two and five working days. We also suggest that each individual meeting include the minimum number of participants necessary to fully discuss the topics to be covered. You should also be prepared to discuss the pertinent details of fluid system and mechanical equipment with which the instrumentation and controls interface.

8204210415 820409 PDR ADOCK 05000537 A PDR

The reporting and/or recordkeeping requirements contained in this letter affect fewer than ten respondents; therefore, OMB clearance is not required under P.L. 96-511.

If you desire any discussion or clarification of the information requested, please contact R. H. Stark, Project Manager (301) 492-9732.

Sincerely,

Paul S. Check, Director
CRBR Program Office
Office of Nuclear Reactor Regulation

Enclosure: As stated

cc: Service List


cc:

Dr. Cadet H. Hand, Jr., Director, Bodega Marine Laboratory, University of California, P. O. Box 247, Bodega Bay, California 94923

Barbara A. Finamore, S. Jacob Scherr, Ellyn R. Weiss, Dr. Thomas B. Cochran, Natural Resources Defense Council, Inc., 1725 I Street, N.W., Suite 600, Washington, D.C. 20006

Daniel Swanson, Office of the Executive Legal Director, U. S. Nuclear Regulatory Commission, Washington, D.C. 20555

Eldon V. C. Greenberg, Tuttle & Taylor, 1901 L Street, N.W., Suite 805, Washington, D.C. 20036

William B. Hubbard, Esq., Assistant Attorney General, State of Tennessee, Office of the Attorney General, 450 James Robertson Parkway, Nashville, TN 37219

L. Ribb, LNR Associates, Nuclear Power Safety Consultants, 8605 Grimsby Court, Potomac, MD 20854

William E. Lantrip, Esq., City Attorney, Municipal Building, P. O. Box 1, Oak Ridge, TN 37830

George L. Edgar, Esq., Morgan, Lewis & Bockius, 1800 M Street, N.W., Washington, D.C. 20036

Herbert S. Sanger, Jr., Esq., General Counsel, Tennessee Valley Authority, Knoxville, TN 37902

Chase Stephens, Chief, Docketing and Service Section, Office of the Secretary, U. S. Nuclear Regulatory Commission, Washington, D.C. 20555

Raymond L. Copeland, Project Management Corp., P. O. Box U, Oak Ridge, Tennessee 37830

ENCLOSURE A

ITEMS REQUIRING FORMAL DOCUMENTATION AND/OR PSAR CHANGES AS A RESULT OF MEETINGS WITH THE CRBR APPLICANTS

CS 421.01 During meetings with the applicants and Westinghouse, several discussions have been held concerning the fact that the primary and secondary shutdown systems do not each, individually, comply with Section 4.7.3 of IEEE-279 on Control and Protection System Interaction.

The applicants should document for inclusion in the PSAR the justification of the adequacy of the proposed design for complying with Section 4.7.3 of IEEE-279.

This justification should include a discussion of the system adequacy with respect to control and protection system interaction during periodic testing of a protection system channel or when a protection system channel is out of service for maintenance.

If the justification includes the use of a median selector for control signals, plans to periodically test the median selector during plant operation should also be discussed.

CS 421.02 The staff requires that the applicant document how the CRBR primary and secondary shutdown systems meet GDC 20 through 29. Also, provide documentation showing the separation maintained between the shutdown systems, the independency of the shutdown systems, common mode failures of the shutdown systems (i.e., sharing of inverters, an overvoltage or over/under frequency in the Reactor Protection system power supply), the testability of the shutdown systems, manual initiation for both systems, diversity of the shutdown system electrical circuitry components, and how each of the shutdown systems independently meet IEEE-279.

CS 421.03 Provide a list of safety grade trips and non-safety grade trips for the Reactor Protection system.

Provide confirmation that credit will be taken for only the safety grade trips in the analysis of Chapter 15.

CS 421.04 The applicant should formally submit a diagram of the auxiliary feedwater system showing the division assignments for all valves and safety grade instrumentation and controls. A discussion should be included to indicate the normal position and position upon loss of power of each valve.

In your presentation, and in Section 7.4.1.1.6, credit is taken for the feedwater isolation valve to fail safe in the open position upon loss of electrical power. Justify this fail-safe analysis for all incidents (i.e., hot shorts, power supply overvoltage, etc.) that could prevent operation of this isolation valve.

CS 421.05 Section 7.6 of the PSAR states that the Radiation Monitoring System contains safety related components which are discussed in Chapter 11.

However, Chapter 11 does not discuss these safety related components. Correct the PSAR to identify the safety related components of the Radiation Monitoring System.

CS 421.06 The CRBR PSAR Table 7.1-3 of Chapter 7.0 page 7.1-1 Amendment 57 Nov. 1980 lists the applicable IEEE Standards for the safety related instrumentation and control systems.

The following listed standards need to be updated to the shown revision.

As Listed        Revise To
IEEE-308-1974    IEEE-308-1978
IEEE-317-1972    IEEE-317-1976
IEEE-334-1971    IEEE-334-1974
IEEE-336-1971    IEEE-336-1977
IEEE-338-1971    IEEE-338-1977
IEEE-352-1974    IEEE-352-1975
IEEE-379-1972    IEEE-379-1977
IEEE-384-1974    IEEE-384-1977

Expand all references to IEEE Standards to include the year of the particular Standard that is being referred to in the PSAR.

Update Tables 7.1-2 and 7.1-3.

CS 421.07 Various instrumentation and control system circuits in the plant (including the reactor protection system, engineered safety features actuation system, instrument power supply distribution system) rely on certain devices to provide electrical isolation (PSAR 7.2.2) capability in order to maintain the independence between redundant safety circuits and between safety circuits and non-safety circuits.

Therefore, provide the following information:

a) Identify the types of isolation devices which define the Class 1E boundary for interfaces between the safety circuits and non-safety circuits.

b) Provide the acceptance criteria for each isolation device identified in response to part a above.

c) Describe the type of testing that will be conducted on the isolation devices to ensure adequate protection against EMI (i.e., noise), short-circuit failures, voltage faults, and/or surges.

CS 421.08 Document the design provisions for conducting response time tests of BOP and NSSS protection systems in accordance with R. G. 1.118.

Identify safety-related systems that do not have provisions for response time testing.

Discuss the techniques to be used to periodically measure safety-related sensor time responses.

CS 421.09 Identify where instrument sensors or transmitters supplying information to more than one protection channel, to both a protection channel and control channel, or to more than one control channel, are located in a common instrument line or connected to a common instrument tap.

The intent of this item is to verify that a single failure in a common instrument line or tap (such as break or blockage) cannot defeat required protection system redundancy.

CS 421.10 Identify any sensors or circuits used to provide input signals to the protection system which are located or routed through non-seismically qualified structures.

This should include sensors or circuits providing input for reactor trip, emergency safeguards equipment, and safety grade interlocks.

Verification should be provided that the sensors and circuits meet IEEE-279 and are seismically and environmentally qualified.

Testing or analyses performed to insure that failures of non-seismic structures, mountings, etc., will not cause failures which could interfere with the operation of any other portion of the protection system should be discussed.

CS 421.11 Verify that a failure modes and effects analysis will be performed for each of the ESF systems identified in Section 7.3.1.

CS 421.12 The staff has recently issued Revision 2 to Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident".

This revision reflects a number of major changes in post-accident instrumentation, and includes specific implementation requirements for plants in the license review stage.

Discuss this Reg. Guide and how it is applicable to the Breeder.

CS 421.13 Provide and describe information for NSSS and BOP safety related setpoints that verifies that environmental error allowances will be based on the highest value determined in qualification testing.

CS 421.14 Discuss the CRBR design pertaining to bypassed and inoperable status indication. As a minimum, provide information to describe:

1. Means to be used for compliance with the recommendations of R. G. 1.47,

2. The design philosophy to be used in the selection of equipment/systems to be monitored,

3. How the design of the bypass and inoperable status indication systems will comply with positions B1 through B6 of ICSB Branch Technical Position No. 21.

The design philosophy should describe as a minimum the criteria to be employed in the display of inter-relationships and dependencies on equipment/systems and should insure that bypassing or deliberately induced inoperability of any auxiliary or support system will automatically indicate all safety systems affected.

CS 421.15 Identify and document where microprocessors, multiplexers, or computer systems may be used in or interface with safety-related systems.

CS 421.16 I & E Bulletin 80-06 addressed concerns related to safety equipment not remaining in its emergency mode upon reset.

The applicant should specify and justify any places in the design of CRBR safety system logic where safety equipment will not remain in its emergency mode upon reset of an engineered safeguards actuation signal.

CS 421.17 The information supplied for remote shutdown (PSAR Section 7.4.3) from outside the control room is insufficient.

Therefore, provide further discussion to describe the capability of achieving hot or cold shutdown from outside the control room.

As a minimum, provide the following information:

a) A table listing the controls and display instrumentation required for hot and cold shutdown from outside the control room. Identify the train assignments for the safety related equipment.

b) Design basis for selection of instrumentation and control equipment on the hot shutdown panel,

c) Location of transfer switches and the remote control station.

d) Description of distinct control features to both restrict and to assure access, when necessary, to the displays and control located outside the control room.

e) Description of isolation, separation and transfer/override provisions. This should include the design basis for preventing electrical interaction between the control room and remote shutdown equipment.

f) Description of control room annunciation of remote control or overridden status of devices under local control.

g) Description of compliance with the staff's Remote Shutdown Panel position.

CS 421.18 Provide documentation that verifies that control provided for safe shutdown from outside the control room will include the capability for reset of any engineered safety features equipment having a high likelihood of being automatically initiated during the normal transient occurring following a manual reactor trip.

For example, the auxiliary feedwater system may be in this category.

CS 421.19 A number of concerns have been expressed regarding the adequacy of safety systems in mitigation of the kinds of control system failures that could actually occur at nuclear plants, as opposed to those analyzed in PSAR Chapter 15 safety analyses.

Although the Chapter 15 analyses are based on conservative assumptions regarding failures of single control systems, systematic reviews have not been reported to demonstrate that multiple control system failures beyond the Chapter 15 analyses could not occur because of single events. Among the types of events that could initiate such multiple failures, the most significant are in our judgement those resulting from failure or malfunction of power supplies or sensors common to two or more control systems.

To provide assurance that the design basis event analyses adequately bound multiple control system failures you are requested to provide the following information:

1) Identify those control systems whose failure or malfunction could seriously impact plant safety.

2) Indicate which, if any, of the control systems identified in (1) receive power from common power sources. The power sources considered should include all power sources whose failure or malfunction could lead to failure or malfunction of more than one control system and should extend to the effects of cascading power losses due to the failure of higher level distribution panels and load centers.

3) Indicate which, if any, of the control systems identified in (1) receive input signals from common sensors, common hydraulic headers, or common impulse lines.

The PSAR should verify that the design criteria for the control systems will be such that simultaneous malfunctions of control systems which could result from failure of a power source, sensor, or sensor impulse line supplying power or signals to more than one control system will be bounded by the analysis of anticipated operational occurrences in Chapter 15 of the Final Safety Analysis Report.

CS 421.20 As a result of the Loose Parts Monitoring Briefing held on February 24, 1982, the staff requires a formal submittal for the following:

(1) An analysis for all loose objects that can occur in the primary, intermediate, and the steam systems and their effect on safety.

(2) An analysis for the potential effects of crud on safety.

(3) An analysis for a system to detect failures through a noise diagnostic program.

(4) Criteria for a system that will satisfy Regulatory Guide 1.133 (i.e., CRBR needs to develop their own threshold analysis).

(5) The design concepts being considered with a demonstration of feasibility.

CS 421.21 If control systems are exposed to the environment resulting from the rupture of steam lines or feedwater lines, the control systems may malfunction in a manner which would cause consequences to be more severe than assumed in safety analyses.

I&E Information Notice 79-22 discusses certain non-safety grade or control equipment, which if subjected to the adverse environment of a high energy line break, could impact the safety analyses and the adequacy of the protection functions performed by the safety grade systems.

The applicant should confirm in the PSAR that design bases for instrumentation and control systems will include a design criterion that high energy line breaks will not cause control system failures to complicate any event beyond the PSAR analysis.

The specific "scenarios" discussed in the above referenced Information Notice are to be considered as examples of the kinds of interactions which might occur.

Your control system design should include those scenarios, where applicable, but should not necessarily be limited to them.

CS 421.22 The information supplied in PSAR Section 7.5 concentrates on the information and monitoring systems but does not provide sufficient information to describe safety related display instrumentation needed for all operating conditions.

Therefore, please expand the PSAR to provide as a minimum additional information on the following:

1. ESF Systems Monitoring

2. ESF Support Systems Monitoring

3. Reactor Protective System Monitoring

4. Rod Position Indication System

5. Plant Process Display Instrumentation

6. Control Boards and Annunciators

7. Bypass and Inoperable Status Indication

8. Control Room Habitability Instrumentation

9. Residual Heat Removal Instrumentation

CS 421.23 In the CRBR PSAR Section 7.6, several instrumentation and control systems are listed as being required for safety which have not been included in the following discussion in Section 7.6.

It is apparent from our review of this section that these are systems which have been omitted and also, have not been completed.

The staff requires additional information to complete our review of Section 7.6.

ENCLOSURE B

PROPOSED AGENDA FOR MEETING(S) WITH CRBR APPLICANTS ON INSTRUMENTATION AND CONTROLS

Following is a list of items for discussion at one or more additional meetings with the applicant to provide the NRC staff with information required to understand the design bases and the feasibility of design implementation for the instrumentation and control systems on the CRBR project.

The applicants should be prepared to use instrument, control, and fluid system schematics at the meetings in explaining system designs and to demonstrate the feasibility of meeting the design bases and regulatory criteria.

It would be useful if we could be provided with drawing numbers (and the drawings if not already submitted to us) of drawings to be used by CRBR personnel for discussion of each item.

If possible, we would like to have this information two weeks in advance of the meeting where the drawing will be discussed.

CS 421.24 In the PSAR Section 7.5.6.14, a limited description of the CRBR Sodium Dump system is presented.

Provide a detailed discussion of this system and present a single failure analysis for this system.

CS 421.25 With regard to Question 222.63, it appears from Figure 7.2-2E that a failure in a test switch with permissive outputs may prevent tripping of the corresponding primary or intermediate pump.

Provide a discussion of such an event.

CS 421.26 In the PSAR, Section 7.4.1.1.2 discusses the Protected Air Cooled Condenser (PACC) and how air flow through it is controlled by a combination of fan blade pitch and inlet louver position.

The staff requires a detailed discussion of this instrumentation and in particular the method used for fan blade pitch indications.

CS 421.27 In the PSAR Section 7.3, the statement is made that the initiation of containment isolation is the only Engineered Safety Feature (ESF) identified which requires a description in this Section.

Chapter 6 of the PSAR denotes several systems (Annulus Filtration System, Reactor Service Building Filtration System, and the Residual Heat Removal System including SGAHRS and OHRS) in addition to the Containment Isolation System as being part of the ESF System.

Justify why these systems aren't included in Section 7.3 of the PSAR.

Also, the staff believes that the Sodium-Water Reactor Pressure Relief System (SWRPS) should be classified as part of the ESF System.

Describe the actions to be automatically initiated or to be initiated by operators to mitigate sodium-water reactions. The discussions should include actions necessary to protect public safety or avoid an unanalyzed plant upset.

CS 421.28 Section 7.5.6.2 of the PSAR dealing with the Sodium-Water Reactor Pressure Relief System (SWRPRS) states:

"SWRPRS equipment whose failure could cause loss of decay heat removal capability to the SGAHRS is safety related. Any credible single failure in the SWRPRS can lead to the failure of at most one of the three decay heat removal loops. Since the three decay heat removal loops are redundant and independent, the SGAHRS will meet the single failure criterion and the adequacy of the decay heat removal system following a credible single failure in the SWRPRS is assured."

Provide details explaining the interrelationships of the SWRPRS and the SGAHRS.

CS 421.29 Discuss in further detail the measurement system used for detecting a sodium-water reaction (PSAR Section 7.5.5.31) and how this system meets IEEE-279.

Do the hydrogen detectors cause loop isolation at their setpoints?

CS 421.30 To extend our review, the staff (ICSB & EG&G) each require a set of one line I&C drawings for the safety related CRBR systems.

Drawings should also be provided that indicate the separation used in the CRBR design.

CS 421.31 Address the adequacy of the Reactor Vessel level gauges with emphasis on the lack of diversity, the level range chosen, the method selected, and the effects of temperature on the level accuracy.

Provide this same discussion for the level probes in the Sodium expansion tank, the sodium dump tank, and the sodium pump tank. Also, discuss the provisions made for sodium level measurements in the intermediate system.

CS 421.32 Upon reviewing the PSAR Section 7.7.1.10, it is apparent that the Sodium Fire Protection System is proposed as a non-safety system.

Justify this classification.

CS 421.33 Does the safety-related instrumentation in contact with a Sodium or Sodium Potassium (PSAR Section 7.5.2.1.1) environment meet IEEE-279, Section 4.5? Include a discussion of freeze protection for this environment.

CS 421.34 PSAR Section 7.5.2.1.2 states in part that a signal is provided to the control room indicating that the pony motor is running.

The staff requires more information with regard to the CRBR pony motor instrumentation and control system.

In particular, the initiation signals for the pony motors, manual initiation capability, qualifications for the system, and the design criteria for the system should be discussed.

PSAR Section 7.5.6.1.1 states in part that the sodium pony motor is tripped upon a large leak detection.

Discuss the safety aspects of this trip and provide the staff information on other signals that will trip the pony motors.

CS 421.35 Provide a more detailed discussion (PSAR Section 7.5.4.1.1) on the argon cover gas monitoring system and indicate the design criteria for this system.

Also, Section 7.5.4.1.1 indicates that a mini-computer will be used for cover gas analyses, discuss the use of this mini-computer and how its failure relates to system operation.

CS 421.36 Provide a more detailed discussion of the CRBR Leak Detection System and how it meets the provisions contained in the Light Water Reactor Regulatory Guide 1.45.

The discussion should include detection methods, detector sensitivity, detector response time, signal correlations and calibration, seismic qualification, testability and the provisions for technical specifications.

CS 421.37 Discuss the provisions made for alarming a zero or negative differential pressure (PSAR Section 7.5.5.2.1) as to sensor-type, location, setpoints, testability, and annunciation.

CS 421.38 Section 7.4.2.1.4 of the PSAR states:

"Control interlocks and operator overrides associated with the operation of the superheater outlet isolation valves have not been completely defined".

Have these interlocks and overrides now been defined?

CS 421.39 Section 7.5.4 of the PSAR deals with the Fuel Failure Monitoring (FFM) system.

There are no requirements or criteria delineated in the PSAR for this system. Discuss the design criteria for this system.

CS 421.40 Section 7.6.4.2 of the PSAR states:

"Instrumentation and control are provided to comply with CRBRP General Design Criterion 13, Section 3.1.3".

A review of the CRBR Program Office Preliminary Design Criteria of 1976 and those revised in 1981 do not have a Section 3.1.3 to Criterion 13.

Is there a different set of criteria being used?

CS 421.41 Section 7.7.1 of the PSAR deals with the Plant Control System.

The section states in part:

"The automatic control includes two modes: a reactor follow mode in which the plant is operated based on a reactor power level established by the plant operators; and load follow mode in which the plant responds to the load demand from the operator or the utility Automatic Load Dispatch System. The automatic control system maintains the temperatures, flows, and pressures according to a specified plant load profile shown in Figure 5.7-1 and 5.7-2".

In the second mode, the plant responds to the load demand from the operator or the utility Automatic Load Dispatch System.

This system is not identified as part of the Plant Control System and cannot be identified as being located in the reactor control room.

Therefore, does the dispatcher have control of the Automatic Load Dispatch System?

If so, discuss the means to defeat the automatic load dispatch system if it is concluded at the time of the operating license review that automatic load dispatching is not permitted.

CS 421.42 Section 7.1.2 and 7.2.2 of Chapter 7 of the PSAR reference the use of IEEE standards.

Other sections in Chapter 7 make reference to Section 7.1.2 but do not identify specific IEEE standards which were implemented in the system design.

Justify why section 7.3 through 7.7 of the PSAR do not provide enough information to determine whether the IEEE standards are implemented in the design.

CS 421.43 Section 7.7.1.3.2 of the PSAR deals with the Rod Position Indication System.

Discuss the design criteria for this system?

CS 421.44 Seismic Instrumentation is provided for the CRBR.

For earthquake events, this instrumentation would be vital to the reactor operator.

This instrumentation is not included in the systems described in Chapter 7 of the PSAR.

Provide the design criteria for the seismic instrumentation.

CS 421.45 Describe features of the CRBR environmental control system which insure that instrumentation sensing and sampling lines for systems important to safety are protected from freezing during extremely cold weather.

Discuss the use of environmental monitoring and alarm systems to prevent loss of, or damage to, systems important to safety upon failure of the environmental control system.

Discuss electrical independence of the environmental control system circuits, and the monitoring/alarm circuits.

CS 421.46 As called for in Section 7.1 of the Standard Review Plan, provide information as to how your design conforms with the following TMI Action Plan Items as described in NUREG-0737:

a) II.D.3 - Relief and safety valve position indication

b) II.E.4.2 - Containment isolation dependability (positions 4, 5, and 7)

c) II.K.3 - Final recommendations
   .9 - PID controller
   .12 - Anticipatory reactor trip

It has been the case for light water reactors to provide an anticipatory reactor trip following a turbine trip directly from the turbine bypass and/or control valves.

In the PSAR, Table 7.2-2 indicates that a turbine trip will cause a Reactor trip upon a steam feedwater flow mismatch and/or steam drum level indication.

Justify the lack of an anticipatory reactor trip initiated from turbine bypass or control valve closure.

CS 421.47 Discuss the design bases for the ventilation systems used for engineered safety feature areas including areas containing systems required for safe shutdown.

The discussion should cover redundancy, testability, etc.

CS 421.48 Using system schematics, describe the sequence for periodic testing of the:

a) outlet steam isolation valves

b) main feedwater control valves

c) main feedwater isolation valves

d) auxiliary feedwater system

e) Pressure Relief valves at Superheater

The discussion should include features used to insure the availability of the safety function during test and measures taken to insure that equipment cannot be left in a bypassed condition after test completion.

CS 421.49 Discuss the design of the CRBR purge system.

Provide the effects of the argon purging of the cover gas spaces on the Radioactive Argon Processing System's Measurement of tag samples (CRBR PSAR Section 7.5.4.1.3).

CS 421.50 Please discuss how a single failure within the Plant Service Water System and/or the Emergency Chilled Water system affects safe shutdown.

CS 421.51 Using drawings (schematics, P&IDs), describe the automatic and manual operation and control of the atmospheric relief valves (superheater).

Describe how the design complies with the requirements of IEEE-279 (i.e., testability, single failure, redundancy, indication of operability, direct valve position indication in control room, etc.).

CS 421.52 Describe how the effects of high temperatures in reference legs of steam drum water level measuring instruments subsequent to high energy breaks are evaluated and compensated for in determining setpoints.

Identify and describe any modifications planned or taken in response to IEB 79-21.

Also, describe the level measurement errors due to environmental temperature effects on other level instruments using reference legs.

CS 421.53 Section 7.2.1.1, paragraph 2, of the PSAR states the Primary RSS is comprised of 24 subsystems and the Secondary RSS is comprised of 16 subsystems.

Each of these subsystems consists of three physically separate redundant instrument channels.

This information contradicts the information in Table 7.2-1 and Figure 7.2-2B and 7.2-2D which shows there are 8 subsystems in the Primary RSS and 7 subsystems in the Secondary RSS.

Shouldn't it be that the Primary RSS allows 24 inputs, the Secondary RSS allows 16 inputs?

There are 8 subsystems in the Primary RSS providing 17 inputs to the Primary RSS logic and the Secondary RSS consists of 7 subsystems providing 16 inputs to the Secondary RSS logic as follows:

PLANT PROTECTION SYSTEM PROTECTIVE FUNCTIONS

Primary Reactor Shutdown System                      No. of Inputs
1. Flux-Delayed Flux (Positive and Negative)         2
2. Flux-Pressure                                     1
3. High Flux                                         1
4. Primary to Intermediate Speed Mismatch            3
5. Pump Electrics                                    3
6. Reactor Vessel Level                              1
7. Steam-Feedwater Flow Mismatch                     3
8. IHX Primary Outlet Temperature                    3
   Spare                                             7

Secondary Reactor Shutdown System                    No. of Inputs
1. Modified Nuclear Rate (Positive and Negative)     2
2. Flux-Total Flow                                   2
3. Startup Nuclear                                   1
4. Primary to Intermediate Flow Ratio                2
5. Steam Drum Level                                  3
6. Evaporator Outlet Sodium Temperature              3
7. Sodium Water Reaction                             3
   Spare                                             0

CS 421.54 Section 7.1.2.1 of the PSAR states the PPS includes the Reactor Shutdown System (RSS), the Containment Isolation System (CIS), and the Shutdown Heat Removal System (SHRS).

Table 7.5-1 of the PSAR states that the following are safety-related subsystems and part of the PPS.

- Wide Range Flux Monitoring
- Power Range Flux Monitoring
- Reactor Inlet Pressure
- Primary and Intermediate Flow on Heat Transport Loops
- Evaporation Sodium Outlet Temperature on Heat Transport loops
- Primary / Secondary Pump Speed on Sodium Pumps
- Feedwater Flow on Steam Generator
- Feedwater Temperature on Steam Generator
- Superheat Steam Temperature on Steam Generator
- Steam Drum Pressure on Steam Generator
- Superheat Steam Pressure on Steam Generator
- Rupture Discs Operation on Sodium-Water Reactor Pressure Relief

Why aren't these subsystems covered as part of the PPS in Section 7.1.2.1 of the PSAR?

CS 421.55 Section 7.2.2 of the PSAR provides the General Functional Requirements.

The periodic testing requirement states that the Plant Protection System (PPS) is designed to permit periodic testing of its functioning including actuation devices during reactor operation.

It is not apparent from the PSAR, Chapter 7, that the PPS subsystems identified in Table 7.5-1 meet the general periodic testing requirement.

CS 421.56 Discuss the reason for not providing spare inputs to the Secondary Shutdown System since the Primary Shutdown System has seven spare inputs.

CS 421.57 PSAR Section 7.7.1.5 discusses steam drum water level control.

Discuss the operation of this control system.

Include information on what consequences (i.e., overfilling the steam generator system and causing water flow into the steam piping, etc.) might result from a steam generator level control channel failure.

Be sure to discuss the high-high (12 inches) steam generator level logic used for main feedwater isolation.

CS 421.58 Recent review of a plant (Waterford) revealed a situation where heaters are to be used to control temperature and humidity within insulated cabinets housing electrical transmitters that provide input signals to the reactor protection system.

These cabinet heaters were found to be unqualified and a concern was raised since possible failure of the heaters could potentially degrade the transmitters, etc.

Please address the above design as it pertains to CRBR.

If cabinet heaters are used then describe as a minimum the design criteria used for the heaters.

CS 421.59 Table 7.1.4 gives a list of RDT Standards applicable to Safety Related Instrumentation and Control Systems. The RDT standards are intended for use by non-commercial reactors, therefore the staff does not normally require compliance with these standards.

However, since the applicant is taking credit for their applicability, we have reviewed the CRBR design using criteria noted in RDT Standard C16-1T and the following items were noted:

1. Section 7.2.2 of the PSAR states:

"The Plant Protection System meets the safety related channel performance and reliability requirements of the NRC General Design Criteria, RDT Standard C16-1T, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other appropriate criteria and standards."

RDT Standard C16-1T states in Section 3.1.3 the following:

"The PPS does not directly include the reactor operator in implementing a Protective Function.

However, manual control devices for manual initiation of each and every Protective Action are required for defense against unanticipated events.

These manual control devices are considered part of the PPS."

Section 7.2.2 of the PSAR also states:

"The Plant Protection System includes means for manual initiation of each protective action at the system level with no single failure preventing initiation of the protective action.

Manual initiation depends upon the operation of a minimum of equipment because the manual trip directly operates the scram breakers, solenoid scram valve power supply, or equivalent for Shutdown Heat Removal and Containment Isolation System."

Are the RSS, the Shutdown Heat Removal System, and the Containment Isolation System the only systems of the PPS that initiate a Protective Action?

2. RDT C16-1T states the following in Section 3.2.3.4:

"The PPS shall limit the consequences of:

- two concurrent independent Unlikely Faults,

- other combinations of concurrent independent faults designated by the RSD (Responsible System Designer),

to a severity level less than that of the Design Basis Accident."

Has the analysis for the PPS been based to include the two above conditions?

3. RDT C16-1T states the following in Section 3.2.4:

"The Protective Functions established by the RSD as required in Section 3.2 shall be listed in a tabular format containing, but not limited to, the following column headings:

Protective function; incident, or excursion requiring the specified Protective Action; reference to design basis documentation; monitored variable, including important limitations; Protective Action required; time permitted for completion of Protective Action; critical plant variable (not necessarily a measured variable); permissible limit on critical variable; Protective Margin; worse case Set Point; required or acceptable instrument Accuracy; nominal Set Point; remarks."

Review of the PSAR and SDD Number 99 does not provide the information.

Is this information documented elsewhere?

4. RDT C16-1T states the following in Section 3.3:

"3.3 Essential Performance Requirements (EPR)

The EPR for all relevant PPS equipment shall be determined using the results of the analyses that establish each of the required Protective Functions, together with the environmental conditions to which the Protective Subsystem(s) in question will be subjected.

The most stringent performance requirements so determined shall be the basis for the equipment specifications.

3.3.1 Range of Environmental Conditions

The Design Basis shall contain a statement of the range of environmental conditions under which the PPS must perform during normal, abnormal, and accident conditions, for example:

- transient and steady-state conditions of the electric power supply (voltage, frequency);
- transient and steady-state conditions of other utility supplies (coolant, compressed air or gas, etc.);
- temperature;
- humidity;
- pressure;
- vibration;
- radiation.

3.3.2 Credible Single Events

The Design Basis shall contain a list of the malfunctions, accidents, and natural events against which the PPS is to have defenses, for example:

- falling objects;
- single structural failures;
- leaking or broken supply piping (local flooding);
- local fires;
- local explosions;
- missiles;
- lightning;
- wind;
- earthquake.

3.3.3 Instrument Channels

The Essential Performance Requirements of each Instrument Channel shall be determined from the requirements for each Protective function tabulated as required by Section 3.2 and shall be documented by the PPS designer.

The following are examples of Instrument Channel EPR's which should be listed:

- Accuracy,
- response time,
- Repeatability,
- Sensitivity,
- gain,
- range,
- span,
- range of environmental conditions and utility supplies within which the EPR must be met,
- range of environmental conditions and utility supplies within which the EPR need not be met, but damage to the PPS Components is not incurred.

3.3.4 Logic Elements

The EPR of the Logic Elements shall be determined for the limiting Protective Function tabulated as required by Section 3.2, and shall be documented by the PPS designer.

The following are examples of logic element EPR's which should be listed:

- response time,
- hysteresis,
- range of environmental conditions and utility supplies within which the EPR must be met,
- range of environmental conditions and utility supplies within which the EPR need not be met, but damage to the PPS Components is not incurred,

provided that these ranges differ from those specified for the Instrument Channels.

3.3.5 Actuators

The EPR of the Actuators shall be determined for the limiting Protective Function tabulated as required by Section 3.2, and shall be documented by the PPS designer.

The following are examples of Actuator EPR's which should be listed:

- design life;
- device release time;
- acceleration;
- environmental conditions;
- force, horsepower, torque;
- reliability;
- velocity;
- control valve stroke time;
- pneumatic operator fill time;
- structural constraints.

NOTE: This list of EPR's refers mainly to control (shim, safety) rods and valves. A conceptually related list should be prepared for other devices.

3.3.6 Power Sources

The Design Basis shall list the characteristics of the essential load requirements and the length of time each must be carried and state the required source of power for each.

3.3.7 Testing

The Design Basis shall identify and provide justification for the type of testing (either periodic, monitoring, or none) which will be used to confirm the ability of each item of PPS equipment to meet each of its EPR's."

Are these to be found in the Design Basis? They are not found in the PSAR or SDD.

5. RDT C16-1T states the following in Section 4.4:

"PPS equipment and its installation shall be of a quality consistent with the reliability requirements of paragraph 4.1.2.

Prior to initial reactor operation, it shall be established for the entire PPS that all Components are fundamentally capable of meeting the requirements set forth in the Design Basis, and the quality assurance program requirements set forth in Section 5.

Compliance with applicable requirements of MIL-N-52335 is recommended but not required."

Are there intentions to show or is it documented somewhere that the instrumentation meets the requirements set forth in the Design Basis?

This type of information is not found in the PSAR or SDD.

6. RDT C16-1T states the following in Section 4.5.7:

"Instrument Channel Bypasses shall not be provided unless justified by the RSD.

If justified, provisions may be made for permanently installed arrangements to routinely Bypass single Instrument Channels in only those systems that have "extra" redundancy, such as 2-of-4 or 1-of-3 systems.

Bypasses are not allowed in designs having 1-of-2 taken twice.

The system must be able to carry out every Protective Function after any Internal Random Failure at all times.

These provisions shall meet the following requirements.

a. Means shall be provided to limit the number of Instrument Channels that can be bypassed at a given time in order that redundancy shall be maintained.

b. The fact that any Instrument Channel is bypassed shall be visually and audibly annunciated in the control room. The annunciation shall identify the Instrument Channel being bypassed. Reset of the audible annunciation shall require a deliberate manual action by the operator.

c. Test means shall be provided for the purpose of confirming proper Instrument Channel reconnection after removal of a Bypass.

d. The means provided for bypassing shall not cause the violation of any of the requirements of this Standard. Particular attention shall be given to meeting the requirements of Section 4.2.

Unanticipated conditions may require Instrument Channel Bypasses until formal bypassing means can be designed and installed. Also, certain maintenance and troubleshooting operations may require temporary Bypasses.

Such Bypasses are potentially unsafe and are to be avoided as a means for routinely altering Protective Functions.

When such Bypasses cannot be avoided, supervised Instrument Channel Bypasses may be applied manually on an individual basis. Adequate administrative control is required to insure that a sufficient number of Instrument Channels will not be bypassed to negate a Protective function and that such a Bypass is removed when no longer required. Additionally, provisions are necessary to confirm that the Instrument Channel operates properly after the Bypass is removed.

Administrative control of such temporary Bypasses shall meet the intent of the requirements of this paragraph, a through d above.

See also paragraph 4.8.3."

The requirement allows instrument channel bypasses, but does not allow bypassing of entire systems which provide protective functions.

Has an exception been taken to this requirement?

7. If bypassing of the PPS systems is accomplished by operating mode selection then Section 4.5.8 of RDT C16-1T states:

"The PPS shall be arranged so that the required protection is obtained automatically when the reactor operating mode is selected."

For any PPS bypasses using operating mode selection, do they meet the requirement of Section 4.5.8?

8. RDT C16-1T, Section 4.5.9 states the following:

"The operator shall be provided with accurate, complete, and timely information pertinent to the plant conditions requiring Protective Action and to the status of each Protective Subsystem and the PPS as a whole.

This information shall include but not be limited to the following:

a. A recording or indication of each plant variable required to be monitored in order to provide Protective Action (see paragraph 4.6.3.2). If a sampled data system is used, the sampling frequency shall be consistent with the maximum rate of change of the recorded variable.

b. Status of Bypasses.

c. Indication of the position of Actuators (on-off, open-closed, or variable position indication shall be dictated by the operating mode of the Actuator in question). The status shall be monitored by the most practical means consistent with paragraph 4.5.1.

d. State of each Instrument Channel output Bistable in the PPS. The fact that a channel output Bistable has tripped shall be visually and audibly annunciated in the control room and reset of the visual annunciator shall require deliberate manual action by the plant operator. The audible annunciator may be reset automatically.

e. State of all Operation System equipment which has major influence on the PPS operation.

f. State of all specially controlled conditions for PPS equipment."

Review of the PSAR and SDD does not provide information as to whether each PPS Bistable is designed to provide visual and audible annunciation in the reactor control room.

Do the bistables meet this requirement?

9. RDT C16-1T, Section 4.6.3, states the following:

"4.6.3.1 Monitoring - Continuous testing in the form of monitoring signals within the PPS shall be applied in accordance with the following requirements:

a. In general, capability for continuous monitoring shall be provided to detect those Failures or conditions that could potentially result in the inability to implement a Protective function(s) from the failure of a sufficient amount of equipment either simultaneously or in a time interval shorter than the interval between periodic on-line tests. The required time interval between tests shall be determined in accordance with Section 4.1.2.

b. Monitoring shall be provided in Protective Subsystems that do not employ coincidence and also have a required interval between tests shorter than the planned reactor operating interval.

c. An unsafe Failure detected in any one Protective Channel of a group of three or more Protective Channels comprising a given Protective Subsystem shall cause an alarm automatically. If detected unsafe Failures accumulate to the point that only one Protective Channel remains with no detected failure, provisions shall be made to automatically initiate a controlled action of the remaining Protective Channel Actuators. (This controlled action need not be as rapid as the intended Protective Action.)

4.6.3.2 Surveillance - The PPS shall be physically arranged and instrumented so that surveillance, through the use of all available information, can be performed with the objective of detecting the need for calibration, Component Failure, incipient Failure, or other forms of degradation that might escape detection by other means.

Bistable input signals for each PPS Instrument Channel shall be displayed clearly, continuously, and individually (also see paragraph 4.5.9)."

Review of the PSAR and the SDD does not provide information to determine whether the continuous monitoring and surveillance requirements are met.

Does the PPS meet the requirements of Section 4.6.3?

10. RDT C-16-1T, Sections 4.7.b & c state the following:

"b. The number of power supplies and the arrangement of their circuits for supplying power to the PPS shall be such that in the event of a loss of all off-site power, an Internal Random Failure cannot prevent implementation of any Protective Function due to loss of power."

"c. ... The consideration of power supply Failures shall include the effects of increases and decreases in voltage of ac and dc supplies, and the effects of increases and decreases in the frequency of ac supplies.

Also see paragraph 4.2.3."

Review of the PSAR and SDD does not provide information to determine whether the requirement was considered and met.

Do the power supplies for the PPS meet the requirements of Section 4.7.b and c?

11. RDT C-16-1T, Section 5.2, requires the following:

"The following shall be provided in or with the PPS System Design Description(s) (SDD):

a. The Design Basis, containing all information required in paragraph 3 of this Standard.

b. Identification of all the criteria and requirements which the PPS shall meet. Where exceptions to this Standard are proposed, the justification for each such exception shall be included in the SDD.

c. Where justification for certain provisions are required by this Standard, and such provisions are proposed for a PPS, the justification for including these provisions shall be included in the SDD. (For example, see paragraphs 3.3.7, 4.5.1, and 4.5.7.)

d. Identification of the Protective Subsystem(s) which are provided to implement each Protective Function.

e. Description of each Protective Subsystem and the PPS as a whole, including description of all interfaces between the PPS and other systems.

f. A statement of the criteria which will be met by important monitoring and surveillance equipment (see paragraph 3.1.4), and a description of this equipment.

g. A statement of the criteria which will be met by Operation System equipment proposed for use as specified in paragraph 3.2.3.1, and a description of this equipment."

Is the SDD going to be updated to include items a, b, c, d, e, f and g above?

12. The summary of SDD Number 99 states that the PPS includes the Reactor Shutdown System (RSS) and the Containment Isolation System (CIS).

This is in contradiction to the PSAR, Section 7.1.2.1, which includes the Shutdown Heat Removal Systems.

Also, since SDD No. 99 is for the PPS, why are not all the safety related systems identified in Table 7.5-1 as PPS included in this description?
