ML20054E709

Forwards Notes from 820512-13 Meeting W/Instrumentation & Control Sys Branch in Philadelphia,Pa,Including Responses to NUREG-0737 Items,Overview of Electrical Distribution Sys & Info Re Svc Water Sys
ML20054E709
Person / Time
Site: Seabrook
Issue date: 06/10/1982
From: Devincentis J
PUBLIC SERVICE CO. OF NEW HAMPSHIRE, YANKEE ATOMIC ELECTRIC CO.
To: Miraglia F
Office of Nuclear Reactor Regulation
References
RTR-NUREG-0737, RTR-NUREG-737, TASK-2.D.3, TASK-2.E.1.2, TASK-2.E.4.2, TASK-2.F.1, TASK-2.F.3, TASK-TM SBN-280, NUDOCS 8206140089


Text

Public Service Company of New Hampshire

Office: 1671 Worcester Road, Framingham, Massachusetts 01701, (617) 872-8100

June 10, 1982
SBN-280
T. F. B 7.1.2

United States Nuclear Regulatory Commission
Washington, D. C. 20555

Attention: Mr. Frank J. Miraglia, Chief, Licensing Branch #3, Division of Licensing

References:

(a) Construction Permits CPPR-135 and CPPR-136, Docket Nos. 50-443 and 50-444
(b) USNRC Letter, dated February 16, 1982, "Request for Additional Information," F. J. Miraglia to W. C. Tallman
(c) USNRC Memo, dated March 23, 1982, "Additional Agenda Items for meeting with the Seabrook Applicant on Instrumentation and Controls," T. P. Specs to R. L. Tedesco
(d) PSNH Letter, dated April 1, 1982, "Meeting Notes; Instrumentation and Control Systems Branch (ICSB)," J. DeVincentis to R. Stevens

Subject:

Meeting Notes; Instrumentation and Controls Systems Branch (ICSB)

Dear Sir:

We have attached notes from the May 12 and 13 ICSB review meetings conducted at the office of United Engineers (Philadelphia, PA). This meeting was based on the ICSB Requests for Additional Information which were forwarded in References (b) and (c). The notes also include those items discussed at the March 23-25 review meeting that have been revised. We have indicated the date of the review meeting at which the response or a revision to a response was made. The March 23-25 meeting notes (Reference (d)) are not included with this letter.

These notes are provided to assist you in the preparation of the Safety Evaluation Report, as they highlight open issues, resolved issues, and commitments which have been tendered.


We understand future meetings with ICSB will be conducted, until the review has been satisfactorily completed.

Very truly yours,

YANKEE ATOMIC ELECTRIC COMPANY

John DeVincentis
Project Manager

cc: Mr. Louis Wheeler, Project Manager, Licensing Branch No. 3, Division of Licensing

Mr. Ralph Marback, Argonne National Labs, Bldg. 301, 9700 S. Cass, Argonne, IL 60439

Mr. Robert Stevens, Instrumentation and Control Systems Branch

May 12, 1982

SEABROOK STATION ATTENDANCE ROSTER - ICSB MEETING AT UNITED ENGINEERS & CONSTRUCTORS

[Handwritten attendance roster: Name, Organization, Title]

420.5 (7.1) As called for in Section 7.1 of the Standard Review Plan, provide information as to how your design conforms with the following TMI Action Plan Items as described in NUREG-0737:

(a) II.D.3 - Relief and safety valve position indication,

(b) II.E.1.2 - Auxiliary feedwater system automatic initiation flow indication,

(c) II.E.4.2 - Containment isolation dependability (positions 4, 5 and 7),

(d) II.F.1 - Accident monitoring instrumentation (positions 4, 5 and 6),

(e) II.F.3 - Instrumentation for monitoring accident conditions (Regulatory Guide 1.97, Revision 2),

(f) II.K.3 - Final recommendations

    .9 - PID controller

    .12 - Anticipatory reactor trip.

RESPONSE (3/23):

(a) II.D.3 The single acoustic device to monitor all safety valves is not redundant but is safety grade. Limit switches for each PORV are not redundant but position indication is safety grade. Position indication system is seismically and environmentally qualified. There will be control room alarm for acoustical device and for either PORV not closed. There is backup temperature indication downstream of each safety valve and one temperature indication for both PORVs, all are alarmed in the control room. The FSAR will be revised.

(b) II.E.1.2 Auxiliary feedwater system automatic initiation is safety grade. Flow indication meets Item 2a and b of II.E.1.2.5, NUREG-0737.

(c) & (d) II.E.4.2 and II.F.1 will be handled by containment systems branch.

(e) II.F.3 will be covered by Regulatory Guide 1.97, Response 420.51.

(f) II.K.3.9 and .12, provided response in letter SBN-212, dated 2/12/82. Reviewed by staff and found acceptable.

ADDITIONAL RESPONSE (5/12):

(a) NUREG-0737, Item II.D.3, Clarification was made that the final design of the safety and relief valve position indication is not complete. The project documents and the FSAR will be revised. The block valves, position indication and their manual controls will be Class 1E.

(b) NUREG-0737, Item II.E.1.2, will be addressed in the overall discussions of the emergency feedwater system.

FSAR Figure 7.2-1, Sheet 15 and Page 7.3-23, will be corrected to indicate that both A & B train actuate the turbine driven emergency feedwater pump.

420.6 (7.1) Provide an overview of the plant electrical distribution system, with emphasis on vital buses and separation divisions, as background for addressing various Chapter 7 concerns.

RESPONSE (3/23): Discussed at meeting, no further response required.

STATUS (5/12): Closed.

420.7 (7.1) Describe features of the Seabrook environment control system which insure that instrumentation sensing and sampling lines for systems important to safety are protected from freezing during extremely cold weather. Discuss the use of environmental monitoring and alarm systems to prevent loss of, or damage to systems important to safety upon failure of the environmental control system. Discuss electrical independence of the environmental control system circuits.

RESPONSE (3/23): Written response reviewed by the NRC and attached to meeting notes. We reviewed the freeze protection for the refueling water storage tank (RWST) after the meeting. It was determined that the instruments and sensing lines are in the building that encloses the RWST and is maintained above 32°F by the heated RWST. Additional freeze protection is not required. RAI 440.104 is related. This item is under review by the staff.

ADDITIONAL RESPONSE (5/12): The majority of the safety-related piping is located in areas that are provided with heating systems. Low ambient temperature is alarmed in the control room. The alarms are not safety grade. The areas are accessed periodically as part of the operators' inspections. The operator will be instructed to notice abnormal ambient temperatures that could result from failure of the heating system.

The RWST enclosure is maintained above the freezing temperature by the heat lost from the heated RWST. Low ambient and RWST temperatures are alarmed in the control room to warn of abnormal conditions in the RWST enclosure.

Safety-related piping that is not in heated areas or that require the maintenance of temperatures higher than the design ambient temperatures is provided with dual heat tracing circuits and low temperature alarms. The alarms and heat tracing elements are on separate 120 V ac circuits; therefore, failure of the heating circuit will not result in loss of the low temperature alarm.

Loss of power to the low temperature alarm and heat tracing circuits will be alarmed in the control room.

HANDOUT (3/23): To ensure that instruments, including sensing and sampling lines, are protected from freezing during cold weather, electrical heat tracing is provided. Heat tracing on safety-related piping is protected by redundant, non-safety-related, heat tracing. On the boron injection line only, the primary heat tracing circuit is train A associated. The backup heat tracing circuit is train B associated. This backup circuit is normally de-energized. On the remaining lines, the redundant heat tracing circuit is energized from the same train as the primary circuit.

Integrity of each circuit is continuously monitored. Low and high temperature alarms are available at the heat tracing system control cabinet. Additionally, failures as detailed below are indicated at the heat tracing control cabinet:

a) Loss of voltage,

b) Ground fault trip for each heating element circuit,

c) Overload trip of branch circuit breakers,

Trouble alarms are provided in the main control room.

420.8 (7.1) Provide and describe the following for NSSS and BOP safety-related setpoints:

(a) Provide a reference for the methodology used. Discuss any differences between the referenced methodology and the methodology used for Seabrook,

(b) Verify that environmental error allowances are based on the highest value determined in qualification testing,

(c) Document the environmental error allowance that is used for each reactor trip and engineered safeguards setpoint,

(d) Identify any time limits on environmental qualification of instruments used for trip, post-accident monitoring or engineered safety features actuation. Where instruments are qualified for only a limited time, specify the time and basis for the limited time.

RESPONSE (3/23): Seabrook uses the same methodology as W used for DC Cook, North Anna and Summer, there are no differences. DC Cook and North Anna were submitted and approved. This is applicable for both NSSS and BOP safety-related setpoints.

WCAP 8587 and 8687 describe the determination of environmental error allowances.

STATUS (5/12): Discussions are being held between Westinghouse and the NRC on the detailed application of this methodology for Virgil Summer.

420.9 (7.1.2.5) There is an inconsistency between the discussions in FSAR Section 1.8 and FSAR Section 7.1.2.5 pertaining to the compliance with Regulatory Guide 1.22. FSAR Section 1.8 states that the main reactor coolant pump breakers are not tested at full power. FSAR Section 7.1.2.5 does not include these breakers in the list of equipment which cannot be tested at full power. Please provide a discussion as to whether the operation of the reactor coolant pump breakers is required for plant safety. If not, then please justify. Also please correct the inconsistency described above and, as a minimum, provide a discussion per the recommendations of Regulatory Position D.4 of Regulatory Guide 1.22.

RESPONSE (3/23): Revised 1.8 provided to staff and attached to meeting notes, reactor does not trip on opening of reactor coolant pump breakers.

STATUS (5/12): FSAR revision required.

420.10 (1.8) (7.1.2.6) (7.5) Using detailed plant design drawings (schematics), discuss the Seabrook design pertaining to bypassed and inoperable status indication. As a minimum, provide information to describe:

1. Compliance with the recommendations of Regulatory Guide 1.47,
2. The design philosophy used in the selection of equipment/systems to be monitored,
3. How the design of the bypass and inoperable status indication systems comply with Positions B1 through B6 of ICSB Branch Technical Position No. 21, and
4. The list of system automatic and manual bypasses within the BOP and NSSS scope of supply as it pertains to the recommendations of Regulatory Guide 1.47.

The design philosophy should describe, as a minimum, the criteria to be employed in the display of inter-relationships and dependencies on equipment/systems and should insure that bypassing or deliberately induced inoperability of any auxiliary or support system will automatically indicate all safety systems affected.

RESPONSE (3/23): Handout given to staff. Overview of systems covered and description of operation given including automatic and manual modes, and interaction between systems. Handout as amended during meeting will be attached to the meeting minutes.

System description of computer and video alarm system (VAS) presented during meeting and will be followed up by written description to staff as response to RAI 420.49. A meeting will be held with the staff in Washington at a later date to review all aspects of plant computer operation.

Staff presented concern that some guarantee must be considered as to percent of time computer will be operating and that plant will not continue to operate for any length of time, without appropriate corrective action, when and if computer should be out of service. A possible solution would be to refer operating and repair times to safety review committee although it is agreed that the computer is not a safety-related system. Staff asked for additional information concerning level of validation and verification of software.

HANDOUT (3/23):

1. Systems are designed to meet the recommendations of Regulatory Guide 1.47.
2. Design philosophy is discussed in FSAR Section 7.1.2.6. The selection of equipment is given in Item 4.
3. System design meets the recommendation of ICSB-21 as follows:

B1 - Refer to FSAR Section 7.1.2.6(a).

B2 - System design meets the requirements. Refer to logic diagrams listed in FSAR Section 7.1.2.6(f).

B3 - Erroneous bypassed/inoperable alarm indications could be provided by any of the following:

- dirty relay contacts

- dirty limit switch contacts.

B4 - The bypass indication system does not perform functions essential to safety. (Refer to FSAR Section 7.1.2.6)

- A system design is supplemented by administrative procedures. The operator will not rely solely on the indication system.

B5 - The indication system does not perform any safety-related functions and has no effect on plant safety systems. The indication system is located at the MCB separately for each train on system level basis.

B6 - All bypass indicators and plant video annunciator systems are capable of being tested during normal system operation.

4. The list of the equipments for which bypass/inoperable alarms and indication are provided.

A1 - Service Water System (SW)

Service                               Equipment        Logic Diagram       Schematic
Service Water Pumps                   SW-P-41A/41B     M-503968            M-301107 Sh. AG3, AR3
                                      -41C/41D         M-503969            M-301107 Sh. AG4, AR4
Cooling Tower Pumps                   SW-P-110A        M-503966            M-301107 Sh. AU2
                                      -110B            M-503967            M-301107 Sh. AU6
Cooling Tower Fans                    SW-FN-51A        M-503951            M-301107 Sh. AV4
                                      -51B             M-503452            M-301107 Sh. AW4
Cooling Tower / Service                                M-503973            M-310951 EH9/EHO
Water Bypass/Inop.

Note: there are separate lights for the service water pump and the cooling tower subsystems.

A2 - Primary Component Cooling Water System (CC)

Service                               Equipment        Logic Diagram       Schematic
Primary Cooling Water Pumps           CC-P-11A         M-503270            M-310895 Sh. A58/A78
                                      11B/11C/11D                          A59, A79
PCCW Bypass Inop.                                      M-503277            M-310951-EH9/EHO

A3 - Containment Building Spray (CSB)

Service                               Equipment        Logic Diagram       Schematic
Containment Spray Pumps               CBS-P-9A/9B      M-503257            M-310900 Sh. A61, A81
Containment Sump Iso. Vlv.            CBS-V8/V14       M-503252            M-310900 Sh. B84, D40
Cont. Spray Add. Iso. Vlv.            CBS-V39/V44      M-503259            M-310900 Sh. 4b
Cont. Spray Nozzle Iso. Vlv.          CBS-V13/V19      M-503259            M-310900 Sh. Ab
Primary Comp. Cooling Water           CC-V131/V260     M-503259            M-310895 Sh. 4a
to Containment HX
Primary Comp. Cooling Water                            M-503259

A4 - Residual Heat Removal (RH)

Service                               Equipment        Logic Diagram       Schematic
RH Cold Leg Inj. Iso. Vlv.            RH-V14/26        M-503768/503769     M-310887 Sh. B57, B65
RH Hot Leg Inj. Iso. Vlv.             RH-V32/70        M-503768/503769     M-310887 Sh. B58, D90
Chg. Pump Suc. Iso. Vlv.              RH-V35           M-503768/503763     M-310887 Sh. B59, B66
SI Pump Suc. Iso. Vlv.                RH-36            M-503768/503763     M-310887
Cont. Sump Iso. Vlv.                  CBS-V8/V14       M-503252            M-310900 Sh. B84, D40
Prim. Comp. Cooling Water to HX       CC-V133/V258     M-503768            M-310895 Sh. 4A
Residual Ht. Removal Pumps            RH-P-8A/8B       M-503761            M-310877 Sh. A57, A77

A5 - Safety Injection System (SI)

Service                               Equipment        Logic Diagram       Schematic
SI Pumps                              SI-P-6A/6B       M-503900            M-310890 Sh. A56/A76
Cont. Sump Iso. Valve                 CBS-V8/V14       M-503918
SI Cold Leg Iso. Valve                SI-V114          M-503918            M-310890 Sh. B49
SI-P-CA-6B to Hot Legs                SI-V102/V77
Isolation Valve
SI-P-6A/6B to RWST                    SI-V89/V90       M-503918            M-310890 Sh. B41/B42
Isolation Valve
SI-Pump Cross Connect                 SI-V111/V112     M-503918            M-310890 Sh. B47/B48
Prim. Comp. Cooling Wtr.                               M-503918            M-310895 Sh. EH9/3 EA

A6 - Chemical and Volume Control System (CS)

Service                               Equipment        Logic Diagram       Schematic
Charging Pump                         CS-P-2A/2B       M-503372, M-503330  M-310891 Sh. A62, A82
Prim. Comp. Cooling Wtr.                               M-503372

A7 - Feedwater (FW)

Service                               Equipment        Logic Diagram       Schematic
Emer. Feedwater Pump                  FW-P-37B         M-503586            M-310844 Sh. A80
Emer. FW Pump 37A/37B                 FW-V71/73        M-503599            M-310844 Sh. 4
Discharge and Bypass Vlvs.            FW-V65/67        M-503599            M-310844 Sh. 4

B - Interrelationship Between Auxiliary Systems and Safety Systems (5/12)

Auxiliary systems such as service water system (SW) and primary component cooling water system (CC) have interrelationships and dependencies on the following safety systems.

SI - Safety Injection
RH - Residual Heat Removal System
CBS - Containment Spray System
CS - Chemical and Volume Control System

Bypassed or inoperability of these auxiliary systems (SW, CC) would automatically indicate, both on the VAS and the system inoperative status monitoring lights, all safety systems which are affected.

Reference logic drawings:

M-503277 - M-503973
M-503259 - M-503768
M-503918 - M-503372

ADDITIONAL RESPONSE (5/12): The handout will be revised to indicate that alarms and indicators are provided. The indication on the bypass and inoperable status panel is on the system level for each train. All automatic initiation is through the VAS. Indication on the status panel is manually initiated in response to the VAS alarm or when the system is bypassed or made inoperable with devices not monitored by the VAS. The VAS and the status panel have logic that will automatically indicate systems made inoperable when a support system is inoperable.

Typographical errors on A7 and A8 will be corrected.

This item remains open pending the review of the VAS.

After the meeting, a note to clarify the service water indicators was added to A1 of the 3/23 handout. A8 was deleted as the Diesel Generator status monitoring lights and alarms are not considered part of the bypass and inoperable status monitoring system, since the events monitored occur less than once per year. FSAR 7.1.2.6, copy attached, will be revised.
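The support-system propagation described in Section B and in the 5/12 response can be modelled as a per-train walk over a dependency map. The following is an added example, not part of the Seabrook handout or the plant logic drawings; the map (SW and CC each supporting SI, RH, CBS and CS within the same train) and the function names are assumptions made for illustration.

```python
from collections import deque

# Support-system dependencies from Section B of the handout: the auxiliary
# systems SW and CC support SI, RH, CBS and CS. Treating both as supporting
# all four, within the same train, is an assumption of this sketch.
SUPPORTS = {
    "SW": ("SI", "RH", "CBS", "CS"),
    "CC": ("SI", "RH", "CBS", "CS"),
}


def status_panel(bypassed, supports=SUPPORTS):
    """Work out which system-level indicators are lit on each train.

    bypassed: iterable of (system, train) pairs that were directly bypassed
              or made inoperable.
    Returns {(system, train): set of directly bypassed systems causing it}.
    Propagation follows support links transitively and never crosses trains.
    """
    lit = {}
    for root, train in bypassed:
        queue = deque([root])
        seen = set()  # guards against cyclic dependency maps
        while queue:
            system = queue.popleft()
            if system in seen:
                continue
            seen.add(system)
            lit.setdefault((system, train), set()).add(root)
            queue.extend(supports.get(system, ()))
    return lit


def indicators(lit, train):
    """Sorted list of systems shown bypassed/inoperable for one train."""
    return sorted(system for system, t in lit if t == train)


if __name__ == "__main__":
    # Constructed scenario: service water train A out of service and an
    # RH train B component bypassed.
    panel = status_panel([("SW", "A"), ("RH", "B")])
    for train in ("A", "B"):
        print(train, indicators(panel, train))
    for key in sorted(panel):
        print(key, "caused by", sorted(panel[key]))
```

Recording the root cause with each lit indicator lets a reviewer distinguish a safety system that was bypassed directly from one that is shown inoperable only because its support system is out of service.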

420.11 (7.1) Summarize the status of those instrumentation and control items discussed in the Safety Evaluation Report (and supplements) issued for the construction permit which required resolution during the operating license review.

RESPONSE (3/23): There are no unresolved items relating to Chapter 7 of the SAR identified in the construction permit SER (Supplements 1 to 4).

STATUS (5/12): Closed.

420.12 (7.1.2.2) Various instrumentation and control system circuits in the plant (including the reactor protection system, engineered safety features actuation system, instrument power supply distribution system) rely on certain devices to provide electrical isolation capability in order to maintain the independence between redundant safety circuits and between safety circuits and non-safety circuits.

1. Identify the type of isolation devices which are used as boundaries to isolate non-safety grade circuits from the safety grade circuits or to isolate redundant safety grade circuits.
2. Describe the acceptance criteria and tests performed for each isolation device which is identified in response to Part 1 above. This information should address results of analyses or tests performed to demonstrate proper isolation and should assure that the design does not compromise the required protective system function.

RESPONSE (3/23):

1. BOP uses the same type W 7300 system, with the same qualifications, as is used by NSSS (NSSS equipment for Seabrook is identical to that for SNUPPS).
2. Radiation data management system will require submittal of further documentation of isolation devices used.
3. Power supply distribution isolation is covered under RAI 430.40A.

STATUS (5/12): The only open item is the description of the RDMS isolation devices that is deferred to the next meeting.

420.13 (7.1.2.2) (7.5.3.3) (7.7.2.1) The discussion in Section 7.1.2.2 states that Westinghouse tests on the Series 7300 PCS system covered in WCAP-8892 are considered applicable to Seabrook. As a result of these tests, Westinghouse has stated that the isolator output cables will be allowed to be routed with cables carrying voltages not exceeding 580 volts ac or 250 volts dc. The discussion of isolation devices in Section 7.5.3.3 of the FSAR, however, considered the maximum credible fault accidents of 118 volts ac or 140 volts dc only. Also, the statement in Section 7.7.2.1 implies that the isolation devices were tested with 118 volts ac and 140 volts dc only. In order to clarify the apparent inconsistency, provide the following:

(a) Specify the type of isolation devices used for Seabrook process instrumentation system. If they are not the same as the Series 7300 PCS tested by Westinghouse, specify the fault voltages for which they are rated and provide the supporting test results.

(b) Provide information requested in (a) above for the isolation devices of the nuclear instrumentation system. As implied in WCAP-8892, the tests on Series 7300 PCS did not include the nuclear instrumentation system.

(c) Describe what steps are taken to insure that the maximum credible fault voltages which could be postulated in Seabrook, as a result of BOP cable routing design, will not exceed those for which the isolation devices are qualified.

RESPONSE (3/23): The isolation devices used are as described in 420.12. Isolation device design is identical and has been qualified the same as for SNUPPS. The routing of cables leaving the cabinets is consistent with the interface criteria in WCAP 8892A.

STATUS (5/12): Closed.

420.14 (7.1.2.2) The FSAR information provided describing the separation criteria for instrument cabinets and the main control board is insufficient. Please discuss the separation criteria as it pertains to the design criteria of IEEE Standard 384-1977, Sections 5.6 and 5.7. Detailed drawings should be used to aid in verifying compliance with the separation criteria.

RESPONSE (3/23): Handout submitted to staff. Overview of main control board was presented using drawings and pictures. FSAR Sections 7.1.2.2 and 1.8 will be revised to be applicable to both balance of plant and NSSS control panels. The design criteria of IEEE Standard 384-1977, Sections 5.6 and 5.7 for the main control board and instrument cabinets has been met.

STATUS (5/12): FSAR revision required.

HANDOUT (3/23):

1. Instrument Cabinets

Section 5.7 of IEEE-384-1977 is met by having independent cabinets for redundant Class 1E instruments, examples of this separation may be found on instrument cabinets MM-CP-152A and MM-CP-152B, both located in the main control room, control building Elevation 75'-0".

2. Main Control Board (MCB)

Sections 5.6.1 through 5.6.6 of IEEE-384-1977 are met as follows, and as described in UE&C Specification 9763-006-170-1, Revision 5:

(a) Section 5.6.1 - The main control board, seismically qualified by analysis and testing per UE&C Specifications 9763-006-170-1 Revision 5, and 9763-SD-170-1, Revision 0, is located in the main control room of the Seabrook station control building (Elevation 75'-0") which is a Seismic Category I structure.

(b) Sections 5.6.2 through 5.6.6 - MCB Zone "B" (front contains the low pressure safety injection; rear contains miscellaneous systems like steam generator blowdown, heat removal, spent fuel) will be used to describe compliance with above referenced sections of IEEE-384-1977. UE&C drawings 9763-F-510102 Revision 6, 9763-F-510115 Revision 4 and 9763-F-510116 Revision 4 could be used to ascertain the compliance with the standard.

b.1 Internal Separation (5.6.2) - The front section of Zone B is divided into Class 1E train "A" (and its associated non-Class 1E circuits train "AA") on the left-hand side, separated from the Class 1E train "B" (and its associated non-Class 1E circuits train "BA") by a full size top-to-bottom steel barrier. However, due to process requirements there are instruments of the opposite train, "B", on the train "A" side; they are separated by a steel enclosure fully surrounding the instrument or open at the rear after a depth 6" deeper than the instrument itself.

The rear section of Zone B is all Class 1E train "A" or its associated non-Class 1E circuit train "AA". Again, as in the front section due to process requirements, there are instruments of the opposite train which are separated by a steel enclosure in the same fashion as in the front section.

Refer to next Item, b.2, for wiring separation.

b.2 Internal Wiring Identification (5.6.3) - All wiring within each section is identified by different jacket colors, as follows:

Class 1E train "A" - red
Class 1E train "B" - white
Non-Class 1E train "AA" - black with red stripe
Non-Class 1E train "BA" - black with white stripe

Each wire/cable insulation is qualified to be flame retardant per either IPCEA-S-19-81 (NEMA WC3) paragraph 6.13.2 or UL-44 Section 85 or IEEE Standard-383 Section 2.5. In addition, all wiring within each section is run in covered wireways formed from solid or punched sheet steel. Minimum wire bundles were allowed where it was physically impossible to install wireways or where it would have been hazardous to the operator/maintenance personnel.

Class 1E and Non-Class 1E wiring of the same train are run in the same wireway. The wireways were further identified with red "A" or white "B" to depict the train assignment of the wire being run within the particular wireway.

b.3 Common Terminations (5.6.4) - No common terminations were allowed in the MCB.

b.4 Non-Class 1E Wiring (5.6.5) - Class 1E and Non-Class 1E associated circuits wiring of the same train are run together in the same metallic wireway but are separated by specific identifying jacket colors as described above (b.2).

b.5 Cable Entrance (5.6.6) - Field cables to be terminated on the MCB terminal blocks are routed in train assigned raceways through the cable spreading room which is located directly under the main control room (refer to UE&C Drawing 9763-F-500091, Revision 6). The raceways run all the way up to the floor slots of the same assigned train located in the floor right underneath the MCB. (The floor slots location and train assignment are shown on UE&C Drawings 9763-F-500100 Revision 6, 9763-F-101347 Revision 5 and 9763-F-310432 Revision 8).

420.15 (7.1) Identify all plant safety-related systems, or portions thereof, for which the design is incomplete at this time.

RESPONSE (3/23): The design of all safety-related systems has been completed. The design details associated with procurement and installation are on-going in accordance with the project schedule.

STATUS (5/12): Closed.

420.16 (7.1) Identify where microprocessors, multiplexers, or computer systems are used in or interface with safety-related systems.

RESPONSE (3/23): NSSS does not use microprocessors, multiplexers or computers in or to interface with safety-related systems (multiplexors are used for information transmission).

The radiation data management uses microprocessors and computers. Detailed descriptions on how the system works will be submitted later.

ADDITIONAL RESPONSE (5/12): The RDMS is functionally identical to the systems installed at Byron-Braidwood, St. Lucie 2, Waterford 3, SNUPPS and Comanche Peak.

NRC will review handout presented, copy attached. More information is needed on the 1E microprocessor software and design features.

The Class 1E monitors are identified in FSAR Tables 12.3-13, 12.3-14 and 12.3-15. They are described in Section 12.3.4.

420.17 (7.1) (7.2) (7.3) (1.8) The FSAR information which discusses conformance to Regulatory Guide 1.118 and IEEE-338 is insufficient. Further discussion is required. As a minimum, provide the following information:

1. Confirm that the Technical Specifications will provide detailed requirements for the operator which insure that blocking of a selected protection function actuator circuit is returned to normal operation after testing.

2. Discuss response time testing of BOP and NSSS protection systems using the design criteria described in Position C.12 of Regulatory Guide 1.118 and Section 6.3.4 of IEEE 338. Confirm that the response time testing will be provided in the Technical Specifications.

3. The FSAR states that, "Temporary jumper wires, temporary test instrumentation, the removal of fuses and other equipment not hard-wired into the protection system will be used where applicable". Identify where procedures require such operation. Provide further discussion to describe how the Seabrook test procedures for the protection systems conform to Regulatory Guide 1.118 (Revision 1) Position C.14 guidelines. Identify and justify any exceptions.

4. Confirm that the Technical Specifications will include the RPS and ESFAS response times for reactor trip functions.

5. Confirm that the Technical Specifications will include response time testing of all protection system components, from the sensor to operation of the final actuation device.

6. Provide an example and description of a typical response time test.

RESPONSE (3/23): Handout was distributed and found acceptable with changes discussed during meeting. The revised handout is included in the meeting minutes.

STATUS (5/12): FSAR revision required.

HANDOUT (3/23):

1. Technical Specification Tables 3.3-1 reactor trip system, 3.3-3 engineered safety features actuation, and 3.3-5 reactor trip/ESF actuation system interlocks, provide the operator with the minimum operable channel criteria and the appropriate action statement.

, 2. BOP and NSSS protection system time response tests will be i conducted in accordance with Regulatory Guide 1.118 Revision '

1, IEEE-338-1975, ISA dS67-06, and draft Regulatory Guide Task IC 121-5, January, 1982, with the following exceptions and positions:

(a) Task IC 121-5 Regulatory Position Cl states that the term " nuclear safety-related instrument channels in nuclear power plants" should be understood to mean

instrument channels in protection systems.

(b) Response time testing will be performed only on those channels having a limiting response time established and

credited in the safety analysis.

(c) The revised discussion of Regulatory Guide 1.118 in FSAR Section 1.8 (copy attached).

1 Response time testing is specified in Tables 3.3-2 and 3.3-4.

3. It is not anticipated that any Seabrook test procedures performed on protection systems will require the use of temporary jumpers, lifted wires or pulled fuses. All procedures will, in fact, utilize the hard-wired test points within the system and therefore, comply with Regulatory Guide 1.118, Revision 1, Position Cl4.

If during plant operation, conditions or test requirements show that deviation from this guide is the only practical method of obtaining the desired test results, then all af fected testing will be performed and documented under the control of a special test procedure. We will inform ICSB, prior to licensing, of any temporary modifications identified during preparation of the surveillance procedures.

4. Response times are specified in Tables 3.3-2 and 3.3-4.
5. Compliance with Regulatory Guide 1.118, Revision 1, IEEE-338-1975, and ISA dS67-06 ensures that the complete channel is tested with the exception noted on Table 3.3-2 of Seabrook Technical Specifications.

6. Response time tests have not yet been prepared. Test methods to be employed are outlined below:

Pressure Sensors

The process variable will be substituted by a hydraulic ramp, the ramp rate to be selected based on the transient for which the sensor is required to respond.

In the event that the sensor is required to respond to more than one transient, the ramp rates will be selected to represent the fastest and slowest transients.

Temperature Sensors

Will be tested in place using the loop current step response (LCSR) method. See NUREG-0809.

Impulse Lines

Tests will be conducted during the startup testing phase to establish the relationship between response time and impulse line flow; subsequent tests will be limited to flow testing.

Electronic Channel

The signal conditioning and logic section of the instrument channel will be tested by inputting a step change at the input of the process racks, and measuring the time required until the final device in the channel actuates.

420.18 (7.1.2.11) It is stated in FSAR Section 7.1.2.11 that, "A periodic verification test program for sensors within the Westinghouse scope for determining any deterioration of installed sensor's response time, is being sought". NUREG-0809, "Review of Resistance Temperature Detector Time Response Characteristics", and draft Standard ISA-dS67.06, "Response Time Testing of Nuclear Safety-Related Instrument Channels in Nuclear Power Plants", are documents which propose acceptable methods for response time testing nuclear safety-related instrument channels. Please provide further discussion on this matter to unequivocally indicate the test methods to be used for Seabrook.

RESPONSE (3/23): See our Response to 420.17 for a discussion of the proposed response time testing program. The referenced portion of 7.1.2.11 will be deleted (see attached copy).

STATUS (5/12): FSAR revision required.

420.19 (7.1.1.1) FSAR Section 7.1.1 does not provide sufficient information to distinguish between those systems designed and built by the nuclear steam system supplier and those designed or built by others. Please provide more detailed information.

RESPONSE (3/23): Draft revision of FSAR 7.1.1 provided to staff and found acceptable and is attached to the meeting notes.

STATUS (5/12): FSAR revision required.

420.20 (7.1.2.7) Section 7.1.2.7 of the FSAR discusses conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972. The information provided addresses only Westinghouse provided equipment and associated topical reports. Provide a conformance discussion that addresses the BOP portions of the plant safety systems and auxiliary systems required for support of safety systems.

RESPONSE (3/23): FSAR has been revised to cover single failure criteria for BOP and NSSS and is attached to the meeting minutes.

ADDITIONAL RESPONSE (5/12): The change to FSAR 7.1.2.7 was reworded. Copy is attached.

420.21 (7.2.1.1) The information in Section 7.2.1.1.b.6, "Reactor Trip on Turbine Trip", is insufficient. Please provide further design bases discussion on this subject per BTP ICSB 26 requirements. As a minimum you should:

1. Using detailed drawings, describe the routing and separation for this trip circuitry from the sensor in the turbine building to the final actuation in the reactor trip system (RTS).
2. Discuss how the routing within the non-seismic Category I turbine building is such that the effects of credible faults or failures in this area on these circuits will not challenge the reactor trip system and thus degrade the RTS performance. This should include a discussion of isolation devices.
3. Describe the power supply arrangement for the reactor trip on turbine trip circuitry.
4. Provide discussion on your proposal to use permissive P-9 (50% power).
5. Discuss the testing planned for the reactor trip on turbine trip circuitry.

Identify any other sensors or circuits used to provide input signals to the protection system or perform a function required for safety which are located or routed through non-seismically qualified structures. This should include sensors or circuits providing input for reactor trip, emergency safeguards equipment such as auxiliary feedwater system and safety grade interlocks.

Verification should be provided to show that such sensors and circuits meet IEEE-279 and are seismically and environmentally qualified. Identify the testing or analyses performed which insures that failures of non-seismic structures, mountings, etc. will not cause failures which could interfere with the operation of any other portion of the protection system.

RESPONSE (3/23): Add to the SNUPPS response to "Reactor Trip on Turbine Trip" that circuits and sensors used in a non-seismic structure are Class 1E and are run in separate conduits meeting Regulatory Guide 1.75 with the exception of seismic qualification. Hydraulic pressure and limit switches on the turbine stop valves are two examples.

The response will be attached to the meeting minutes.

Permissive P-9 has an adjustable setpoint between 10 - 50%.

Reactor trip on turbine trip circuitry is testable at power.

The turbine impulse chamber pressure transmitters are Class 1E and routed as Class 1E, with the seismic exception.

There are no other safety grade sensors routed through non-seismic areas. The only safety-related outputs in non-seismic areas are signals to close the feedwater control valves, close the condenser dump valves and trip the turbine generator. These circuits are designed as described above.

ADDITIONAL RESPONSE (5/12): The handout was discussed and revised.

Each turbine stop valve is monitored by two independent switches.

HANDOUT (3/23): Revised SNUPPS Submittal

Evaluations indicate that the functional performance of the protection system would not be degraded by credible electrical faults such as opens and shorts in the circuits associated with reactor trip or the generation of the P-7 interlock. The contacts of redundant sensors on the steam stop valves and the trip fluid pressure system are connected through the grounded side of the ac supply circuits in the solid state protection system. A ground fault would therefore produce no fault current. Loss of signal caused by open circuits would produce either a partial or a full reactor trip. Faults on the first stage turbine pressure circuits would result in upscale, conservative, output for open circuits and a sustained current, limited by circuit resistance, for short circuits. Multiple failures imposed on these redundant circuits could potentially disable the P-13 interlock. In this event, the nuclear instrumentation power range signals would provide the P-7 safety interlock. Refer to Functional Diagram, Sheet 4 of Figure 7.2-1.

SSPS input circuits and sensors in non-seismic structures are Class 1E. The electrical and physical independence of the connecting cabling conforms to Regulatory Guide 1.75 as discussed in FSAR Section 1.8.

420.22 (7.2.1.1) FSAR Section 7.2.1.1.b.8 states that, "The manual trip consists of two switches with two outputs on each switch. One output is used to actuate the train A reactor trip breaker, the other output actuates the train B reactor trip breaker." Please describe how this design satisfies the single failure criterion and separation requirements for redundant trains.

RESPONSE (3/23): Manual trip design is identical to SNUPPS, Watts Bar, Byron-Braidwood. Drawing was reviewed and found acceptable.

STATUS (5/12): Closed.

420.23 (7.2) Describe how the effects of high temperatures in reference legs of steam generator and pressurizer water level measuring instruments subsequent to high energy breaks are evaluated and compensated for in determining setpoints. Identify and describe any modifications planned or taken in response to IEB 79-21. Also, describe the level measurement errors due to environmental temperature effects on other level instruments using reference legs.

RESPONSE (3/23): The steam generator level transmitter reference legs will be insulated to prevent excessive heating under accident conditions.

Setpoints will include errors for high energy line breaks with the insulation.

For the pressurizer level, we will review SNUPPS report and determine applicability to Seabrook.

REVISED RESPONSE (5/12): SNUPPS did not insulate reference legs in containment. We are evaluating their approach for application to Seabrook and will advise the NRC on our final corrective action.

420.24 (7.2) (7.3) (7.4) (7.6) State whether all of the systems discussed in Sections 7.2, 7.3, 7.4 and 7.6 of the FSAR conform to the recommendations of Regulatory Guide 1.62 concerning manual initiation. Identify any exceptions and discuss how they do not conform to the recommendations. Provide justification for nonconformance areas.

RESPONSE (3/23): Systems discussed in Sections 7.2, 7.3, 7.4 and 7.6 of the FSAR conform to the recommendations of Regulatory Guide 1.62 concerning manual initiation. There are no exceptions taken.

STATUS (5/12): Closed.

420.25 (7.2.2.2) The information provided in Section 7.2.2.2.c.10.(b) on testing of the power range channels of the nuclear instrumentation system, covers only the testing of the high neutron flux trips. Testing of the high neutron flux rate trips is not included. Provide a description of how the flux rate circuitry is tested periodically to verify its performance capability.

RESPONSE (3/23): The power range nuclear instrumentation system and all associated bistables including the rate trips are testable at power.

STATUS (5/12): Closed.

420.26 (7.2) (7.3) Identify where instrument sensors or transmitters supplying information to more than one protection channel are located in a common instrument line or connected to a common instrument tap.

The intent of this item is to verify that a single failure in a common instrument line or tap (such as break or blockage) cannot defeat required protection system redundancy.

RESPONSE (3/23): Identical to SNUPPS except we do not share taps for pressurizer pressure. There are no shared taps for redundant BOP safety instruments.

STATUS (5/12): Closed.

420.27 (7.3) If safety equipment does not remain in its emergency mode upon reset of an engineered safeguards actuation signal, system modification, design change or other corrective action should be planned to assure that protective action of the affected equipment is not compromised once the associated actuation signal is reset.

This issue is addressed by I&E Bulletin 80-06. Please provide a discussion addressing the concerns of the above bulletin. This discussion should assure that you have reviewed the Seabrook design per each of the I&E Bulletin 80-06 concerns. Results of your review should be given.

RESPONSE (3/23): We have reviewed the electrical schematics for engineered safety feature (ESF) reset controls. In the Seabrook design, all systems serving safety-related functions remain in the emergency mode upon removal of the actuating signal and/or manual resetting of ESF actuation signals. The required testing (per 80-06) will be performed as part of the start-up test program described in Chapter 14.

STATUS (5/12): Closed.

420.28 (7.3.1.1) The description of the emergency safety feature systems which is provided in the FSAR Section 7.3.1.1 is incomplete in that it does not provide all of the information which is requested in Section 7.3.1 of the standard format for those safety-related systems, interfaces and components which are supplied by the applicant and mate with the systems which are within the Westinghouse scope of supply. Provide all of the descriptive and design basis information which is requested in the standard format for these systems. In addition, provide the results of an analysis, as is requested in Section 7.3.2 of the standard format, which demonstrates how the requirements of the general design criteria and IEEE Standard 279-1971 are satisfied and the extent to which the recommendations of the applicable Regulatory Guide are satisfied. Identify and justify any exceptions.

RESPONSE (3/23): Tables supplied in response to 420.32 and the additional information to be supplied when answering 420.29 will satisfy the requirements of this question.

ADDITIONAL RESPONSE (5/12): See 420.29.

420.29 (7.3.2.1) Confirm that the FMEA referenced in FSAR Section 7.3.2.1: (1) is applicable to all engineered safety features equipment within the BOP and NSSS scope of supply, and (2) is applicable to design changes subsequent to the design analyzed in the referenced WCAP.

RESPONSE (3/23): Discussion of this item was deferred to the next meeting.

ADDITIONAL RESPONSE (28&29) (5/12): The Seabrook design complies with the interface criteria in Appendix B of WCAP 8584, Revision 1. The FMEA in WCAP 8584 is applicable to all BOP and NSSS safety features equipment at Seabrook including design changes made to the systems analyzed in WCAP 8584.

420.30 (7.3) Section 7.3.2.2 of the FSAR indicates that conformance to Regulatory Guide 1.22 is discussed in Section 7.1.2.8. However, Section 7.1.2.8 addresses Regulatory Guide 1.63. Correct this discrepancy.

RESPONSE (3/23): The reference to Section 7.1.2.8 will be changed in Amendment 45 to Section 7.1.2.5 where Regulatory Guide 1.22 is addressed.

STATUS (5/12): FSAR revision required.

420.31 (7.3.2.2) Using detailed drawings, discuss the automatic and manual operation of the containment spray system including control of the chemical additive system. Discuss how testing of the containment spray system conforms to the recommendations of Regulatory Guide 1.22 and the requirements of BTP ICSB 22. Include in your discussion the tests to be performed for the final actuation devices.

RESPONSE (3/23): Draft of response submitted to staff. Overview of containment spray system was presented using drawings. System description and operation were reviewed. Staff questioned redundancy of temperature system. Tank temperature is monitored by a temperature indicating switch that actuates a VAS alarm and by an independent temperature indicating controller that controls auxiliary steam to the tank. Fluid systems are totally separable into trains "A" and "B". The electrical systems are also completely separable into trains "A" and "B" as per the piping systems. Provisions are available for on-line testing of CBS system as described in FSAR 7.3.2.2.

The assignment of components to slave relays for on-line testing is indicated in the ESF table in the response to 420.32.

ADDITIONAL RESPONSE (5/12): The response was clarified to specify that the spray additive tank is the tank being discussed.

This item is considered closed.

420.32 (7.3) Please provide a table(s) listing the components actuated by the engineered safety features actuation system. As a minimum, the table should include:

1. Action required,
2. Component description,
3. Identification number,
4. Actuation signal and channel.

RESPONSE (3/23): Tables supplied at the meeting are attached.

STATUS (5/12): Closed.

420.33 (7.3.2.2) Section 7.3.2.2.e.12 discusses testing during shutdown. Describe provisions for insuring that the "isolation valves" discussed here are returned to their normal operating positions after test.

RESPONSE (3/23): Administrative controls to ensure that equipment and systems are restored to normal after testing will be addressed in equipment control procedures that follow the guidance of ANS 18.7, 1976.

The system inoperative status monitoring panel will be manually actuated when a system is made inoperative.

STATUS (5/12): Closed.

420.34 (7.3) Portions of paragraph 7.3.1.2.f, appear not to apply to ESFAS response times. In particular, the discussion on reactor trip breakers, latching mechanisms, etc., should be replaced by a discussion of ESF equipment time responses. The applicant should provide a revised discussion for ESFAS (a) defining specific beginning and end points for which the quoted times apply, and (b) relating these times to the total delay for all equipment and to the accident analysis requirements.

RESPONSE (3/23): FSAR 7.3.1.2.f will be revised as indicated on the attached markup.

STATUS (5/12): FSAR revision required.

420.35 (7.2 & 7.4) Using detailed drawings, describe the ventilation systems used to support engineered safety features areas including areas containing systems required for safety shutdown. Discuss the design bases for these systems including redundancy, testability, etc.

RESPONSE (3/23): Overview given at meeting on HVAC system for control room. Equipment for system is redundant and safety grade. The HVAC instrumentation and control required for safety-related equipment is Class 1E and trains "A" and "B" oriented. Radiation detectors for intake air are redundant and safety related. Other systems in the control building are redundant and safety related.

Control of safety-related HVAC systems are operated from the control room and those systems required for remote safe shutdown also have local control. The control room outside air intake lines are shared between Units 1 and 2. Each unit has its own controls and isolation valves.

STATUS (5/12): Closed.

420.36 (7.3.2.3) Using detailed system schematics, describe how the Seabrook auxiliary feedwater system meets the requirements of NUREG-0737, TMI Action Plan Item II.E.1.2 (See question 420.01). Be sure to include the following information in the discussion:

a) the effects of all switch positions on system operation.

b) the effects of single power supply failures including the effect of a power supply failure on auxiliary feedwater control after automatic initiation circuits have been reset in a post-accident sequence.

c) any bypasses within the system including the means by which it is insured that the bypasses are removed.

d) initiation and annunciation of any interlocks or automatic isolations that could degrade system capability.

e) the safety classification and design criteria for any air systems required by the auxiliary feedwater system. This should include the design bases for the capacity of air reservoirs required for system operation.

f) design features provided to terminate auxiliary feedwater flow to a steam generator affected by either a steam line or feed line break.

g) system features associated with shutdown from outside the control room.

RESPONSE (3/23): Overview of emergency feedwater system was presented to staff using drawings for description of system operation.

Emergency feedwater system was discussed with staff and it is considered an open item. Significant concerns identified:

a) Lack of safety grade air system.

b) Single failure in pneumatic control valve.

c) Loss of one train of power while operating from remote safe shutdown panel.

d) On-off control of the EFW control valves.

STATUS (5/12): Agenda items 420.36, 420.38, 420.39, 420.40, 420.41, 420.42, 420.45, 420.46, 420.47, 420.76, 420.77, the NRC letters dated 4/21/82 and 4/22/82, and RAI's from other branches are related to the general discussions of safe shutdown using safety grade equipment. We are developing our response to these issues and will present them in a meeting to be scheduled for Washington, D.C.

420.37 (7.3) Using detailed system schematics, describe the sequence for periodic testing of the:

a) main steam line isolation valves

b) main feedwater control valves

c) main feedwater isolation valves

d) auxiliary feedwater system

e) steam generator relief valves

f) pressurizer PORV

The discussion should include features used to insure the availability of the safety function during test and measures taken to insure that equipment cannot be left in a bypassed condition after test completion.

RESPONSE (3/23): Periodic testing was discussed using detailed drawings. Significant discussion items are:

a) To be presented at next meeting.

b) Standard Westinghouse testing system used.

c) When testing main feedwater control and main feedwater isolation valves using train "A", the system for train "B" remains completely operable.

d) During testing of emergency feedwater pumps the discharge valve is closed and recirculation valve opened. The system inoperable indication is in accordance with Regulatory Guide 1.47.

During testing, the capability exists to test the entire ESFAS as including actuation of the EFW pump.

e) Discussed with no comments.

f) Discussed with no comments.

STATUS (5/12): Discussion of the MSIV testing, Item a, is deferred pending finalization of the design details.

The remainder of this item is closed.

420.38 (7.4.1) The information supplied in FSAR Section 7.4.1 does not adequately describe the systems required for safe shutdown as required by Section 7.4.1 of the standard format. Therefore, provide all the descriptive and design basis information which is requested by Section 7.4.1 of the standard format. Also, provide the results of an analysis, as requested by Section 7.4.2 of the standard format, which demonstrates how the requirements of the general design criteria and IEEE Std. 279-1971 are satisfied and the extent to which the recommendations of the applicable regulatory guides are satisfied. Identify and justify any exceptions.

RESPONSE (3/23): Staff to review handouts presented at this meeting and come back with any further questions. Update list for 420.39 and submit with minutes. YAEC given written position on safe shutdown, to be forwarded formally. Rewritten FSAR 7.4 is attached.

ADDITIONAL RESPONSE (5/12): The analog instruments associated with the remote shutdown panel are Non-1E and are independent of the control room instruments.

The controls at the remote shutdown locations have the same qualification as the controls at the main control board.

See 420.36.

420.39 The information supplied for remote shutdown from outside the control room is insufficient. Therefore, provide further discussion to describe the capability of achieving hot or cold shutdown from outside the control room. As a minimum, provide the following information:

a. Provide a table listing the controls and display instrumentation required for hot and cold shutdown from outside the control room. Identify the safety classification and train assignments for the safety-related equipment.
b. Design basis for selection of instrumentation and control equipment on the hot shutdown panel.
c. Location of transfer switches and remote control station (include layout drawings, etc.).

d. Design criteria for the remote control station equipment including transfer switches.
e. Description of distinct control features to both restrict and to assure access, when necessary, to the displays and controls located outside the control room.
f. Discuss the testing to be performed during plant operation to verify the capability of maintaining the plant in a safe shutdown condition from outside the control room.
g. Description of isolation, separation and transfer/override provisions. This should include the design basis for preventing electrical interaction between the control room and remote shutdown equipment.
h. Description of any communication systems required to coordinate operator actions, including redundancy and separation.
i. Description of control room annunciation of remote control or overridden status of devices under local control.
j. Means for ensuring that cold shutdown can be accomplished.
k. Explain the footnote in FSAR Section 7.4.1.4 which states that, "Instrumentation and controls for these systems may require some modification in order that their functions may be performed from outside the control room". Discuss the modifications required on the instrumentation and controls of the pressurizer pressure control including opening control for pressurizer relief valves, heaters and spray and the nuclear instrumentation that are necessary to shutdown the plant from outside the control room. Also discuss the means of defeating the safety injection signal trip circuit and closing the accumulator isolation valves when achieving cold shutdown.

RESPONSE (3/23): See 420.38.

ADDITIONAL RESPONSE (5/12): We will investigate the absence of pressurizer level indication in the table that was provided in response to Item a.

Response to Item g should refer to 7.4.1.1 and 7.4.1.3.a.5 vice 7.4.11.

See 420.36.

HANDOUT (3/23):

a) Table is attached.

b) See response to Item 440.13 (attached).

c) Transfer switches are at the same location as the controls.

d) Controls are the same safety classification as the controls in the control room. Instrumentation is not safety-related.

e) The controls are located in areas that are controlled by the security system. The transfer switches are key-locked.

f) Verification of the capability of maintaining the plant in a safe shutdown condition from outside control room will be in accordance with commitment in Chapter 14, Table 14.2-5, Item 33. Reactor coolant pumps will not be tripped for this test. Verification of natural circulation will be in accordance with commitment in Chapter 14, Table 14.2-5, Item 22.

g) Isolation is discussed in FSAR 7.4.1.1 and 7.4.1.3.a.5. (5/12)

h) See response to 430.67 (attached).

i) Any switch that is in the local position is alarmed by the VAS.

j) See Items a and b.

k) The footnote has been deleted. See rewritten 7.4 submitted in 420.38.

420.40 Concerning safe shutdown from outside the control room, discuss the likelihood that the auxiliary feedwater system will be automatically initiated on low-low steam generator level following a manual reactor trip and describe the capability of resetting the initiating logic from outside the control room. Describe the method of controlling auxiliary feedwater from outside the control room.

RESPONSE (3/23): Even though the emergency feedwater system may be automatically initiated as the main control room is evacuated, the emergency feedwater system can be controlled from the remote safe shutdown panel. Additional information required by staff is furnished in the response to 420.38 and 420.39.

STATUS (5/12): See 420.36.

420.41 (7.4.2) Subsection 7.4.2 states that, "The results of the analysis which determined the applicability to the Nuclear Steam Supply System safe shutdown systems of the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1". This statement does not address the balance of plant (BOP) safe shutdown systems. Also, sufficient information giving results of the analysis performed for safe shutdown systems cannot be found from Table 7.1-1. Therefore, provide the results and a detailed discussion of how the BOP and NSSS systems required for safe shutdown meet GDCs 13, 19, 34, 35, and 38; IEEE Standard 279 requirements; Regulatory Guides 1.22, 1.47, 1.53, 1.68, and 1.75. Be sure that you include a discussion of how the remote shutdown station complies with the above design criteria.

RESPONSE (3/23): Closely related to Items 38 and 39. Staff will review to see if more response is required.

STATUS (5/12): See 420.36.

420.42 (7.4.2) FSAR Section 7.4.2 states that, "It is shown by these analyses, that safety is not adversely affected by these incidents, with the associated assumptions being that the instrumentation and controls indicated in Subsections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown". Please provide a discussion pertaining to the phrase "associated assumptions". Your discussion should address loss of offsite power associated with plant load rejection or turbine trip.

RESPONSE (3/23): Covered in the response to 420.38.

STATUS (5/12): See 420.36.

420.43 (7.4.2) Please discuss how a single failure within the station service water system and/or the primary component cooling water system affects safe shutdown.

RESPONSE (3/23): Each of the independent and redundant flow trains of the station service water system and the primary component cooling water system is capable of performing their safety functions necessary to effect a safe shutdown assuming a single failure. See Sections 9.2.1, 9.2.2 and 9.2.5 for further details.

STATUS (5/12): Closed.

420.44 (9.2.5.5) Using detailed electrical schematics and logic diagrams, discuss the tower actuation (TA) signal which is generated to isolate the normal service water system and initiate the cooling tower system. Be sure to include in your discussion the possibilities of inadvertent switchover (loss of offsite power, etc.) and the effects this would have.

RESPONSE (3/23): The tower actuation circuit is being revised. The revised drawings will be submitted for review.

STATUS (5/12): Implement the revised logic.

420.45 (7.4.2) FSAR Section 7.4.2 states that, "Loss of plant air systems will not inhibit ability to reach safe shutdown from outside the control room". Using detailed drawings, please provide further discussion on this matter. Clearly indicate any function required to reach safe shutdown from outside the control room which is dependent on air and the means by which the air is provided.

RESPONSE (3/23): Instrument air system is redundant, piping is safety grade and seismically supported but appropriate safety-grade compressor has not been located. Critical to define how long system can operate from accumulator tanks. Staff questioned atmospheric relief valve as to safety classification - valve itself is safety grade but control system is not. This item is still open.

STATUS (5/12): See 420.36.

420.46 (7.4) Describe the procedures to borate the primary coolant from outside the control room when the main control room is inaccessible. How much time is there to do this?

RESPONSE (3/23): Handout given to NRC. Staff questioned if MOV's and controls mentioned are safety grade. Items are safety grade. If problem exists during review, it will be covered under overall discussion of shutdown. "Adequate time" mentioned in response is minimum of four hours.

STATUS (5/12): See 420.36.

HANDOUT (3/23): Boration of the primary coolant will require an alignment of the suction of charging pumps from the refueling water storage tank (RWST) to the boric acid storage tank (BAST). This will be required once the plant starts its cooldown. The gravity feed from the BAST to the suction of the charging pumps contains manual isolation valves located in the primary auxiliary building. The RWST suction valves contain motor-operated valves (MOV) that can be controlled from the motor control center in the switchgear. If need be, the MOV's can be operated locally. There is adequate time for an operator to follow the procedure since the plant is in a safe hot shutdown condition.

420.47 (7.4) Using detailed drawings (schematics, P&IDs), describe the automatic and manual operation and control of the atmospheric relief valves. Describe how the design complies with the requirements of IEEE-279 (i.e., testability, single failure, redundancy, indication of operability, direct valve position, indication in control room, etc.).

RESPONSE: Operation of these valves from a remote location is not considered 3/23 a safety-related function; therefore, they are not designed to meet IEEE-279. Overview of operation given at meeting. Item still under review by staff and considered open.

STATUS (5/12): See 420.36.

420.48 (7.4.2) (7.3) Using detailed electrical schematics and piping diagrams, please discuss the automatic and manual operation and control of the station service water system and the component cooling water system. Be sure to discuss interlocks, automatic switchover, testability, single failure, channel independence, indication of operability, isolation functions, etc.

RESPONSE (3/23): Reviewed system design and operation from drawings and schematics. Staff will review isolation of non-seismic portion of service water system during earthquake without another accident.

ADDITIONAL RESPONSE (5/12): Low service water pump discharge pressure (could be the result of tunnel blockage due to an earthquake) will result in tower actuation (TA). The TA signal will isolate the non-seismic portion of the SW system.

420.49 (7.5) The information supplied in FSAR Section 7.5 concentrates on the post accident monitoring instrumentation and does not provide sufficient information to describe safety related display instrumentation needed for all operating conditions. Therefore, please expand the FSAR to provide as a minimum additional information on the following:

1. ESF Systems Monitoring
2. ESF Support Systems Monitoring
3. Reactor Protective System Monitoring
4. Rod Position Indication System
5. Plant Process Display Instrumentation
6. Control Boards and Annunciators
7. Bypass and Inoperable Status Indication
8. Control Room Habitability Instrumentation
9. Residual Heat Removal Instrumentation

Please use drawings as necessary during your discussion.

RESPONSE (3/23): All except Item 6 will be covered in response to Regulatory Guide 1.97. Summary of VAS and annunciator system will be provided.

ADDITIONAL RESPONSE (5/12): Letter SBN-268, dated 5/4/82, forwarded additional information on the main plant computer system and the VAS.

The annunciators are standard lightboxes that respond to digital inputs. Power is supplied from inverters and the dc system.

Audible alarms and controls are shared with the VAS.

The alarm sequence is:

| Condition | Operator Action | Visual | Alarm Audible | Ringback Audible |
|---|---|---|---|---|
| 1. Normal | - | Off | Off | Off |
| 2. Off Normal | - | Fast Flash | On | Off |
| 3. Off Normal | Silence | Fast Flash | Off | Off |
| 4. Off Normal | Acknowledge | Steady | Off | Off |
| 5. Normal | - | Slow Flash | Off | On (momentary) |
| 6. Normal | Reset | Off | Off | Off |

The annunciator alarms are a subset of the VAS alarms and were selected to provide essential alarms if the VAS is inoperable.

The alarm points are shown on Drawings 9763-C-509109 through 509114. Some VAS inputs are obtained from relays in the annunciator that duplicate the input to the annunciator. Failure of the VAS will not affect the annunciator.

FSAR 7.5 will be revised in our response to Regulatory Guide 1.97, Revision 2.

420.50 (7.5) If reactor controls and vital instruments derive power from common electrical distribution systems, the failure of such electrical distribution systems may result in an event requiring operator action concurrent with failure of important instrumentation upon which these operator actions should be based. IE Bulletin 79-27 addresses several concerns related to the above subject. You are requested to provide information and a discussion based on each IE Bulletin 79-27 concern. Also, you are to:
1. Confirm that all a.c. and d.c. instrument buses that could affect the ability to achieve a cold shutdown condition were reviewed. Identify these buses.
2. Confirm that all instrumentation and controls required by emergency shutdown procedures were considered in the review. Identify these instruments and controls at the system level of detail.

3. Confirm that clear, simple, unambiguous annunciation of loss of power is provided in the control room for each bus addressed in item 1 above. Identify any exceptions.
4. Confirm that the effect of loss of power to each load on each bus identified in item 1 above, including ability to reach cold shutdown, was considered in the review.

5. Confirm that the re-review of IE Circular No. 79-02 which is required by Action Item 3 of Bulletin 79-27 was extended to include both Class 1E and Non-Class 1E inverter supplied instrument or control buses. Identify these buses or confirm that they are included in the listing required by Item 1 above.

RESPONSE (3/23): Refer to the attached response to IE Bulletin 79-27 and two attached responses to IE Circular 79-02.

1. All ac and dc instrument buses were reviewed. Refer to the listing of buses reviewed in the attached response to Bulletin 79-27.

2. A list of instrumentation and controls required by emergency shutdown procedures (Remote Safe Shutdown) will be included in the report "10 CFR 50, Appendix R; Fire Protection of Safe Shutdown Capability". No separate review of instrumentation and controls normally used for a control room shutdown has been planned.

3. Annunciation of loss of power is provided in the main control room through Seabrook video alarm system. The wording of all alarms is subject to review by the station operating staff to insure clarity.
4. The effect of loss of power to each load (instrument or control system) required for remote safe shutdown will be considered in the review of the fire protection of safe shutdown capability.
5. Refer to the two attached responses to Circular 79-02. The buses are listed in the response to Bulletin 79-27.

ADDITIONAL RESPONSE (5/12): Item 1 was revised. We will clarify the reviews performed for Items 2 and 4. All required instrumentation and controls will be identified.

Our emergency procedures will contain the items requested by I&E Bulletin 79-27, Items 2.a, 2.b and 2.c.

We will provide additional information on our inverters as requested by I&E Circular 79-02 (time-delay, modifications).

420.51 (7.5) Table 7.1-1 indicates that conformance to R.G. 1.97 is discussed in Section 7.5.3.2. However, Section 7.5.3.2 is a section of definitions only. We find partial discussion on conformance in Section 7.5.3.1. Correct Table 7.1-1. Also, FSAR Section 1.8 states that Regulatory Guide 1.97, Revision 2, is presently being reviewed and the extent of compliance will be addressed at a later date. Discuss the plans and schedule for complying with R.G. 1.97, Revision 2.

RESPONSE (3/23): Applicant is working on response to Regulatory Guide 1.97, Revision 2. Schedule will be supplied at a later date.

STATUS (5/12): We have continued to review Seabrook for compliance with Regulatory Guide 1.97, Rev. 2. We are following the applicable discussions within the NRC, particularly those of the CRGR in relation to SECY 82-111.

420.52 (7.6.2) Provide a discussion (using detailed drawings) on the residual heat removal (RHR) system as it pertains to Branch Technical Position ICSB 3 and RSB 5-1 requirements. Specifically address the following as a minimum:

1. Testing of the RHR isolation valves as required by branch position E of BTP RSB 5-1.
2. Capability of operating the RHR from the control room with either onsite or only offsite power available as required by Position A.3 of BTP RSB 5-1. This should include a discussion of how the RHR system can perform its function assuming a single failure.
3. Describe any operator action required outside the control room after a single failure has occurred and justify.

In addition, identify all other points of interface between the Reactor Coolant System (RCS) and other systems whose design pressure is less than that of the RCS. For each such interface, discuss the degree of conformance to the requirements of Branch Technical Position ICSB No. 3. Also, discuss how the associated interlock circuitry conforms to the requirements of IEEE Standard 279. The discussion should include illustrations from applicable drawings.

RESPONSE (3/23): The RHR isolation valves can be tested while on RHR by operating only one RHR pump, removing power from one valve associated with the operating pump, simulating high pressure in the isolation channel for the valve that has power removed and verifying that the associated valve in the non-operating loop closes. The system is restored, the sequence repeated for the other isolation channel, cooling shifted to the other loop and the test sequence repeated.

NRC will review reply to RAI 440.23 and 440.24 that address power sources.

There is no other system interfacing with the reactor coolant system (RCS) whose design pressure is less than that of the RCS.

STATUS (5/12): NRC review.

420.53 (7.6.4) FSAR Section 7.6.4, Accumulator Motor-Operated Valves, states that, "During plant operation, these valves are normally open, and the motor control center supplying power to the operators is deenergized". Describe how power is removed and how the system complies to Positions B.2, B.3 and B.4 of BTP ICSB 18 (PSB). Also, identify any other such areas of design and state your conformance to the positions of BTP ICSB 18.

RESPONSE (3/23): Covered in response to 420.59.

STATUS (5/12): Closed.

420.54 (7.3.1.1) (7.6.5) FSAR Section 7.3.1.1 states that, "The transfer from the injection to the recirculation phase is initiated automatically and completed manually by operator action from the main control board".

Describe automatic and manual design features permitting switchover from injection to recirculation mode for emergency core cooling including protection logic, component bypasses and overrides, parameters monitored and controlled and test capabilities. Discuss design features which insure that a single failure will neither cause premature switchover nor prevent switchover when required. Discuss the reset of Safety Injection actuation prior to automatic switchover from injection to recirculation and the potential for defeat of the automatic switchover function. Confirm whether the low-low level refueling water storage tank alarms which determine the time at which the containment spray is switched to recirculation mode are safety grade.

RESPONSE (3/23): Will be discussed later.

RESPONSE (5/12): The step-by-step automatic and manual switchover operations are described in detail in FSAR Section 6.3.2.8 and Table 6.3-7. The ECCS/Containment Spray Recirculation Signal is generated for each train by a combination of the safety injection signal and low-low level in the RWST. The level signal uses 2 out of 4 logic to prevent premature switchover and to ensure switchover is accomplished. Each ESF train uses completely redundant equipment for recirculation to ensure that the safety functions are accomplished. The operator is provided with safety grade indicators for RWST and containment sump level, and manual controls for all the valves required for recirculation so that recirculation can be accomplished without any automatic action.

Non-safety grade but independent low-low level alarms are available from the VAS and the annunciator to alert the operator of the need for recirculation.

The safety injection signal sets latching relay K740 that requires separate action to reset after the safety injection signal has been reset. This ensures automatic recirculation on low-low level in the RWST even if the safety injection signal is reset before the low-low level is reached. A light will be provided to indicate when K740 is latched to ensure that it is reset after periodic testing.
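The recirculation-signal logic described in the 5/12 response to 420.54 can be exercised as a small model. This is an added illustration, not part of the applicant's submittal or the plant design documents; the class and function names, the constructed timeline, and the "no latch" variant are assumptions made for comparison.

```python
from dataclasses import dataclass


def two_of_four(lolo_channels):
    """Coincidence vote on the four RWST low-low level bistables."""
    if len(lolo_channels) != 4:
        raise ValueError("expected four RWST level channels")
    return sum(1 for tripped in lolo_channels if tripped) >= 2


@dataclass
class RecircTrain:
    """Recirculation-signal logic for one ESF train (illustrative model).

    with_latch=False is a hypothetical variant without relay K740, included
    only to show what the latch contributes.
    """
    with_latch: bool = True
    k740_latched: bool = False

    def step(self, si_signal, lolo_channels):
        """Return True when the recirculation signal is present."""
        if self.with_latch and si_signal:
            self.k740_latched = True  # set by SI, stays set after SI reset
        si_memory = self.k740_latched if self.with_latch else bool(si_signal)
        return si_memory and two_of_four(lolo_channels)

    def reset_k740(self):
        """Separate operator action required to drop the latch."""
        self.k740_latched = False


NORMAL = [False, False, False, False]
LOLO = [True, True, True, True]

# Constructed timeline: (SI signal present, RWST low-low bistable states).
SI_RESET_BEFORE_LOLO = [
    (True, NORMAL),   # SI actuates, injection phase, RWST level normal
    (False, NORMAL),  # operator resets SI while the RWST is still draining
    (False, LOLO),    # RWST reaches low-low level
]


def run(with_latch, timeline=SI_RESET_BEFORE_LOLO):
    """Recirculation signal at each step of the timeline."""
    train = RecircTrain(with_latch=with_latch)
    return [train.step(si, channels) for si, channels in timeline]


def single_channel_failures():
    """One failed level channel must neither cause nor block switchover."""
    # Channel 0 failed in the tripped state while the level is really normal.
    spurious = RecircTrain().step(True, [True, False, False, False])
    # Channel 0 failed untripped while the level is really low-low.
    blocked = not RecircTrain().step(True, [False, True, True, True])
    return {"premature_switchover": spurious, "switchover_blocked": blocked}


def latch_left_set_after_test():
    """K740 left latched after a periodic test acts as a standing SI memory."""
    train = RecircTrain()
    train.step(True, NORMAL)                # test actuation sets K740
    before_reset = train.step(False, LOLO)  # no SI present, signal appears
    train.reset_k740()
    after_reset = train.step(False, LOLO)
    return before_reset, after_reset


if __name__ == "__main__":
    print("with K740:   ", run(True))
    print("without K740:", run(False))
    print(single_channel_failures())
    print(latch_left_set_after_test())
```

The last function shows why the response commits to an indicating light: a latch left set after testing is indistinguishable, to the logic, from a real safety injection that has been reset.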

420.55 (5.2.5.8) (7.6) FSAR Section 5.2.5.8 states that calibration and functional testing of the leakage detection systems will be performed prior to initial plant startup. Please provide justification since Position C.8 of Regulatory Guide 1.45 states that, "leakage detection systems should be equipped with provisions to readily permit testing for operability and calibration during plant operation".

RESPONSE (3/23): The electronics can be tested with plant at power. There are readouts that can be checked during plant operation. Radiation sensors can be tested at power because they have check source in them. Level sensors will be channel calibrated in accordance with Technical Specifications.

STATUS (5/12): Closed.

420.56 (7.6) As shown on Drawing 9763-N-310882 SH-B54a, two circuit breakers in series are employed in the power and control circuits for the residual heat removal inlet isolation valves. Tripping of either breaker will remove power from the position indicating lights and valve position indication will be lost. Discuss how this arrangement complies with Branch Technical Position ICSB No. 3 which calls for suitable valve position indication to the control room.

RESPONSE (3/23): Handout submitted to staff. Valve position indicator lights will be powered from different source so that true valve position will always be indicated when power is removed from valve motor by racking out breaker. This applies to RHR interface valves.

STATUS (5/12): Valve position indication to be revised.

HANDOUT (3/23): Two circuit breakers in series are employed in the circuits of motor-operated valves inside containment. This is part of the containment penetration protection provided in response to Regulatory Guide 1.63. Refer to FSAR Section 8.3.1.1.c.7a.

Valve position indication is provided on both RCS-RHR interface valves which are in series. As with any circuit, when power is removed because of a fault, indication will also be lost.

We believe that our revised design meets the intent of ICSB 3 position B4.

In addition to the normal valve position indication lights, the valve full closed position is also monitored by the station computer to alarm whenever the valve is not fully closed and the reactor coolant system is above the pressure rating of the RHR system.

420.57 (7.6) Section 7.6.2.1 indicates that the interlock circuits of the residual heat removal isolation valves, RC-V22 and RC-V87, have a transmitter that is diverse from the transmitter associated with valves RC-V23 and RC-V88. Discuss the method(s) used to achieve this diversity.

RESPONSE (3/23): Different manufacturers for pressure transmitters are used to achieve the diversity.

STATUS (5/12): Closed.

420.58 (7.6) Discuss conformance of the accumulator motor-operated valves to the recommendations of Branch Technical Positions ICSB No. 4.

RESPONSE (3/23): Handout submitted to staff. Change response to indicate valve position is monitored through video alarm system (VAS). Details of VAS will be in the response to 420.49.

Staff will review adequacy of alarm.

STATUS (5/12): NRC review.

HANDOUT (3/23): The design of the accumulator motor-operated valves conforms to the recommendations of ICSB No. 4. Refer to FSAR Section 7.6.4 for a response to Branch Technical Positions B1 and B2.

Branch Technical Position B3:

Valve position is monitored and alarmed by the video alarm system.

Branch Technical Position B4:

The automatic safety injection signal bypasses all main control board switch functions which may have closed the SI accumulator valve.

The safety injection signal will not automatically return power to the de-energized motor control center.

420.59 (7.6) Section 7.6.9 of the FSAR lists the motor-operated valves which will be protected from spurious actuation by removal of motor and control power by de-energizing their motor control centers (MCC 522 and MCC 622). The FSAR also states that control of the breakers supplying power to these MCCs is provided in the main control room. Provide the following information:

(a) The control of the MCC breaker from the Main Control Board for a typical Safety Injection System accumulator isolation valve is not shown on schematic diagram 9763-M-310890 Sh. B35a. Identify the drawing where this is shown.

(b) The residual heat removal inlet isolation valves are not included in the list of valves protected against spurious operation. State whether protection against spurious action of these isolation valves is planned and if so, provide information on how it is accomplished. If not, then justify.

RESPONSE (3/23): (a) Refer to FSAR Section 8.3.3. Alarm is provided in the control room when the breaker is closed.

(b) Reply given in response to RAI 440.23 and will be reviewed by the staff.

ADDITIONAL RESPONSE (5/12): We will explain the operation of valves 35, 36, 89, 90 and 93 and the effects of failure of valve 93 or its position switches.

420.60 (7.6) The following apparent errors have been noted in the schematic diagrams.

(a) Drawing M-310980, Sh. B35d, Rev. O Contacts 5-SC on LOCAL REMOTE SWITCH SS-2403 appear incorrectly developed. An X indicating contacts closed should appear under the REMOTE column for contact 5 to allow remote closing of the accumulator valves.

(b) Drawing 9763-M-310900, Sh. B52a, Rev. 1 Motor starter 42 open coil is mislabeled 42/C instead of 42/0.

RESPONSE (3/23): We agree with your observation of drawing errors on the two schematic sheets mentioned and this will be corrected in the next revision of these drawings.

STATUS (5/12): Closed.

420.61 (7.6.6) FSAR Section 7.6.6 discusses interlocks for RCS pressure control during low temperature operation. Using detailed schematics, discuss how this interlock system complies with Positions B.2, B.3, B.4 and B.7 of BTP RSB 5-2. Be sure to discuss the degree of redundancy in the logic for the low temperature interlock for the RCS pressure control. Also, include a discussion on block valve control.

RESPONSE (3/23): Reply for the low temperature operation of the RCS pressure control will be under RAI 440.11.

The block valves and manual controls are Class 1E, train oriented, with controls being on the main control board.

REVISED RESPONSE (5/12): Design of the cold overpressure interlocks will be changed to make them single failure proof.

420.62 (7.7) If control systems are exposed to the environment resulting from the rupture of reactor coolant lines, steam lines or feedwater lines, the control systems may malfunction in a manner which would cause consequences to be more severe than assumed in safety analyses. I&E Information Notice 79-22 discusses certain non-safety grade or control equipment, which if subjected to the adverse environment of a high energy line break, could impact the safety analyses and the adequacy of the protection functions performed by the safety grade systems.

The staff is concerned that a similar potential may exist at light water facilities now under construction. You are, therefore, requested to perform a review per the I&E Information Notice 79-22 concern to determine what, if any, design changes or operator actions would be necessary to assure that high energy line breaks will not cause control system failures to complicate the event beyond the FSAR analysis. Provide the results of your review including all identified problems and the manner in which you have resolved them.

The specific "scenarios" discussed in the above referenced Information Notice are to be considered as examples of the kinds of interactions which might occur. Your review should include those scenarios, where applicable, but should not necessarily be limited to them.

RESPONSE (3/23): We will identify key control systems that affect plant safety and analyze for effects of high energy line break. Review will be completed and formal response to I&E Information Notice 79-22 submitted.

STATUS (420.62 & .63) (5/12): We have received the memo from Check to Tedesco that provides additional guidance. Our review is in progress.

420.63 (7.7) If two or more control systems receive power or sensor information from common power sources or common sensors (including common headers or impulse lines), failures of these power sources or sensors or rupture/plugging of a common header or impulse line could result in transients or accidents more severe than considered in plant safety analyses. A number of concerns have been expressed regarding the adequacy of safety systems in mitigation of the kinds of control system failures that could actually occur at nuclear plants, as opposed to those analyzed in FSAR Chapter 15 safety analyses. Although the Chapter 15 analyses are based on conservative assumptions regarding failures of single control systems, systematic reviews have not been reported to demonstrate that multiple control system failures beyond the Chapter 15 analyses could not occur because of single events. Among the types of events that could initiate such multiple failures, the most significant are, in our judgment, those resulting from failure or malfunction of power supplies or sensors common to two or more control systems.

To provide assurance that the design basis event analyses adequately bound multiple control system failures, you are requested to provide the following information:

(1) Identify those control systems whose failure or malfunction could seriously impact plant safety.

(2) Indicate which, if any, of the control systems identified in (1) receive power from common power sources. The power sources considered should include all power sources whose failure or malfunction could lead to failure or malfunction of more than one control system and should extend to the effects of cascading power losses due to the failure of higher level distribution panels and load centers.

(3) Indicate which, if any, of the control systems identified in Item 1 receive input signals from common sensors. The sensors considered should include, but should not necessarily be limited to, common hydraulic headers or impulse lines feeding pressure, temperature, level or other signals to two or more control systems.

(4) Provide justification that any simultaneous malfunctions of the control systems identified in (2) and (3) resulting from failures or malfunctions of the applicable common power source or sensor are bounded by the analyses in Chapter 15 and would not require action or response beyond the capability of operators or safety systems.

RESPONSE (3/23): We will submit formal response similar to that submitted on other Westinghouse plants.

STATUS (5/12): See 420.62.

420.64 (7.7.1) FSAR Section 7.7.1 discusses steam generator water level control. Discuss, using detailed drawings, the operation of this control system. Include information on what consequences (i.e., overfilling the steam generator and causing water flow into the steam piping, etc.) might result from a steam generator level control channel failure. Be sure to discuss the high-high steam generator level logic used for main feedwater isolation.

RESPONSE (3/23): High-high steam generator level trip will be changed to two out of four logic.

ADDITIONAL RESPONSE (5/12): S/G level is not programmed as a function of power level. 420.67 from the draft memo dated 3/22/82 is now 420.70.

420.65 (7.2) (7.3) Recent review of a plant (Waterford) revealed a situation where heaters are to be used to control temperature and humidity within insulated cabinets housing electrical transmitters that provide input signals to the reactor protection system. These cabinet heaters were found to be unqualified and a concern was raised since possible failure of the heaters could potentially degrade the transmitters, etc.

Please address the above design as it pertains to Seabrook. If cabinet heaters are used, then describe as a minimum the design criteria used for the heaters.

RESPONSE (3/03): Class 1E electronic transmitters are not mounted in an insulated cabinet with heaters for temperature and humidity control. The subject design, therefore, does not pertain to Seabrook.

STATUS (5/12): Closed.

Note: The NRC memo dated March 22, 1982, on the SSPS slave relay contacts is now 420.81.

420.66 (7.2) It is not clear from the drawings provided and the description of the turbine trip circuits and mechanisms that the equipment used to trip the turbine following a reactor trip meets the criteria applicable to equipment performing a safety function.

It is the staff position that the circuits and equipment used to trip the turbine following a reactor trip should meet the criteria applicable to a safety function with the exception of the fact that the circuits may be routed through non-seismic qualified structures and the turbine itself is not seismically qualified.

Please provide further discussion on how the Seabrook design meets the staff position.

RESPONSE (5/12): We will comply with the attached Westinghouse Interface Criteria for Implementation of Turbine Trip on Reactor Trip. We are discussing the design changes required with General Electric Co., the turbine supplier.

420.67 (7.2) The reactor coolant system hot and cold leg resistance temperature detectors (RTD) used for reactor protection are located in reactor coolant bypass loops. A bypass loop from upstream of the steam generator to downstream of the steam generator is used for the hot leg resistance temperature detector and a bypass loop from downstream of the reactor coolant pump to upstream of the pumps is used for the cold leg resistance temperature detector. The magnitude of the flow affects the overall time response of the temperature signals provided for reactor protection.

It is the staff's position that the magnitude of the RTD bypass loop flow be verified to be within required limits at each refueling period and that this requirement be included into the plant technical specifications. Please provide discussion on how the Seabrook design complies with the staff's position. If there are any exceptions please describe and provide justification.

RESPONSE (5/12): Westinghouse letter SNP-4340, attached, evaluates the potential for reduced flow in the RTD Bypass System due to corrosion product deposition. Based on their analysis, we do not consider flow reduction due to crud to be a problem.

We will verify the bypass flow rates during the preoperational testing program. The low flow alarm in the combined return line will be set at a value to indicate unacceptable flow degradation in either the cold or hot leg bypass manifolds.

This response is the same as was made to Catawba. This item is open pending NRC review.

420.68 (7.2) Operation of either of two manual reactor trip switches deenergizes the reactor trip breaker undervoltage coils and at the same time, energizes the breaker shunt coils for the breakers associated with both protection logic trains.

It is the staff's position that the plant technical specifications include a requirement to periodically, independently verify the operability of the undervoltage and shunt trip functions. Please describe how the Seabrook design complies with our position. If there are any exceptions please identify with sufficient justification.

RESPONSE (5/12): We defer response pending generic resolution of this item by Westinghouse and the NRC (Ref. NS-EPR-2588, dated 4/29/82).

420.69 (7.2) Several safety system channels make use of lead, lag or rate signal compensation to provide signal time responses consistent with assumptions in the Chapter 15 analyses. The time constants for these signal compensations are adjustable setpoints within the analog portion of the safety system. The staff position is that the time constant setpoint be incorporated into the plant technical specifications. Please provide a discussion on this matter.

RESPONSE (5/12): The time constants are in Tables 2.2-1 and 2.2-2 of the Technical Specification. Attached is a revised Table 2.2-2 with editorial corrections and inclusion of the time constants that clarify Item 4.E.

420.70 (7.2) (7.3) The present Seabrook design shows that three steam generator level channels are to be used in a two-out-of-three logic for isolation of feedwater on high steam generator level and that one of the three level channels is used for control. This design for actuation of feedwater isolation does not meet Paragraph 4.7 of IEEE-279 on "Control and Protection System Interaction". For example, the failure of the level channel used for control in the low direction could defeat the redundancy requirements (i.e., a single failure of one of the remaining channels defeats the two-out-of-three requirements). Therefore it is the staff's position that the system be modified (i.e., addition of a fourth protection channel) to meet the redundancy requirements or provide an analysis justifying that isolation of feedwater on high-high steam generator level is not required for safety. Please provide a discussion based on the above staff requirements.

RESPONSE (5/12): This was addressed in the March 23-25 meetings as Item 420.67.

Commitment was made to change the S/G high level trip to 2 out of 4 (see 420.64).
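The control and protection interaction raised in 420.70 can be checked by enumerating single failures, as in the following added example (not part of the letter or of any plant analysis). The channel states, function names and the choice of channel 0 as the shared control channel are assumptions for illustration.

```python
def channel_trips(state, level_high_high):
    """Bistable output for one steam generator level channel.

    A channel failed low never trips, a channel failed high always trips,
    and a healthy channel follows the real level.
    """
    if state == "failed_low":
        return False
    if state == "failed_high":
        return True
    return level_high_high


def isolates(states, level_high_high, required=2):
    """Feedwater isolation demand from a 2-out-of-N coincidence vote."""
    tripped = sum(channel_trips(s, level_high_high) for s in states)
    return tripped >= required


def defeating_single_failures(n_channels, control_shares_channel):
    """Channels whose single additional failure (low) defeats isolation.

    Initiating event: the level channel used for control fails low, the
    control system raises feedwater flow, and the real level goes to
    high-high. When the control channel is also protection channel 0,
    the same failure removes that channel from the vote.
    """
    states = ["ok"] * n_channels
    if control_shares_channel:
        states[0] = "failed_low"
    defeated = []
    for i, state in enumerate(states):
        if state != "ok":
            continue
        trial = list(states)
        trial[i] = "failed_low"  # the postulated single failure
        if not isolates(trial, level_high_high=True):
            defeated.append(i)
    return defeated


def spurious_isolation_possible(n_channels):
    """True if one channel failed high at normal level isolates feedwater."""
    for i in range(n_channels):
        trial = ["ok"] * n_channels
        trial[i] = "failed_high"
        if isolates(trial, level_high_high=False):
            return True
    return False


def summary():
    """Single failures that defeat isolation, per design variant."""
    return {
        "2oo3, control shares a channel": defeating_single_failures(3, True),
        "2oo4, control shares a channel": defeating_single_failures(4, True),
        "2oo3, separate control channel": defeating_single_failures(3, False),
    }


if __name__ == "__main__":
    for design, defeated in summary().items():
        verdict = "meets" if not defeated else "fails"
        print(f"{design}: {verdict} single-failure check, defeated by {defeated}")
```

The third variant shows that the deficiency comes from sharing the channel with the control system rather than from two-out-of-three voting as such; the fourth channel restores the margin while keeping the shared channel.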

420.71 (7.2) FSAR Figure 7.2-1, Sheet 2 shows a reactor trip initiated by a General Warning Alarm from the Solid State Protection System. The information presented in the FSAR does not sufficiently describe this trip signal. Therefore, please provide additional information to describe and justify this reactor trip.

RESPONSE (5/12): The Seabrook SSPS is functionally similar to that discussed at Catawba. FSAR Section 7.2.2.2 will be revised per attached markup as was done at Catawba.

420.72 (7.3) Using detailed drawings (schematics, P&ID's), describe the automatic and manual operation and control of the main steam and feedwater isolation valves. Describe as a minimum how the design complies with the requirements of IEEE-279 (i.e., single failure, redundancy indication of operability, direct valve position indication in the control room, automatic actuation, etc.).

RESPONSE (5/12): (a) Discussions on circuit modifications to the MISV controls continue. Response is deferred pending resolution (see 420.37a).

(b) The MFWIV's were discussed with 420.37.

420.73 (7.3) (7.4) Instrumentation for process measurements used for safety functions such as reactor trip or emergency core cooling typically are provided with the following:

a) An indicator in the control room to provide the operator information on the process variable being monitored which can also be used for periodic surveillance checks of the instrument transmitter.

b) An alarm to indicate to the operator that a specific safety function has been actuated.

c) Indicator lights or other means to inform the operator which specific instrument channel has actuated the safety function.

d) Rod positions, pump flows, or valve positions to verify that the actuated safety equipment has taken the action required for the safety function.

e) Design features to allow test of the instrument channel and actuated equipment without interfering with normal plant operations.

During recent reviews, it has been found that one or more of the features above was not provided for certain instrumentation used to initiate safety functions. Examples include instrumentation used to isolate essential service water to the air compressors, instrumentation used to isolate the non-safety-related portion of the component cooling water system, and instrumentation used to isolate the spray additive tank on low-low level.

The staff position is that instrumentation provided to perform safety functions such as isolating non-seismic portions of systems, closing valves when tank levels reach low level setpoints, and similar functions should be provided with alarms and indicators commensurate with the importance of the safety function and should be testable without interfering with normal plant operations. The applicants should provide the staff with a list of all instrument channels which perform a safety function where one or more of the features listed in a through e of the concern above are not currently provided. For each of these instrument channels, the applicants should indicate which of the features a through e are not currently provided. The staff position on these instrument channels is further that the applicants should:

a) Provide an alarm to indicate that the safety function has been actuated if such an alarm is not in the current design.

b) If not in the current design, provide means to inform the operator which specific channel has actuated the safety function.

c) If not in the current design, provide indication that the actuated safety equipment has taken the action required for the safety function.

d) If not in the current design, provide the capability for testing each safety function without interfering with normal plant operations and without lifting instrument leads or using jury rigs. The capability for testing should include the transmitter where indicators are not provided to perform operability checks of the transmitters.

The staff will provide requirements in the plant technical specifications for testing these safety functions. Please provide discussion on how the Seabrook design meets the above stated staff position. If there are any exceptions please describe and provide justification.

RESPONSE (5/12): A preliminary list was provided. We are evaluating the missing features and will respond at the next meeting.

420.74 (7.3) On November 7, 1979, Westinghouse notified the Commission of a potential undetectable failure which could exist in the engineered safeguards P-4 interlocks. Test procedures were developed to detect failures which might occur. The procedures require the use of voltage measurements at the terminal blocks of the reactor trip breaker cabinets.

In order to minimize the possibility of accidental shorting or grounding of safety system circuits during testing, suitable test jacks should be provided to facilitate testing of the P-4 interlocks. Provide a discussion on how the above issue will be resolved for Seabrook.

RESPONSE (5/12): In SBN-120, dated May 15, 1980, we committed to the tests described in NS-TMA-2204.

420.75 (7.3) (9.3.4) (6.3) On May 21, 1981, Westinghouse notified the Commission of a potentially adverse control and protection system interaction whereby a single random failure in the Volume Control Tank level control system could lead to a loss of redundancy in the high head safety injection system for certain Westinghouse plants. Please determine whether this generic problem exists on Seabrook and, if so, how the problem is to be resolved.

RESPONSE (5/12): The generic problem is applicable to Seabrook. We are evaluating Westinghouse recommendations for procedural changes.

420.76 (7.4) Discuss the likelihood that emergency core cooling will be automatically initiated following a manual reactor trip initiated during a temporary evacuation of the control room. For example, is it possible for the reactor coolant system to be cooled to the point that the pressurizer empties during the time interval between manual reactor trip and the time an operator can take control of auxiliary feedwater outside the control room? Analyses and operating experience from plants similar to Seabrook should be presented during the discussion. Based upon the likelihood of emergency core cooling actuation following a manual reactor trip, should the capability for resetting the equipment be provided outside the control room?

RESPONSE (5/12): See 420.36.

420.77 (7.4) (5.4.10.3) The FSAR states that the pressurizer auxiliary spray valve is used during cooldown when the reactor coolant pumps are not operating and FSAR Section 7.4 lists the auxiliary spray as a system required for safe shutdown. FSAR Figure 9.3-13 shows this system as a single path with a single diaphragm operated valve. A single failure could conceivably:

1) Prevent the use of auxiliary spray for cooldown,
2) Cause inadvertent actuation, or
3) Prevent isolation of the system.

Using detailed fluid and schematic drawings, please provide further discussion describing the operation of the auxiliary spray system.

RESPONSE (5/12): See 420.36.

420.78 (7.4) Provide a discussion on the termination of possible inadvertent boron dilution. Will automatic equipment be used for termination?

RESPONSE (5/12): The revised criteria for the boron dilution accident promulgated by NUREG-0800 are under review.

420.79 (7.7.1.2) Describe the design features used in the rod control system which:

1) Limit reactivity insertion rates resulting from single failures within the system.
2) Limit incorrect sequencing or positioning of control rods.

The discussion should cover the assumptions for determining the maximum control rod withdrawal speed used in the analyses of reactivity insertion transients.

RESPONSE (5/12): Section 7.7.1.2.2 of the FSAR will be revised per attached markup to describe features that limit reactivity insertions, maximum rod speeds and incorrect sequencing resulting from single failures within the system. This evaluation is identical to that made for the SNUPPS review. The SNUPPS and Seabrook rod control systems are functionally identical.

420.80 The FSAR (Section 5.2.2.8) information describing direct position indication of relief and safety valves is insufficient to allow the staff to complete its review. Therefore, please provide additional information on how the Seabrook design complies with each specific requirement of NUREG-0737, TMI Item II.D.3.

RESPONSE (5/12): The FSAR will be revised when the details of the valve position indication system are known (see 420.05 response).

420.81 During the Seabrook drawing review it was discovered that safeguards actuation circuits have parallel relay contacts to handle specific load requirements. The slave relays used for the output of the solid state protection system (SSPS) have apparently been qualified by Westinghouse for use in circuits drawing a maximum current of 4.4 amps. It is our understanding that the Seabrook 5 kV and 15 kV systems expose the SSPS slave relay contacts to a magnitude of 5.2 amps upon safeguards actuation.

The applicant has decided to use parallel contacts to carry the current, relying on simultaneous closure (and opening) of the safeguards contacts upon protection signal actuation.

This design concept is unacceptable to the staff. We have concluded that paralleling contacts may not solve the concern with the current ratings of the Westinghouse slave relay contacts since closure (or opening) of the SSPS slave relay contacts at the exact same time cannot be assured. One set of contacts will, in most instances, function before its redundant counterpart thus allowing the full 5.2 amps to that set of contacts. Also, it appears that the present test methods do not allow for checking operation of each individual set of contacts when paralleled. It is the staff's position that the relays used in the protection system should be qualified for the maximum expected current.

The applicant is requested to modify the Seabrook design to comply with the above staff position.

RESPONSE (5/12): We will perform an independent test to verify the contact current carrying capabilities of the SSPS slave relays. The test will be performed on single contacts controlling actual switchgear components.

Upon completion of the tests, the NRC will be notified on the disposition of the issue regarding the use of these relays.

The NRC expressed concern that the testing meet similar requirements as were utilized during the W testing. Departures should be justified.

SB 1 & 2 FSAR

7.1.2.6 Conformance to Regulatory Guide 1.47

The bypass indication system, which does not perform functions essential to public health and safety during an accident, is designed to meet paragraph 4.13 of IEEE Standard 279-1971 and Regulatory Guide 1.47, as described below.

The following rules are used to develop the system design, which satisfies Regulatory Guide 1.47.

a. The bypass indication system is located in the MCB separately, one for each train, on a system basis.
b. Testing requirements are factored into the required logic.
c. If a component is redundant within a redundant train, it will not be alarmed.
d. If a component is positioned by procedure after an accident and given that the accident analysis does not reflect the consequences of that component out of position prior to the accident, it will alarm when out of normal position.
e. If a component is required to change state upon receipt of the safeguard signal, testing of that component would involve placing it in a position required for the accident. If an accident should occur while returning the component to its normal position, the safeguards signal will reposition it automatically.

f. The following lists the various systems considered and the corresponding logic diagrams which illustrate the implementation:

System | Logic Diagram
Containment Building Spray (CBS) | M-503259
Primary Component Cooling Water (CC) | M-503277
Chemical & Volume Control (CS) | M-503372
[illegible entry]
Feedwater (FW) | M-503599
Residual Heat Removal (RH) | M-503768
Safety Injection (SI) | M-503918
Service Water (SW) | M-503973

PSNH
SEABROOK STATION UNITS 1 & 2
RADIATION DATA MANAGEMENT SYSTEM

The Seabrook Station radiation monitoring system is a digital computer-based Radiation Data Management System (RDMS) which consists of local microprocessors for each channel interconnected by redundant communication loops to a redundant (two computers) host computer system. The host computer system is common to Unit 1 and Unit 2 radiation monitoring channels. Either of the two computers can, by itself, provide the total computing capacity required for satisfactory operation of the RDMS for both Units 1 and 2. The host computer system, in turn, is connected to an operator display/control console in each unit control room, technical support center and the health physics room.

Class 1E monitors are hardwired to the Class 1E monitoring cabinets located in the Control Room.

A block diagram of the system is shown in Figure 1. A description of the major components of the system follows below.

1.0 Local Monitor Control Cabinet

1.1 Microprocessor

Each radiation monitor includes a field mounted programmable, data processing control and alarm microprocessor. The microprocessor is capable of accepting the input from the monitor, converting the signal to a specified engineering unit (micro Ci/cc, mR/Hr, etc.) and sending the processed data to RDMS host computer for processing, display, historic storage and retrieval, alarm and documentation.

The local control panel at each microprocessor allows control functions, check source testing, calibration and surveillance testing to be performed at the microprocessor. Selection of the local position will automatically be alarmed at both the Operator and HP Consoles. Set points modified for all microprocessors while in the local position will be automatically time sequence documented on the RDMS host computer printers. Also, all data base information in the RDMS host computer system for that microprocessor will be updated to reflect the new set points. For Class 1E monitors, any control or set point change function for that monitor can be done at the monitor local and at the Class 1E Cabinet remotely in the control room.

Local indicators are digital (LED) with three digits of mantissa and two digits of signed exponent. Indicators are visible with the unaided eye for distances up to 20 feet.

For area monitors alarm lights will be beacon type with red for high radiation, yellow for alert. For all other monitors the alarm light will be beacon type with red for high radiation only. A solid state audible alarm horn, for both alert and high radiation, that emits 800 Hertz at 80 dB or greater at 100 feet will be provided at each microprocessor.

Each microprocessor includes sufficient memory to retain the following time history data in the event of total loss of the RDMS host computer system for 24 hours:

a. Each 1 minute average for 30 minutes

b. Each 10 minute average for 5 hours

c. Each hourly average for 24 hours

Sufficient internal battery backup for loss of AC power (minimum of 8 hours) at the microprocessor is provided.

Each monitor except those using ion chamber detectors includes a check source. For all Non-1E monitors, the check source can be initiated from either the local panel or from the RDMS host computer. Check source induced readings taken during this time are either recorded separately or differentiated from normal radiation readings. For 1E monitors, the check source can be initiated from the local control panel and the 1E cabinets in the control room only.

2.0 Class 1E Cabinets

Separate cabinets are provided in the main control room for control and remote indication of Class 1E monitors. All Class 1E monitors supply their data to the RDMS host computer through an IEEE-279 acceptable isolation device. No information or alarm setting is permitted between the RDMS host computer and Class 1E equipment.

Class 1E monitors may not have their set points changed, check source insertion, or purges and bypasses initiated or activated from the RDMS host computer. All 1E monitors have all changes or activations made locally or from hard wired remote modules. Modules are housed in an appropriate cabinet with safety channels A and B separated. Electronic hardware such as power supplies, interface modules (RK) and recorders associated with the Class 1E channels are located in cabinets CP-180A and B in the control room for Train A and Train B respectively. Recorder power is received from the MCB Class 1E power supplies. Additional output signals (0-10 VDC) for analog indications (Post Accident monitors) required at the MCB are provided from these cabinets. Alarms required for the Class 1E channels are also provided in these cabinets.

3.0 RDMS Host Computer System

The RDMS host computer system RM-CP-296 consists of two central processing units (CPU). They are redundant in that loss of either CPU will not result in loss of any incoming process data, nor loss of display and documentation at both the operator and health physics consoles. If one CPU is defined as the "primary" CPU and the other defined as the "alternate" CPU, then the switchover from the failed CPU to its back-up is automatic. The failure of the CPU will be alarmed at both the operator and HP consoles. Switchover is completed within five seconds with no loss of data.

The CPU's employ state of the art technology to meet the high speed computation and data processing system requirements. Sufficient CPU memory is provided to perform all executive and operating functions specified. A minimum spare CPU memory of 40% is also provided for system expansion.

4.0 Operator / Programmer Consoles

Six interface locations are provided. Two are defined as the "Operator's Console" and are located in each main control room. Two others are defined as the technical support center which can access data only (no control or setpoint changes) and are located adjacent to each unit's control room. The fifth is defined as the "Health Physics Console (HP Console)" and is located at the health physics check point area. The sixth is located in the Administration and Service Building computer room to be used for program development.

System capabilities at each console include:

a. Address each RM channel individually one at a time or in preselected groups.
b. Extract information to or from the RM channels.
c. Change set point of any individual RM channel (except Class 1E) one at a time.
d. Trend any given channel at CRT.
e. Display alarm messages.
f. Actuate check source insertion (except Class 1E channels) and initiate diagnostic routines on any one RM channel at a time.
g. Monitor portable monitor information from any "plug-in" location if one is plugged in.

[Figure 1: Block diagram of the Radiation Data Management System]

7.1.2.7 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972

The principles described in IEEE Standard 379-1972 were used in the design of the Westinghouse Protection Systems. The system complies with the intent of this standard and the additional guidance of Regulatory Guide 1.53 although the formal analyses have not been documented exactly as outlined. Westinghouse has gone beyond the required analyses and has performed a fault tree analysis, Reference (1).

The referenced topical report provides details of the analyses of the protection systems previously made to show conformance with single failure criterion set forth in paragraph 4.2 of IEEE Standard 279-1971. The interpretation of single failure criterion provided by IEEE Standard 379-1972 does not indicate substantial differences with the Westinghouse interpretation of the criterion except in the methods used to confirm design reliability.

Established design criteria in conjunction with sound engineering practices form the bases for the Westinghouse protection systems. The Reactor Trip and Engineered Safety Features Actuation Systems are each redundant safety systems. The required periodic testing of these systems will disclose any failures or loss of redundancy which could have occurred in the interval between tests, thus ensuring the availability of these systems.

7.1.2.8 Conformance to Regulatory Guide 1.63

Conformance to Regulatory Guide 1.63 is discussed in Section 8.1 and Subsection 8.3.1.2.

7.1.2.9 Conformance to IEEE Standard 317-1972

Conformance to this IEEE standard is discussed in Section 8.1.

7.1.2.10 Conformance to IEEE Standard 336-1971

The installation and pre-operational testing of Class 1E electrical power systems and related instrumentation and control equipment conform or will conform to the requirements of IEEE Standard 336-1971. The quality assurance program for design, procurement and installation is described in Chapter 17 and the pre-operational test procedures for each system are described in Chapter 14.

7.1.2.11 Conformance to IEEE Standard 338-1975

The periodic testing of the Reactor Trip System and the Engineered Safety Features Actuation System conforms to the requirements of IEEE Standard 338-1975, with the following comments:

a. The surveillance requirements of the technical specifications for the protection system ensure that the system functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate this capability for the system, excluding sensors.

Westinghouse Interface Criteria for Implementation of TT-O-RT

In implementing such trip circuits as turbine trip on reactor trip (TT-O-RT) Westinghouse recognizes that full conformance to IEEE 279 and associated standards is not possible due to the fact that the turbine building on most plants is not a seismic category I structure.

Furthermore, the turbine trip equipment supplied by the turbine manufacturer, although of appropriate high quality, is not normally seismically or environmentally qualified. The NRC has accepted these limitations subject to implementation of a system which is as reliable as reasonably achievable. Westinghouse has established interface requirements consistent with these objectives:

1. In the event that the Utility / Turbine Manufacturer is able to demonstrate seismic and environmental qualification of the turbine trip equipment, Westinghouse prefers the TT-O-RT circuitry to be implemented in accordance with applicable Class 1E standards.
2. In the event that qualification of the turbine trip equipment cannot be demonstrated, the following interface criteria apply:

Reliability

In order to assure an adequate reliability for the TT-O-RT circuitry Westinghouse requires that the circuit design up to the turbine trip solenoids conform to those sections of IEEE 279 concerning single failure (Section 4.2), Quality (Section 4.3), Channel Integrity (Section 4.5 excluding seismic), Channel Independence (Section 4.6), and Testability (Section 4.10). No isolator should be introduced between the Westinghouse protection system and the turbine trip solenoids which then permits down-grading of any part of the turbine trip system with respect to the above stated criteria.

The turbine trip solenoids should be implemented so that the turbine will be tripped on loss of electric power. Given this arrangement it will be prudent to employ a highly reliable power source for availability reasons.

System Faults

Faults can be postulated on cabling between the Westinghouse protection system output relay contacts and the turbine trip system (solenoids).

Westinghouse test programs have demonstrated that coil to contact physical and electrical separation constitute an acceptable barrier between electrical systems if relay contact circuits were to be faulted with $80 VAC and 250 VDC. Westinghouse believes that credit can be taken for this contact to coil barrier for faults not exceeding these potentials should they be imposed on cabling routed to the turbine trip system.

Westinghouse Electric Corporation
Water Reactor Divisions

November 18, 1981
SNP-4340
MS-LT-9594
W S.O. SNP-4705

Mr. Joseph H. Smith
Project Engineering Manager
Bechtel Power Corporation
15740 Shady Grove Road
Gaithersburg, Maryland 20760

Dear Mr. Smith:

SNUPPS PROJECTS
RTD Bypass Loop Flowrate

During the NRC Instrumentation and Control Systems Branch review of the SNUPPS FSAR, the NRC (Mr. C. E. Rossi) indicated that they will require that the magnitude of the RTD bypass loop flowrate be verified to be within required limits at each refueling. In the recently issued Callaway Safety Evaluation Report (NUREG-0830), the NRC reiterated this requirement and stated that it will be incorporated in the plant Technical Specifications.

Westinghouse has performed an evaluation of the SNUPPS RTD Bypass System, directed towards assessing the potential effect of increased fouling on the RTD Bypass System delay times. As we understand it the NRC request is based on a concern that an increase in corrosion product deposition within the Bypass System Piping will significantly increase the delay time, with a corresponding increase in the time required for generation of the protection grade TH and TC signals.

A qualitative assessment of this situation leads to the following key points:

• A significant increase in transport time would be accompanied by a large decrease in bypass piping velocity. Assuming the relationship ΔH = KV² holds true, and ΔH (driving head) is constant, then a large velocity decrease would result only from a very large increase in K value.

• In the usual practice, fouling inside pipes and tubes is considered to have significant effect on the heat transfer mechanism but an insignificant effect on hydraulic performance. Examination of the physical parameters that determine the friction factor "F", i.e., Reynolds Number and Relative Roughness, easily confirm that only a gigantic increase in absolute roughness (epsilon) could really increase the friction factor F and consequently the K value. Thus a meaningful increase in loss coefficient cannot be postulated on the basis of fouling.


Nevertheless a quantitative evaluation was performed which consisted of two parts: (1) Calculation of the current RTD Bypass System delay time with no fouling (base line resistance coefficients) and (2) calculation of the effect of increased fouling (increased resistance coefficients) on the system delay times. The results of part 1 are listed below along with the Bechtel Drawings used in the evaluation. Note that all of the delay times satisfy the 1.0 sec functional requirement for maximum allowable transport delay time. This is the time allotted for fluid entering the RTD scoops to reach the last temperature detector in the manifold.

Delay Times With No Fouling

Loop | Bechtel Drawing # | Hot Leg (Sec) | Cold Leg (Sec)
Loop 1 | M-03BB05(Q) Rev. 2 | .71 | .84
Loop 2 | M-03BB06(Q) Rev. 2 | .70 | .75
Loop 3 | M-03BB14(Q) Rev. 3 | .70 | .98
Loop 4 | M-03BB15(Q) Rev. 2 | .79 | .82

In part 2 of the evaluation a parametric study was performed to determine the effect of increased fouling on the delay times. Figure 1 is a plot of the increase in the hot and cold leg transport delay time as a function of the percent increase in piping loss coefficient (due to fouling). Loop 1 was used as a representative loop to generate this plot but we can expect Loops 2, 3, and 4 to behave similarly. Summarizing this part of the study, the hot leg loss coefficients would have to increase by the amounts listed below before the 1.0 second maximum delay time would be reached.

Loop | Increase in H.L. Loss Coefficient Necessary for 1.0 Sec. Delay Time
1 | 100%
2 | 103%
3 | 106%
4 | 68%

In summary, changes in loss coefficients of this magnitude are simply not credible. If increases in RTD system resistances of this magnitude were to occur we would expect to see similar effects in the steam generator tubes. Fouling has never been a significant contributor to increases in systems resistance. Thus, Westinghouse does not feel it is necessary to verify the RTD Bypass Flow Rate periodically.

Another consideration is that the Westinghouse safety analyses assume 2 seconds for manifold transport time and heating. The system is designed for a 1 second transport time. It is the opinion of Westinghouse that the above evaluation results and the analytical assumptions provide the justification for not performing additional surveillance.

If you have any questions concerning this material, please contact this office.

Very truly yours,

W. L. Luce/bek

W. R. Spezialetti
SNUPPS Licensing Manager

Attachment

cc:
N. A. Petrick (SNUPPS), 2L, 2A
F. D. Crawford (KCP&L), 1L, 1A
D. W. Capone (UE), 1L, 1A
P. A. Ward (Bechtel), 1L, 2A
J. A. Bailey (KG&E), 1L, 1A
Joseph H. Smith (Bechtel), 1L, 1A
R. L. Stright (SNUPPS), 1L, 1A

[Figure 1: Increase in hot and cold leg transport delay time versus percent increase in piping loss coefficient (due to fouling); horizontal axis from 0 to 100 percent.]
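The scaling argument in the Westinghouse letter above, carried through as an added worked derivation; it is not part of the letter or of the Westinghouse evaluation. It takes the letter's own assumptions (ΔH = KV² with ΔH constant) and further assumes a fixed flow path length L and that K is the total loss coefficient of the path; t_0 (no-fouling delay time), K_0 (no-fouling loss coefficient) and t_max (the 1.0 sec limit) are symbols introduced here.

$$ V = \sqrt{\frac{\Delta H}{K}}, \qquad t = \frac{L}{V} = L\sqrt{\frac{K}{\Delta H}} \quad\Longrightarrow\quad \frac{t}{t_0} = \sqrt{\frac{K}{K_0}}, \qquad \frac{K}{K_0} = \left(\frac{t_{max}}{t_0}\right)^{2} $$

For the Loop 1 hot leg, t_0 = 0.71 sec and t_max = 1.0 sec give

$$ \frac{K}{K_0} = \left(\frac{1.0}{0.71}\right)^{2} \approx 1.98 $$

so the loss coefficient has to roughly double before the limit is reached, which is of the same order as the increases the letter tabulates. Because the delay time grows only as the square root of K, a 10% increase in K lengthens the Loop 1 hot leg delay by about 5% (√1.10 ≈ 1.049), from 0.71 sec to about 0.74 sec.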

TABLE 2.2-2 (continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION TRIP SETPOINTS

Functional Unit | Total Allowance (TA) | Z | Sensors Drifts (s) | Trip Setpoint | Allowable Value

7. LOSS OF POWER
A. 4 kV Bus Loss of Voltage | (later) | (later) | (later) | (later) | (later)
B. 4 kV Bus Degraded Voltage | (later) | (later) | (later) | (later) | (later)

8. COOLING TOWER INITIATION
A. Manual | NA | NA | NA | NA | NA
B. Low Service Water Pump Discharge Pressure | (later) | (later) | (later) | 7.3G psig | (later)

9. PCCW HEAD TANK LEVEL | (later) | (later) | (later) | (later) | (later)

10. RWST SWITCHOVER
A. Low RWST Water Level Coincident with Safety Injection | See 1A, 1B, 1C, 1D, 1E | | | ≥(later) gal. | ≥(later) gal.

11. Feedwater Isolation
A. Safety Injection | NA | NA | NA | NA | NA
B. Steam Generator Water Level - High-High | 13.0 | 2.18 | 1.5 | ≤84.5% of narrow range instrument span | ≤86.3% of narrow range instrument span
C. Low RCS Tavg Coincident with Reactor Trip | (later) | (later) | (later) | (later) | (later)

NOTE 5: Time constants utilized in the lead-lag controller for Steam Pressure-Low are τ1 ≥ 50 seconds and τ2 ≤ 5 seconds.

[Handwritten addition below NOTE 5, illegible in the scan except for the words "RATE-HIGH" and "50 seconds".]

TABLE 2.2-2 (continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION TRIP SETPOINTS

Functional Unit | Total Allowance (TA) | Z | Sensors Drifts (s) | Trip Setpoint | Allowable Value

C. Purge and Exhaust Isolation (On-line)
1. Manual | NA | NA | NA | NA | NA
2. From Safety Injection Automatic Actuation Logic | NA | NA | NA | NA | NA
3. Containment Radioactivity High | (later) | (later) | (later) | (later) | (later)

4. STEAM LINE ISOLATION
A. Manual | NA | NA | NA | NA | NA
B. Automatic Actuation Logic | NA | NA | NA | NA | NA
C. Containment Pressure - High | 4.0 | 0.71 | 1.5 | 5.0 psig | (later)
D. Steamline Pressure - Low | 17.9 | 10.71 | 1.5 | ≥585 psig | ≥563 psig (Note 5)
E. Negative Steam Pressure Rate-High | 8.0 | 0.71 | 15 | ≤100 psi/sec | ≤111.5 psi/sec

5. TURBINE TRIP
A. Steam Generator Water Level - High-High | 13.0 | 2.18 | 1.5 | ≤84.5% of narrow range instrument span | ≤86.3% of narrow range instrument span
B. Safety Injection | NA | NA | NA | NA | NA
C. Reactor Trip | NA | NA | NA | NA | NA

6. EMERGENCY FEEDWATER
A. Steam Generator Water Level - Low-Low | 15.0 | 12.18 | 1.5 | ≥15% of narrow range instrument span | ≥13.2% of narrow range instrument span
B. Safety Injection | See 1 above (all SI setpoints)
C. Station Blackout

TABLE 2.2-2 (continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION TRIP SETPOINTS

Functional Unit | Total Allowance (TA) | Z | Sensors Drifts (s) | Trip Setpoint | Allowable Value

7. LOSS OF POWER
A. 4 kV Bus Loss of Voltage | (later) | (later) | (later) | (later) | (later)
B. 4 kV Bus Degraded Voltage | (later) | (later) | (later) | (later) | (later)

8. COOLING TOWER INITIATION
A. Manual | NA | NA | NA | NA | NA
B. Low Service Water Pump Discharge Pressure | (later) | (later) | (later) | 7.3C psig | (later)

9. PCCW HEAD TANK LEVEL | (later) | (later) | (later) | (later) | (later)

10. RWST SWITCHOVER
A. Low RWST Water Level Coincident with Safety Injection | See 1A, 1B, 1C, 1D, 1E | | | ≥(later) gal. | ≥(later) gal.

11. Feedwater Isolation
A. Safety Injection | NA | NA | NA | NA | NA
B. Steam Generator Water Level - High-High | 13.0 | 2.18 | 1.5 | ≤84.5% of narrow range instrument span | ≤86.3% of narrow range instrument span
C. Low RCS Tavg Coincident with Reactor Trip | (later) | (later) | (later) | (later) | (later)

NOTE 5: Time constants utilized in the lead-lag controller for Steam Pressure-Low are τ1 ≥ 50 seconds and τ2 ≤ 5 seconds.

[Handwritten addition below NOTE 5, illegible in the scan except for the words "RATE-HIGH" and "50 seconds".]

SEABROOK FSAR

DRAFT AMENDMENT

SB 1 & 2 FSAR

service. For example, a function that trips the reactor when two out of four channels trip becomes a one out of three trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test.

(2) Check of Logic Matrices

Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semi-automatic test panel in the train.

At the completion of the logic matrix tests, one bistable in each channel of process instrumentation or nuclear instrumentation is tripped to check closure of the input error inhibit switch contacts.

The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non-trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage coil to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically.

Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semi-automatic tester to indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested.

The testing capability meets the requirements of Criterion 21 of the 1971 GDC.
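The coincidence behaviour described above can be checked by enumeration, in the same spirit as the tester exercising every trip and non-trip combination. This is an added example, not part of the FSAR text; the function names are hypothetical and each channel is modelled as a simple boolean bistable.

```python
from itertools import product


def coincidence(inputs, required):
    """Trip when at least `required` channel bistables are tripped."""
    return sum(inputs) >= required


def truth_table(n_channels, required, forced_tripped=()):
    """Enumerate every trip/non-trip combination of the free channels.

    Channels listed in `forced_tripped` are held in the trip mode (the
    channel under test). The table is keyed by the remaining channels.
    """
    free = [c for c in range(n_channels) if c not in forced_tripped]
    table = {}
    for combo in product((False, True), repeat=len(free)):
        inputs = [False] * n_channels
        for c in forced_tripped:
            inputs[c] = True
        for c, state in zip(free, combo):
            inputs[c] = state
        table[combo] = coincidence(inputs, required)
    return table


def equivalent_logic(n_channels, required, forced_tripped):
    """Return (m, n): the degraded logic behaves as m-out-of-n.

    m == 0 means the function is already tripped regardless of the
    remaining channels.
    """
    table = truth_table(n_channels, required, forced_tripped)
    n_free = n_channels - len(forced_tripped)
    for m in range(n_free + 1):
        if all(out == (sum(combo) >= m) for combo, out in table.items()):
            return m, n_free
    return None


if __name__ == "__main__":
    # Two-out-of-four with channel 0 placed in the trip mode.
    print(equivalent_logic(4, 2, (0,)))
```

With one channel in trip the remaining logic is one-out-of-three, so a single further spurious bistable trips the function; with two channels in trip the function is already tripped.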

INSERT "B"

(d) Testing of Reactor Trip Breakers

Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers thereby eliminating the need to

7.2-27

INSERT "B" (bottom of page 7.2-27)

General warning alarm reactor trip.

Each of the two trains of the solid state protection system is continuously monitored by the general warning alarm reactor trip subsystem. The warning circuits are actuated if undesirable train conditions are set up by improper alignment of testing systems, circuit malfunction or failure, etc., as listed below. A trouble condition in a logic train is indicated in the control room. However, if any [illegible] same time, the general warning circuits will automatically trip the reactor.

a) Loss of either of two 48 volt dc or either of two 15 volt dc power supplies.

b) Printed circuit card improperly inserted.

c) Input Error Inhibit switch in the INHIBIT position.

d) Slave relay tester Mode Selector in TEST position.

e) Multiplexing selector switch in INHIBIT position.

f) Opposite train bypass breaker racked in and closed.

g) Permissive or memory test switch not in OFF position.

h) Logic function test switch not in OFF position.

i) Loss of [illegible]

Addition to Chapter 7 Section 7.7.1.2.3 for Rod Control System Features

Credible rod control equipment malfunctions which could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap or malpositioning of the rods are the following:

1. Failures in the manual rod controls:
a. Rod Motion Control Switch (In-Hold-Out)
b. Bank Selector Switch
2. Failures in the overlap and bank sequence program control:
a. Logic Cabinet Systems
b. Power Supply Systems

1. Failures in the Manual Rod Controls

The Rod Motion Control switch is a three position lever switch. The three positions are "In", "Hold" and "Out". These positions are effective when the bank selector switch is in manual. Failure of the rod motion control switch (contacts failing short or activated relay failures) would have the potential, in the worst case, to produce positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position which selects one of the banks.

When the bank selector switch is in the automatic position, the rods would obey the automatic commands and failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch is in "In", "Hold" or "Out".

In the case where the Bank Selector switch is selecting a bank and a failure occurs in the Rod Motion switch that would command the bank "out" even when the Rod Motion Control switch was in an "In" or "Hold" position the selected bank could inadvertently withdraw.

This failure is bounded in the safety analysis (Chapter 15) by the uncontrolled bank withdrawal subcritical and at power transients. A reactivity insertion of up to 75 pcm/sec is assumed in the analysis due to rod movement. This value of reactivity insertion rate is consistent with the withdrawal of two banks.

Failure that can cause more than one group of four mechanisms to be moved at one time within a power cabinet is not a credible event because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed such that it will not operate on half current. A second feature in this scenario would be the multiplexing failure detection circuit included in each power cabinet. This circuit would stop rod withdrawal (or insertion).

The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the selector switch is in the manual position. Such a case could produce, with a failure in the rod motion control switch, a scenario where the rods could inadvertently withdraw in a programmed sequence. The overlap and bank sequence are programmed when the selection is in either automatic or manual. This scenario is also bounded by the reactivity values assumed in the SAR accident analysis. In this case, the operator can trip the reactor, or the protection system would trip the reactor via Power Range Neutron Flux-High, or overtemperature ΔT.

Failure of the Bank Selector Switch

A failure of the bank selector switch produces no consequences when the "in-hold-out" manual switch is in the "Hold" position. This is due to the following design feature:

The bank selector switch is series wired with the in-hold-out lever switch for manual and individual control rod bank operation. With the 'in-hold-out' lever switch in the 'hold' position, the bank selector switch can be positioned without rod movement.

2. Failures in the Overlap and Bank Sequence Program Control

The Rod Control System design prevents the movement of the groups out of sequence as well as limiting the rate of reactivity insertion. The main feature that performs the function of preventing malpositioning produced by groups out of sequence is included in the Block Supervisory Memory Buffer and Control. This circuitry accepts and stores the externally generated command signals. In the event of out of sequence input command to the rods while they are in movement, this circuit will inhibit the buffer memory from accepting the command. If a change of signal command appears, this circuit would stop the system after allowing the slave cyclers to finish their current sequencing. Failure of the components related to this system will produce also Rod deviation alarm and insertion limit alarm (see FSAR Section 7.7). Failures within the system such as failures of supervisory logic cards, pulser cards, etc., will also cause an urgent alarm. An urgent alarm will be followed by the following actions:

Automatic de-energizing of the lift coil and reduced current energizing of the stationary gripper coils and movable gripper coils.

Activation of the alarm light (urgent failure) on the power supply cabinet front panel.

Activation of rod control urgent failure annunciation window on the plant annunciator.

The urgent alarm is produced in general by:

- Regulation failure detector

- Phase failure detector

- Logic error detector

- Multiplexing error detector

- Interlock failure detector.

a. Logic Cabinet Failures

The rod control system is designed to limit the rod speed control signal output to a value that causes the pulser (logic cabinet) to drive the control rod driving mechanism at 72 steps per minute. If a failure should occur in the pulser or the reactor control system, the highest stepping rate possible is 77 steps per minute, which corresponds to one step every 780 milliseconds. A commanded stepping rate higher than 77 steps per minute would result in 'GO' pulses entering a slave cycler while it is sequencing its mechanisms through a 780 millisecond step. This condition stops the control bank motion automatically and alarms are activated locally and in the control room. It also causes the affected slave cycler to reject further 'GO' pulses until it is reset.
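A simplified model of the slave cycler interlock described above, added here as an illustration and not taken from the FSAR or the vendor design. The class and function names are hypothetical, and the model assumes that a 'GO' pulse overlaps whenever it arrives before the current 780 millisecond sequence has finished.

```python
STEP_SEQUENCE_MS = 780  # step sequence time stated in the text


def max_steps_per_minute(sequence_ms=STEP_SEQUENCE_MS):
    """Highest pulse rate at which no GO pulse overlaps a sequence."""
    return 60_000 / sequence_ms


class SlaveCycler:
    """Accepts one GO pulse per step sequence; latches on an overlap."""

    def __init__(self, sequence_ms=STEP_SEQUENCE_MS):
        self.sequence_ms = sequence_ms
        self.busy_until = None      # end time of the sequence in progress
        self.urgent_alarm = False   # latched until reset()
        self.steps = 0

    def go(self, t_ms):
        if self.urgent_alarm:
            return "rejected"       # further GO pulses are refused
        if self.busy_until is not None and t_ms < self.busy_until:
            self.urgent_alarm = True  # GO arrived mid-sequence: stop motion
            return "alarm"
        self.busy_until = t_ms + self.sequence_ms
        self.steps += 1
        return "step"

    def reset(self):
        self.urgent_alarm = False
        self.busy_until = None


def run_pulser(steps_per_minute, n_pulses, cycler=None):
    """Feed n_pulses evenly spaced GO pulses at the given rate."""
    cycler = cycler or SlaveCycler()
    interval_ms = 60_000 / steps_per_minute
    results = [cycler.go(k * interval_ms) for k in range(n_pulses)]
    return cycler, results


if __name__ == "__main__":
    print(round(max_steps_per_minute()))   # rate implied by 780 ms
    print(run_pulser(72, 5)[1])            # design rate: every pulse steps
    print(run_pulser(100, 5)[1])           # overspeed: latch after one step
```

At the 72 steps per minute design rate the pulses are about 833 ms apart and every one is accepted; at a faulted rate of 100 steps per minute the second pulse lands inside the first sequence, and the latch holds until `reset()` is called.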

Failures that cause the 780 millisecond step sequence time to shorten will not result in higher rod speeds since the stepping rate is proportional to the pulsing rate. Simultaneous failures in the pulser or rod control system and in the clock circuits that determine the 780 millisecond stepping sequence could result in higher CRDM speed; however, in the unlikely event of these simultaneous multiple failures the maximum CRDM operation speed would be no more than approximately 100 steps per minute due to mechanical limitation. This speed has been verified by tests conducted on the CRDM's.

The positive reactivity insertion rates for these failure modes, including the 100 steps per minute, are bounded by the Chapter 15 SAR analysis assumptions.

Failures causing movement of the rods out of sequence

No single failure was discovered (WCAP 8976) that would cause a rapid uncontrolled withdrawal of Control Bank D (taken as worst case) when operating in the automatic bank overlap control mode with the reactor at near full power output. The analysis revealed that many of the failures postulated were in a safe direction and that rod movement is blocked by the rod Urgent Alarm.

b. Power Supply System Failures

Analysis of the power cabinet disclosed no single component failures that would cause the uncontrolled withdrawal of a group of rods serviced by the power cabinet. The analysis substantiates that the design of a power cabinet is "fail-preferred" in regards to a rod withdrawal accident if a component fails. The end result of the failure is either that of blocking rod movement or that of dropping an individual rod or rods or a group of rods. No failure, within the power cabinet, which could cause erroneous drive mechanism operation will remain undetected. Sufficient alarm monitoring (including 'urgent' alarm) is provided in the design of the power cabinet for fault detection of those failures which could cause erroneous operation of a group of mechanisms. As noted in the foregoing, diverse monitoring systems are available for detection of failures that cause the erroneous operation of an individual control rod drive mechanism.

Conclusion

In summary, no single failure within the rod control system can cause either reactivity insertions or malpositioning of the control rods resulting in core thermal conditions not bounded by analyses contained in Chapter 15.