Text

-

O Department of Energy Washington, D.C. 20545 Docket No. 50-537 HQ:S:83:194 26 D03

- J Att Mr. Paul S. Check, Director CRBR Program Office Office of Nuclear Peactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C.

20555

Dear Mr. Check:

INSTRUMENTATION AND CONTROL SYSTEMS, PRELIMINARY SAFETY ANALYSIS REPORT (PSAR) SECTION 7 Enclosed is additional information on the Clinch River Breeder Reactor Plant instrumentation and control systems. The marked up PSAR pages will be incorporated into a future amendment.

Sincerely.

JdhnR.Longen ker Acting Director, Office of Breeder Demonstration Projects Office of Nuclear Energy 4 Enclosures cc: Service List l

Standard Distribution l

Licensing Distribution Ol DO t

0Ohokh7 4

l; PDR

ENCLOSURE ITEM:

Reactor Shutdown System Power Supplies (See letter HQ:S 82:147, discussion of Novembed 18 and 19, 1982 meeting item 12)

RECOLUTION:

See attached mark-up of PSAR SECTION 7.2.1.2.4, Reactor Shutdown System Power Supplies.

h

• INSERT 7.2-13 f

f*

~

~

7.2.1.2.4 P.EACTOR SHUTDOWN SYSTEM POWER SUPPLIES

~-

The Primary and Secondary reactor. shutdown systems are powered from the three Class 1E 120/209 volt Vital-(Uninterruptable) AC Power Systems.

A P.edundant' channels wit'hin each shutdownI system are powered from separate independent load groups with one channel connected to the same vit'al AC power sys/ logic train from each system tem. This commonality between one

' set of redundant channels / logic trains is not considered to impact their

. independence because of the following design features:'

The design of the Vital AC Power System assures independence between o

the three redundant power divisions such that failures within a power division load group.Will not propagate to a redundant load group.

o loss of one vital power division will result in tripping one logic a

train in each reactor shutdown system.

a' Provision.of isolation devices in the individual pow *r supplies within the two ' reactor shutdown systems will prevent any circuit failure in one. -.

redundant channel / logic train of one system from affecting the proper safety function of the other system.

e ' Features will be provided within the Primary and Secondary systems to accommodate ' electrical surges from the AC vital power source without loss of safety function in either systen.

i An analysis will be performed to identify any transients which could originate from within one of the reactor shutdown systems and be coupled through the AC vital dutribution bus to the other shutdown system. After the analysis is j '

completed a test program will be defined to confirm the continued operation of the remaining reactor shutdown equipment connected to the same vital power A description of any such test program will be provided prior to the source.

application for an Operating License.

ENCLOSURE ITEM:

SSPfS (Solid State Programmable Logic System)

(See letter HQ:S:82:147 discussion of November #18 and 19, 1982 meeting item 19)

-RESOLUTION:

See attached revision to the response to Question CS421.15.

l l

1 i

I l

,r--

w-r w----

+

-..u

-m 4

a 2

,..D!..

t uestion eso1.15 Identify and document where alcroprocessors, multiplexers, or computer systems may be used in or Interf ar.e with saf ety-related systems.

?

Resnonse Many microprocessors, multiplexers, and computers are used in CRBRP systems; however, in general, they are used in non-Class 1E applications.

Whenever a microprocessor, multi plexer or computer. acquires a Class 1E signal, that signal Is Isolated by a qualIfled Class 1E Isolstor before belng utilIzed by a non-Clasa 1E system.

~

i The two systems which use microprocessors, multiplexers or computers for Class 1E applications are the Solid State Progranmable Logic System ($5PLS) and the Radiation Monitoring System.

Information about these systems is provided 1

below. The Plant Data Handling and Display System (PDH&DS) is the largest I

computer system used In the plant.

Information about thIs systam Is also provided below.

The Radiation Monitoring System has Renote Processor Stations which are microporcessor based, radiation monitoring electronic and communication assembl 1 es'.

PSAR Paragraph 11.4.2.1 descrIbas the Renote Process Stations.

The microprocessor receives raw count rate and process system data, and maniput ates the data 1nto the dest red f arm.

Data exchange and moniter control 7

is via channel dedicated multiplexed signal pattis.. Non-Class IE equipment con 4

exercise control over a Class IE radiation monitor.

Any data extracted from the Class 1E monitors for use in. non-Class 1E equipment is via Class 1E grade buffers.

The Solid State Progranmable Logle System controls and actuates Saf ety-Related, Class IE equipment.

It contains the control logic, signal conditioners, Isolation devices, and auxillary circuits.

The SSPLS can potential ly use microprocessor based circuitry.

PSAR Paragraph 8.3.1.1.2 pggg describes the SSPLS.

I A

The CRBRP Plant Data Handling and Display System (PDH&DS) is a non-saf ety-related microprocessor based system that Interf aces with saf ety-related systems and non-saf ety-related systems as well for the purpose of retrieving data ior operator Inf ormation.

The system provides for Information display and data handling, Inoperable status monitoring of saf ety systems and emergency response f actiIty data dispiay.

In alI cases, Class 1E grade butf ers are used f or isolatt on between the PDH&DS and saf ety-related systems.

The FDH&DS is described in PSAR paragraph 7.8.

I

~

INSERT 1 The so'11d state programmable logic system ($$PLS) can potentially use

. microprocessor based circuitry for control of safety-related equipment.

Multiplexers and computers are not used in SSPLS.

- The SSPLS will be utilized to control the following categories of equipment from the control room and remote shutdown panels:

a) Circuit breakers b) Motor starters c) Motor operated valves and solenoid valves i

i The SSPLS wi)1 receive manual inputs from the control pushbuttons i

and inputs from the field and other equipment for control of each device.

The SSPLS will perform the necessary logic operations and interlocking functions and provide final outputs to each piece of equipment to be controlled. It contains. control logic, signal conditioners, The SSPLS equipment Class 1E to non Class 1E isolation devices, power supplies anc auxiliary circuits.

will.be qualified to IEEE Standards 279-1971, 323-1974, 344-1975 and 383-1974 as required for all Class IE equipment.

The.SSPLS is comprised of three (3) separate and functionally redundant safety-related divisions-such that the failure of one division will not affect any. component or equipment of the other two divisions.

Equipment of different safety divisions are located in separate cells of the plant.

Each of the 'three safety divisions has the capability to safely shutdown the plant.

In addition, each functional l

circuit has been provided with dedicated components such that a circuit j

or component failure will c,nly affect the operation of a single equipment.

Microprocessors, if used, will be tested and qualified to meet all requirements applicable to Class IE equipment as described above.

In addition, the microprocessor based circuitry will be dedicated to control only one device so that failure of the microprocessor will not affect l

the failure of any other controlled component.

l irrespective of the type of hardware used (discrete components or microprocessor), the channel information is processed to the end actuator and each piece of the process is testable on a periodic basis to demonstrate integrity. This includes any manual actuation functions supplied by the l

system to insure compliance with IEEE 279.

If microprocessor based i

circuitry is used, the software used to implement the microprocessor logic 4

will also be testable. The software used will be subjected to verification

\\

and validation and will meet the requirements of IEEE 730-1981,(Standards

[

for Software Quality Assurance Plans).

The features provided for periodic I

testing can also be used to operate the equipment manually.

Also, in the unlikely event of a random failure of the SSPLS control circuitry for any device controlled by the SSPLS, the redundant device in the other SSPLS safety division (s) can be initiated manually or automatically.

=

ENCLOSURE ITEM:

Recirculating Gas Cooling System Controls Concern was expressed about the adequacy of identification of the safety related portions of the Recirculating Gas Cooling System controls in Section 7.7.

RESOLUTION:

See attached mark-up of PSAR Section 7.7.1.10, Nuclear Island Auxiliary Instrumentation and Control Systems.

x (Modification to the section referenced for the for the Recirculating Gas.)

)

s 9

c..,

p Sectlen I

RecirculetIng Gas 9.16.5 Auxlitary Cooling Fivid 9.7.5 Inert Gas Receiving and Processing 9.5.

" !"'i

' ' ~ '

1: purity Monitoring and Analysis 9.8.5 i

Auxillery Liquid Metal 9.3 4=

g (This Includes only those portions of the Auxillery Liquid Metal systa:

,X):]

that are not associated with the Direct Heat Removal Service (OHRS) or the Spent Fuel Storage Systee Cox-vessel storage). The OHRS and the $ pent

..f4 Fuel Storage Systeen ere required fer eefety and their associated

' ~ 7-. .

Instrumentation and controls are discussed in sections 7.6.3, 9'.1.3 and 9.3.3).

7.7.1.11 Balance of Plant t hafrs---faf f nn RMd Contretl EvatL; A number of instrumentation end. Control Systems are provided to support

'~

verlous Balance of Plant Systems. These systems do not perform 3 safety-relcted function, nor sould their failure prevent the functioning of safety-related systems.

7.7.1.11.1 Trented Wa+ar inatria.emtm+ tan and con +rni syntasi Tho Treated Water System includes the Porteble Water System, the Normal Plant Service Water System. the secondery Service Closed Cooling Water System, The Emergency Plan Service Water System, the Normal end Emergency Plant Chilled WeTer Systems, and the Makeup Water Treatment System.

~

>=

' i t

- se 7.7-15e A ve.

82 O

ENCLOSURE ITEM:

I&E Bulletin No. 80-06 (See item 39 in letter HQ:S:82:095..NRC's rev ew indicated a need to further clarify response to Question CS421.16.)

RESOLUTION:

See attached revision to the response to Question CS421.16.

9

,. Qu'estion CS421.~16 I & E Bulletin 80-06 addressed concerns related to safety equipment not remaining in its emergency mode upon reset. The applicant should specify and justify any. places in the design of CRBR safety system logic where safety equipment will not remain in its emergency mode upon reset of an engineered safeguards actuation signal.

Response

There are no places in the design of the CRBRP safety program logic where, once actuated, safety equipment will not remain in its emergency mode upon i

automatic or manual reset of an engineered safeguards actuation signal.

Equipment can only be returned to its normal condition by manual action (exceptasnoted). Operation of the CIS automatic back pressure valves (explained below) is an exception to this since manual action is not required for these valves to return to their normal position (open).

However, these valves will automatically return to their emergency position (closad) when an actuation signal (low pressure) is present. The electrical systems are designed to ensure:

i a) Circuit breakers will close on the presence of an emergency signal where driven equipment is powered through medium or low voltage switchgear. The breakers will remain closed even after actuating signal has been reset.

Opening of the breakers is achieved through any of the following: manual operation, or electrical fault, or absence of process interlocks which otherwise are necessary for continuous operation of the equipment.

i b) Where operated equipment _is powered through motor control centers or i

power distribution parels seal-in circuitry is provided for the momentary contacts. The circuit will remain energized even when the actuating signal resets, and can be de-energized only by manual operation, or electrical fault, or by absence of process interlocks

. which are otherwise necessary for continuous operation of the equipment.

Examples of the system designs follow:

Primary and Secondary Reactor Shutdown System Once initiated, the Primary and Secondary reactor shutdown systems and the automatic Containment Isolation System (CIS) remain in a tripped condition until manually reset by the operator.

These systems do not automatically reset if the actuation signal resets.

i ContainmentIsolationSystem(CIS)

As part of the CIS design, automatic back pressure valves are used on the argon supply, nitrogen supply and service air supply lines which penetrate containment. These valves are backpressure regulated and close automatically if the supply side pressure drops below the preset limit. The valve actuation point has been chosen to guarantee flow into the containment building if the supply side pressure is above the preset limit. Selection of the actuation point includes consideration of the maximum accident pressure within containment.

In addition, remote manual control switches are available to the operating staff in the control room which allow manual operation of these 4

valves.

QCS421.16-1 Amend. 69 RnlDR

Reactor Heat Transport Instrumentation System (RTTIS)

The SGAHRS initiation signal are developed by the PPS system.. The PPS system sends two redundant primary and two secondary signals to the RHTIS 1 out of 4 trip logic.

Once a trip signal is sensed by the RHTIS it " latches in" and the RHTIS trip logic will not reset automatically when the primary initiation signal developed by the PPS system resets. All SGAHRS components will continue to perform in the "SGAHRS initiation mode" until the operator manually resets the three SGAHRS initiation trips in the RHTIS. The operator will only reset the SGAHRS's initiation circuits when SGAHRS is no longer needed for decay heat removal. After resetting, the SGAHRS is automatically restarted should conditions indicate that sufficient decay heat is not being removed - as indicated by low steam drum level. Then, SGAHRS's equipment will again automatically maintain the correct drum level.

Aerosol Release Mitigation System (ARMS)

The Aerosol Release Mitigating System (ARMS) sends a signal to the steam generator ventilation system upon detecting aerosols in the steam generator bays. ARMS detector coincidence (2 of 3) circuits sends a signal to the Nuclear Island HVAC System which is used to melt fusible link closing damper valves in the HVAC duct. The fusible link controller cannot be reset without a maintenance effort to replace the link.

In addition to the fusible link, the present ARMS detector circuit design does not allow resetting a tripped detector if the alarm condition persists.

Design will also include provision for preventing a reset if either an alarm or a fault condition exists. This latter provision accomodates the situation where an alarm condition (sodium leak) results in destruction of the detector.

I i

i QCS421.16-2 Amend 69 July 1982

.