Text

NUREG 75/087 pa iteau j'

~* },

U.S. NUCLEAR REGULATORY C3MMISSIBN o,

+

STANDARD REVIEW PLAN C

e i

1 OFFICE OF NUCLEAR REACTOR RCGULATION ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY SECTION 7.6 REVIEW RESPONSIBILITIES Primary - Electrical Instrumentation and Control Systems Branch (EICSB)

Secondary - Core Performance Branch (CPB)

Reactor Systems Branch (RSB)

Containment Systems Branch (CSB)

Auxiliary and Power Conversion Systems Branch (APCSB)

Mechanical Engineering Branch (MEB)

Quality Assurance Branch (QAB)

I.

AREAS OF REVIEW The group of instrumentation systems reviewed under this plan are those required for safety that are not identified as part of the reactor protection system, engineered safety features systems, safety-related displa instrumentation systems, or systems required for safe shut-They consist to a large extent of groups of interlocks intended to protect other

down, vital systems from potentially damaging transients during normal operation and under recident Examples of such systems are cold water interlocks, refueling interlocks, conditions.

interlocks that prevent overpressurization of low pressure systems, reactor vessel instru-mentation, and accumulator valve interlocks. They also include the process and effluent radiological monitors which should be reviewed for the adequacy of their seismic design, redundancy and emergency power (See SRP 11.5).

The review of these systems encompasses the sensors, initiating circuits, logic elements, bypasses, interlocks, redundancy and diversity features, actuated devices, testing pro-visions, and equipment qualifications.

The review should The EICSB has primary responsibility for the review of these systems.

confinn that these systems and essential supporting systems will perfonn design functions when required during all applicable operational and emergency conditions of the plant, and that the design of these systems conforms to all applicable acceptance criteria.

The descriptive information contained in the applicant's safety analysis report (SAR),

including single line diagrams, electrical schematics, piping and instrumentation diagrams (P&lDs), and physical arrangement diagrams, is reviewed to ascertain that "other instrumentation systems required for safety" meet the acceptance criteria dit. cussed in USNRC STANDARD REVIEW PLAN 0.:',:"" "t'" 0::",,"O' ",,t:",'"" t

',".O'.::lll* ;"" '",0:'*" '"a't:.*".,l'a '.""" f ""*"' ",0l."."",l".',",,N.'"

." ",":.,,,:',0*..::.:.:.:.:.:7 "* ::".*"10. ' '.."*" t".:!".4"42

",'".='.".7,11'".".0, *t,=t,"h"::,"3',:".

,.~....,e...,,,,,,,

R.gW.w.a.W hi

a. 0.C. M m

11/24/75 9511010335 751124 PDR NUREQ 75/087 R PDR

- -.. -.~

_ -.- -. _ _. ~. -. ~... -.-. -. - -

Standard Rsview Plan (SRP) 7.1 and listed in Table 7-1.

For a construction permit (CP) rsview, a commitmtnt to meat these critaria can suffice in cases where the design of these systems has not been completed. Foranoperatinglicense(OL) review,however,theactual design must be found to meet these criteria.

As a part of the primary review responsibility of the E!CSD, it should be verified that

.1.

The necessary redundancy of power sources, logic, and instrumentation are proaded for the operation and status monitoring of "otk r instrumentation systems required for safety." This requires the review of the dessriptive information contained in the SAR, functional diagrams, electrical schematics, and P&lDs.

2.

The "other instrumentation systems required for safety" can perform necessary func-tions after sustaining a single failure. This requires review of the information as in (1) above, togett.;r with the drawings showing the physical layout of the electrical and instrumentation equipment and cabling. The review also involves verification that the design criteria for physical separation of redundant electrical equipment and cabling are acceptable, the design criteria for providing control and motive power to these systems are Jcceptable, and the single failure criterion has been included in the design considerations for manually-controlled electrically-operated valves.

3.

The instrumentation and electrical equipment, cabling, cable trays related to, and structures housing parts of "other instrumentation systems required for safety" are designed in accordance with criteria required for Class IE and seismic Category I systems and structures, respectively. Also, proper identification of equipment, cabling, and c.able trays to include color-coding in addition to alphanumeric markings is verified 4.

Environmental qualification of the electrical and instrumentation equipment and cabling has been established by tests and analyses showing that the equipment involved can perfonn needed safety-related functions in environments that may develop as a result of design basis accidents or anticipated operational occurrences.

It should be established that the seismic qualification program is acceptable to the MEB as discussed in SRP 7.1 and later in this Section. It should be verified that all electrical and instrumentation equipment of "other instrumentation systems required for safety" have been included in the seismic qualification program.

5.

On-line testability of the systems and indication of bypassed or inoperable status of the systems required for safety are provided.

The APCSB should evaluate the adequacy of those auxiliary systems required for the proper operation of "other instrumentation systems required for safety." These include compressed air systems, air conditioning systems, heat tracing systems, etc. In addition, the APCS 8 7.6-2 11/24/75 a

4

-,we-e w-

--w-r m

e - - -, i-

-e-,--

w

.g.--rw-+,--

i.a

- - +

si-g.-+.

,.-, --.i-,-

...- -.~. - -. -. -. - -.

should review the physical arrangen,ent of components and structures related to "other instru-mentation systGms required for safety" and supporting systems, and determine that single events will not disable redundant parts of these systems. The CPB will verify that boron dilution rates achievable, or the accidental startup of an unborated or cold reactor coolant loop, result in acceptable reactivity insertion rates as discussed in SRP 4.3.

The CSB should review the containment ventilation and atmosphere control systems provided to maintain environmental conditions required for operation of electrical and instrumenta-tion equipment associated with "other instrumentation systems required for safety" and located inside containment.

The MEB review should confirm that the seismic qualification of the instrumentation and electrical systems is acceptable. This should include the seismic design criteria, analyses, testing procedures, and restraint measures employed in the seismic design and installation of Category 1 instrumentation and electrical equipment including trays, control room boards, and instrument racks and panels, as covered in SRP 3.10.

The RSB review should identify "other instrumentation systems required for safety" and confinn that the configuration and design bases of the systems are correct, &nd that design parameters such as temperature, pressure, flow rate, and reactivity can be controlled within acceptable limits. Information should be provided to the E!CSB as to any corrections needed in the SAR and any exceptions to acceptance criteria taken by the applicant.

The QAB review should verify that the quality assurance program proposed by the applicant includes "other instrumentation systems required for safety."

11.

ACCEPTANCE CRITERIA The design, materials, qualification testing, and surveillance of "other instrumentation systems required for safety" are covered by several general design criteria (GDC). IEEE standards, regulatory guides, and branch technical positions which are applicable in whole A list of the applicable criteria, standards, guides, and branch positions is or in part.

given in Table 7-1 and Appendix 7-A to this chapter.

The "other instrumentation systems required for safety" are acceptable when it is deter-mined that these systems satisfy the following requirements:

1.

They have the required redundancy.

2, They meet the single failure criterion.

They have the required capacity and reliability to perform intended safety functions 3.

on demand.

4.

They are capable of functioning during and after certain design basis events such as earthquakes, accidents, ano anticipated operational occurrences.

i 7.6-3 11/2*17-

.e m

.y

.-s-.

+ -,, - -. -., -

. ~ -

5.

.They are testable during reactor operation.

The critsrf a Itsted in Ttble 7-1 are utilized as the bases for determining that these requirements are met and that the "other instrumentation systems required for safety" are acceptable. How these criteria are applied during the review process is discussed in Section III of this plan. Specific points with regard to the acceptance criteria are detailed below.

l.

System Redundancy Requirements GDC 26 and 33 and IEEE Std 279specify the requirements that "other instrumentation systems required for safety." among others, must meet with regard to all operating conditions (such as loss of offsite power), so that they can perform needed safety functions assuming a single failure. If a determination is made th1t these systems meet the requirements of these criteria, they are acceptable with regard to redundancy requirements.

2.

Conformance With the Single Failure Criterion IEEE Std 279, IEEE Std 379, and degulatory Guide 1.53 provide that safety systems should be capable of performing caeded safety functions after sustaining a single failure. Regarding the application of the single failure criterion to the design of manually-controlled electrically-operated salves in safety systems, the acceptability of proposed designs is based on Branch Technical Position EICSB 18. This position states that it is acceptable to disconnect electric power to a safety-related valve as means of designing against an active valve malfunction.

3.

Identification of Cables and Cable Trays The method used for identifying power and signal cables and cable trays as safety-related equipment, and the identification scheme used to distinguish between redundant cables, cable trays, and instrument panels should be in accordance with the recommenda-tions of Regulatory Guide 1.75.

4.

Vital Supporting Systems The instrumentation, control, and electric equipment associated with auxiliary systems that support "other systems required for safety" should meet the same acceptance criteria as the systems they support.

5.

Testing, Quality Assurance, and System Availability Surveillance GDC 1 and 21; IEEE Stds 279, 336, and 338; and Regulatory Guides 1.22, 1.47,and 1.68 contain the applicable acceptance criteria with regard to preoperational and periodic testing, quality assurance, and design provisions for indicating the availability of "other instrumentation systems required for safety."

For the areas of review identified in Section I as review responsibilities of other branches, the acceptance criteria are included in the corresponding standard review plans.

7.6-4 i

11/24/75 s

1

REVIES PROCEDURES The review is conducted to ascertain that the designs of "other instrumentation systQms required for safety" (or design comitments in the case of CP's) are acceptable in terms of the acceptance criteria listed in Section 11. The main objectives of the review of these systems are to detennine that they include the required redundancy, meet the single failure criterion, provide the required capacity and reliability to perform intended safety functions on demand, and can function during and after certain design basis events such as earthquakes, accidents, and anticipated operational occurrences.

For a CP application, the descriptive information contained in the preliminary safety analysis report (PSAR), including the design bases and their justification with regard to the acceptance criteria, accident analyses, electrical single line and P&l0's, are reviewed to determine that the basic design features and the comitments made at this stage provide assurance that the final design will meet the acceptance criteria. During the OL review, it is verified that the acceptance criteria are met through review of the final electrical and instrumentation drawings and the physical layout drawings, and a site visit during which a spot-check verification of the design is performed.

The various elements of the review are carried out as follows:

1.

The descriptive information in the SAR, including the electrical one-line and P&ID's (for CP and OL reviews), and electrical schematics (for the OL review), is reviewed to verify that the necessary redundancy is provided. This review includes 1

instrumentation channels used to sense vital parameters such as temperature, pressure, water level, etc., the associated logic and actuated devices, and the motive and control sources.

2.

Conformance with the single failure criterion as specified by IEEE Std 279, IEEE Std 379, and Regulatory Guide 1.53 is verified by review of the same information as for redundancy and may be done, to some degree by necessity, at the same time. The guidance provided by Regulatory Guide 1.53 is excellent for ascertaining that a given design is single failure proof. A particularly important point to check is one cited in Position 4 of Regulatory Guide 1.53, where a single d-c source supplies control power for one channel of system logic and for the redundant actuator circuit.

For a multi unit design where electrical systems are shared, resulting in more and 3.

complex interaction modes, a fault-tree and decision-tree analysis may be requested from the applicant to show that single failures, or single events resulting in multiple failures, will not result in unacceptable consequences with respect to the capability of "other instrumentation systems required for safety" to perform safety functions when required. Additional guidance with regard to the single failure criterion is given in SRP 7.2 and 7.3.

7.6-5 11/24/75 i

1

4.

. For manually-controlled electrically-operated valves in safoty related systems, the acceptability of proposed daigns is based on Branch Vochnical Position E!CSB 18.

This position basically states that it is acceptable to disconnect electric power to a safety-related valve as means of removing the possibility of an active failure of that valve.

S.

Regulatory Guide 1.75, and more specifically, Sections 5.1,2 and 5.6.3 provide guidance for satisfying the acceptance criteria with respect to the identification of power and signal cables, cable trays, and instrument panels related to "other instrumentation systems required for safety." The criteria for identification and separation of redundant systems as discussed in Regulatory Guide 1.75 are presented in sufficient detail to make their application self-explan.' tory. GDC 1 and 21; IEEE Stds 279, 336 and 3381 and Regulatory Guides 1.22, 147, and 1,68 provide the requirements that the design of these systems must meet with regard to preoperational and periodic testing. The primary review responsiblity for preoperational testing is with the QAB.

periodic and downtime restrictions are specified in the technical specifications.

The review procedures for technical specifications are covered in SRp 7.1.

6.

The process of aligning various systems for certain modes of operation may involve the interconnection of high pressure and low pressure systems. During nonnal operation, these systems must be isolated from one another. For example, the residual heat removal (RHR) system of some reactor designs is interfaced with the high pressure reactor coolant system. There should be two isolation valves in series, with diverse interlocks that will prevent operation of these valves unless the primary reactor coolant pressure is below a predetermined value. For a detailed description of the s

isolation requirements, see Branch Technical Position E!CSB 3.

7.

The main steam line radiation monitoring system in boiling water reactors is provided to m nitor the gross release of fission products in the reactor coolant and initiate protective action if the level of such release exceeds a predetermined level. The reviewer should assure that the instrumentation channels provided for this purpose are divided into two redundant and independent groups. Also, the two groups should be powered from independent power channels of the emergency power system.

Normally, four gama sensitive channels are provided to monitor the radiation level in the main steam lines. The reviewer should assure that the geometric arrangement and physical location of these is such that a fission product release will be detected with any number of main steam lines in operation, and that it will be detected at the earliest possible time following a fuel failure. It is important that the failure of any one of these four channels will not result in an inadvertent action. The initiating logic should be checked to make sure that this is the case.

The reviewer should verify that the design has provisions for testing and that operability can be adequately tested.

8.

The reviewer should verify that the "other instrumentation systems required for safety" have been qualified to operate under normal, operational transient, accident, 7.6-6 11/24/75

\\

I

j and post-accident environmental conditions and that they satisfy the reconnendations l

of IEEE Std T3. Ve rwiser also verifies that equipment and structures relatQd to these systems are. seismically qualified or designed, and the seismic qualification i

and analysis program submitted by the applicant is acceptable to the MEB and ElCSB.

The environmental quellfication of components and cabling of these systems should

]

be the same as for the systems discussed in SRP 7.3 and 3.11.

9.

An important part of the review is the engineering drawing review. A drawing review should include the following:

1 Verification that a complete set of drawings has been submitted that includes l

a.

logic diagrams, P&lD's, and location layout drawings for these systems.

i I

b.

Verification that the submitted drawings represent the actual system designs j

and layouts for the particular plant, and that those intended to be " typical" of a system are so identified, s

Verification that the design and layout meet the applicable criteria listed in c.

Section !! of this plan.

a 10.

A site visit and inspection should be performed before the evaluation findings are written for OL reviews. A site inspection should include spot-check verifications j

that the design and layout criteria are actually implemented at the hardware assembly stage. A site visit should be coordinated with the licensing project manager and the regional office that has jurisdiction over the plant. Items to investigate during the visit include:

I l

Separation and identification of redundant safety related instrumentation channels,

?

a.

l cabling, cable trays, and instrument rack terminations.

}

b.

Separation of actuating switches in control panels for redundant safety-related equipment such as inboard and outboard isolation valves, coolant pumps, diesel-l generator sets, etc.

Testing provisions and calibration procedures for instrumentation channels c.

required for safety.

See Appendix 7-B to this chapter for a complete outline of items to be covered in site visits.

~ In certain instances, it will be the reviewer's judgement that for a specific case under review, emphasis should be placed en specific aspects of the design, while other aspects of the design need not receive the same emphasis and in-depth review. Typical reasons for such a non-uniform placement of emphasis are the introduction of new design features or the utilizatian in the design of design features previously reviewed and found acceptable.

7.6-7 j

11/24/75 8

9 W-ei w -

e'ww=*

w

ew-w-r,--w--s, w,

i-we.

w w-w-

• wew-

+

-w-w--

e-w-, - -w-

,or~w

.-s-r n

ww y-w->

re',

IV.

EVALUA710N FINDINGS E!CSB verifles that sufficien2 information has been submitted and that the review supports conclusions of the following type, to be included in the staff's safety evaluation reports f

]

"The other instrumentation systems required for safety" consist of safety related instrumentation sys N s not identified as parts of the reactor protection system, engineered safety fw. ares systems, safety-related display instrumentation systems, or systems required for safe shutdown. They are, to a large extent, groups of interlocks intended to protect other vital systems from potentially damaging transients during nonnal operating and accident conditions.

"Their review encompasses the sensors, initiating units, logic, bypasses, interlocks, redundancy and diversity features, actuated devices, testing provisions, and equipment qualifications. The review includes single line diagrams (CP & OL), schematic diagrams (OL), and descriptive infomation on this group of systems and supporting auxiliaries that are essential for their operation. The review has included the applicant's proposed design criteria and design bases and analyses of the manner in which the design of these systems conform to the proposed design criteria and are adequate.

"The basis for acceptance in the staff review of these systems has been conformance of 4

the applicant's designs, design criteria, and design bases to the Connission's regulations as set forth in the general design criteria, and to app'* cable regulatory guides, bninch technical positions, and industry standards. These ar listed in Table 7 1.

"The staff concludes that the design of these systems conforms to applicable regula-tions, guides, technical positions, and industry standards, and is acceptable."

V.

REFERENCES 1.

Standard Review Plan Table 7-1, " Acceptance Criteria for Controls."

2.

Standard Review Plan Appendix 7-A, " Branch Technical Positions (EICSB)."

3.

Standard Review Plan Appendix 7 8, " General Agenda, Station Site Visits."

7.6 8 11/24/75

.i-..,,,,,,..

y-w. w

-e

Sgp 77

.