Text

-..

NUREG 7B/087 ps asen f

o

t U.S. NUCLEAR RECULATCRY COMMISSION l

)

STANDARD REVIEW PLAN

\\

OFFICE OF NUCLEAR REACTOR REGULATION APPEN0!X 7 A BRANCH TECHNICAL PO$!TIONS (E!C$8)

The E!C$8 Branch Technical Positions (RTP's) represent guidelines intended to supplement the acceptance criteria established in Commission regulations and regulatory guides, and in ap-plicable IEEE standards. The BTP's originate in technical problems or questions of inter-pretation that artse in the detailed reviews of plant designs. The staff must make a judge-ment in each such case, in order to complete its review of the particular application. Where the same technical problem or question of interpretation arises in several cases, the staff's judgement on the point at issue is formalized in a BTP, The BTP is primarily an instruction to staff reviewers that outlines an acceptable approach to the particular issue and ensures a uniform treatment of the issue by staff reviewers. The approaches taken in the BTP's. like the recomendations of regulatory guides. are not mandatory, but do provide defined, acceptable, and immediate solutions to some of the technical problems and questions of interpretation that arise in the review process, In some instances. regulatory guides may be developed from BTP's after a sufficient experience in their use has accumulated, All E!C$8 BTP's applicable to Chapters 7 and 8 have been collected in this Appendix for conve.

nience.

They are listed below:

Branch Technical Positions of the Electrical.

BTP EIC$8 Instrumentation and Control Systems Branch I.

Backfitting of the Protection and Emergency Power Systems of Nuclear Reactors.

2, Olesel Generator Reliability Qualification Testing, 3.

!$olation of Low Pressure Systems From the High Pressure Reactor j

Coolant System, 4.

Requirements on Motor 0perated Valves in the ECCS Accumulator Lines, 5,

Scram Breaker Test Requirements Technical $pecifications, USNRC STAND ARD REVIEW PLAN L"..,"O.*, *l**./'*!.7*" '.".'OJ*.***.'..'U.'.l".*.',.""'Z ',*,"0'.'7ln".7*4'c".'"J".ff* 'JO,* ':*2?l %",,*,1".,'Z'"',".".' "'

!;, ="J.J,.",.*#J.7.,.;.".'O. fa',.f*T"."..* !L.".4" .".'. ! '.0..?.*,.T.f."J'40..' ';'*01. " l". '.7.**Z'J",l,.".'s *.'.f**.7"O,*.'Z*l.T.*,",

• u.,...

..u.,4,...........,..............,,,,.,,..,,,,...a..,,,,,..

g g. 4_...y..g 4. u

... u

..,...., c.... o.

11/24/75 9511010362 7S1124 PDR NUREG 75/007 R PDR

6.

Capacity Vest Requirements of Station Batteries - Technical Specifications.

7.

Shared Onsite Emergency Electric Power Systems for Multi Unit Generating Stations.

8.

Use of Diesel Generator Sets for Peaking.

9.

Definition and Use of " Channel Calibration" - Technical Specifications.

10.

Electrical and Mechanical Equipment Seismic Qualification Program.

11.

Stability of Offsite Power Systems.

12.

Protection System Trip Point Changes for Operatinn with Reactor Coolant Pumps Out of Service.

13.

Design Criteria for Auxiliary Feedwater Systems.

14.

Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors.

15.

Reactor Coolant Pump Breaker Qualification.

16.

ControlElementAssembly(CEA)InterlocksinCombustionEngineering Reactors.

I I

17.

Diesel-Generator Protective Trip Circuit Bypasses.

18.

Application of the Single Failure Criteria to Manually-Controlled Elec-trically-Operated Valves, 19.

Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum l

Relief Systems.

20.

Design of Instrumentation and Controls Provided to Accomplish Change-over from injection to Recirculation Mode.

21.

Guidance for Appilcation of Regulatory Guide 1.47.

22.

Guidance for Application of Regulatory Guide 1.22.

I 23.

Qualification of Safety Related Display Instrumentation for Post.

Accident Condition Monitoring and Safe Shutdown.

24.

Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor Response Times.

7A.2 11/74/75 g

+

25.

Guidance for the Interpretation of General Design Criterion 37 for festing the Operability of the Emerg;ncy Core Cooling System as a Sole.

26.

Requirements for Reactor Protection System Anticipatory Trips.

27.

Design Criteria for Thermal Overload Protection for Motors of Motor-Operated Valves.

7A 3 11/24/75 5

a

BRANCH TECHNICAL, POSifl0N E!CSB 1 BACKFITVING OF THE PROTECTION AND EMERGENC7 POWER SYSTEMS OF NUCLEAR REACTORS A.

BACKGROUND The acceptance criteria used by the staff in the evaluation of protection and emergency power systems undergo improvement from time to time, With each change it is necessary to deter-minewhetherpreviouslyapproveddesignsshouldbemodified(backfitted)tomeettherevised criteria. This determination is made on the basis of whether a significant incremental increase in safety of the plant would be obtained that would justify the various difft-culties of the change.

The actions which raise the question of possible backfitting aret 1.

Application for a full tenn operating Itcense for plants now operating with a provisional operating license.

2.

Evaluation of a significant plant modification proposed by the staff or the licensee.

3.

Appilcation for a full-term operating license for plants now operating under D00 91 B exemptions.

B.

BRANCH TECHNICAL PCSITION For cases falling in the categories 1-3 in(A),atnve the following applyn 1.

Instrumentation and electric equipment essential to safety which must function in an accident environment should be analyzed or tested to demonstrate this capability.

2.

Protection circuits essential to safety should meet the single failure criterion of Section 4.2 of IEEE 279.

3.

Where d.c power is required for safety, redundant d c sources should be provided and the d-c circuits should meet the single failure criterion.

4.

For reactor plants supplying electric power to electric utility grids, redundant sources of onsite a-c power should be provided and the a.C circuits should meet the single failure criterion. This aspect of the design of research and test reactors should be evaluated on an individual case basis.

C.

REFERENCES

1. - Note for P. A. Morris from E. G. Case. August 6, 1971, 7A 4 11/24/75

BRANCH TECHNICAL POSITION E!CSB 2 DIESEL GENERATOR RELIABILITY QUALIFICATION TESTING A.

_D_AC KGROUND The increase in standby electrical generating capacity required for safety loads of the current large water cooled power reactors has caused several applicants to propose standby power source design using diesel generators or diesel generator configurations not previously used. The staff concluded that qualification testing of these larger capacity machines or configurations would be required to demonstrate a capability and reliability at least equivalent to that of machines currently used for nuclear plant standby applications.

The proposals of nonstandard diesel generator arrangements for Sequoyah, Fort St. Vrain, Hutchinson Island, and Fitzpatrick made it necessary to develop a consistent approach for determining acceptability. Regulatory Guides 1.6 and 1.9 were utilized as the bases.

B.

BRANCH TECHNICAL POSITION A start and load reliability test program should be required for all diesel-generator sets of a type or size not previously used as standby emergency power sources in nuclear power plant service. The objective of this program should be to establish a 0.99 reliability for starting and accepting design load in the desired time. An acceptable test program should include the following requirements:

1.

At least two full load and margin tests acceptable to the staff should be performed on each diesel generator set to demonstrate the start and load capability of the units with some margin in excess of the design requirements. Proposed full load and margin testing should be evaluated on en individual case basis to take account of the differences in unit design.

2.

Prior to initial fuel loading, at least 300 valid start and load tests should be performed with no more than three failures allowed. At least 90% of these start tests shall be made from design cold ambient conditions (design hot standby conditions if standby temperature control system is provided) and 10% from design hot equilibrium temperature conditions. This would include all valid tests performed offsite. A valid start and load test shall be defined as a start from the specified temperature conditions with loading to at least 50% of continuous rating within the required time intervals, and continued operation until temperature equilibrium is attained.

3.

A failure rate in excess of one per hundred should require further testing as well as review of the system design adequacy, 1

7A 5 11/24/75 4

. _.. - ~ _. _ -..

=-

C.

RErfRENCES 1.

Fort St Vrain Safety Evaluation Report, May 1, 19F1.

2.

Zion 1 and 2 Safety Evaluation Report, March 10, 1972, 7A.6 11/24/75

BRANCH TECHNICAL POS!?!0N E!CSB 3 ISOLATION OF LOW PRESSURE SYSVEMS FROM THE HIGH PRESSURE REACTOR CCOLANT SYSTEM A.

BA,CKGROUND A

During nonnal and emergency conditions it is necessary to keep low pressure systems that are connected to the high pressure reactor coolant system properly isolated in order to avoid damage by overpressurization or the potential for loss of integrity of the low pressure system and possible radioactive releases. There have been a number of recommen.

dations for accomplishing this aim, Until a more definitive guide is published, the criteria in in Part B.below. provide an adequate and acceptable design solution for this concern.

B.

BRANCH TECHNICAL POSITION The following measures should be incorporated in designs of the interfaces be' tween low pressure systems and the high pressure reactor coolant system:

1.

At least two vahes in series should be provided to isolate any subsystem whenever the primary system pressure is above the pressure rating of the subsystem.

2.

For system interfaces where both valves are motor-operated, the valves should have independent and diverse interlocks to prevent them from both being opened unless the primary system pressure is below the subsystem design pressure. Also, the valve operators should receive a signal to close automatically whenever the primary system pressure exceeds the subsystem design pressure.

3.

For those system interfaces where one check valve and one motor-operated valve are provided, the motor-operated valve should be interlocked to prevent the valve from opening whenever the primary pressure is above the subsystem design pressure, and to close automatically whenever the primary system pressure exceeds the subsystem design pressure.

4..

Suitable valve position indication should be provided in the control room for the interface valves.

5.

For those interfaces where the subsystem is required for ECCS operation, the above recommendations need not be implemented, System interfaces of this type should be evaluated on an individual case basis.

7A-7 11/24/75 i

.._--~..._....__._..._,_..___..m.

l

. C.

. REFERENCES l

i la Memorandum' to E. G. Case from P. A. Morris, February 6,1971.

2.

Memorandum to P. A. Morris from D. Skovholt, February 19, 1971.

l l

3.

- Note for E. G. Case from D. F. Knuth, April 13, 1972.

I l

l I

l l

\\'N s

j l

i i

l i

n

'7A-8 K

'11/24/75 a

~<

_5 n

e

,.c

--... -.. -.... ~. -

BRANCH TECHNICAL POSIT 0N EICSB 4 REQUIREMENTS ON MOTOR-OPERATED VALVES IN THE ECCS ACCUMULATOR LINES J

A.

BACKGROUND For many postulated loss-of-coolant accidents,the performance of the emergency core cooling system (ECCS)inpressurizedwaterreactorplantsdependsuponproperfunctioningofthe safety injection tanks (also referred to as " accumulators" or " flooding tanks" in some applications). In these plants, a motor-operated isolation valve (M0!V) and two check valves are provided in series between each safety injection tank and the reactor coolant (primary) system.

The MOIV's must be considered 6 be " operating bypasses" because, when closed, they pre-vent the safety injection tanks from performing the intended protective function. IEEE Std 279-1971 has a requirement for " operating bypasses" which states that the bypasses of a protective function will be removed automatically whenever pemissive conditions are not met. This branch technical position provides specific guidance 1n meeting the intent of

~

IEEE Std 279-1971 for safety injaction tank M0!V's.

It should be noted that BTP E!CSB 18, " Application of the Single Failure Criterion to Manually-Controlled Electrically-Operated Valves," also applies to these isolation valves and should be used in conjunction with this position.

B.

BRANCH TECHNICAL POSITION The following features should be incorporated in the design of MOIV systems for safety in-jection tanks to meet the intent of IEEE Std 279-1971:

1.

Automatic opening of the valves when either primary coolant system pressure exceeds a preselected value (to be specified in the technical specifications), or a safety in-jection signal is present. Both primary coolant system pressure and safety injecticn signals should be provided to the valve operator.

2.

Visual indication in the control room of the open or closed status of the valve.

3.

An audible and visual alarm, independent of itemCD,above, that is actuated by a sensor on the valve when the valve is not in the fully-open position.

7A-9 x

11/24/75 e <

e t

4.

Utilization of a safety injection signal to remove automatically (override) any bypass feature that may be providrd to allow an isolation valve to be closed for short periods of time when the reactor coolant system is at pressure (in accordance with provisions of the technical specifications),

l C.

REFERENCES 1.

Memorandum to E. G.' Case from P. A. Morris. February 10. 1971.

2.

Arkansas 1. Unit 1. Safety Evaluation Report. January 23. 1973, i

l l

l 1

N 7A-10 11/24/75

l BRANCH TECHNICAL POS! TION EICSB 5 SCRAM BREAKER TEST REQUIREMENTS - TECHNICAL SPECIFICATIONS 4

A.

BACKGROUND There have been some in;ansistencies in the description of scram circuit test procedurec in l

FSARs and technical specifications requirements. Some FSARs for plants with Westinghouse f

reactors describe the scram circuit test procedures and include a position for testing the scram breakers, but there are no provisions for doing so in the proposed technical specifi-cations. It is the purpose of this branch technical position to establish a unifonn practice in this matter, 4

i j

B.

BRANCH TECHNICAL POSITION The requirement that control rod drive trip breakers be tested monthly should be included in all plant Technical Specifications issued. For a model, refer to the Oconne technical specifications page 4.1-4. Table 4.1-1, item 2.

C.

REFERENCE 1.

Memorandum to PWR Branch Chiefs from R. C. DeYoung, January 28, 1972.

\\

7A-11 11/24/75 g_m._

BRANCH TECHNICAL POSITION EICSB 6 CAPACITY TES? REQUIREMENTS OF l.TATION BATTERIES - TECHNICAL SPECIFICATIONS A.

BACKGROUND The capacity test requirements for station batteries are addressed in IEEE Std-450-1972 and IEEE Std-309 the 1971 and 1974 editions. The purpose of this branch technical position is j

to provide guidance for meeting the recomendations of these standards.

B.

BRANCH TECHNICAL POSIT M All technical specifications s,iall include a requirement for periodic surveillance ttsting of onsite Class IE batteries. The test should meet the intent of Section 5.3.6 rJ lt:EE Std 308-1971 to determine battery capacity including as a minimum the following re,quirements:

(1) An acceptance test of battery capacity shall be perfonned according to Section 4.1 of IEEE Std 450-1972.

(2) The performance discharge test listed in Table 2 of IEEF Std 308-1971 shall be per-formed according to Sections 4.2 and 5.4 of IEEE Std 450-1972.

(3) A battery service test 6: scribed in Section 5.6 of IEEE Std 450-1972, shall be per-fonned during each refueling operation or at some other outage with intervals between tests not to exceed 18 months in order to satisfy Section 6.4 of IEEE Std 308-1971.

(4)- A detailed description of the battery service test shall be included in Section 8.3 of the Safety Analysis Report.

C.

REFERENCE 1.

Memorandum to R. H. Vollmer from J. G. Keppler. March 20,1972, 2.

Memorandum to R. Carlson from V. D. Thomas. January 18. 1972.

l 7A-12 1

11/24/75 om e

BRANCH TECHNICAL POSITION EICSB 7 SHARED EMERGENCY ELECTRIC POWER SYSTEMS FOR MULTI-UNIT GENERATIN3 STATIONS A.

BACKGROUND The detailed operating license reviews of multi-unit statir" using shared onsite power systems revealed that in almost every case sharing result-a reduccion in the nt,mber of

~

and capacity of the onsite power sources to below that nomally provided for the same number of units located at separate sites. This reduced capacity introduced a number of interactions that are potential safet/ problems. These interactions concern (1) the inter-connection of ESF control circuits of each unit such that failures and maintenance or testing operations in one unit affect -the availability of ESF in other units, (2) coordina-tion between unit operators required in order to cope with an accident in one unit and safe shutdown of the remaining unit (s), and (3) system overload conditions as a consequence of a real accidmt in a unit coincident with a false or spurious accident signal in another unit. The purpose of this branch technical position is to provide guidance in ahuring proper compliance with the requirements of General Design Criterion 5.

B.

BRANCH TECHNICAL POSITION 1.

For multi-unit generating stations now under design and construction and for which construction pemit applications were made before May 1,1973, the design of shared onsite emergency power systems should:

a.

Assure that a single failure, including a false or spurious accident signal, does not reduce the capability to supply automatically minimum engineered safety feature (ESF) loads in any unit and safely shut down the remaining units, b.

Provide onsite power capacity sufficient to energize seismic Category I equipinent to attain a safe and orderly cold shutdown of all units, assuming a single fail-ure and loss of offsite power.

c.

Limit the interactions between unit engineered safety feature electrical circuits such that any allowable combination of maintenance and test operations in the units will not affect the capability to supply power automatically to minimum ESF loads in any unit.

d.

Minimize the coordination required between unit operators in order to accomplish j

(a),0), and (clabove. Although each design will be evaluated on an individual basis in this regard, all shared onsite power systems should meet the following:

7A-13 s

11/24/75 M

.e e

= = ^

i (1) Coordination between the unit operators should not be nIcessary in ordtr to provida for W and N, above.

(2) Complete information regarding the status of the shared system should be provided for each operator.

e.

Conform with IEEE Std 30 6 971 and Regulatory Guides 1.6 and 1.9.

2.

The onsite emergency electrical power systems of multi-unit generating stations for which construction permit applications are made af ter May 1.1973, should conform to i

the following criterion:

l l

"Each unit shall have separate and independent onsite emergency electrical power systems, both a-c and d-c, capable of supplying minimum ESF loads and the loads required for achieving and maintaining a safe and orderly r.old shutdown of the unit, assuming a single failure and loss of offsite power."

C.

REFERENCES 1.

'4emorandum to V. Moore from V. Stello, August 24, 1973.

2.

liemorandum to L. Rogers from J. F. O' Leary, August 25, 1972.

3.

Memorandum to J. M. Hendrie from T. A. Ippolito, November 19, 1973.

4.

Memorandum to G. A. Arlotto from V. Stello, December 10,1973.

7A-14 11/24/75

+

w g-yw m

e17e-T-y

+ - -

e-w%-.

e

-i,

+-e-

.e-~

N r

+,-=N

BRANCH TECHNICAL POSITION EICSB 8

)

USE OF DIESEL-GENERAT0r, SETS FOR PEAKING A.

BACKGROUND General Design Criterion 17 requires that provisions be included to minimize the probabil-

{

ity of losing electric power from any of the remsining supplies as a result of, or co-incident with loss of the main generator, loss of power from the grid, or loss of standby power supplies. Additionally, IEEE Std 308 requires that the preferred (offsite) and stand-by power supplies shall not have a common failure mode. Common failure mode is defined as "a mechanism by which a single design basis event can cause redundant equipment to be inoperable." Although IEEE Std 308 does not preclude the use of emergency diesels for non-safety purposes, the staff cor.cludes that the potential for common failure modes should preclude interconnection of onsite and offsite power sources except for short periods for load testing.

Review of the use of emergency diesel-generator sets for peaking service leads to the con-clusion that the required frequent interconnection of the preferred and standby power supplies increases the probability of their conynon failure.

B.

BRANCH TECHNICAL POSITION

]

General Design Criterion 17 and Section 5.2.l(5) of IEEE Std 308-1971 should be interpreted as prohibiting the use of plant emergency power diesel-generator sets for purposes other than that of supplying standby power when needed..in particular, emergency power diesel-generator sets should not be used for peaking service.

1 C.

REFERENCES 1.

Note to D. F. Knuth and V. A. Moore from J. M. Hendrie, January 23, 1973.

2.

Memorandum to J. M. Hendrie and D. F. Knuth from V. A. Moore, January 4, 1973.

i l

7A-15 11/24/75 e

m e-

-g-

,,y g

nn m--.g-

BRANCH TECHNICAL POSITION E!CSB 9 DEFINITION AND USE OF " CHANNEL CALIBRATION' - TECHNICAL SPECIFICATIONS A.

BACKGROUND In several PWR technical specificitions,the term " channel calibration" was used to describe a " daily adjustment" for amplifie? gain of the nuclear instrumentation power range channels.

This adjustment was perfomed to maintain agreement between the indicated reactor nuclear power level and the reactor thermal power calculation. This adjustment is not considered by the staff to be a channel calibration. A calibration procedure performed on a monthly basis requires the following:

a.

Performance of a functional test using a simulated signal to verify bistable action (protective trips including rod block trips and permissive interlocks) on a monthly

basis, b.

Calibration of the upper and lower chambers of each flux channel for txial offset utilizing the in-core detectors r.n a calendar quarter basis.

c.

Perfomance of a functional test using a simulated signal to verify positive and

\\

negative rate bistable action on a monthly basis.

t i

Perfonnance of a total system response time test is required during each refueling outage.

[

B.

BRANCH TECHNICAL POSITION The " daily adjustment," which does not fulfill the intent or requirements of a calibration procedure, should remain as a daily requirement but be deleted from the " channel calibra-tion" category in the technical specifications.

C.

REFERENCES 1.

Memorandum to R. L. Tedesco from V. Stello, April 19,1973.

2.

Memorandum to R. C. DeYoung from R. L. Tedesco, April 27. 1973.

7A-16 11/24/75 i

BRANCH TECHNICAL POSITION E!CSB 10 ELECTRICAL AND MECHANICAL EQUIPMENT SE!$MIC CJALIFICATION PROGRAM A.

BACKGROUND Subsequent to the publication of IEEE Std 344-1971. the staff determined that compliance with the standard was not in itself sufficient to assure an acceptable seismic qualifica-tion program for electrical and mechanical equipment. As a result, a supplement to IEEE Std 344-1971 was developed by the staff.

B.

BRANCH TECHNICAL POSITION 1.

For plants for which construction permit applications were docketed before October 27 1972. and for which operating license reviews are not completed, information should x

be provided describing in detail the methods used for qualifying equipment under IEEE Std 344-1971. " Guide for Seismic Qualification of Class ! Electric Equipment for Nuclear Power Generating Stations."

2.

For plants for which construction pemit applications are docketed after October 27 1972, the following supplementary requirements to IEEE Std 344-1971 should be met:

a.

Seismic Test for Equipment Operability (1)

A test and analysis program is required to confirm the functional opera-bility of all seismic Category I electrical and mechanical equipment dur-ing and after a earthquake of magnitude up to and including the SSE.

Analysis without testing may be acceptable only if structural integrity alone can assure the intended function. When a complete seismic testing is impracticable, a combination of tests and analyses may be acceptable.

(2)

The characteristics of the required input motion (i.e., the support motion in the seismic event) should be specified by one of the following:

(a) Response spectrum.

(b) Power spectral density function.

(c) Time history.

Such characteristics, as derived from the structures or systems seismic l

l i

i 7A-17 I

l i

1 l

11/24/75 l

l I

analyses, should be representative of the input motion at the equipment mounting locations.

I (3) Equipment should be tested in the operational condition. Operability should be verified during and after the testing.

(4) The actual input motion for the testing should be characterized in the same manner as the required input motion, and conservatism in amplitude and frequency content should be demonstrated. The frequency spectrum used should cover the range from I through 33 Hz. Any exceptions require justification.

(5) Seismic excitation generally has a broad frequency content. Random vibra-tion input motion should be used. However, single frequency inputs, such l

as sine beats, may be applicable provided one of the following conditions are met:

(a) The characteristics of the required input motion indicate that the motion is dominated by one frequency (e.g., by structural filtering effects).

(b) The anticipated response of the equipment is adequately represented by one mode.

(c) The test input has sufficient intensity and duration to excite all modes to the required magnitude, such that the testing response spectra will envelop the corresponding seismic event response spectra of the individual modes.

(6) The input motion should be applied to the vertical axis and one principal horizontal axis (or two orthogonal horizontal axes) simultaneously unless it can be demonstrated that the equipment response along the vertical direction is not sensitive to the vibratory motion along the horizontal direction, and vice versa. The time phasing of the inputs in the vertical and horizontal directions must be such that a purely rectilinear resultant input is avoided. An acceptable alternative is to have verti, cal and horizontal inputs in-phase, and then repeated with inputs 180 degrees out-of-phase. In addition, the test must be repeated with the equipment rotated 90 degrees horizontally.

(7) The fixture design should meet the following requirements:

(a) Simulate the actual service mounting.

(b) Cause no dynamic coupling to the test item.

7A-18 l

11/24/75 o

(8) The in situ application of vibratory devices to superimpose seismic vibra-tory loadings on a complex active device for optraoility testing is accept-able when it can be shown that a meaningful test can be made in this fashion.

(9) The test program may be based upon selectively testing a representative number of mechanical components according to type, load level, size, etc.

on a prototype basis, b.

Seismic Design Adequacy of Supports (1) Analyses or tests should be perfonned for all supports of electrical and mechanical equipment to ensure their structural capability to withstand seismic excitation.

(2) The analytical results must include the following:

(a) The required input motions to the mounted equipment should be obtained andcharacterizedinthemannerasstatedinSection2.a(2),above.

(b) The combined stresses of the support structures whould be within the limits of ASME aoiler and Pressure Vessel Code Section 111. Sub-section NF, " Component Support Structures," or other comparable stress limits.

(3) Supports should be tested with equipment installed. If the equipment is inoperative during the support test, the response at the equipment mounting locations should be monit e sd and characterized in the manner as statedinSection2.a(2).

I. such case, equipment should be tested separately and the actual 1.tput to the equipment should be more conserva-tive in emplitude and frequency content than the monitored response.

(4) The_requirementsofSections2.a.(2),(4),(5),(6),and(7),above,are applicable when tests are conducted on the equipment supports.

C.

REFERENCES 1.

Note to Electrical, instrumentation and Control Systems Branch from T. A. Ippolito, January 7, 1974.

l l

7A-19 l

11/24/75 9

t

BRANCH TECHNICAL POSITION E!CSB 11 STABILITY OF OFFSITE POWER SYSTEMS A.

BACKGROUND The staff has traditionally required each applicant to perform stability studies for the electrical transmission grid which would be used to provide the offsite power sources to the plant. The basic requirement is that loss of the largest operating unit on the grid will not result in loss of grid stability and availability of offsite power to the plant under consideration. In some cases, such as plants on the island of Puerto Rico, the plant is connected to an isolated power system of limited generating capacity. These kinds of isolated power systems are inherently less stable than equivalent systems with supporting grid interties. It is also obvious that limited systems are more vulnerable to natural disasters such as tornadoes or hurricanes.

B.

BRANCH TECHNICAL POSITION 1.

The staff has concluded, from a review of appropriate reliability data, that power systems with supporting grid interties meet the grid availability criterion with some margin. This conclusion is applicable to the review of most plants located on the U. S.

mainland.

2.

There is also strong indication that an isolated system large enough to justify in-clusion of a nuclear unit will also meet this criterion. However, as a conservative approach, the staff will examine the available generating capacity of a system, in-cluding interties if available, to withstand outage of the largest unit. If the available capacity is judged marginal to provide adequate stability of the grid, additional measures should be taken. These may include provisions for additional capability and margin for the onsite power system beyond the normal requirements, or other measures as may be appropriate in a particular case. The additional measures to be taken should be determined on an individual case basis.

O i

7A-20 11/24/75 t

i 4

e,_

3 y.

.y

.-...-. ~.. -

~. - -.-

BRANCH TECHNICAL POS!?!ON E!CSB 12 PROTECTION SYSTEM TRIP POINT CHANGES FOR OPERATION WITH REACTOR COOLANT PUMPS OUT OF SERVICE A.

BACKGROUND _

For the past several years, including a time prior to the development of IEEE Std 279, the staff has required automatic adjustment to more restrictive settings of trips affecting The basis reactor safety by means of circuits satisfying the single failure criterion.

for this requirement is that the function can be accomplished more reliably by automatic circulty than by a human operator. This design practice, which has also been adopted independently by the national laboratories and by much of industry, served as the basis for paragraph 4.15. " Multiple Set Points " of IEEE Std 279.

More recently, all applicants have stated that their protection systems were designed to meet IEEE Std 279. Paragraph 4.15 of IEEE Std 279specified that where a mode of reactor operation requires a more restrictive set point, the means for insuring the more restrictive A

set point shall be positive and must meet the other requirements of IEEE Std 279.

number of designs have been proposed and accepted which reliably and simply satisfy this requirement. During the review of some applications, however, certain design deficiencies have been found. The purpose of this position is to provide additional guidance on the application of Section 4.15 of IEEE Std 279.

B.

BRANCH TECHNICAL POSITION 1.

If more restrictive safety trip points are required for operation with a reactor coolant pump out of service, and if operation with a reactor coolant pump out of service is of sufficient likelihood to be a planned mode of operation, th6 change to the more restrictive trip points should be accomplished automatically.

2.

Plants with designs not in accordance with the above should have included in the j

plant technical specifications a requirement that the reactor be shut down prior to changing the set points manually.

j C.

REFERENCES l.

Report to the ACR$ on the protection system trip point changes for operation with the reactor coolant pumps out of service, July 28,1970.

J 2.

Memorandum to R. C. DeYoung from V. Stello, September 14,1973(RESAR).

i I

3.

Millstone-3 Safety Evaluation Report, September 24,1973.

l 4.

Beaver Valley-2 Safety Evaluation Report, October 10,1973, 7A-?)

11/24/75

=.

_. ~

I BRANCH TECHNICAL. P03! TION EICSB 13 DESIGN CRITERIA FOR AUX!LIARY FEE 0 WATER SYSTEMS 4

j A.

BACKGROUND The function of the auxiliary feedwater system in pressurir M water reactors is to provide an emergency source of feedwater supply to the steam genereurs, it is required to ensure safe shutdown in the event of a main turbine trip with loss of offsite power. The system is also started on a safety injection signal. Feedwater is pumped to each steam generator through normally open :ontrol valves. It was found that in some plant designs the auxiliary feedwater system did not meet the single failure criterion. It is the purpose of this i

branch technical position to provide guidance and to establish uniform requirements for acceptable designs of auxiliary feedwater systems.

B.

BRANCH TECHNICAL POSITION 1

The auxiliary feedwater system should be capable of satisfying the lystem functional requirements af ter a postulated break in the auxiliary feedwater piping inside containment together with a single electrical failure. The basis for the position is that an auxiliary feedwater piping break would result in tripping the unit and, in turn, might cause loss of offsite power. Standard staff assumptions for analyzing postulated accidents include the assumption of loss of offsite power if the affected unit generator is tripped by the accident. Such a circumstance would leave the plant without adequate means for removal of afterheat even though the reactor coolant pressure boundary was intact, an unacceptable resul t.

Plant heat removal systems must, in any postulated piping break, be capable of removing afterheat to the ultimate heat sink assuming a single electrical (active) failure anywhere in the auxiliary feedwater system or in the onsite power system.

C.

REFERENCES 1.

Note from T. A. Ippolito to EICSB, December 12,1973.

7A-22 11/24/75 n

BRANCH TECHNICAL POSIVION ElCSB 14 SPURIOUS d!THORAWALS OF SINGLE CONTROL RODS IN PRESSURIZED WATER REACTORS A.

BACKGROUND Recent operating experience with PWR's and subsequent reviews of PWR designs with regard to the requirements of General Design Criteria 20 and 25 have sbown that single failures can cause inadvertent single rod withdrawals. The intent of this branch technical position is to provide specific guidance toward an acceptable interpretation and application of GOC 20 and 25.

B.

BRANCH TECHNICAL POSITION For this Appligants have to demonstrate compliance with the requirements of GDC 20 and 25.

purpose,it has to be shown by analysis that the consequences of uncontrolled or erroneous withdrawal of a single control rod under any possible conditions of reactor operation does not result in exceeding specified acceptable fuel design limits. If the results of this analysis show that the limits may be exceeded, the applicant must provide the results of failure modes and effects analyses to show that a single failure occurring in the control system. or an operator error, will not cause the uncontrolled or erroneous withdrawal of a single control rod. If the results of these analyses show that it is possible for un-controlled or erroneous withdrawal of single control rods to occur, and the specified fuel design limits could be exceeded as a result, then the protection system must be designed to detect and terminate the resulting transient before the fuel design limits are exceeded.

C.

REFERENCES 1.

Surry 3 and 4 Safety Evaluation Report March 26, 1974.

2.

Byron & Braidwood. First Set of Questions-Addendum, memorandum to R. C. DeYoung from V. Stello. December 12. 1973, 7A-23 11/24/75

BRANCH TECHNICAL POSITION EICSB 15 REACTOR COOLANT PUMP BREAKER QUALIFICATION A.

BACKGROUND An sssumption usually made in accident analyses is that for complete loss of forced reactor

{

coolant flow (resulting from a failure of the main coolant pump power supply that is pre-saged by an underfrequency condition), a reactor trip is initiated along with disengagement of the reactor coolant pumps from the power grid to assure that the pumps' kinetic energy is available for flow coastdown. Therefore, unless the pump breakers are Class IE and are housed in a seismic Category I structure, the required disengagement of the pump motors from the power grid when it experiences the underfrequency condition might not occur. It I

is the intent of this branch technical position to provide guidance in meeting this concern.

B.

BRANCH TECHNICAL POSITION 1.

If credit is taken for reactor coolant pump coastdown in the accident analyses, the pump breakers must be qualified in accordance with the requirements of IEEE Std 279-1971 and IEEE Std 308-1971. Further, they must be located in a seismic Category I structure.

2.

Any reactor pump system trip sensors associated with these breakers should meet the requirements of IEEE Std 279-1971, regardless of whether or not credit is taken for pump coastdown. If credit is not taken for pump coastdown, the building or structure housing these breakers does not have to be seismic Category I.

It has been tentatively l

established that unless the applicant can demonstrate by analysis that an underfrequency rate of 15 Hz/sec. will not prevent the pumps from perfoming their coastdown function, the tripping of the reactor coolant pump breakers will be considered a required safety

action, j

C.

REFERENCES 1.

Vogtle Safety Evaluation Report, December 18, 1973.

f l

i l

I 7A-24 11/24/75 e

.__._..m_

BRANCH TECHNICAL POSITION ElCSB 16 CONTROL ELEGENT A$$EMBLY (CEA) INTERLOCKS IN COMBUSTION ENGINEERING REACTORS 1

1 J

A.

BACKGROUND Certain control element assembly interlocks provided in Combustion Engineering designs i

l have not been treated as safety-related. It has been determined by the' staff that, unless it can be shown by analysis that these interlocks are not required to assure fuel integrity.

j they should be treated as required for safety.

B.

BRANCH TECHNICAL POSITION i

The following interlocks in CE designs are considered safety-related, and unless it can be substantiated otherwise by supporting analyses, they should be designed to meet the require-ments of IEEE Std 279.. The interlocks in question are intended to prevent the following actions:

]

1, insertion of shutdown CEA's before the regulating CEA's are inserted.

2.

Simultaneous withdrawal of more than two groups of CEA's.

3.

Withdrawal of a CEA group or groups out of proper sequence.

C.

REFERENCES 1.

Memorandum to p. A. Morris from E. G. Case, May 5. 1970.

I j

l l

7A-25 11/24/75 N

r

- ~. -,

--.--.-c

BRANCH TECHNICAL POSITION EICSB 17 DIESEL-GENERATOR PROTECTIVE TRIP CIRCUIT BYPASSES A.

BACKGROUND Where protective trips are provided to protect the standby diesel-generators from possible damage or degradation, these protective trips could interfere with* the successful function-ing of the diesel-generators when they are most needed, i.e., during an accident condition.

In nuclear power plant applications.the criterion should be to provide standby power when needed to mitigate the effects of an accident condition, rather than to protect the diesel-generators from possible damage or degradation.

B.

BRANCH TECHNICAL p0SITION 1.

The design of standby diesel-generator systems should retain only the engine overspeed and the generator differential trips and bypass all other trips under an accident condition. All those trips that are bypassed for en accident condition may be retained for the diesel-generator routine tests. T.is concept will reduce the probability of spurious trips during accident conditions and will also reduce the exposure of the equipment to damage from malfunctions during routine tests.

2.

The design should include capability for testing the status and operability of the bypass circuits and should alann abnormal values of all the bypassed parameters in the I

control room.

3.

If other trips, in addition to the engine overspeed and generator differential, are retained for accident conditions, an acceptable design should provide two or more l

independent measurements of each of these trip parameters. Trip logic should be such i

that diesel-generator trip would require specific coincident logic.

4.

The bypass cir;uitry for the diesel-generator protective trips should oe designed to I

meet the requirements of IEEE Std 279-1971.

C.

REFERENCES 1.

Memorandum to R. C. DeYoung from D. F. Knuth, March 3,1972.

2.

St. Lucie Units 1 and 2 (Operating License and Construction Permit).

3.

SWESSAR-P1 - Stone and Webster Corporation Standard Plant Design.

7A-26 l

11/24/75 e

___--_____.._-_m--_

m

-..-.-. ~.-

BRANCH TECHNICAL POSITION E!CSB 18 APPLICATION OF THE SihCLE FAILURE CRITER10N TO MANUALLY-CONTROLLED ELECTRICALLY-0PERATED VALVES A.

BACKGROUND Where a single failu-in an electrical system can result in loss of capability to perform a safety function, the effect on plant safety must be evaluated. This is necessary regard-less of whether the loss of safety function is caused by-a component failing to perform a requisite mechanical motion, or by a component performing an undesirable mechanical motion.

This position establishes the acceptability of disconnecting power to electrical components of a fluid system as one means of designing against a single failure that might cause an un-desirable component action. These provisions are based on the assumption that the component is then equivalent to a similar component that is not designed for electrical operation, e.g., a valve that can be opened or closed only by direct manual operation of the valve.

They are also based on the assumption that no single failure can both restore power to the electrical system and cause mechanical motion of the components served by the electrical system. The validity of these assumptions should be verified when applying this position.

B.

BRANCH TECHNICAL POSITION 1.

Failures in both the " fail to function" sense and the " undesirable function" sense of components in electrical systems of valves and other fluid system components should be considered in designing against a singh failure, even though the valve or other fluid system component may not be called upoa to function in a given safety operational sequence.

2.

Where it is determined that failure of an electr cal system component can cause undesired mechanical motion of a valve or other fluid system component and this motion results in loss of the system safety function, it is acceptable, in lieu of design changes that also may be acceptable, to disconnect power to the electric systems j

of the valve or other fluid system component. The plant technical specifications should include a list of all electrically-operated valves, and the required positions of these f

valves, to which the requirement for removal of electric power is applied in order to satisfy the single failure criterion.

3.

Electrically-operated valves that are classified as " active" valves, i.e., are required to open or close in various safety system operational sequences, but are manually-controlled, should be operated from the main control room. Such valves may not be included among those valves from which power is removed in order to meet the single failure criterion unless: (s) electrical power can be restored to the valves from the

\\

main control room,(b) valve operation is not necessary for at leasten minutes following occurrence of the event reouiring such operation, and(c) it is demonstrated 7A-27 11/24/75

-ee,

--u.+we--m w.

-w-.ww-e-----me,pe>,,,-y un.y-m-u-me.

---g,.,-,weyy r->

....,.,.ie Py,,

e m

.,y ir x

m yg,u r,-s,.--

.-.3pw,p 7,-

cy y.

y

.7~

. ~ - -

that there is reasonable assurance that all necessary operator actions till be per-formed althin the time shown to be adequate by the analysis. The plant technical specifications should include a list of the required positions of manually controlled.

I electrically-operated valves and should identify those valves to which the require-ment for removal of electric power is applied in order to satisfy the single failure criterion.

4.

When the single failure criterion is satisfied by removal of electrical power from valves described in(2) and (3), above, these valves should have redundant position indication in the main control room and the position indication system should.itself.

meet the single failure criterion.

1 5.

The phrase " electrically operated valves" includes both valves operated directly by an i

electrical device (e.g., a motor-operated valve or a solenoid-operated valve) and those valvesoperatedindirectlybyanelectricaldevice(e.g.,anairoperatedvalvewhose air supply is controlled by an electrical solenoid valve).

j C.

REFERENCES 1.-

Memorandum to R. C. DeYoung and V. A. Moore from V. Stello. October 1.1973.

l l

l

)

)

1 l

l 7A-28 1

11/24/75 1

j BRANCH TECHNICAL POSITION ElCSB 19 ACCEPTABILITY OF DESIGN CRITERIA FOR HYOROGEN MIX!NG AND ORYWELL.

VACUUM RELIEF SYSTEMS i

i 1

A.

BACKGROUND i

Certain design problems arise from the containment design concept which utilizes a drywell and suppression pool for heat removal af ter a loss of coolant accident (LOCA). Two such 1

problems are 0) the hydrogen concentration in the drywell may, in a relatively short time, exceed the limits described in BTP CSB 6 2 (a saf 3ty related problem), and(2) eventual cooling of the drywell will cause steam to condense, resulting in a partial vacuum which can draw A

I water from the suppression pool and partially flood the drywl) (a problem related to equip.

l mentdeteric.-ationandrepaircosts,notsafety),

i A hydrogen mixing system is proposed to mix the atmosphere in the larger containment volume outside the drywell with that in the drywell, thereby reducing the overall hydrogen con-centration to an acceptable level. In some designs.the hydrogen mixing system bypasses the suppression pool, resulting in an additional load on the containment heat removal system, and in the possibility of overpressurizing the containment. (There are times during a LOCA when bypassing the suppression pool would quickly overpressurize the containment.)

Some designs propose to avoid flooding of the drywell by means of a vacuum relief system utilizing the valves of the hydrogen mixing system, in view of the stresses to which the reactor operator might be subject during and following a LOCA it has been concluded that automatic as well as manual initiation at the system level should be provided in BWR 6/ Mark !!! plants.

B.

BRANCH TECHNICAL POSITION 1.

The design of the hydrogen mixing system should provide for both manual and automatic initiation and should conform to all criteria for protection systems, including the provisions of IEEE Std 279-1971 and Regulatory Guides 1.22 and 1.62. Automatic initiation should come from the sensors which sense that the hydrogen concentration in the drywell has exceeded the limits described in BTP CSB 6 2.

l 7A-29 11/24/75

l 2.

The design should previde interlocks in both the tutomatic and manual circuits that will precluda the opening of valves which bypass the suppression pool before blowdown is complete.

4 3.

If the hydrogen mixing system bypasses the suppression pool, the containment heat re-moval system should be automatically initiated whenever the hydrogen mixing system is initiated.

4.

The containment heat removal system should be automatically initiated upon indication of high pressure in the containment.

1 5.

In conformance with paragraph 4.8 of IEEE Std 279-1p", all signal inputs to the hydrogen mixing system and to those portions of the s u.tum relief system which are comon to the hydrogen mixing system, should be direct measures, to the extent practical, of the desired variable. Exceptions should be identified and justified.

C.

REFERENCES 1.

Draft Memorandum to J. M. Hendrie from T. A. Ippolito. October 12, 1973, 2.

Branch Technical Position CSB 6 2, " Guidelines for the Evaluation of the Bypass Leakage in Dual Containment Plants." attached to Standard Review Plan 6.2.5.

1 l

1 I

1 7A-30 11/24/75

,,m

-- - =----, --

~- -

BRANCH TECHNICAL POSITION E!CSB 20 DESIGN OF INSTRUMENTATION AND CONTROLS PROVIDED TO ACCOMPLISH CHANGE 0VER FROM fNJECTION TO RECIRCULATION MODE A.

BACKGROUND Designs are reviewed with regard to the automatic and manual initiation of protective actions, as set forth in paragraph 4.17 of IEEE Std 279-1971. For some recent designs, the staff concluded that the proposed design of the circuits used to change over to the recirculation mode of operation following a loss-of-coolant accident did not conform to IEEE Std 279-1971, and the complexity of the proposed changeover procedure raised questions as to whether the operator could be expected to perform correctly the required actions within the time and based on the infonnation available to him.

B.

BRANCH TECHNICAL POSITION 1.

A design that provides manual initiation at the system level of the transfer to the recirculation mcde, while not ideal, is suificient and satisfies the intent of IEEE Std 279-1971 provided that adequate instrumentation and information display are available to the operator so that he can make the correct decision at the correct time. Furthermore, it should be shown that in case of operator error, there are sufficient time and s 'ficient information available so that the operator can correct 4

)

the error, and the consequences of such an error are acceptable.

l 2.

Automatic transfer to the recirculation mode is preferable to manual trar.sfer, for the reasons cited above, and should be provided for standard plant designs submitted for review on a generic basis under the Commission's standardization policy.

C.

REFERENCES 1.

Memorandum to R. C. DeYoung from V. Stello. October 10.1973(BeaverValley-2 Safety i

Evaluation Report - EICSB).

7A-31 11/24/75

~

BRANCH TECHNICAL POSITION EICSB 21 GUIDANCE FOR APPLICATION OF 9IGULATORY GUIDE 1.47 A.

BACKGROUND The recommendations of Regulatory Guide 1.47 t.eed further detailing as to methods of pro-viding an acceptable design for the bypass and inoperable status indicators for engineered safety feature (ESF) systems. The purpose of this branch technical position is to provide supplemental guidance for implementation of the reconnendations of Regulatory Guide 1.47.

B.

BRANCH TECHNICAL POSITION The design criteria for bypass and inoperable status indication systems for ESF should reflect the importance of providing accurate information for the operator and of reducing the possibility for the indicating equipment to affect adversely the monitored safety systems. In developing the design criteria, the following should be considered:

1.

The bypass indicators should be arranged to enable the operator to detennine the status of each safety system and determine whether continued reactor operation is permissible.

2.

When a protective function of a shared system can be bypassed, indication of that by-pass condition should be provided in the control room of each affected unit.

3.

Means by which the operator can cancel erroneous bypass indications, if provided, should be justified by demonstrating that the postulated cases of erroneous indications cannot be eliminated by another practical design.

4.

Unless the indication system is designed in conformance with criteria established for safety systems, it should not be used to perform functions that are essential to safety. Administrative procedures should not require innediate operator action based solely on the bypass indications.

5.

The indication system should be designed and installed in a manner which precludes the possibility of adverse effects on plant safety systems. Failure or bypass of a pro-tective function should not be a credible consequence of failures occurring in the indication equipment, and the bypass indication should.not reduce the required in.

dependence between redundant safety systems.

6.

The indication system should include a capability of assuring its opf.rable status during normal plant operation to the extent that the indicating and annunciating function can be verified.

l C.

REFERENCES 1.

Memorandum to J. M. Hendrie from V. A. Moore. February 27. 1973.

7A-32 i

11/24/75 l

u h

I i

i BRANCH TECHNICAL POSITION EICSB 22 GUIDANCE FOR APPLICATION OF REGULA70R7 GUIDE 1.22 l

i A.

BACKGROUND A recent application listed eight functiors that are not tested while the reactor is operating at power. The applicant claimed that the periodic testing complied with Regulatory Guide 1.22.

j l

Regulatory Guide 1.22 does make provisions for actuated equipment that is not tested during reactor operation but it does not have provisions for excluding any portion of the pro-tection system from the requirements of paragraphs 4.9 and 4.10 of IEEE Std 279-1971.

B.

BRANCH TECHNICAL POSITION j

All portions of the protection systems should be designed in accordance with IEEE Std 279-1971, f

as required by 10 CFR 550.55a(h). All actuated equipment that is not tested durfng reactor operation should be identified and a discussion of how each conforms to the provisions of l

paragraph D.4 of Regulatory Guide 1.22 should be submitted.

l f

C.

REFERENCES l

1.

Memorandum to R. C. DeYoung from V. Stello, September 24, 1973. -(Millstone 3. Second Round of Questions).

l l

l 7A-33 11/24/75 e

t 4

-a

BRANCH TECHNICAL POSITION EICSB 23 QUALIFICATION OF SAFETY-RELATED DISPLAY INSTRUMENTATION FOR POST-ACCIDENT CONDITION MONITORING AND SAFE SHUTDOWN A.

BACKGROUND Instrumentation systems for post-a: "ent monitoring and safe shutdown must survive the accident to be effective when needeo. Environmental qualification should be in accordance with the provisions of IEEE Std 323-1974 and IEEE Std 344-1971. The recorders of these instrumentation systems are not required to function with accuracy during the safe shutdown earthquake; they must function with accuracy after the ground motion subsides without require-ing any maintenance.

B.

BRANCH TECHNICAL POSITION The safety-related display instrumentation for post-accident monitoring and safe shutdown should be:

1.

Redundant, with indicators in the control room for both channels and with at least one channel recorded.

2.

Energized from the onsite emergency power supplies.

3.

Designed in accordance with the requirements of IEEE Std 279-1971.

4 Qualified in accordance with the requirements of IEEE Std 323-1974 and IEEE Std 344-1971 as supplemented by BTP EICSB 10 with the exception that the recorders are not required to function within their required accuracy during the safe shutdown earthquake, but must function within their required accuracy immediately after the ground motion subsides without requiring any maintenance.

C.

REFERENCES 1.

Memorandum to V. A. Moore from V. Stello October 12.1973(GESSAR).

7A-34 11/24/75 t

J

BRANCH TECHNICAL POSITION EICSB 24 TESTING OF REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURE ACTUATION SYSTEM SENSOR RESPONSE TIMES j

A.

BACKGROUND l

The accident analyses in safety analysis reports assume certain response times for the reactor protection systems. Periodic verification of the protection system response times j

should be made to assure that they are within the design specifications assumed in the accident analyses.

B.

BRANCH TECHNICAL POSITION 1.

Periodic tests for verification of system response times of reactor trip systems and I

engineered safety feature actuation systems should include the response times of the t

sensors whenever practical.

l l

2.

In some cases, indirect means of verifying sensor response times may be used. Details of such indirect means of verifying sensor response times should be included in applications and will be reviewed by the staff on an individual case basis untti some uniformity of practice develops and generic guidance can be provided.

3.

Exceptions to the above should be specifico?y identified and justified.

C.

REFERENCES l

Memorandum to V. A. Moore from V. Stello, October 12, 1973. (GESSAR Second Round of N

l Questions. No. 2 and No. 9).

I 1

l 7A-35 l

J j

11/24/75

-o e.

n w,-

r

BRANCH TECHNICAL POSITION EICSB 25 GUIDANCE FOR THE INTERPRETATION OF GENERAL DESIGN CRITERION 37 FOR TESTING THE OPERABILITY OF THE EMERGENCY CORE COOLING SYSTEM AS A WHOLE A.

BACKGROUND General Design Criterion 37 requires, in part, that the emergency core cooling system be designed to permit testing the operability of the system as a whole under conditions as close to design as practical. It is stated in one recent application that the safety 1

injection and residual heat removal pumps are made inoperable during the system tests.

1 B.

BRANCH TECHNICAL POSITION In order to comply with the requirements of GDC 37, all ECCS pumps should be included in the system test.

C.

REFERENCES 1.

Memorandum to R. C. DeYoung from V. Stello, September 14,1973(R:SAR).

e 7A-36 11/24/75 3.

g --

..-. -- ~.. - -.

BRANCH TECHNICAL POSITION EICSB 26 REQUIREMENTS FOR REACTOR PROTECTION SYSTEM ANTICIPATORY TRIPS A.

. BACKGROUND

$#.aral reactor designs have incorporated a number of anticipatory or "back-up" trips for which no credit was taken in the accident analyses. These trips, as a rule, were not designed to the requirements of IEEE Std 279 and therefore introduced non-safety grade I

equipment into the reactor protection system. It was determined by the staff that this I

was not an acceptable practice, becaJse of possible degradation of the reactor protection system.

B.

BRANCH TECHNICAL POSITION I

All reactor trips incorporated in the reactor protection system should be designed to meet the requirements of IEEE Std 279, without exception. This position applies to the entire trip function from the sensor to the final actuated device.

C.

REFERENCES 1.

Shearon Harris Safety Evaluation Report. September 15. 1972, 2.

Memorandum to V. A. Moore from V. Stello. October 12. 1973 (GESSAR).

7A-37 11/24/75

BRANCH TECHNICAL POSITION EICSB 27 DESIGN CRITERIA FOR THERMAL OVERLOAD PROTECTION FOR MOTORS OF MOTOR-OPERATED VALVES 1

A.

BACKGROUND The National Electrical Code (NEC) recommends an overload setting of 1151 to 125% of motor full-load current for most continuous duty motors.

According to the NEC, a short-time (intermittent) duty motor, such as a valve operator motor, shall be considered as protected against overcurrent by the branch circuit device, provided the overcurrent protection does not exceed the specified values in the code. The maximum rating of motor branch circuit protective fusing recommended by the NEC is 300% of motor full-load current.

The accuracy obtainable with a thermal overload relay trip generally varies from -55 to 0%

of'its trip set point. Since the primary concern in the application of overload relays is to protect the motor windings against excess heating, this negative tolerance in the relay trip characteristics is considered in the safe direction, as it will trip sooner to protect the motor. This feature of thermal overload relays could interfere with the successful functioning of a safety-related system. In nuclear power plant safety system applications, the criterion should be to drive the valve to its proper position to mitigate the effects of an accident condition, rather than to be concerned with degradation or failure of the motor due to excess heating.

B.

BRANCH TECHNICAL POSITION 1.

Thermal overload protection, if provided for safety-related system motor-opere+,ed valves, should have the trip set point set at a value high enough to prevent spurious trips due to design inaccuracies, trip set point drift, or variation in the ambient temperature at the installed location. The trip set point chosen should be consistent with that of any branch circuit protectivo device used. ' Periodic tests should be per-formed on each of the therwel overload devices to verify the accuracy and reliability of the overload trip set point.

2.

Thermal overload protection may be bypassed under accident conditions. The bypass circuitry should be designed to IEEE Std 279-1971 criteria, as appropriate for the rest of the safety-related system.

C.

REFERENCES 1.

Memorandum to J. M. Hendrie from T. A. Ippolito, April 11, 1974.

7A-38 11/24/75 w

v

g

's 4,

• M

-e i

5

,