ML20114F596

Forwards SER, FSAR Section 7, Instrumentation & Control Systems. SER written by consultants of ANL, edited & subjoined by Instrumentation & Control Systems Branch. Lists open items identified in SER.
Person / Time
Site: 05000000, Waterford
Issue date: 05/08/1981
From: Check P
Office of Nuclear Reactor Regulation
To: Tedesco R
Office of Nuclear Reactor Regulation
Shared Package: ML082170562
References
FOIA-84-143 NUDOCS 8105140125


Text


MEMORANDUM FOR: Robert L. Tedesco, Assistant Director for Licensing, Division of Licensing

FROM: Paul S. Check, Assistant Director for Plant Systems, Division of Systems Integration

SUBJECT: WATERFORD STEAM ELECTRIC STATION UNIT 3 SAFETY EVALUATION REPORT, FSAR SECTION 7, INSTRUMENTATION AND CONTROL SYSTEMS

Plant Name: Waterford Steam Electric Station

Docket No.: 50-382

Licensing Stage: OL

Responsible Branch: LB ft B

Project Manager: S. Black

Responsible Reviewer: J. Rosenthal

Requested Completion Date: May 8, 1981

Enclosed is the SER for Waterford 3, FSAR Section 7, Instrumentation and Control Systems. The SER was written by our consultants, Argonne National Laboratory, and edited and subjoined by ICSB.

Open items are discussed in Section 7.1.2, Specific Findings, of the SER and in the [illegible] of the SER. The following open items have been identified:

1. Section 7.2, 7.3 - Qualification of in containment instrument cabinet heaters and associated controls.
2. Section 7.3 - Containment Isolation Actuation Signal diversity using low primary pressure.
3. Section 7.3 - Emergency Feedwater Isolation on Main Steam Isolation Signal.
4. Section 7.3 - Emergency Feedwater Control.
5. Section 7.5 - Conformance with R.G. 1.47, Bypass and Inoperable Status Indication.
6. Section 7.2, 7.3, 7.5 - IE Bulletin No. 79-21 (steam generator level measurement accuracy).
7. Section 7.4, 7.5, 7.7 - IE Bulletin No. 79-27 (safe shutdown following loss of an instrument bus).
8. Section 7.1, 7.3 - Transfer to Spare ESF Pump.
9. Section [illegible] - IE Bulletin No. 80-06 (reset and override of engineered safety features).


OFFICIAL RECORD COPY

10. Section 7.4 - Monitoring Safe Shutdown.
11. Section 7.1, 7.2, 7.3, 7.5 - RCP Shaft Break (modification of reactor protection system).
12. Section 7.6 - Containment Vacuum Relief System.
13. Section 7.5 - Conformance with R.G. 1.97, Rev. 2 ... Post Accident Monitoring ...
14. Section 7.7 - Single Failure of Control System Study.
15. Section 7.2 - Operation of Reactor Protective System with One Channel in Bypass.
16. Section 7.1, 7.2, 7.3 - Buffer Qualification.
17. Section 7.1, 7.2, 7.3 - Conformance with R.G. 1.118 ... Periodic Testing ...
18. Section 7.1, 7.2 - Core Protection Calculators.
19. Site Visit.
20. TMI Open Items - need design details.

This report incorporates information received by ICSB on or before April 24, 1981.

If you have any questions, please contact ICSB.

Paul S. Check, Assistant Director for Plant Systems
Division of Systems Integration

Enclosure:
As stated

DISTRIBUTION:
M. Srinivasan, Docket File, S. Black, ICSB Reading File, F. Miraglia, P. Check, J. Elsberges (R), J. Rosenthal (PF), J. Rosenthal, Waterford Subject File


SAFETY EVALUATION REPORT

WATERFORD STEAM ELECTRIC STATION, UNIT 3

7.0 INSTRUMENTATION AND CONTROLS

7.1 Introduction

7.1.1 General

We have evaluated the protection and control systems of the Waterford Steam Electric Station Unit No. 3, Docket No. 50-382, using as basis (1) the Commission's General Design Criteria, (2) the Institute of Electrical and Electronic Engineers (IEEE) standards including IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," (3) the applicable regulatory guides for power reactors, and (4) the applicable staff technical positions.

The final design of the Waterford 3 Plant Protection and the NSSS control systems is similar to that of the Arkansas Nuclear One - Unit 2 (ANO-2), NRC Docket No. 50-368. The Engineered Safety Features (ESF) that are not part of the NSSS, and the Balance of Plant (BOP) control systems are similar in design to those of the St. Lucie #1 Nuclear Power Plant (Docket No. 50-335).

We concentrated in our review on those areas where changes were made in the design presented in the PSAR for the construction permit, where the design differs from the plants referenced as similar by the applicant, and the areas which have remained of concern during reviews of other similar plants.

Seismic and environmental qualification of instrumentation and control systems is addressed in the staff review of Chapter 3.10 and 3.11 of the applicant's FSAR.

7.1.2 Specific Findings - Open Items

We have discussed in this report the issues that need to be resolved.

A list of SER open items follows. Resolution of these items will be reported in a supplement to this report.

1. Qualification of in containment instrument cabinet heaters and associated controls.

Electrical transmitters which provide reactor coolant system pressure sensing for the reactor protective system are located in insulated cabinets inside containment. Impulse lines connect these pressure transmitters to the pressurizer. Nonqualified heaters and associated controls have been installed in these cabinets to control temperature and humidity. Credit for these heaters is not taken in the safety analysis. The concern was raised that failure of the heater controls, such that the cabinet heaters were in continuous operation, could potentially degrade the pressure transducers and in turn invalidate the safety analyses.

The applicant is to address this concern.

2. Containment Isolation Actuation Signal Initiated By Low Primary Pressure.

The current design of the Engineered Safety Feature System (ESFS) as described in Chapter 7 of the FSAR will result in generation of a containment isolation actuation signal (CIAS) on detection of high containment pressure. The applicant has committed to modify the design such that a CIAS would be generated upon detection of high containment pressure or low pressurizer pressure. Design of the modified system has not been completed.

The applicant is to complete the design of this feature and submit the final design for ICSB review.

3. Emergency Feedwater Isolation Initiated By Main Steam Isolation Signal.

The current design of the ESFS as described in Chapter 7 (Amendment [illegible], 1980) of the FSAR will result in isolation of Emergency Feedwater (EFW) on generation of a Main Steam Isolation Signal (MSIS). MSIS is generated on detection of low steam generator pressure. The Emergency Feedwater Actuation Signal (EFAS) is generated on detection of low steam generator level augmented by steam generator differential pressure to feed only good generator logic.

These systems as currently designed serve cross purposes. The system is to be modified to delete EFW isolation by a MSIS (and analyze system response for this configuration), or modify the design such that EFAS overrides MSIS control of the EFW isolation valves.

The applicant is to complete design of these engineered safety features and submit the final design for ICSB review.

4. Emergency Feedwater Control.

The current design of the ESFS as described in Chapter 7 of the FSAR will result in generation of an Emergency Feedwater Actuation Signal (EFAS) on detection of low steam generator level. EFAS does not "seal in". When the steam generator level rises above the low steam generator level setpoint (due to EFW actuation) the EFAS "drops out". Subsequent steaming in the SG will once again drop the water level, reinstating EFAS. The concern was raised that the EFW isolation valves would be commanded to oscillate from a full open to full closed position until such time that the operator overrode the EFAS and took control (and modulation) of the EFW system. The applicant stated that the control system is being redesigned to modulate EFW flow.

The applicant is to complete design of the EFW control system and submit the final design for ICSB review.

5. Conformance with Regulatory Guide 1.47.

The intent of Regulatory Guide 1.47 is to display bypassed and inoperable status of equipment on a systems level. The applicant has designed the hardware for this system. The software is yet to be written.

The applicant is to provide the criteria to be used in the selection of equipment to be monitored, and provide the criteria to be employed in the display of inter-relationships and dependences on the equipment subsystem and system level. Supporting systems such as motive power and component cooling are to be considered as well as fundamental engineered safety features.

It is noted that the plant computer at Waterford has expansive surveillance and logical deduction capability and [illegible] this function.

6. IE Bulletin No. 79-21.

Concerns related to pressurizer and steam generator level measurement accuracy due to reference leg environmental exposure were raised in IE Bulletin 79-21. Responses to this concern were provided by the applicant in response to Questions 30.5 and 30.12. These responses address the adequacy of information to the operator, and vis a vis operator information are acceptable.

At our meeting the concern was raised that the steam generator low level setpoint may be used to initiate the EFAS and in turn EFW for an extended period of time following a high energy line break in containment. During that time period the containment temperature and pressure, and hence the steam generator level reference leg environment, will change with time. Hence, steam generator level calibration will be time variant.

The applicant is to provide the SG level setpoint selection criteria. The setpoint is to be conservatively selected to encompass the above concern.

7. IE Bulletin No. 79-27.

The applicant's response to this bulletin addresses hardware susceptibility. The emphasis of the bulletin is procedural. Specifically, plant procedures should be adequate to permit achievement of safe shutdown, given loss of a single instrument bus.

The applicant will identify equipment required for safe shutdown as part of the Appendix R (fire protection) review. The applicant will address IEB 79-27 following this review and submit related procedural criteria. ICSB conclusions related to the IEB 79-27 review and procedural criteria will be incorporated in a supplement to the SER. ICSB will not review the actual procedures.

8. Transfer to Spare ESF Pump.

Waterford 3 is equipped with a spare high pressure safety injection pump [illegible]. Installation of HPSI AB is not a regulatory requirement. The pump is installed to avoid administrative shutdowns associated with op[illegible] trains. HPSI AB [illegible] SI Train A or B in lieu of the dedicated HPSI A or B should HPSI A or B be removed [illegible].

HPSI AB takes power from 4.16 kV bus 3AB3-S which in turn [illegible] diesel backed buses 3A3-S or 3B3-S. HPSI AB is commanded to [illegible]. A single mode switch and several relays and relay contacts are employed to: initiate HPSI AB, disable HPSI A or B, and insure HPS[illegible] consistent with use of HPSI AB.

ICSB will require (by plant Technical Specification) an integrated system level test of the high pressure ECCS system (pumps, power, con[illegible]) when the HPSI AB pump is placed in service and when it is re[illegible]. We will review drawings and physical separation of the HPSI AB initiating circuits during our forthcoming site visit. We are concerned that a spare pump as described above may compromise redundant train separation.

Results of our review will be included in a supplem[illegible]

9. IE Bulletin No. 80-06.

IE Bulletin 80-06 addresses reset and override of engineered safety features. The applicant's response to the staff request to address the bulletin [illegible]. The bulletin and response were discussed during our April 15 meeting. The applicant agreed to submit additional information.

10. Monitoring Safe Shutdown.

ICSB has requested information related to safe shutdown instrumentation [illegible] the control room and on the auxiliary control panel ([illegible]). The applicant has provided responses to our specific questions.

A Safe Shutdown Analysis is to be conducted in accordance with Appendix R. [illegible] cold shutdown after a fire and identify a[illegible] shutdown from outside the control room. [illegible] instrumentation and control [illegible]

ICSB has suspended review [illegible] completion of the applicant's safe shutdown analysis.

11. RCP Shaft Break.

The applicant has been requested to perform an analysis of a [illegible] reactor coolant pump shaft break (Regulatory Guide 1.70 Revision [illegible] 15-1, 3.4). The applicant will propose modifications to the plant protective system (to initiate an earlier reactor trip than would occur without the design modifications) in order to reduce the predicted severity of this event. The applicant has been advised to perform analyses of this event with and without design modifications and submit proposed design modifications based on results of the analyses.

12. Containment Vacuum Relief System.

The applicant has been requested to describe the Containment Vacuum Relief System instrumentation (Q 30.28). The applicant's response (Amendment 17, May 1981) is insufficient. At our meeting of April 15, 1981, the applicant agreed to provide a revised, complete response.

13. Conformance with Regulatory Guide 1.97, Revision 2.

The applicant has been requested to commit to comply with Regulatory Guide 1.97, Revision 2 ... Post Accident Monitoring ... on the implementation schedule of Section D, Implementation, of the guide (Q 30.33).

To date (Amendment 17, May 1981) the applicant has not responded to this request. At our meeting of April 15, 1981, the applicant agreed to submit a response, stating that the applicant would commit to the intent of the guide.

14. Single Failure of Control System Study.

The applicant has been requested to perform a study of single failures of the control system to ascertain if such single failures and subsequent consequential failures will lead to event sequences more severe than analyzed in Chapter 15 of the FSAR.

The applicant is to commit to perform the study and provide a schedule for this effort.

15. Operation of the Reactor Protective System With One Channel in Bypass.

The applicant has proposed to operate the reactor protective system with one of four channels in bypass. The system would then function as a 2 of 3 protective system. (With one channel tripped, the system would be a 1 of 3 channel protective system.) The proposal is based on channel independence. To demonstrate independence the applicant [illegible] separation of power supplies, logic and sensors. Waterford 3 has been designed as a two battery system, that is, the four protective channels obtain power from four separate vital AC instrument buses, which in turn obtain power from two AC/DC power divisions. Hence, the demonstration of channel independence is, a priori, incomplete.

Separation of pressure sensors to RPS channels was discussed at length during a drawing review of April 14, 1981. The applicant showed separation of pressure sensors using schematics and physical layout drawings. We will review physical separation of sensors and logic during our forthcoming site visit.

Should logic and sensor separation be demonstrated, we will require (by plant Technical Specification) that the RPS be used as a four channel system with bypass of a known defective channel for no more than 48 hours, and require trip of a known defective channel after 48 hours.

16. Buffer Qualification.

Isolation devices are employed to isolate "safety" and "non-safety" electrical circuits.

In response to questions at our meeting of April 15 the applicant agreed to provide the qualification criteria used in the selection, procurement, and installation of these isolation devices.

The applicant is to provide the installation criteria employed at Waterford 3 to assure that no credible fault will result in a potential at the safety terminals of the isolation device in excess of the qualification potential.

17. Conformance with Regulatory Guide 1.118.

Regulatory Guide 1.118, Periodic Testing of Electrical Power and Protection Systems, [illegible] IEEE 338-1977. The guide is applicable to post June 1973 construction [illegible] applicants. Waterford's CP predates the guide.

The applicant's previous response to staff request to address this guide (Q 32.6) is incomplete. The applicant is to submit information explaining specific conformance and non-conformance with Regulatory Guide 1.118.

Those aspects of the design which are not in conformance with Regulatory Guide 1.118 should be shown to be in conformance with GDC 18 and GDC 21 of Appendix A, 10 CFR Part 50, and Sections 4.8 and 4.9 of IEEE Standard 279-1971.

18. Core Protection Calculators.

The Core Protective Calculators (CPCs) were not reviewed, per se, at Waterford 3.

We have taken the operating experience of ANO-2, the previous review and acceptance of the ANO-2 CPCs, and the similarity of the Waterford 3 and ANO-2 CPCs into account in reaching this decision.

The conclusions of the acceptability of the CPCs at Waterford 3 are based on the following:

(1) With the exception of Position 20, which addresses data links between the CPC and the plant computer, the applicant should provide a formal commitment to meet the requirements on CPCs in Table 7.1 of NUREG-0308, "Safety Evaluation Report, Arkansas Nuclear One, Unit 2".

(2) The data links between the plant computer and the CPCs may be connected only if the plant Technical Specifications include provisions to assure that (a) plant procedures shall be in effect to control modifications to CPC addressable constants, (b) these procedures are consistent with methods described in the bases to the Technical Specifications, (c) CPC Addressable Constants and their physically realistic allowed ranges (i.e., upper and lower bounds) are identified in the Technical Specifications, (d) values of Addressable Constants outside the allowed range are not to be entered without approval of the Plant Safety Committee, (e) an independent verification shall be conducted to confirm that Addressable Constant modifications have been made as approved by the Plant Safety Committee or the Engineering Staff (whichever is applicable), (f) modifications to the CPC Addressable Constants based on information obtained through the Plant Computer Data Links shall not be made without approval of the Plant Safety Committee.

(3) CPC operating experience at ANO-2 and CPC environmental tests indicate a sensitivity of the CPCs to fluctuations and extremes in thermal environment. The Waterford 3 Technical Specifications should, therefore, require CPC functional tests to confirm continued operability of each CPC channel whenever the CPC cabinet thermal environment exceeds allowable ranges. The allowable ranges should be justified on the basis of environmental tests of the CPCs and CPC operational experience at ANO-2.

The implementation of the CPC design including both hardware and software will be confirmed during the CPC test program. We will audit the test program to verify acceptable performance during these tests.

Subject to the acceptable implementation by the applicant of the three positions stated above and successful completion of the test program, we consider the CPC design to be acceptable.

19. Site Visit.

ICSB is tentatively scheduled to conduct a site visit (Appendix 7-B, NUREG-75/087) during the week of May 18, 1981. Results of our site visit will be included in a supplement to the SER.

20. TMI Open Items.

The applicant's response to date to TMI Items II.D.3, II.F.1 and II.F.2 provides inadequate design detail. The applicant should provide sufficient detail to demonstrate conformance with NUREG-0737, Clarification of TMI Action Plan Requirements.

Resolution of SER Open Items 3, 4, and 13 are required to adequately address TMI Items II.E.1.2 and II.F.3.

7.1.3 Conclusions

With resolution of the open items enumerated above (Section 7.1.2), we can conclude that the applicant has identified the safety-related instrumentation and control systems and the applicable safety criteria, and that these criteria conform to the Commission's regulations as set forth in the General Design Criteria, applicable Regulatory Guides, Branch Technical Positions, and industry standards. These are listed in Table 7-1 of the Standard Review Plan. We will also be able to conclude that implementation of these systems in accordance with these criteria provides reasonable assurance that the plant will perform as designed in normal operation, anticipated operational occurrences, and postulated accident conditions.

7.2 Reactor Protective System

7.2.1 System Description

The Plant Protection System (PPS), which is designed and built by Combustion Engineering, consists of a Reactor Protective System (RPS), described below, and an Engineered Safety Features Actuation System (ESFAS), described in Section 7.3.

The reactor protective system monitors selected parameters in the Nuclear Steam Supply System (NSSS) and the containment, and trips the reactor whenever established operational limits are reached. The trip parameters are:

(1) High linear power level
(2) High logarithmic power level
(3) High local power density
(4) Low departure from nucleate boiling ratio (DNBR)
(5) High pressurizer pressure
(6) Low pressurizer pressure
(7) Low steam generator No. 1 water level
(8) Low steam generator No. 2 water level
(9) High steam generator No. 1 water level
(10) High steam generator No. 2 water level
(11) Low steam generator No. 1 pressure
(12) Low steam generator No. 2 pressure
(13) High containment pressure.

Four protection channels are provided for each of the trip parameters listed above. Whenever a trip parameter reaches the predetermined trip value, the channel bistable is tripped, resulting in the deenergization of the channel trip relays. Contacts from the trip relays are arranged into six logic matrices representing all possible two-out-of-four combinations for any of the four redundant protective channels. Each logic matrix contains four output relays. Contacts of these relays are used to form four trip paths that control the power to the undervoltage coils of the circuit breakers to the control element drive mechanism (CEDM) power supplies. Four circuit breakers are provided. They are arranged in two groups, consisting of two breakers in each, to control the power from two parallel motor-generator sets. Opening one breaker in each of the two groups will remove the power to both CEDM power supplies, allowing all of the control element assemblies to drop into the core. Summarizing, coincident trip signals from two protective channels for the same trip parameter will scram the reactor.
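The coincidence logic described above, as an added Python sketch (not part of the SER or of the applicant's design documents). It assumes that any actuated logic matrix de-energizes all four trip paths and that each trip path drives one breaker; the breaker names and the handling of bypassed and forced-trip channels are hypothetical. It also reproduces the 2-of-3 and 1-of-3 reductions noted under Open Item 15.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# Six logic matrices: every two-channel combination of the four channels.
MATRICES = tuple(combinations(CHANNELS, 2))
# Four breakers in two groups of two (names are hypothetical).
BREAKER_GROUPS = (("BKR1", "BKR2"), ("BKR3", "BKR4"))


def channel_outputs(bistables, bypassed=(), forced_trip=()):
    """Effective trip state of each channel for one trip parameter.

    bistables   -- channels whose bistable has reached the trip value
    bypassed    -- channels held in bypass (can never vote for a trip)
    forced_trip -- channels placed in the tripped condition
    """
    out = {}
    for ch in CHANNELS:
        if ch in bypassed:
            out[ch] = False
        elif ch in forced_trip:
            out[ch] = True
        else:
            out[ch] = ch in bistables
    return out


def actuated_matrices(outputs):
    """Matrices in which both member channels are tripped."""
    return [m for m in MATRICES if outputs[m[0]] and outputs[m[1]]]


def reactor_scram(bistables, bypassed=(), forced_trip=(), stuck_closed=()):
    """True if CEDM power is removed, i.e. at least one breaker opens
    in each of the two groups."""
    outputs = channel_outputs(bistables, bypassed, forced_trip)
    # Assumption: one actuated matrix opens all four trip paths.
    demand = bool(actuated_matrices(outputs))
    opened = {b for grp in BREAKER_GROUPS for b in grp
              if demand and b not in stuck_closed}
    return all(any(b in opened for b in grp) for grp in BREAKER_GROUPS)


def min_coincidence(bypassed=(), forced_trip=()):
    """(k, n): the fewest bistable trips k, among the n channels still in
    normal service, that produce a scram."""
    normal = [c for c in CHANNELS
              if c not in bypassed and c not in forced_trip]
    for k in range(len(normal) + 1):
        for combo in combinations(normal, k):
            if reactor_scram(set(combo), bypassed, forced_trip):
                return k, len(normal)
    return None


if __name__ == "__main__":
    print("all channels in service :", min_coincidence())
    print("channel D bypassed      :", min_coincidence(bypassed=("D",)))
    print("channel D tripped       :", min_coincidence(forced_trip=("D",)))
    print("A+B trip, BKR1 stuck    :",
          reactor_scram({"A", "B"}, stuck_closed=("BKR1",)))
```

The stuck-breaker case shows why one breaker per group is enough: a single breaker that fails to open does not defeat the scram, while both breakers of one group failing closed does.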

In addition to the automatic trip of the reactor described above, means are also provided for a manual trip by the operator. Two independent sets of trip pushbuttons are provided, each consisting of two pushbuttons.

Actuation of the pushbuttons of either set will trip the reactor. The two pushbuttons in a set need not be depressed simultaneously.

The protective channels for the high local power density and the low departure from nucleate boiling ratio (DNBR) utilize digital core protection calculators (CPCs) to generate a trip signal. The remainder of the RPS uses hardwired analogue circuitry.

The reactor trip system for the Waterford-3 as described in the FSAR is functionally the same as that provided for the previously reviewed ANO-2 plant. The differences between the designs of these two plants, deviations from the design reviewed for the construction permit (CP), and other areas of concern are discussed in the following sections.

7.2.2 Differences from Preliminary Design

The reactor protective system described in the Final Safety Analysis Report (FSAR) has been significantly modified from the originally proposed system reviewed for the construction permit (PSAR review). The changes, listed by the applicant, are as follows:

(1) The high local power density trip is added.

(2) The thermal margin/low pressure trip is replaced by the low DNBR trip.

(3) The core protection calculators (CPCs) are added to provide the high local power density and low DNBR trips; and the thermal margin/low pressure calculator is eliminated.

(4) The low reactor coolant flow trip function is incorporated in the low DNBR trip.

(5) Reactor coolant flowrate is calculated by use of reactor coolant pump speed instead of being inferred by differential pressure measurement.

(6) Control element assembly (CEA) position signals are incorporated in the reactor protective system (RPS). Two CEA calculators are provided.

(7) A high logarithmic power level trip has replaced the high rate of change trip.

These design changes provide additional operating flexibility, and enhanced protection for CEA position deviation events. As discussed in Section 7.2.1 above, the final design of the reactor protective system for the Waterford 3 is the same as that of the ANO-2 plant, except for changes in the core protection calculators discussed in the following section. On this basis we find the design acceptable.

7.2.3 Core Protection Calculators

The final design of the reactor protective system utilizes a digital computer-based system, consisting of four core protection calculators, for deriving the low departure from nucleate boiling ratio (DNBR) and the high local power density trip functions. As stated by the applicant, the core protection calculator system for the Waterford-3 is functionally the same as that provided for the ANO-2 plant, which was reviewed extensively by the staff. Since, however, the applicant has indicated some changes because of a different number of control element assemblies (CEAs), we requested that the applicant provide a detailed comparison of the design of the Waterford-3 and ANO-2 core protection calculator systems (Q032.7). The applicant's response included the following statements:

(1) The hardware qualification and design criteria are the same for the Waterford-3 and ANO-2. Minor changes exist in cable lengths. Also the number of CEAs is different.

(2) The CPC DNBR calculations will be derived from the CE-1 correlation (design code TORC) instead of the W-3 correlation (design code COSMO) used for ANO-2.

(3) The CPC/CEAC algorithms will be modified to reflect the change in the number of control element assemblies and control element assembly subgroups.

(4) The CPC/CEAC data base constants are subject to change from ANO-2 to Waterford-3, since a large number of these constants depend upon specific core and coolant system characteristics.

The applicant has also stated that the CPC/CEAC software for Waterford-3 will include improvements in software design that are based upon in-plant system experience for SONGS 2 and 3, and ANO-2.

All software changes will be performed in accordance with "CPC Protection Algorithm Software Change Procedure CEN-39(A)-P, Revision 2" and Supplement 1-P, Revision 01. This procedure was reviewed and approved by the staff on the ANO-2 docket.

All of the differences in the CPC software between ANO-2 and Waterford-3 will be reflected in the Waterford-3 Functional Descriptions, Software Specifications, and assembly language program listings. NSSS vendor changes to the CPC software are reviewed in conjunction with staff review of FSAR Chapter 4.4, Core Thermal Hydraulic Design. Applicant changes to the CPC software are to be restricted by plant Technical Specifications (SER Open Item 18).

Based on the applicant's description and the proposed implementation of the changes in the core protection calculator system, we conclude that with resolution of SER Open Item 18, the core protection calculators are acceptable for the Waterford 3 reactor protective system.

7.2.4 Steam Generator and Pressurizer Water Level

Steam generator water level, both low and high, is used as a trip parameter in the reactor protective system. The low steam generator water level is also one of the parameters in the engineered safety features actuation system (ESFAS). The pressurizer water level signal is not a parameter of the plant protection system but it is a variable in the Post Accident Monitoring Instrumentation System (PAMIS) and as such is safety related.

The level measurement system for Waterford-3 uses level transmitters that are connected to the steam generators or the pressurizer by an open column reference leg. A concern has been raised previously on similar systems, IE Bulletin No. 79-21, regarding the effect on the measurement accuracy caused by the heatup of the reference leg due to a high energy line break inside containment. This effect would cause the indicated level to be higher than the actual, resulting in erroneous information to the protection and control systems, and to the operator. In addition, an error can be introduced in the level measurement by changes in fluid pressure.

The applicant has analyzed the Waterford 3 level measurement system and provided correction tables to be used by plant operators to account for reference leg heatup and varying fluid pressure effects. The effects of flashing and hydrogen effervescence are not accounted for in these tables. The applicant states that in applying the level corrections, the operators will be trained to assume that the reference leg temperature is at the highest containment temperature reached from the beginning of the event.

The actual setpoints for the low steam generator water level trips have not yet been selected. The applicant states that the methods used for determining the trip setpoints will ensure that the signal initiates the action required by the plant safety analyses throughout the range of ambient temperatures encountered by this instrumentation, including accident conditions. We will require that the applicant provide definitive setpoint selection criteria to ensure that the setpoint is conservatively selected to encompass the above concern (SER Open Item 6), and that the setpoint is selected consistent with GDC 13 and R.G. 1.105.

We will report our findings in a supplement to this report.

7.2.5 L2zi.m of Redundant Power Supplies

7.2.5.1 RPS Power Supplies

The four channel reactor protective system is powered from four redundant 120-V uninterruptible vital ac instrument buses which in turn obtain power from two AC/DC power divisions (power from four AC motor control centers and two batteries). The power supply dependency compromises the purported RPS four channel independency.

The applicant has proposed to operate the installed four channel RPS as a three channel system with an installed spare. As was previously reviewed and concluded by the staff on similar designs, we will require that the RPS be operated as a four channel system. See SER Open Item 15 and related Item 13.

7.2.5.2 Logic Matrix Power Supplies

To prevent a reactor trip on the loss of a single bus, each of the six RPS logic matrices is powered by two redundant dc power supplies which are each connected to a separate uninterruptible ac power bus. The same approach is also taken in the engineered safety features actuation system, to prevent inadvertent actuation of engineered safety features equipment. This arrangement challenges the isolation and hence independence of the uninterruptible ac power buses.

The same configuration is employed at ANO-2. A test program was conducted to demonstrate that the dc power supplies are isolation devices in conjunction with the ANO-2 review. The applicant has confirmed that the power supply testing performed for ANO-2 is applicable to the Waterford 3 power supplies.

Based on this confirmation of the applicability of the power supply testing, the Waterford 3 power supply configuration is acceptable.

7.2.6 Testing

As described by the applicant, the complete reactor trip system can be tested without having to disconnect any of the components or need for jumpers. The applicant also has committed in the Technical Specifications to perform at certain intervals the reactor trip system response time test. These tests include also the sensors, except for the neutron detectors. The response time of the neutron flux signal portion of the channel is to be measured from detector output or input to the first electronic component in the channel.

The applicant was requested (Q 32.6) to show how the Waterford 3 te[...] follows the recommendations of Regulatory Guide 1.118. The applicant stated that since this guide was published after design criteria had been established, it was impossible to consider testing as outlined in Section 0.7 of that [...]. We have requested that the applicant provide additional detailed information on the areas where the proposed testing program does not follow [...] of Regulatory Guide 1.118 (SER Open Item 17) to demonstrate that the tes[...]. We will [...] our [...] supplement to this report.

7.2.7 Bypasses

Trip channel bypass can be initiated manually by a controlled access switch. Interlocks allow only one channel for any one type trip to be bypassed at one time. The bypass is manually initiated and manually removed. In addition, operating bypasses are provided for the DNBR and local power density, pressurizer pressure, and high logarithmic power level trips at established power levels. These bypasses are initiated manually and are automatically removed whenever the permissive conditions no longer exist.

7.2.8 Conclusions

The reactor trip system includes the initiating circuits, logic, bypasses, interlocks, redundancy, diversity, and actuated devices utilized to implement reactor shutdown. The scope of the review included the descriptive information, function logic diagrams, schematics, and Control Wiring Diagrams, and physical arrangement drawings.

With resolution of the Open Items 1, 6, 11, 15, 16, 17 and 18 described in Section 7.1.2, we can conclude, with reasonable assurance, that the reactor trip system conforms to applicable regulations, guides, technical positions, and industrial standards, stated in SRP Section 7.1, and is therefore acceptable.

7.3 Engineered Safety Features Actuation System

7.3.1 System Description

The Engineered Safety Features Actuation System (ESFAS) is part of the plant protection system. ESFAS generates signals to actuate Engineered Safety Features (ESF) equipment. The signals generated by the ESFAS, and the associated trip input parameters, are:

(1) Safety injection actuation signal (SIAS) - low pressurizer pressure or high containment pressure.
(2) Containment cooling actuation signal (CCAS) - same as for the SIAS above.
(3) Containment isolation actuation signal (CIAS) - same as for the SIAS above (as committed by the applicant. See Section 7.3.3 below).
(4) Containment spray actuation signal (CSAS) - high containment pressure coincident with SIAS signal.
(5) Main steam isolation signal (MSIS) - low steam generator pressure, No. 1 or No. 2.
(6) Emergency feedwater actuation signal to steam generator No. 1 (EFAS-1) - low steam generator No. 1 level coincident with either no low pressure in steam generator No. 1, or high differential pressure between the steam generators with the higher pressure in steam generator No. 1.
(7) Emergency feedwater actuation signal to steam generator No. 2 (EFAS-2) - identical to above, except the conditions are for steam generator No. 2 versus steam generator No. 1.
(8) Recirculation actuation signal (RAS) - low refueling water storage pool (RWSP) level.

Each of the trip parameters listed above is monitored by four redundant protective channels. The actuation system logic is configured in the same manner as for the reactor trip system (see Section 7.2) with the four trip path outputs arranged into two redundant, two-out-of-four selective logics. Each redundant logic actuates one of the two redundant groups of corresponding engineered safety features equipment. Summarizing, coincident trip signals from two protective channels for the same trip parameter will actuate both trains of corresponding engineered safety features equipment.
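The signal list and coincidence rule above, modeled as an added example that is not part of the SER or of the applicant's design documents. The channel names A-D, the parameter labels, the sample scenarios, and the choice to vote each parameter two-out-of-four before the signals are combined are assumptions made for illustration.

```python
"""Constructed model of the ESFAS actuation logic summarized in Section 7.3.1.

Assumptions (not from the SER): channel names A-D, the parameter labels below,
and voting each parameter two-out-of-four before the signals are combined.
"""
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")

PARAMETERS = (
    "low_pzr_pressure",
    "high_ctmt_pressure",
    "low_sg1_pressure",
    "low_sg2_pressure",
    "low_sg1_level",
    "low_sg2_level",
    "high_dp_sg1_higher",  # high SG differential pressure, SG No. 1 higher
    "high_dp_sg2_higher",  # high SG differential pressure, SG No. 2 higher
    "low_rwsp_level",
)


def two_out_of_four(tripped_channels):
    """Coincidence vote for ONE parameter: any two of the four channels tripped."""
    tripped = set(tripped_channels)
    unknown = tripped - set(CHANNELS)
    if unknown:
        raise ValueError(f"unknown channel(s): {sorted(unknown)}")
    # Checking every channel pair gives six pairwise comparisons.
    return any(a in tripped and b in tripped
               for a, b in combinations(CHANNELS, 2))


def esfas_signals(trips):
    """Map {parameter: channels whose bistable tripped} to the eight signals."""
    unknown = set(trips) - set(PARAMETERS)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    v = {p: two_out_of_four(trips.get(p, ())) for p in PARAMETERS}

    sias = v["low_pzr_pressure"] or v["high_ctmt_pressure"]
    return {
        "SIAS": sias,
        "CCAS": sias,  # same inputs as SIAS
        "CIAS": sias,  # same inputs as SIAS (applicant's commitment, 7.3.3)
        "CSAS": v["high_ctmt_pressure"] and sias,
        "MSIS": v["low_sg1_pressure"] or v["low_sg2_pressure"],
        # Feed only the good generator: low level, and either its pressure is
        # not low or it is the higher-pressure generator of the two.
        "EFAS-1": v["low_sg1_level"]
        and (not v["low_sg1_pressure"] or v["high_dp_sg1_higher"]),
        "EFAS-2": v["low_sg2_level"]
        and (not v["low_sg2_pressure"] or v["high_dp_sg2_higher"]),
        "RAS": v["low_rwsp_level"],
    }


def actuated(trips):
    """Sorted names of the signals that are present for the given trips."""
    return sorted(name for name, on in esfas_signals(trips).items() if on)


# Constructed scenarios (not plant data).
SCENARIOS = {
    "single channel failed high": {"high_ctmt_pressure": ["C"]},
    "two channels, different parameters": {
        "low_pzr_pressure": ["A"], "high_ctmt_pressure": ["B"]},
    "two channels, low pressurizer pressure": {"low_pzr_pressure": ["A", "C"]},
    "two channels, high containment pressure": {"high_ctmt_pressure": ["B", "D"]},
    "SG No. 1 depressurized, both levels low": {
        "low_sg1_pressure": ["A", "B"], "low_sg1_level": ["A", "B"],
        "low_sg2_level": ["A", "B"], "high_dp_sg2_higher": ["A", "B"]},
    "both SGs low pressure, SG No. 1 higher": {
        "low_sg1_pressure": ["A", "D"], "low_sg2_pressure": ["A", "D"],
        "low_sg1_level": ["A", "D"], "low_sg2_level": ["A", "D"],
        "high_dp_sg1_higher": ["A", "D"]},
}

if __name__ == "__main__":
    for name, trips in SCENARIOS.items():
        print(f"{name:42s} -> {actuated(trips) or 'no actuation'}")
```

As the signal list is written, CSAS reduces to the high containment pressure vote alone, which matches the single-variable dependence noted in Section 7.3.3.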

As stated by the applicant, the engineered safety features actuation system for the Waterford-3 plant is functionally the same as that for ANO-2. Nevertheless, we found in our review certain areas of concern. These areas are discussed below. A discussion of changes in the preliminary design is also provided below.

7.3.2 Differences from Preliminary Design

The applicant identifies the following changes from the preliminary design provided in the PSAR that was reviewed for the construction permit:

(1) The emergency feedwater actuation signal has been added.
(2) Variable setpoints for initiation of SIAS, CCAS, and CSAS on low pressurizer pressure have been added.
(3) Variable setpoints for initiation of MSIS on low steam generator pressure are added.
(4) The group testing capability is added.

The variable setpoint of the low pressurizer pressure trip allows controlled pressure reductions, such as shutdown depressurization, without initiating safety injection, containment cooling, or containment spray. The lowering of the trip setpoint is accomplished manually in limited steps. On increasing pressure, the trip setpoint is raised automatically. The same arrangement is used also for the variable setpoint for the low steam generator pressure trip (the variable setpoint trip for the steam generator pressure is also provided for the reactor protective system).

The components in various engineered safety feature systems are divided into groups. Selection is made such that actuation of a certain group will not affect normal plant operation. Providing the group testing capability allows testing of various components with the plant at power.

The revised engineered safety features actuation system for Waterford-3, as discussed in Section 7.3.1 above, is functionally the same as that provided for the ANO-2.

On this basis the changes made in the preliminary design are considered acceptable.

7.3.3 Diversity of Actuation Signals

The applicant has committed to provide diversity in the generation of the containment isolation actuation signal by adding the low pressurizer pressure to the high containment pressure originally proposed as the sole variable. With this change, functional diversity is provided for the SIAS, CCAS, and CIAS signals (Items 1 thru 3 in Section 7.3.1 above). The remaining engineered safety features actuation signals, Items 4 thru 8 in Section 7.3.1 above, depend on a certain single variable, e.g., containment spray actuation signal on high containment pressure.

Final design modifications to the CIAS circuitry to initiate containment isolation on low pressurizer level have not been completed (SER Open Item 2). We will review the final design modifications and include our findings in a supplement to this report.

7.3.4 Emergency Feedwater System

The Emergency Feedwater System (EFS) is automatically initiated by Emergency Feedwater Actuation Signals (EFAS) 1 and 2. These signals are generated by detection of low steam generator level and steam generator differential pressure. Feed only good generator logic is employed. EFAS is part of the Engineered Safety Features Actuation System and meets the requirements of Task Action Plan Item II.E.1.2.

As described in Section 7.3.1.1.6 of the FSAR, opening of the emergency feedwater valves to the intact steam generator is initiated (EFAS) when the water level decreases below the low level trip setpoint. After the level rises above this setpoint, the valves will be closed. EFAS does not "seal in". We are concerned about apparent oscillation of steam generator water level at the low level setpoint and the suitability of the emergency feedwater isolation valves and associated piping for this type of service. The applicant has stated that the EFS control system has not been finalized (SER Open Item 4). We will report resolution of this concern in a supplement to this report.

7.3.5 Resetting of the ESFAS Signals

IE Bulletin No. 80-06 addresses reset and override of engineered safety features. The applicant will submit additional information in response to IEB 80-06 (SER Open Item 9).

7.3.6 Conclusions

The engineered safety features actuation systems include the instrumentation and controls used to detect a plant condition requiring operation of an engineered safety features (ESF) system, to initiate action of the ESF, and to control its operation. The scope of review of the ESFAS included Instrument Schematics and Logic Diagrams and Control Wiring Diagrams and descriptive information for the ESFAS and for those auxiliary supporting systems that are essential to the operation of either the ESFAS or the engineered safety features systems themselves.

With resolution of the Open Items 1, 2, 3, 4, 6, 8, 9, 11, 16, and 17 discussed in Section 7.1.2, we can conclude, with reasonable assurance, that the design of the engineered safety features actuation systems conforms to applicable regulations, guides, branch technical positions, and industry standards, stated in SRP Section 7.1, and is therefore acceptable.

7.4 Systems Required for Safe Shutdown

7.4.1 General

Instrumentation and control systems that are required to establish and maintain a safe shutdown condition for the plant are identified in Chapter 7.4 of the FSAR. In many cases these instrumentation and control systems are utilized in the performance of normal and emergency plant operations and as such are not exclusively utilized for the safe shutdown function. The systems, considered by the applicant, as required for safe shutdown are:

(1) Emergency feedwater system
(2) Atmospheric steam dump valves
(3) Shutdown cooling system
(4) Chemical and volume control system, boron addition portion
(5) Emergency shutdown from outside of the main control room.

The following ESF support systems are also required to function:

(1) Component cooling water system.
(2) Onsite power system, including diesel generator system.
(3) Heating, ventilating, and air conditioning systems for areas containing systems and equipment required for safe shutdown.
(4) Diesel fuel oil storage and transport system.

Although the applicant does not consider, and the staff concurs, that all criteria of the IEEE Standard 279 to be directly applicable to the system required for safe shutdown, the requirements of Section 4 of that standard were followed in the design. As stated by the applicant, the design [...] redundancy and separation for the systems to meet the single failure criterion. Also capability is provided for test and calibration [...] that all automatic and manual actuation and control devices [...]

The applicant will perform a Safe Shutdown Analysis in accordance with 10 CFR Part 50, Appendix R. This analysis will identify equipment needed to obtain and maintain cold shutdown after a fire and identify instrumentation and control needed for emergency shutdown outside the control room (SER Open Item 10). This analysis will either confirm the adequacy, or require the modification, of the list of systems now identified as required for safe shutdown. We will review the instrumentation and control in the control room and at the auxiliary control panel, of those systems identified in the Safe Shutdown Analysis and report our findings in a supplement to this report.

The results of our review of specific areas of the design are as follows.

7.4.2 Shutdown Cooling System

The shutdown cooling system (SDCS) is a low pressure system, located outside containment, which interfaces with the RCS. During the shutdown cooling operation, a portion of the reactor coolant is circulated through the shutdown cooling heat exchangers via the low pressure safety injection pumps. Either of the two pumps in combination with the associated shutdown heat exchanger is sufficient for proper system operation. The electrical devices needed for the operation of these systems are supplied from redundant and independent Class 1E power sources.

Overpressurization and consequential failure of the SDCS would result in a loss of coolant accident outside of containment. Overpressure protection is provided by redundant isolation valves. There are two SDCS suction lines, one in RCS loop No. 1 and one in RCS loop No. 2, each possessing three in-series isolation valves. Two of these valves in each of the lines are located inside the containment, the third valve is located outside the containment. Valves located inside the containment are provided with interlocks to prevent opening and to initiate automatic closure whenever the coolant pressure exceeds a preset value. There are four power supplies for these valves, two ac and two dc, divided into two redundant systems, one for the valves for each of the two suction lines. This configuration provides redundancy and meets the single failure criterion on a loss of a power source.

The isolation valve interlocks, described in Section 7.4.1.3 and also in Section 7.6.1.1 of the FSAR, prevent opening of the valves until the pressure decreases below 377 psig, and close the valves automatically when the pressure reaches 500 psig. Pressurizer pressure is utilized as an input to the interlock circuits. Four independent pressure monitoring channels are provided, one for each of the isolation valves. Pressure sensor equipment diversity, two sensors from each of two manufacturers, has been provided, and is in conformance with Branch Technical Position ICSB 3.

7.4.3 Emergency Shutdown From Outside The Control Room

The auxiliary control panel, located outside the main control room, contains controls and instrumentation to enable the operator to achieve and maintain the plant in the hot standby condition in the event that the main control room must be abandoned. The transfer of controls from the main control room to the auxiliary control panel is done manually by the means of transfer switches mounted on auxiliary panels. Operation of the transfer switches is annunciated in the control room. The control room, transfer switches, and auxiliary control panel are physically separated. Physical separation adequacy is addressed in the staff's fire protection review discussed in Section 9.5.1 of this SER.

A Safe Shutdown Analysis is to be conducted in accordance with 10 CFR Part 50 Appendix R. This analysis will identify equipment needed to obtain and maintain cold shutdown after a fire. This study will identify instrumentation and control needed for shutdown from outside the control room, and will be used to demonstrate conformance with GDC 19.

7.4.4 Conclusions

The review of systems required for safe shutdown includes the sensors, initiating circuitry, logic elements, interlocks, redundancy features, actuated devices, and auxiliary devices that provide the instrumentation and control functions that prevent the reactor from returning to criticality and provide means for adequate residual heat removal from the core, containment, and other vital components and systems.

The scope of review of systems required for safe shutdown for the plant included Instrumentation Schematics and Logic Diagrams and Control Wiring Diagrams and descriptive information for these systems and for auxiliary systems essential for their operation. The review has included the applicant's proposed design criteria, design bases, and analyses.

With resolution of Open Item 10 discussed in Section 7.1.2, we can conclude, with reasonable assurance, that the design of systems required for safe shutdown conforms to the applicable regulations, guides, technical positions, and industry standards stated in SRP Section 7.1, and is therefore acceptable.

7.5 Safety Related Display Instrumentation

7.5.1 General

The safety related display instrumentation provides information to the operator to ascertain the status of the reactor core, reactor coolant system, containment, and safety related process systems so that the operator may perform manual actions important to plant safety.

The applicant has tabulated the display instrumentation in the following categories:

(1) Plant process display system
(2) Reactor protective system monitoring
(3) Engineered safety features (ESF) system monitoring
(4) ESF support systems instrumentation
(5) Control element assembly (CEA) position indication
(6) Auxiliary control panel instrumentation (see Section 7.4)
(7) Post accident monitoring instrumentation.
(8) Bypass and inoperable status indication
(9) Safety parameter display system (SPDS).

Information is displayed in the main control room using hardwired displays and computer driven CRT displays. Audible alarms and visual annunciators are provided to alert the operator to deviations from normal operating conditions, such as pre-trip alarms and trips of the plant protection system, and the status, malfunction, bypass or override conditions of safety systems.

The results of our review are presented below.

7.5.2 Post Accident Monitoring Instrumentation

The post accident monitoring instrumentation (PAMI) provides information to the operator to monitor and cope with post-accident conditions.

In our review we found what we considered inadequacies in the PAMI system design. We have requested (SER Open Item 13) the applicant to inform us of his intent to meet the requirements of Regulatory Guide 1.97, Revision 2, December 1980, Section D, Implementation, which states that "Plants scheduled to be licensed to operate before June 1, 1983 should meet the requirements of NUREG-0737 and the Commission Memorandum and Order (CLI-80-21) and the schedules of these documents or prior to the issuance of a license to operate, whichever date is later. The balance of the provisions of this guide should be completed by June 1983." We will include our evaluation of the applicant's response in a supplement to this report.

7.5.3 Bypass and Inoperable Status Indication

In our review of the inoperable status indication system, as originally described in the FSAR, we found that no indication was provided for a number of systems that are considered to be important for safety. These included such systems as the Containment Cooling System, Combustible Gas Control System, Diesel Fuel Oil Storage and Transfer System, and HVAC systems for safety related equipment areas. The applicant has revised the system to provide inoperable status indication for these systems, and we consider this issue resolved.

The indicators on the inoperable status panel are divided into three groups according to the safety systems' dependence on a common electric power supply. These are SA, SB, and SAB. The display lights are back lit, maintained position pushbuttons. The lights have a split architecture. The upper light is actuated by the plant computer. The operator can extinguish the light by depressing the respective pushbutton. This actuates simultaneously the lower light. This light again can be extinguished only by the operator by depressing the respective pushbutton. Hardwired status indication of major components is also displayed in the control room.

While system hardware has been designed, associated software has not been written. We have requested that the applicant provide software design criteria (SER Open Item 5). We will report our findings in a supplement to this report.

The human engineering aspects of the display function for this system will be addressed by the Division of Human Factors Safety.

7.5.4 Safety Parameter Display System

In response to the requirements of NUREG-0696, "Functional Criteria for Emergency Response Facilities," the applicant has proposed to provide for Waterford-3 a Plant Safety Parameter Display System (SPDS). The proposed SPDS system consists of plant computer-driven CRT displays on the main control board. Duplication of the SPDS displays is to be provided in the Technical Support Center (TSC) and the Emergency Operations Facility (EOF).

A computer-driven CRT display system was selected primarily on the basis of flexibility. This includes flexibility in changing the display formats, choice and grouping of displays by operator, and flexibility for incorporation of advanced concepts and techniques in the future. The applicant has committed to obtain an independent organization to evaluate the capability of the existing plant computer systems in meeting the design criteria set by NUREG-0696 for the SPDS system. Also, an independent coordinated computer power supply reliability study is to be performed. We will review the evaluation results and include our findings in a supplement to this report.

7.5.5 Conclusions

With resolution of the Open Items 5, 7, 11, and 13 discussed in Section 7.1.2, we can conclude with reasonable assurance, that the design of safety-related display instrumentation conforms to applicable regulations, guides, technical positions, and industry standards, stated in SRP Section 7.1, and is therefore acceptable.

7.6 All Other Instrumentation Systems Required for Safety

7.6.1 General

The systems listed by the applicant in this category are:

(1) Shutdown cooling system interlocks
(2) Safety injection tank isolation valve interlocks
(3) Refueling interlocks
(4) Spent fuel pool cooling and cleanup system
(5) Containment purge isolation signal
(6) Reactor coolant system leak detection system
(7) Area and process radiation monitoring
(8) Containment vacuum relief system
(9) Low temperature overpressure protection.

The shutdown cooling system interlocks, included in this section, are also discussed in Section 7.4 of the FSAR. Our review of these interlocks is provided with the evaluation of the shutdown cooling system in Section 7.4.2 of this report. The refueling interlocks, although listed in the required-for-safety category as required by SRP, are considered by the applicant as not safety related since no credit is taken for these interlocks in accident analyses. The results of our review of the remaining systems are provided below.

7.6.2 Safety Injection Tank Isolation Valve Interlocks

Four safety injection tanks (SITs) are used to flood the core with borated water following depressurization as a result of a LOCA. During normal plant operation, each safety injection tank is isolated from the reactor coolant system by two check valves in series. In addition, a motor-operated isolation valve on each safety tank discharge [...]. Interlocks, provided by pressurizer pressure measurement, prevent closing the valves until the pressure decreases below 400 psig, and automatically open the valves when the pressure reaches 500 psig. In addition, the valves will open automatically on a safety injection actuation signal (see Section 7.3).

The applicant considers the requirements of IEEE Standard 279 as not directly applicable to the valve interlocks. The applicant has, however, provided an analysis of how the design meets the requirements of Section 4 of IEEE 279.

The valves are locked open and the valve motor breaker handle is padlocked in the open position. Valve position indicating lights are provided in the main control room. An audible alarm is actuated whenever the pressure is above 500 psig and a valve is not fully open. The position indication and audible alarm are independent of the motor control power.

The design as described by the applicant follows the recommendations of Branch Technical Position ICSB 4, and ICSB 18, and is therefore acceptable.

7.6.3 Containment Purge System

The containment atmosphere purge system consists of a containment air makeup unit and a containment purge exhaust which is connected to the exhaust portion of the reactor auxiliary building normal ventilation system. Radiation monitors located inside the containment generate a containment purge isolation signal (CPIS) to the purge system isolation valves. Closing the valves prevents purging the containment when the radiation is above an acceptable level.

The applicant has described conformance of this system to IEEE 279-1971. The system is testable from the control room. On these bases we find this system acceptable.

7.6.4 Reactor Coolant System Leak Detection System

The means provided for leak detection consist of instrumentation which can detect general leakage from the reactor coolant pressure boundary. The process variables that are monitored for detection of leakage include liquid level, flow rate, pressure, and temperature in various sumps, tanks, and fluid lines. Also the containment atmosphere is monitored for particulate, iodine, and gaseous radioactivity. Radioactivity in the containment atmosphere indicates the presence of fission products due to a reactor coolant system leak, or leakage of a contaminated secondary fluid system.

The design of Waterford 3 reactor coolant system leak detection system is consistent with the recommendations of the Regulatory Guide 1.45 (M[...]). On this basis we find this system acceptable.

7.6.5 Containment Vacuum Relief System

Two redundant containment vacuum breakers have been provided for protection against loss of containment integrity under external loading conditions. No information, however, can be found in the FSAR that would allow us to evaluate the design adequacy. We have requested (SER Open Item 12) the applicant to describe the instrumentation provided and the design criteria applied for this system. We will include our evaluation of the applicant's response in a supplement to this report.

7.6.6 Low Temperature Overpressure Protection

The overpressure protection of the reactor coolant system for low temperature conditions is provided by relief valves located in the shutdown cooling system (SDCS) suction lines. The relief valves are spring-loaded (bellows) type. There is no instrumentation associated directly with these valves. Computer indication is provided to alert the operator when the SDCS isolation valves may be opened, thus manually aligning the SDCS relief valves to the reactor coolant system. The setpoints for the relief valves are such that the setpoints for the SDCS isolation valve interlocks will not be reached due to a low temperature overpressure event and the SDCS relief valves will remain aligned to the reactor coolant system (see Section 7.4.2 of this report on the isolation valve interlocks).

The use of redundant, mechanical relief valves provides a reliable low temperature overpressure protection system and is consistent with the requirements of GDC 15.

7.6.7 Conclusions

With resolution of SER Open Item 12, Containment Vacuum Relief System Instrumentation, we can conclude, with reasonable assurance, that the design of these systems conforms to applicable regulations, guides, technical positions, and industry standards, stated in SRP Section 7.1, and is therefore acceptable.
7.7 Control Systems Not Required for Safety

7.7.1 General

The control and instrumentation systems that are considered by the applicant as required for the control of the plant, but not essential for safety, are:

(1) Reactor regulating system
(2) Boron control
(3) Pressurizer pressure control
(4) Pressurizer level control
(5) Feedwater control system
(6) Steam bypass control system
(7) Main turbine controls
(8) Core operating limit supervisory system
(9) Plant computer system
(10) In-core instrumentation system
(11) Ex-core neutron flux monitoring
(12) Reactor power cutback system
(13) Megawatt demand setter system.

The applicant has stated that the NSSS control systems for Waterford 3 are identical to those of ANO-2, except for some differences in the steam bypass system. The reactor power cutback system, and the megawatt demand setter system are not provided for ANO-2.

7.7.2 Differences From Preliminary Design

Additions made to the preliminary design of the control systems, as listed by the applicant, are:

(1) Core operating limit supervisory system has been added.
(2) Megawatt demand setter system has been added.
(3) Movable detector system has been added to the incore instrumentation system.

The core operating limit supervisory system consists of process instrumentation and algorithms implemented by the plant computer to continually monitor the limiting conditions for operation on peak linear heat rate, margin to DNBR, total core power, and azimuthal tilt. COLSS is an automated aid to the operator who is charged with maintaining the plant within the limiting conditions for operation. The movable incore detector system will permit incore intercalibration of the fixed position incore neutron detectors.

Both of the above systems are installed at ANO-2. These systems enhance data acquisition and on this basis these changes in the preliminary design are acceptable. The megawatt demand setter and the reactor power cutback systems are unique to Waterford 3 plant. A discussion of these systems is provided below. Also discussed below are the concerns regarding control system failures.

7.7.3 Megawatt Demand Setter System and Reactor Power Cutback System

7.7.3.1 Megawatt Demand Setter System

The megawatt demand setter system (MDS) monitors NSSS limits to assure that plant power output is consistent with actual NSSS operating conditions. The MDS accepts increase or decrease power load commands from either the automatic dispatch system (ADS) remote station, or as set by the operator at the local MDS panel. This demand is compared with various NSSS operating limits including those available from core operating limit supervisory system (COLSS). A load rate change consistent with the operating limits is then issued to the turbine digital electro-hydraulic (DEH) control system.

If conditions exist in which the turbine is limiting or the NSSS is limiting, or a failure renders the MDS system inoperative, the MDS system may be placed in an "off" mode, or in a tracking mode until the specific condition is cleared.

7.7.3.2 Reactor Power Cutback System

The reactor power cutback system is a control system designed to accommodate certain types of imbalances in the operation of the plant, by providing a "step" reduction in reactor power. This is accomplished by dropping one or several preselected groups of full length control element assemblies (CEAs) simultaneously into the core. The reactor power cutback system also provides control signals to the turbine to rebalance turbine and reactor power following the initial reduction in reactor power, as well as to restore steam generator water level and pressure to their normal controlled values.

7.7.3.3 Basis of Acceptability

The safety analyses have been performed assuming either automatic operation of the control systems, if automatic operation would tend to make the consequences of an event more adverse, or operation in a manual mode (control system disabled), if automatic operation would tend to make the consequences of an event less severe.

In this case, the Megawatt Demand Setter System, and Reactor Power Cutback Systems, are assumed to be disabled.

Credit for operation of these systems is not assumed in the :a te,

Failures of these systems, in and of themselves, and exclusive of consequential failures (See SER Open Item 14), are less severe than sequences explicitly considered in the Waterford 3 safety analysis.

We consider addition of these systems acceptable.

The Megawatt Demand Setter System, and the Reactor Power Cutback System are first of a kind systems. Failures of these systems will challenge engineered safety features.

Therefore we require that the applicant report (by submittal of a Licensing Event Report) inadvertent or spurious operation or malfunction (exclusive of testing) of these systems which challenge the engineered safety features including reactor trip.

These reports (LERs) are to be submitted for at least the first two fuel cycles of operation.

Subsequently, the applicant may review and submit the operating experience gained with these systems and request relief from the reporting requirement.

This reporting requirement is to be made a condition of the Operating License.

7.7.4 Loss of Power to Control Systems

A concern was raised in IE Bulletin 79-27 regarding the loss of a non-Class IE power bus resulting in a consequential control system malfunction and significant loss of information to the operator. We have requested the applicant to provide us with results of the Waterford 3 plant review with respect to Bulletin 79-27 (SER Open Item 7). We will include our evaluation in a supplement to this report.

7.7.5 Control System Failures Following a High Energy Line Break

IE Bulletin 79-22 addresses consequential control system failure following a high energy line break. We requested (0 030. 37) the applicant to identify the control systems, if any, which will be subject to the environment resulting from a high energy line break and whose failure could impact the analyses. The applicant's response (Amendment 17, w / 1H:)

7.7.6 Single Failure of Control System Study

The applicant has been requested to perform a study of single failures of the control system to ascertain if such single failures and subsequent consequential failures will lead to sequences more severe than analyzed in Chapter 15 of the FSAR (SER Open Item 14 and Unresolved Safety Issue A-47).

7.7.7 Conclusions

The staff has reviewed the controls for systems not required for safety, to determine the effects of failures or malfunctions of these controls on the reactor protection system and other plant safety-related systems.

With resolution of SER Open Items 7 and 14, we can conclude, with reasonable assurance, that failures or malfunctions of these controls should not be expected to degrade the capabilities of plant safety systems in any significant degree, or to lead to plant conditions more severe than those for which the safety systems are designed.
