ML20138L237

Forwards Missing Sections of 850826 Draft SER. Sections Document NRC Evaluation of Indicated Portions of FSAR
ML20138L237
Person / Time
Site: South Texas
Issue date: 10/18/1985
From: Novak T
Office of Nuclear Reactor Regulation
To: Goldberg J
HOUSTON LIGHTING & POWER CO.
References
NUDOCS 8510310230


Text

Docket Nos.: 50-498 and 50-499

Mr. J. H. Goldberg
Group Vice President - Nuclear
Houston Lighting and Power Company
Post Office Box 1700
Houston, Texas 77001

Dear Mr. Goldberg:

SUBJECT: DRAFT SAFETY EVALUATION SECTIONS FOR THE SOUTH TEXAS PROJECT, UNITS 1 AND 2

The NRC staff issued a Draft Safety Evaluation Report (DSER) on August 26, 1985 reflecting the status of the staff review. It was indicated that the DSER was not a complete document. In an effort to complete some of the missing sections of the DSER, enclosed are sections documenting the evaluation by the staff on the indicated portions of the FSAR. These sections are in addition to our transmittal of October 4, 1985. The documentation could change as the review progresses; however, in its current form the evaluations should serve as the basis for discussions to resolve the remaining technical issues.

Please contact the Project Manager, N. Prasad Kadambi at (301) 492-7272 if you have any questions.

Sincerely,

Original signed by: Thomas M. Novak

Thomas M. Novak, Assistant Director for Licensing
Division of Licensing

Enclosure: As stated

cc: See next page

Distribution:
Docket File, JLee, EJordan, NRC PDR, NPKadambi, Local PDR, OELD, Attorney, PRC System, ACRS(16), NSIC, JPartlow, LB#3 Reading, BGrimes

DL LB#3 NPKadambi/es

8510310230 851018 PDR ADOCK 05000498 E PDR

Mr. J. H. Goldberg
Houston Lighting and Power Company
South Texas Project

cc:

Brian Berwick, Esq.
Assistant Attorney General
Environmental Protection Division
P. O. Box 12548
Capitol Station
Austin, Texas 78711

Resident Inspector / South Texas Project
c/o U.S. Nuclear Regulatory Commission
P. O. Box 910
Bay City, Texas 77414

Mr. J. T. Westermeir
Manager, South Texas Project
Houston Lighting and Power Company
P. O. Box 1700
Houston, Texas 77001

Mr. Jonathan Davis
Assistant City Attorney
City of Austin
P. O. Box 1088
Austin, Texas 78767

Mr. H. L. Peterson
Mr. G. Pokorny
City of Austin
P. O. Box 1088
Austin, Texas 78767

Ms. Pat Coy
Citizens Concerned About Nuclear Power
5106 Casa Oro
San Antonio, Texas 78233

Mr. J. B. Poston
Mr. A. Von Rosenberg
City Public Service Board
P. O. Box 1771
San Antonio, Texas 78296

Mr. Mark R. Wisenberg
Manager, Nuclear Licensing
Houston Lighting and Power Company
P. O. Box 1700
Houston, Texas 77001

Jack R. Newman, Esq.
Newman & Holtzinger, P.C.
1615 L Street, NW
Washington, D.C. 20036

Mr. Charles Halligan
Mr. Burton L. Lex
Bechtel Corporation
P. O. Box 2166
Houston, Texas 77001

Melbert Schwartz, Jr., Esq.
Baker & Botts
One Shell Plaza
Houston, Texas 77002

Mr. E. R. Brooks
Mr. R. L. Range
Central Power and Light Company
P. O. Box 2122
Corpus Christi, Texas 78403

Mrs. Peggy Buchorn
Executive Director
Citizens for Equitable Utilities, Inc.
Route 1, Box 1684
Brazoria, Texas 77422

Houston Lighting & Power Company - 2 - South Texas Project

cc:

Regional Administrator, Region IV
U.S. Nuclear Regulatory Commission
Office of Executive Director for Operations
611 Ryan Plaza Drive, Suite 1000
Arlington, Texas 76011

Mr. Lanny Sinkin
Citizens Concerned About Nuclear Power
3022 Porter Street, NW #304
Washington, D.C. 20008

Mr. S. Head, Representative
Houston Lighting and Power Company
Suite 1309
7910 Woodmont Avenue
Bethesda, Maryland 20814


4.5.1 Control Rod Drive Structural Materials

The staff concludes that the structural materials for the control rod drive mechanism are acceptable and satisfy the requirements of GDC 1, 14, and 26 and 10 CFR 50.55a.

This conclusion is based on the applicant having demonstrated that the properties of materials selected for components of the control rod drive mechanism exposed to the reactor coolant satisfy Appendix I of Section III of the ASME Code, and Parts A, B, and C of Section II of the Code and conform with the staff position that the yield strength of cold-worked austenitic stainless steels does not exceed 90,000 psi. Conformance to the recommendations of RG 1.85 is discussed in Section 5.2.1.2 of this SER.

The controls imposed upon the ferrite content of austenitic stainless steel filler materials satisfy the recommendations of RG 1.31, "Control of Ferrite Content in Stainless Steel Weld Metal," or the applicant's alternative approaches are acceptable to the staff as discussed in SER Section 5.2.3.

The controls imposed upon austenitic stainless steels to reduce sensitization satisfy, to the extent practical, the recommendations of RG 1.44, "Control of the Use of Sensitized Stainless Steel," or the applicant's alternative approaches are acceptable to the staff as discussed in SER Section 5.2.3.

The applicant has confirmed that the tempering temperatures and aging temperatures of heat-treatable materials in the control rod drive mechanism are specified to eliminate the susceptibility to stress corrosion cracking in reactor coolant. The fabrication and heat-treatment practices performed provide reasonable assurance that stress corrosion cracking will not occur during the design life of the components. The compatibility of all materials used in the control rod system in contact with the reactor coolant satisfies the criteria of Articles NB-2160 and NB-3120 of Section III of the ASME Code.

Cleaning and cleanliness control are in accordance with ANSI Standard N 45.2.1-1973, "Cleaning of Fluid Systems and Associated Components During Construction Phase of Nuclear Power Plants," and follow to the extent practicable the recommendations of Regulatory Guide 1.37, "Quality Assurance Requirements for Cleaning Fluid Systems and Associated Components of Water-Cooled Nuclear Power Plants." The applicant's alternative approaches have been reviewed and approved by the staff as discussed in SER Section 5.2.3.

4.5.2 Reactor Internal Materials

The staff concludes that the materials used for the construction of the reactor internal and core-support structure are acceptable and meet the requirements of GDC 1 and 10 CFR 50.55a ("Codes and Standards"). The conclusion is based upon the following considerations.

The applicant has met the requirements of GDC 1 and 10 CFR 50.55a with respect to assuring that the design, fabrication, and testing of the materials used in the reactor internal and core-support structure are of high quality standards and adequate for structural integrity. The controls imposed upon components constructed of austenitic stainless steel satisfy, to the extent practical, the recommendations of RGs 1.31 and 1.44. Where the recommendations of these RGs were not followed, the staff reviewed alternative approaches taken by the applicant and found them acceptable as discussed in SER Section 5.2.3.

The materials used for construction of components of the reactor internal and core support structure have been identified by specification and found to be in conformance with the requirements of ASME Code Section II, Parts A, B, and C and ASME Code Section III, Article NG-2000. Conformance to the recommendations of RG 1.85, "Code Case Acceptability--ASME Section III Division 1," is discussed in Section 5.2.1.2 of this SER. As proven by extensive tests and satisfactory performance, the specified materials are compatible with the expected environment, and corrosion is expected to be negligible. The controls imposed on the reactor coolant chemistry provide reasonable assurance that the reactor internal and core-support structure will be adequately protected during operation from conditions which could lead to stress corrosion of the materials and loss of component structural integrity.

The material selection, fabrication practices, examination and testing procedures, and control practices performed in accordance with these recommendations provide reasonable assurance that the materials used for the reactor internal and core-support structure are in a metallurgical condition to preclude inservice deterioration. Conformance with requirements of the ASME Code and the recommendations of the RGs constitute an acceptable basis for meeting, in part, requirements of GDC 1 and 10 CFR 50.55a.

5.2.3 Reactor Coolant Pressure Boundary Materials

The staff concludes that the plant's design is acceptable and satisfies the requirements of GDC 1, 4 ("Environmental and Missile Design Bases"), 14 ("Reactor Coolant Pressure Boundary"), 30 ("Quality of Reactor Coolant Pressure Boundary"), and 31 of Appendix A of 10 CFR 50; and the requirements of 10 CFR 50.55a. This conclusion is based on the staff's review of the FSAR.

The materials used for construction of components of the RCPB have been identified by specification and found to be in conformance with the requirements of ASME Code Section III. Compliance with the above Code provisions for materials specifications satisfies the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a.

The materials of construction of the RCPB exposed to the reactor coolant have been identified, and all of the materials are compatible with the primary coolant water. This includes conforming to the recommendations of RG 1.44, "Control of the Use of Sensitized Stainless Steel," or the alternative approaches taken by the applicant that are acceptable to the staff. The applicant's exception to regulatory position C4 of establishing 200°F as the upper limit for dissolved oxygen concentration above 0.1 ppm is based upon the NSSS' practice for oxygen removal not being fully effective until approximately 250°F. As the start up operation is of relatively short time duration, the length of time when the reactor coolant water is 200°F until 225°F when oxygen scavenging by hydrazine is initiated is very short. It is doubtful that corrosion or stress corrosion cracking of any significance would occur in this short time frame to materials in contact with reactor coolant. In addition, the reactor coolant is chemically controlled in accordance with appropriate Technical Specifications. The compatibility of the reactor coolant pressure boundary materials with these chemical and oxygen control methods has been proven by extensive testing and satisfactory performance.

General corrosion of all materials in contact with reactor coolant is negligible; accordingly, general corrosion is not of concern. Compatibility of the materials with the coolant and compliance with the Code provisions satisfy the requirements of GDC 4 relative to compatibility of components with environmental conditions.

The materials of construction for the RCPB are compatible with the thermal insulation used in these areas. The thermal insulation used on the RCPB is either the reflective stainless steel type or is made of nonmetallic compounded materials that are in conformance with the recommendations of RG 1.36, "Nonmetallic Thermal Insulation for Austenitic Stainless Steels." Conformance with the above recommendations satisfies the requirements of GDC 14 and GDC 31 relative to prevention of failure of the RCPB.

The ferritic steel tubular products and the tubular products fabricated from austenitic stainless steel have been found to be acceptable by nondestructive examinations in accordance with provisions of ASME Code Section III. Compliance with these Code requirements satisfies the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a.

The fracture toughness tests required by the ASME Code, augmented by Appendix G (10 CFR 50), provide reasonable assurance that adequate safety margins against nonductile behavior or rapidly propagating fracture can be established for all pressure retaining components of the RCPB. The use of Appendix G of ASME Code Section III and the results of fracture toughness tests performed in accordance with the Code and NRC regulations in establishing safe operating procedures provide adequate safety margins during operating, testing, maintenance, and postulated accident conditions. Compliance with these Code provisions and NRC regulations satisfies the requirements of GDC 31 and 10 CFR 50.55a regarding prevention of fracture of the RCPB.

The applicant has taken alternative approaches to the recommendations of RG 1.50, "Control of Preheat Temperature for Welding Low Alloy Steels." The alternative approaches taken by the applicant are (1) welding procedures are qualified within the preheat temperature range rather than at the minimum preheat temperature and (2) preheat temperatures are maintained for an extended period of time rather than until the start of post weld heat treatment.

The staff concludes that these alternative approaches are adequate to prevent hydrogen cracking (the concern of RG 1.50) and will not cause other hazards. Accordingly, the staff accepts these alternative approaches.

The controls used provide reasonable assurance that components made from low-alloy steels will not crack during fabrication. If cracking does occur, the required Code inspections should detect such flaws. These controls satisfy the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a.

The controls imposed on electroslag welding of ferritic steels are in accordance with the recommendations of Regulatory Guide 1.34, "Control of Electroslag Weld Properties," and provide assurance that welds fabricated by the process will have high integrity and will have a sufficient degree of toughness to furnish adequate safety margins during operating, testing, maintenance, and postulated accident conditions. Conformance with the recommendations of Regulatory Guide 1.34 also satisfies the quality standards requirements of GDC 1, GDC 30, and §50.55a.

The controls imposed on welding ferritic and austenitic steels under conditions of limited accessibility satisfy, to the extent practical, the recommendations of RG 1.71, "Welder Qualification for Areas of Limited Accessibility." As an alternative approach to Position C.1 of RG 1.71, the applicant's contractors maintain close supervisory control of the welders, and welding situations in production reoccur often enough to ensure that the most skilled welders are used in areas of limited accessibility.

The staff concludes that, because such welds are inspected, qualification of the welders making acceptable welds occurs under the Code.

These controls satisfy the quality standards requirements of GDC 1, GDC 50, and 10 CFR 50.55a. The controls imposed on weld cladding of low-alloy steel components by austenitic stainless steel are in accordance with the recommendation of RG 1.43.

The controls to avoid stress corrosion cracking in RCPB components constructed of austenitic stainless steels satisfy, to the extent practical, the recommendations of RG 1.37, "Quality Assurance Requirements for Cleaning of Fluid System and Associated Components of Water-Cooled Nuclear Plants."

The staff acknowledges that to prohibit chemical compounds with sulfur, chlorides, fluorides, etc. of all items that come in contact with austenitic stainless steels is not practical. The approach by the applicant of controlling the chemical contents of these items that come in contact with austenitic stainless steel components to reasonably low levels is acceptable to the staff.

The thermo-mechanical processing of austenitic stainless steel components in the reactor coolant pressure boundary is controlled to limit the yield strength of the components to a maximum of 90,000 psi.

The controls followed during material selection, fabrication, examination, protection, sensitization, and contamination provide reasonable assurance that the RCPB components of austenitic stainless steels are in a metallurgical condition that minimizes susceptibility to stress corrosion cracking during service. These controls satisfy the requirements of GDC 4 relative to compatibility of components with environmental conditions and requirements of GDC 14 relative to prevention of leakage and failure of the RCPB.

The controls imposed during welding of austenitic stainless steels in the RCPB (1) satisfy, to the extent practical, the recommendations of RG 1.31, "Control of Ferrite Content in Stainless Steel Weld Metal," and RG 1.71, or (2) the staff reviewed the alternative approaches taken by the applicant and found them acceptable. The applicant's alternative approach of using chemical analysis in lieu of magnetic measurement devices to analyze the weld metal deposit to determine ferrite content has been discussed in WCAP-8324 and was previously approved by the staff in a letter dated December 23, 1974, from D. B. Vassallo, NRC, to R. Salvatori, Westinghouse. The applicant's alternative approaches to R.G. 1.71 were discussed previously in this SER Section.

The controls provide reasonable assurance that (1) welded components of austenitic stainless steel did not develop microfissures during welding and, (2) they have high structural integrity. These controls satisfy the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a, and satisfy the requirements of GDC 14 relative to prevention of leakage and failure of the RCPB.

5.3.1 Reactor Vessel Materials

The staff concludes that the reactor vessel materials are acceptable and satisfy the requirements of GDC 1, 4, 14, 30, 31, and 32; the material testing and monitoring requirements of Appendices B, G, and H of 10 CFR 50; and the requirements of 10 CFR 50.55a.

The materials used for construction of the reactor vessel and its appurtenances have been identified by specification and found to be in conformance with ASME Code Section III. Special requirements of the applicant with regard to control of residual elements in ferritic materials have been identified and are considered acceptable. Compliance with the above Code provisions for material specifications satisfies the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a.

Ordinary processes were used for the manufacture, fabrication, welding, and nondestructive examinations of the reactor vessel and its appurtenances. Nondestructive examinations in addition to Code requirements were also performed. Because the applicant has certified that the requirements of ASME Code Section III have been complied with, the processes and examinations used are considered acceptable. Compliance with these Code provisions satisfies the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a.

When welding components of ferritic steels, Code controls are supplemented by conformance with the recommendations of regulatory guides as follows:

(1) The controls imposed on welding preheat temperatures are in conformance to the extent practical with the recommendations of RG 1.50. The staff reviewed and found acceptable the alternative approaches taken by the applicant (see Section 5.2.3 of this SER). These controls (a) provide reasonable assurance that components made from low-alloy steels did not crack during fabrication and (b) minimize the potential for subsequent cracking. These controls also satisfy the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a.

(2) The controls imposed on electroslag welding of ferritic steels are in conformance with the recommendations of Regulatory Guide 1.34, "Control of Electroslag Weld Properties." These controls on the process ensure that the welds fabricated will have high integrity and will have a sufficient degree of toughness to furnish adequate safety margins. These controls satisfy the quality standards requirements of GDC 1, GDC 30, and §50.55a.

(3) The controls imposed during weld cladding of ferritic steel components are in conformance with the recommendations of RG 1.43. These controls provide assurance that underclad cracking did not occur during weld cladding of the reactor vessel and satisfy the quality standards requirements of GDC 1, GDC 30, and §50.55a.

When welding components of austenitic stainless steels, Code controls are supplemented by conformance with the recommendations of regulatory guides as follows:

(1) The controls imposed on delta ferrite in austenitic stainless steel welds satisfy most of the recommendations of RG 1.31. The staff reviewed and finds acceptable the alternate approaches taken by the applicant (see Section 5.2.3 of this SER).

(2) The controls imposed on electroslag welding of austenitic stainless steels are in conformance with the recommendations of Regulatory Guide 1.34 (see item 2 above). These controls satisfy the quality standards requirements of GDC 1, GDC 30 and §50.55a.

The controls (during all stages of welding) to avoid contamination and sensitization that could cause stress corrosion cracking in austenitic stainless steels conform with the recommendations of regulatory guides as follows:

(1) The controls to avoid contamination and excessive sensitization of austenitic stainless steel satisfy, to the extent practical, the recommendations of RG 1.44. The staff reviewed and finds acceptable the alternative approaches taken by the applicant (see Section 5.2.3 of this SER). The controls used provide reasonable assurance that welded components were not contaminated or excessively sensitized before and during the welding process. These controls satisfy the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a, and the GDC 4 requirement relative to material compatibility.

(2) The controls regarding onsite cleaning and cleanliness controls of austenitic stainless steel are in conformance with the recommendations of RG 1.37 or the alternate approaches taken by the applicant have been reviewed and approved by the staff (see 5.2.3). These controls provide reasonable assurance that austenitic stainless steel components were properly cleaned onsite and Appendix B of 10 CFR 50 regarding controls for onsite cleaning of materials and components is satisfied.

Integrity of the reactor vessel studs and fasteners is ensured by conformance to the extent practical with the recommendations of RG 1.65, "Materials and Inspections for Reactor Vessel Closure Studs." The applicant's alternative approaches of (1) using a modified SA540, Grade B-24 steel for closure stud material, which is allowed by Code Case 1605 and (2) not specifying a maximum ultimate tensile strength and relying on the bolting material's low alloy steel chemistry, heat treatment, and toughness requirements to control ultimate tensile strength are acceptable to the staff. Compliance with these recommendations and the applicant's alternative approaches satisfy the quality standards requirements of GDC 1, GDC 30, and 10 CFR 50.55a; the prevention of fracture of the RCPB requirement of GDC 31; and the requirements of Appendix G of 10 CFR 50, as detailed in the provisions of the ASME Code Sections II and III.

5.4.2.1 Steam Generator Materials

The staff concludes that the steam generator materials specified are acceptable and meet the requirements of GDC 1, 14, 15, and 31, and Appendix B to 10 CFR 50. This conclusion is based on the discussion in the following paragraphs.

The applicant has satisfied the requirements of GDC 1 with respect to codes and standards by ensuring that the materials selected for use in Class 1 and Class 2 components were fabricated and inspected in conformance with codes, standards, and specifications acceptable to the staff. Welding qualification, fabrication, and inspection during manufacture and assembly of the steam generators were done in conformance with the requirements of ASME Code Sections III and IX.

The requirements of GDC 14 and 15 have been satisfied to ensure that the reactor coolant boundary and associated auxiliary systems have been designed, fabricated, erected, and tested so they have an extremely low probability of abnormal leakage, of rapid failure, and of gross rupture, during normal operation and anticipated operational occurrences.

The primary side of the steam generator is designed and fabricated to comply with ASME Code Class 1 criteria, as required by the staff. The secondary side pressure boundary parts of the steam generator are designed, manufactured, and tested to ASME Code Class 1 criteria although the staff required classification is ASME Code Class 2.

The crevice between the tubesheet and the inserted tube is minimal because the tube was expanded to the full depth of insertion of the tube in the tubesheet. The tube expansion and subsequent positive contact pressure between the tube and the tubesheet preclude a buildup of impurities from forming in the crevice region and reduce the probability of crevice boiling.

The tubes are seal welded to the tubesheet to ensure maintenance of separate paths between the primary and secondary water flows.

To provide additional control of water chemistry, copper was eliminated in the secondary loop, titanium tubing was utilized in the condensers, and precation and mixed bed full flow condensate polishers have been added.

The requirements of GDC 31 have been satisfied with respect to the fracture toughness of the ferritic materials because the pressure boundary materials of ASME Code Class 1 components of the steam generators will comply with the fracture toughness requirements and tests of Subarticle NB-2300 of ASME Code Section III.

The materials of the ASME Code Class 2 components of the steam generators will comply with the fracture toughness requirements of Subarticle NC-2300 of ASME Code Section III.

The requirements of Appendix B of 10 CFR 50 have been satisfied because the onsite cleaning and cleanliness controls during fabrication conform to the recommendations of RG 1.37 or the applicant's alternative approaches are acceptable (see 5.2.3).

10.3.6 Main Steam and Feedwater Materials

The staff concludes that the main steam and feedwater system materials are acceptable and satisfy the relevant requirements of 10 CFR 50, 10 CFR 50.55a, GDC 1 ("Quality Standards and Records"), and Appendix B to 10 CFR 50. This conclusion is based on the following:

The applicant selected materials for Class 2 and 3 components of the steam and feedwater systems that satisfy Appendix I of Section III of the ASME Boiler and Pressure Vessel Code, as well as Parts A, B, and C of Section II of the Code. Conformance to the recommendations of RG 1.85, "Materials Code Case Acceptability--ASME Section III, Division 1," is discussed in Section 5.2.1.2 of this SER.

The fracture toughness properties of ferritic steel materials satisfy the requirements of the Code. The fracture toughness tests and mechanical properties required by the Code provide reasonable assurance that ferritic materials will have adequate safety margins against the possibility of nonductile behavior or rapidly propagating fracture.

The applicant has conformed, to the extent practical, to the recommendations of RG 1.71, "Welder Qualification for Areas of Limited Accessibility," by adhering to the regulatory positions in RG 1.71 or by adhering to alternative approaches which the staff has reviewed and found to be acceptable (see Section 5.2.3 of this SER). The onsite cleaning and cleanliness controls during fabrication follow the recommendations given in RG 1.37, "Quality Assurance Requirements for Cleaning of Fluid Systems and Associated Components of Water-Cooled Nuclear Power Plants," and the requirements of ANSI N45.2.1-1973, "Cleaning of Fluid Systems and Associated Components During Construction Phase of Nuclear Power Plants," or the staff has reviewed the applicant's alternative approaches and finds them acceptable, as discussed in Section 5.2.3 of this SER.


7. INSTRUMENTATION AND CONTROLS

7.1 Introduction

7.1.1 Acceptance Criteria

FSAR Section 7.1 contains information pertaining to safety-related instrumentation and control systems, their design bases, and acceptance criteria. The staff has reviewed the applicant's design, design criteria, and design bases for the instrumentation and control systems for South Texas Project. The acceptance criteria used as the basis for this evaluation are those identified in the SRP (NUREG-0800) in Table 7-1, "Acceptance Criteria for Instrumentation and Control Systems Important to Safety," and Table 7-2, "TMI Action Plan Requirements for Instrumentation and Control Systems Important to Safety." These acceptance criteria include the applicable GDC and the Institute of Electrical and Electronics Engineers (IEEE) Std. 279, "Criteria for Protection System for Nuclear Power Generating Stations" (10 CFR 50.55a(h)). Guidelines for implementation of the requirements of the acceptance criteria are provided in IEEE standards, Regulatory Guides (RGs), and Branch Technical Positions (BTPs) identified in SRP Section 7.1. Conformance to the acceptance criteria provides the bases for concluding that the instrumentation and control systems meet the requirements of 10 CFR 50.

7.1.2 Method of Review

At South Texas Project, a Westinghouse nuclear steam supply system (NSSS) with balance-of-plant (BOP) design provided by Bechtel Corporation is used.

Many safety-related instrumentation and control systems are similar to those at Comanche Peak and have been previously reviewed and approved by the staff. The staff concentrated its review on those areas where the South Texas Project design differs from previously reviewed designs and on those areas which have remained of concern during reviews of other similar plants.

There are two unique features on instrumentation and control system design at South Texas Project (STP).

(1) The STP uses a three-train engineered safety features actuation system (ESFAS); the staff's evaluation of the three-train ESFAS is addressed in Section 7.3 of this report.

(2) The STP uses a Qualified Display Processing System (QDPS) to perform the following functions:

(a) data acquisition and qualified display for post accident monitoring.

(b) safety grade control and position indication of auxiliary feedwater control valves, steam generator PORVs, reactor vessel head vent valves, and essential cooling water flow control to safety related HVAC chillers.

(c) data acquisition for alternate shutdown capability.

(d) reactor protection on steam generator water level compensation system (SGWLCS) and hot leg averaging for overpower temperature trip.


Since the QDPS design is a microprocessor based technology, the staff requested the applicant to submit their verification and validation (V&V) program for the development of Class 1E software. The staff's evaluation of the system architecture and the V&V program for the QDPS will be addressed in a supplement to this report.

Several meetings were held with the applicant and the NSSS and BOP designers to clarify the design and to discuss staff concerns. Detail drawings, including piping and instrumentation diagrams, logic diagrams, control wiring diagrams, electrical one-line diagrams, and electrical schematic diagrams, were audited during the review.

7.1.3 General Conclusion

The applicant has identified the instrumentation and control systems important to safety and the acceptance criteria that are applicable to those systems as identified in the SRP. The applicant has also identified the guidelines, including the RGs and the industry codes and standards, that are applicable to the systems as identified in FSAR Table 7.1-1.

On the basis of the review of FSAR Section 7.1, the staff concludes that the implementation of the identified acceptance criteria and guidelines satisfies the requirements of GDC 1, "Quality Standards and Records," with respect to the design, fabrication, erection, and testing to quality standards commensurate with the importance of the safety functions to be performed. The staff finds that the NSSS and the BOP instrumentation and control systems important to safety, addressed in FSAR Section 7.1, satisfy the requirements of GDC 1 and, therefore, are acceptable.

7.1.4 Specific Findings

7.1.4.1 Open Items

The staff's conclusions noted herein are applicable to the instrumentation and control systems important to safety with the exception of the open items listed below. The staff will review these items and report their resolution in a supplement to this report. The applicable sections of this report which address these items are indicated in parentheses following each open item.

(1) Design modification for automatic reactor trip using shunt coil trip attachment (7.2.2.2)

(2) Reactor coolant system temperature measurement (7.2.2.3)

(3) Safety injection signal to close main steam isolation valve (7.3.2.2)

(4) Isolators Test Report (7.3.2.5)

(5) Engineered safety feature (ESF) reset controls (7.3.2.8)

(6) Auxiliary feedwater control (7.4.2.1)

(7) Post accident monitoring instrumentation conformance to R.G. 1.97, Revision 2 (7.5.2.4)

(8) Qualified display processing system software program verification and validation (7.5.7.5)

(9) Qualified display processing system interface with Class 1E control system (7.5.2.6)

(10) Qualified display processing system interface with alternate shutdown capability (7.5.2.7)

(11) Steam generator level reference leg compensation (7.5.2.8)

(12) Control system failure caused by high energy line breaks (7.7.2.2)

7.1.4.2 Confirmatory Items

In a number of cases, the applicant has committed to provide additional documentation to address concerns raised by the staff during its review. On the basis of the information provided during meetings and discussions with the applicant, the technical issue has been resolved in an acceptable manner. However, the applicant must formally document his commitments for resolution of these items. The sections of this report that address these items are indicated in parentheses.


(1) Failure modes and effects analyses on the ESFAS (7.3.2.11)

(2) Non-Class 1E signal to Class 1E control circuits (7.3.2.12)

(3) Testing for remote shutdown operation (7.4.2.2)

(4) NUREG-0737, Item II.K.3.9, Proportional integral derivative controller modification (7.7.2.3)

7.1.4.3 Technical Specification Item

(1) The staff requested detailed information on the methodology used to establish the Technical Specification trip setpoints and allowable values for the reactor protection system (including reactor trip and engineered safety feature channels), including the lead, lag, and rate time constant setpoints assumed to operate in the FSAR accident and transient analyses.

(2) The staff requested detailed information on response time testing as specified in the plant Technical Specification.

The detailed trip setpoint review and response time review will be performed as part of the staff's review of the plant Technical Specifications.


7.1.4.4 Site Visit

A site review will be performed for the purpose of confirming that the physical arrangement and installation of electrical equipment are in accordance with the design criteria and descriptive information reviewed by the staff. The site review will be completed before a license is issued; any problems found will be addressed in a supplement to this report.

7.1.4.5 Fire Protection Review

The review of the auxiliary shutdown panel discussed in Section 7.4 of this report includes the compliance of this panel with GDC 19, "Control Room." The aspects of the auxiliary shutdown panel related to fire protection and the review for conformance to 10 CFR 50, Appendix R (safe shutdown analysis), are included in Section 9.5 of this report.

7.1.5 TMI-2 Action Plan Items

Guidance on implementation of the TMI Action Plan was provided to applicants in NUREG-0737. The items related to instrumentation and control systems are listed below. The specific section of the report addressing each item is indicated in parentheses.

(1) II.D.3 - Direct Indication of PORV and Safety Valve Position (7.5.2.1)

(2) II.E.1.2 - Auxiliary Feedwater System Automatic Initiation and Flow Indication (7.3.2.9)

(3) II.F.1 - Accident Monitoring Instrumentation, Positions 4, 5, and 6 (7.5.2.2)

(4) II.F.3 - Instrumentation for Monitoring Accident Conditions (R.G. 1.97, Rev. 2) (7.5.2.4)

(5) II.K.3.9 - Proportional Integral Derivative Controller Modification (7.7.2.3)

(6) II.K.3.12 - Confirm Existence of Anticipatory Reactor Trip Upon Turbine Trip (7.2.2.4)


7.2 Reactor Trip System (RTS)

7.2.1 Description

The Reactor Trip System (RTS) is designed to automatically limit reactor operation within the limits established in the safety analysis. This function is accomplished by tripping the reactor when predetermined safety limits are approached or reached. The RTS monitors variables that are directly related to system limitations or calculated from process variables. When a variable exceeds a set point, the reactor is tripped by inserting control rods. The RTS initiates a turbine trip when a reactor trip occurs. The RTS consists of sensors and analog and digital circuitry arranged in coincidence logic for monitoring plant parameters. Signals from the analog channels are used in redundant logic trains. Each of the two trains, R and S, opens a separate and independent reactor trip breaker. During normal power operation, a direct current undervoltage coil on each reactor trip breaker holds the breaker closed. For a reactor trip, the removal of power to the undervoltage coils opens the breakers. Opening either of two series-connected breakers interrupts the power from the rod drive motor generator sets and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until the trip breakers are manually reset. The trip breakers cannot be manually reset until the abnormal condition that initiated the trip is corrected. Bypass breakers are provided to permit the testing of the primary breakers.

The following reactor trips are provided in the South Texas Project, Units 1 and 2 design. The number in parentheses after each trip function indicates the coincident logic; for example, (2/4) indicates two-out-of-four logic trip.

(1) Nuclear Overpower Trips
(a) Power range high neutron flux trip (2/4)
(b) Intermediate range high neutron flux trip (1/2)
(c) Source range high neutron flux trip (1/2)
(d) Power range high positive neutron flux rate trip (2/4)
(e) Power range high negative neutron flux rate trip (2/4)

(2) Core Thermal Overpower Trips
(a) Overtemperature delta T trip (2/4)
(b) Overpower delta T trip (2/4)

(3) Reactor Coolant System Pressurizer Pressure and Water Level Trips
(a) Pressurizer low pressure trip (2/4)
(b) Pressurizer high pressure trip (2/4)
(c) Pressurizer high-water-level trip (2/3)

(4) Reactor Coolant System Low Flow Trips
(a) Low reactor coolant flow (2/3 in any loop)
(b) Reactor coolant pump bus undervoltage trip (2/4)
(c) Reactor coolant pump bus underfrequency trip (2/4)

(5) Steam Generator Low-Low Water Level Trip (2/4 in any loop)

(6) Turbine Trip (anticipatory) (2/3 low trip fluid pressure or 2/4 turbine stop valves closed)

(7) Safety Injection Signal

(8) Urgent Alarm in both Solid State Protection System Trains

(9) Manual Trip (1/2)

The power range high neutron flux trip has two bistables in each channel for two separate trip settings. The high trip setting is active during all modes of operation. The lower trip setting is active only during reactor start-up and shutdown when the reactor is below approximately 10 percent power (P-10 interlock).*

* Unless otherwise indicated, set point values discussed in this Safety Evaluation Report are not final values. Final set points will be determined at the time the plant Technical Specifications are issued.


An intermediate range high neutron flux trip provides backup protection to the lower power range trip during reactor start-up and shutdown when the reactor is below approximately 10 percent power (P-10 interlock).

A source range high neutron flux trip provides protection during reactor start-up and shutdown when the neutron flux is below a preset value in the intermediate range (P-6 interlock).

A power range high positive neutron flux rate trip occurs when a sudden abnormal increase in nuclear power is detected. This trip provides departure from nucleate boiling ratio (DNBR) protection against certain rod ejection accidents and is active during all modes of operation.

A power range high negative neutron flux rate trip occurs when a sudden abnormal decrease in nuclear power is detected. This trip provides protection against two or more dropped rods and is active during all modes of operation.

The overtemperature delta T trip protects the core against low DNBR. The set point for this trip is continuously calculated by analog circuits to compensate for the effects of temperature, pressure, and axial neutron flux difference on DNBR limits.

The overpower delta T trip protects against excessive power (fuel rod protection). The set point for this trip is continuously calculated by analog circuits to compensate for the effects of temperature and axial neutron flux difference.

The pressurizer low pressure trip is used to protect against low pressure that could lead to DNBR. The reactor is tripped when the pressurizer pressure (compensated for rate of change) falls below a preset limit. This trip is blocked below approximately 10 percent power (P-7 interlock) to allow start-up and controlled shutdown.

The pressurizer high pressure trip is used to protect the reactor coolant system against system overpressure. The same sensors used for the pressurizer low pressure trip are used for the high pressure trip. There are no interlocks or permissives associated with this trip function.

The pressurizer high-water-level trip is provided as a diverse trip to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below approximately 10 percent power (P-7 interlock) to allow start-up and controlled shutdown.

Low reactor coolant flow is sensed by two-out-of-three transmitters connected to elbow taps in each coolant loop. The reactor is tripped on low flow in one loop above the power setting of interlock P-8 or in two loops between the power settings of interlocks P-7 and P-8. The low flow trip is blocked below the power setting of interlock P-7 (approximately 10% power). This trip protects the core against DNB resulting from a loss of primary coolant flow.

The reactor coolant pump undervoltage trip is provided to protect against low flow that can result from loss of voltage to more than one reactor coolant pump motor. One undervoltage sensing relay is provided for each pump in the Class 1E cubicles located between the RCP breakers and the motors. The relay provides an output signal when the pump voltage goes below approximately 70 percent of rated voltage. Signals from these relays are time-delayed to prevent spurious trips. The trip is bypassed if the power level is below approximately 10 percent power (P-7 interlock).

The reactor coolant pump underfrequency trip protects against low flow resulting from bus underfrequency. One underfrequency sensing relay is provided for each reactor coolant pump motor. The sensing relay is located in the Class 1E cubicles. Signals from these relays are time-delayed to prevent spurious trips. The trip is bypassed if the power level is below approximately 10 percent power (P-7 interlock).

The steam generator low water level trip protects the reactor from loss of heat sink. This trip is actuated on two-out-of-four low-low water level signals occurring in any steam generator.


A reactor trip on a turbine trip (anticipatory) is actuated from emergency trip fluid pressure signals or by two-out-of-four closed signals from the turbine steam stop valves. A turbine trip causes a reactor trip above approximately 50% power (P-9 interlock).


A safety injection signal initiates a reactor trip. This trip protects the core against a loss of reactor coolant or a steam-line rupture.

An Urgent Alarm is generated when any of the following conditions occur in the corresponding logic train R or S.


1. Printed circuit board removed or not properly inserted.
2. Closing of corresponding bypass breaker.
3. Operation of the logic train test switches.

Three separate Urgent Alarms, one corresponding to each actuation train A, B, or C, are provided when any one of the following conditions occurs in the corresponding actuation train.

1. Actuation train in test.
2. Loss of AC power to actuation train.
3. Corresponding Safeguards Test Cabinets in Test.
4. Loss of AC power to the corresponding safeguards test cabinet.

Occurrence of an Urgent Alarm in any two out of three actuation trains simultaneously results in a reactor trip.

The manual trip consists of two switches. Operation of either switch de-energizes the reactor trip breaker undervoltage coils in each logic train. At the same time, the shunt coils in these breakers are energized, thereby providing a diverse means to ensure that the breakers are tripped. There are no interlocks which can block this trip.


The analog portion of the RTS consists of a portion of the Process Instrumentation System (PIS) and the Nuclear Instrumentation System (NIS).

The PIS includes those devices that measure temperature, pressure, fluid flow, and level. The PIS also includes the power supplies, signal conditioning, and bistables that provide initiation of protective functions. The NIS includes the neutron flux monitoring instruments, power supplies, signal conditioning, and bistables that provide initiation of protective functions.

The digital portion of the RTS consists of the Solid State Logic Protection System (SSLPS). The SSLPS takes binary inputs (voltage/no voltage) from the PIS and NIS channels corresponding to normal/trip conditions for plant parameters. The SSLPS utilizes these signals in the required logic combinations and generates trip signals (no voltage) to the undervoltage coils of the reactor trip circuit breakers. The system also provides annunciator, status light, and computer input signals that indicate the conditions of the bistable input signals, partial and full trip functions, and the status of various blocking, permissive, and actuation functions. In addition, the SSLPS includes the logic circuits for testing.
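The coincidence and de-energize-to-trip behaviour described in this section can be modelled in a few lines. The following is an added example, not part of the NRC report and not plant or vendor code; the function names, the four-loop sample and all channel values are assumptions made for illustration, and only the pressurizer low pressure and low reactor coolant flow trips are modelled.

```python
"""Constructed model of two reactor trips from Section 7.2.1 (illustrative only).

Names, the four-loop sample and the channel values are assumptions; the logic
follows the report's text: 2/4 and 2/3 coincidence, the P-7/P-8 interlocks,
undervoltage coils that hold the breakers closed, and series-connected breakers.
"""

NORMAL, TRIPPED = True, False   # bistable output: voltage / no voltage


def coincidence(channels, m):
    """m-out-of-n vote: True when at least m bistables read TRIPPED.

    A channel that loses its output voltage counts as a trip vote, so a dead
    channel pushes the vote toward a trip instead of hiding one.
    """
    return sum(1 for c in channels if not c) >= m


def low_flow_trip(loops, above_p7, above_p8):
    """Low reactor coolant flow trip.

    loops: one tuple of three transmitter bistables per loop (2/3 per loop).
    Blocked below P-7, needs two low loops between P-7 and P-8, one above P-8.
    """
    if not above_p7:
        return False
    low_loops = sum(1 for loop in loops if coincidence(loop, 2))
    required = 1 if above_p8 else 2
    return low_loops >= required


def trip_demand(pzr_low_pressure, flow_loops, above_p7, above_p8):
    """Trip demand seen by a logic train from the shared analog channels."""
    # Pressurizer low pressure: 2/4, blocked below P-7.
    pzr_trip = above_p7 and coincidence(pzr_low_pressure, 2)
    return pzr_trip or low_flow_trip(flow_loops, above_p7, above_p8)


def breaker_closed(demand, coil_power=True):
    """The undervoltage coil holds the breaker closed only while energized.

    A trip demand removes the voltage; losing the coil supply does the same.
    """
    return coil_power and not demand


def reactor_state(pzr_low_pressure, flow_loops, above_p7, above_p8,
                  r_coil_power=True, s_coil_power=True):
    """Evaluate trains R and S and the two series-connected trip breakers."""
    demand = trip_demand(pzr_low_pressure, flow_loops, above_p7, above_p8)
    r_closed = breaker_closed(demand, r_coil_power)
    s_closed = breaker_closed(demand, s_coil_power)
    # Opening either breaker interrupts rod drive power and the rods drop.
    return "RODS HELD" if (r_closed and s_closed) else "REACTOR TRIP"


# Constructed sample inputs (not plant data).
HEALTHY_PZR = [NORMAL] * 4
HEALTHY_LOOPS = [(NORMAL, NORMAL, NORMAL)] * 4
ONE_LOW_LOOP = [(TRIPPED, TRIPPED, NORMAL)] + [(NORMAL, NORMAL, NORMAL)] * 3
TWO_LOW_LOOPS = [(TRIPPED, TRIPPED, NORMAL)] * 2 + [(NORMAL, NORMAL, NORMAL)] * 2

if __name__ == "__main__":
    cases = {
        "all channels normal": (HEALTHY_PZR, HEALTHY_LOOPS, True, True),
        "one pressure channel failed": ([TRIPPED] + [NORMAL] * 3, HEALTHY_LOOPS, True, True),
        "two pressure channels low": ([TRIPPED] * 2 + [NORMAL] * 2, HEALTHY_LOOPS, True, True),
        "one loop low, between P-7 and P-8": (HEALTHY_PZR, ONE_LOW_LOOP, True, False),
        "one loop low, above P-8": (HEALTHY_PZR, ONE_LOW_LOOP, True, True),
    }
    for label, args in cases.items():
        print(f"{label:36s} -> {reactor_state(*args)}")
```

The single-failure cases are the ones worth reading: one failed channel does not trip the plant, while loss of supply to either undervoltage coil does.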

Analog signals derived from protection channels are used for nonprotective functions such as control, remote indication, and computer monitoring and are provided by the use of isolation amplifiers located in the protective system cabinets. The isolation amplifiers are designed such that a short circuit, open circuit, or the application of credible fault voltages on the isolated output (transverse mode) of the circuit (non-Class 1E side) will not affect the Class 1E circuits. The signals obtained from the isolation amplifiers are not returned to the protective system cabinets.

The South Texas project uses QDPS to perform data acquisition for reactor protection, control and post-accident monitoring. Consistent with the design of the protection systems, interfacing between the QDPS and non-Class 1E circuitry is implemented through a qualified isolation device. The design prevents degradation of the Class 1E portions of the QDPS which could result from feedback of credible faults occurring in the non-Class 1E circuits. This will be addressed as part of our review of the QDPS system architecture in Section 7.5.1.1.

7.2.2 Specific Findings

7.2.2.1 Lead, Lag, and Rate Time Constant Setpoints Used In Safety System Channels

Several safety system channels make use of lead, lag, or rate signal compensation to provide signal time responses consistent with assumptions in the Chapter 15 analyses. The time constants for these signal compensations are adjustable setpoints within the analog portion of the safety system. The staff position is that the time constant setpoint be incorporated into the plant technical specifications. This issue will be reviewed during the plant technical specifications review stage. Additional information and formal documentation is required. This is a Technical Specification item.

7.2.2.2 Design modification for automatic reactor trip using shunt coil trip attachment

The Westinghouse Owners Group (WOG) has submitted a generic design modification to provide automatic reactor trip system (RTS) actuation of the breaker shunt trip attachments in response to Salem ATWS events. The staff has reviewed and accepted the generic design modification and has identified additional information required on a plant specific basis. The applicant has not, however, provided a response to Generic Letter 83-28 which established the requirements for this modification. The resolution of this matter will be addressed in a supplement to this report. This is an open item.

7.2.2.3 Reactor Coolant System Temperature Measurement

The reactor coolant system hot and cold leg resistance temperature detectors (RTD) used for reactor protection are located in reactor coolant bypass loops. A bypass loop from upstream of the steam generator to downstream of the steam generator is used for the hot leg resistance temperature detector and a bypass loop from downstream of the reactor coolant pump to upstream of the pumps is used for the cold leg resistance temperature detector. The magnitude of the flow affects the overall time response of the temperature signals provided for reactor protection.

It is the staff's position that the magnitude of the RC bypass loop flow be verified to be within required limits at each refueling period. The applicant has been requested to provide a discussion on how the South Texas design complies with the staff's position. By letter dated August 2, 1985, the applicant indicated that the reactor coolant temperature measurement system will be modified. The QDPS will perform averaging of reactor coolant hot leg RTD signals. The applicant has not documented the design changes in the FSAR. This is an open item.

7.2.2.4 NUREG-0737, Item II.K.3.12 - Confirm Existence of Anticipatory Reactor Trip Upon Turbine Trip

The South Texas project design includes an anticipatory reactor trip on a turbine trip above 50% of rated thermal power (P-9 interlock). The staff finds that the design is in compliance with the Action Plan guidelines.

7.2.3 Evaluation Conclusion

Later.


7.3 Engineered Safety Features System

7.3.1 System Description

The Engineered Safety Features Actuation System (ESFAS) is a portion of the plant protection system which monitors selected plant parameters and upon detection of out-of-limit conditions of these parameters will initiate actuation signals to the appropriate engineered safety features (ESF) systems and essential auxiliary support systems equipment. The ESFAS includes both automatic and manual initiation of these systems. Also included along with the ESFAS are the control systems which regulate operation of ESF systems following their initiation by the protection system.

The ESFAS is a functionally defined system and consists of:

(1) Process instrumentation and control system
(2) Solid state and relay logic protection system
(3) Safeguards test circuits
(4) Manual actuation circuits

The ESFAS includes two discrete types of circuitry: 1) an analog portion consisting of two to four redundant channels per parameter or variable to monitor various plant parameters such as the reactor coolant system and steam system pressures, temperatures, and flows, and containment pressures; and 2) a digital portion consisting of redundant logic trains which receive inputs from the analog protection channels and perform the logic to actuate the ESF systems. The STP design consists of three actuation trains, A, B and C, to actuate three trains of ESF equipment. The ESF and ESF support systems requiring ESFAS actuation are:

1. Standby diesel generators and ESF load sequencers
2. Emergency Core Cooling System (Safety Injection System)
3. Main steam line and feedwater (FW) isolation
4. Containment isolation (Phase A and Containment Ventilation Isolation)
5. Containment heat removal (Reactor Containment Fan Coolers and Containment Spray System)
6. Auxiliary Feedwater System
7. Component Cooling Water System
8. Essential Cooling Water System
9. Essential Chilled Water System
10. Control Room Envelope HVAC System
11. Various HVAC equipment as required to support these ESF components and systems

The initiation signals for each of the ESFAS functions are as follows. The numbers in parentheses after each initiation channel indicate the coincident logic, for example, two-out-of-four (2/4).

1. Standby diesel generators and ESF load sequencers
Mode I: Safety Injection (SI) Actuation
Initiated by: SI actuation signal (from Logic Train R or S)
Mode II: Loss of offsite power (Loop)
Initiated by: 4.16 KV ESF bus under-voltage (2/4)
Mode III: SI Actuation coincident with Loop
Initiated by: Simultaneous presence of SI actuation signal and 2/4 under-voltage signal on 4.16 KV ESF bus

2. Emergency Core Cooling System (Safety Injection)
a. Manual (1/2)
b. High-1 Containment pressure (2/3)
c. Low Compensated steam line pressure (2/3 in any steam line)
d. Low Pressurizer Pressure (2/4)
e. Low-low compensated Tcold (2/3 in any loop)

3. Main Steam Line Isolation
a. High steam pressure rate (2/3 in any steam line)
b. Safety Injection (see item 2)
c. manual (1/2)

4. Feedwater Line Isolation
a. High-high steam generator water level (2/4 in any SG)
b. Safety Injection (see item 2)
c. Low compensated Tcold (2/3 in any loop)
d. Low Primary loop flow or low Tavg in 2/4 loops
e. High FW flow in any loop interlock with P-15
f. manual (1/2)

5. Containment Isolation Phase A
a. manual (1/2)
b. Safety Injection (see item 2)

6. Containment Spray Actuation
a. Manual (either of two sets, both switches in a set must be actuated)
b. High-3 containment pressure (2/4)

7. Containment Ventilation Isolation
a. manual (1/2)
b. Safety Injection (see item 2)
c. High radiation (1/2)

8. Auxiliary Feedwater Initiation
a. manual (1/2)
b. Safety Injection (see item 2)
c. Low-low Steam Generator level (2/4 in any SG)

9. Control Room Envelope Isolation
a. Safety Injection (see item 2)
b. High Radiation (1/2)
c. High toxic chemicals (1/2)
d. smoke (1/2)
e. Loss of offsite power
f. manual

7.3.1.1 Standby Diesel Generators and ESF Load Sequencers Actuation

There are three independent, physically separated, standby diesel generators supplying power to three associated load groups designated Train A, Train B, and Train C. Each standby diesel generator is automatically started and picks up the ESF loads based on three modes of operation:

1. Mode I: Safety Injection (SI) Actuation
2. Mode II: Loss of offsite Power (Loop)
3. Mode III: SI Actuation Coincident with Loop

Each sequencer detects the existence of Mode I by the safety injection signals. The ESF load sequencer logic verifies the non-existence of a Mode II signal. The ESF load sequencer then automatically energizes the equipment required for this mode in programmed steps. With an SI signal present and no loss of offsite power, the operator can reset the SI actuation signal and the diesel generator can then be manually shut down from the control room or locally. If a loss of offsite power occurs, the sequencer will shed all loads on the ESF 4.16 KV bus, start the diesel generator, trip the 4.16 KV power supply breakers from offsite source and then energize the equipment in programmed steps.

7.3.1.2 Emergency Core Cooling System Actuation

The Emergency Core Cooling System (ECCS) cools the reactor core and provides shutdown capability for pipe breaks in the Reactor Coolant System (RCS) which cause a loss of primary coolant greater than that which can be made up by the normal makeup system, for rod cluster control assembly ejection, for pipe breaks in the steam system, and for a steam generator tube failure. The primary function of the ECCS is to remove the stored and fission product decay heat from the reactor core during accident conditions. The ECCS consists of the High-head safety injection pumps, Low-head safety injection pumps, accumulators, residual heat removal heat exchangers, refueling water storage tank (RWST) along with the associated piping, valves and instrumentation and other related equipment.

The ECCS provides shutdown capability for the accidents described above by injecting borated water into the reactor coolant system. The system safety function can be performed with a single active failure (short term) or passive failure (long term). The emergency diesel-generators supply power in the event that a loss of offsite power occurs.

There are three modes of operation for ECCS.

Mode A: Injection Phase

The low head and high head safety injection pumps take suction from the refueling water storage tank (RWST) and deliver coolant into the reactor through the cold leg connections.

Mode B: Cold Leg Recirculation

The low head and high head safety injection pumps take suction from the containment sump and deliver coolant into the reactor through the cold leg connections. Switchover from the injection mode to the cold leg recirculation mode is initiated automatically when the RWST level reaches low-low level setpoint.

Mode C: Hot Leg Recirculation

The SI pumps take suction from the containment sump and deliver coolant into the reactor through the hot leg connections. Switchover from Mode B to Mode C is initiated manually. Only two ECCS trains will be transferred while maintaining the third train in Mode B.


7.3.1.3 Main Steam Line Isolation Actuation

The function of the main steam line isolation is to protect against a steam line break accident in order to prevent uncontrolled blowdown of all steam generators. The main steam lines can be isolated automatically by the safety injection (SI) signal and the high steam pressure rate signal, and can be manually isolated from the control board by one-of-two manual control switches. The isolation signal will close both the main steam isolation valve (MSIV) and the bypass isolation valve. The actuation circuit has redundant solenoid valves to vent the instrument air and close the MSIV and the bypass valve. The solenoids are powered from separate Class 1E power sources. Besides two main steam line isolation control switches to close valves on all loops, there is an individual control switch to isolate each individual loop. The MSIV bypass line is used for gradual warm-up during the steam generator startup. The bypass valve is normally closed during power operation.

7.3.1.4 Main Feedwater Line Isolation Actuation

The function of the feedwater line isolation is to protect the containment from overpressurization and to prevent excessive cooldown of the reactor vessel from the steam line break accident. The feedwater line isolation signal is generated on safety injection, high steam generator water level, or excessive cooldown protection. The excessive cooldown protection signal is from low compensated reactor coolant T-cold on any loop coincident with reactor trip (P-15). The feedwater line isolation signal will trip all feedwater pumps, trip the turbine and close all feedwater isolation valves and feedwater flow control valves. The feedwater isolation valve is closed by pneumatic pressure when the hydraulic fluid pressure is relieved. Two complete actuation systems are provided for each valve operator corresponding to the two redundant ESFAS trains.

7.3.1.5 Containment Isolation System Actuation

The function of the Containment Isolation System is to isolate the process lines which pass through the containment structure. The containment isolation system is designed to limit the release of radioactive materials from the containment following an accident. The containment isolation system is automatically actuated by signals developed by the ESFAS. Phase A Containment isolation and Containment ventilation isolation signals isolate all nonessential lines. These signals are initiated by the SI signal which is derived from two-out-of-three high containment pressure signals and other ESF actuation signals. Containment ventilation isolation is also initiated by a containment high radiation signal. The main steam line isolation and main feedwater line isolation systems are considered as part of the containment isolation system. The South Texas project does not use a phase B containment isolation signal to isolate any process line.

Certain systems are required to perform a safety function following an accident and the isolation valves for these systems must be opened automatically or remote-manually or remain open for the system to operate. These systems are listed below.

a. Low Head Safety Injection (LHSI), High Head Safety Injection (HHSI) and Containment Spray
b. Component Cooling Water System (CCWS) to Containment Cooling Fans, Residual Heat Removal Heat Exchangers
c. Auxiliary Feedwater System (AFW)
d. Steam supply line to turbine driven AFW pump
e. Reactor Coolant Pump Seal Injection
f. Containment Sump Recirculation Lines
g. Containment Pressure Sensing Lines
h. Reactor Coolant System Wide Range Pressure Sensing Lines
i. Containment Hydrogen Monitoring/Post Accident Sampling Lines

7.3.1.6 Containment Fan Cooler System Actuation

The Containment Fan Cooler units are designed to remove heat from the containment during both normal operation and accident conditions. During normal operation, the containment fan coolers are cooled by the chilled water system. Following a safety injection signal, the fan cooler cooling supply will be switched to the component cooling water system. No manual actions are required for fan cooler operation during accident conditions. Should a loss of offsite power occur, the ESF load sequencers control the loading of the diesel generators. The containment fans start in about 15 seconds. Without a loss of offsite power, the ESF load sequencers start those fan units that are not in operation prior to receipt of the SI signal. Those already in operation remain operating following the SI signal. There are two fan cooler units per train, for a total of six units per plant. Only three out of six units are required for design based accident mitigation.

7.3.1.7 Containment Spray Actuation

Three redundant trains of containment spray system (CSS) provide a spray of cold borated water, containing sodium hydroxide (NaOH), from the upper regions of the containment to reduce the containment pressure and temperature and to remove fission products following a LOCA, or a HELB accident. The CSS has two phases of operation which are initiated sequentially following system actuation. They are the injection phase and the recirculation phase. Once the CSS actuation signal is initiated, isolation valves open to begin the injection phase and the valves associated with the spray additive tank open to allow NaOH to mix with the spray. For the recirculation phase, spray pump suction is automatically switched from the refueling water storage tank (RWST) to the containment recirculation sump when low level in the RWST is reached. The system includes features for periodic testing to confirm proper functioning.

7.3.1.8 Auxiliary Feedwater System Actuation

The function of the auxiliary feedwater system (AFWS) is to provide an adequate supply of water to the steam generators if the main feedwater system is not available. The AFWS consists of three motor-driven pumps and one turbine-driven pump with associated valves, controls, and instrumentation. Each motor-driven pump supplies water to one steam generator. Each pump motor is supplied power from a separate engineered safety bus. The turbine-driven pump supplies water to the fourth steam generator. Normally closed, fail-closed cross-connections are provided between the four AFWS trains to permit flow from any pump to any steam generator. The auxiliary feedwater actuation system will automatically start the pumps and provide feedwater to the steam generators. The initiating conditions are listed in Section 7.3.1 item (8).

The AFWS's water supply is from the auxiliary feedwater storage tank (AFST), which is designed to seismic Category I safety class 3 requirements and to withstand environmental design conditions, including flood, earthquake, hurricane, tornado loadings and tornado missiles. The AFST retains a sufficient quantity of water (500,000 gallons) for a safe shutdown of the reactor. The make-up water to the AFST is from the condenser hotwell and the demineralized secondary make-up water tank (300,000 gallons).

The AFWS can be manually initiated and controlled from the main control board or the auxiliary shutdown panel. The AFWS control is discussed in Section 7.4 of this report.

7.3.1.9 Component Cooling Water System Actuation

The Component Cooling Water System (CCWS) consists of three separate redundant trains. Each train has a pump, a heat exchanger, associated piping, and valves. After a design based accident (DBA), all three CCWS trains will operate if operable, but two trains are sufficient to perform the heat removal function for the DBA. The following components are cooled by the CCWS:

1. RHR heat exchangers
2. Containment fan coolers
3. Seal water heat exchangers
4. RCP lube oil coolers and thermal barriers
5. RCP motor air coolers
6. RHR pump seal coolers
7. Centrifugal charging pump supplementary coolers and lube oil coolers
8. Positive displacement pump supplementary coolers

The following non-ESF components are also cooled by the CCWS; however, they are isolated by motor operated valves which close on an SI signal.

1. Excess letdown heat exchanger
2. Reactor coolant drain tank heat exchanger
3. Boron recycle system evaporator
4. Boron thermal regeneration system chiller
5. Post accident sampling system coolers
6. Liquid waste processing evaporator
7. Spent fuel pool heat exchangers
8. Letdown heat exchangers

An SI signal opens the pneumatic valve to provide cooling water to each RHR heat exchanger. Also an SI signal shifts the cooling water supply to the containment fan coolers from the chilled water system to the CCWS.

Each CCW pump is connected to a separate ESF bus. During normal startup or shutdown, two CCWS trains are required. The pump control logic provides for automatic starting of the standby pump in the event of low system pressure or low essential cooling water pressure. The CCW pump starting logic also starts the associated essential cooling water pump.

7.3.1.10 Essential Cooling Water System Actuation

The Essential Cooling Water System (ECWS) is designed to supply cooling water to various safety related heat removal components during all modes of operation. The ECWS consists of three trains. Each train contains a pump, a self cleaning strainer, piping, valves, and instrumentation. Each ECWS train services one set of diesel generator heat exchangers, one component cooling water (CCW) heat exchanger, two essential chiller condensers, and one CCW pump supplementary cooler.

During normal plant operation, each ECWS pump is automatically started when its associated CCW pump is started. Upon a loss of offsite power or actuation of a safety injection signal, all three ECW pumps are automatically started by the ESF load sequencers. Upon actuation of an SI signal, the ECW blowdown isolation valves are automatically closed.

7.3.1.11 Essential Chilled Water System Actuation

The Essential Chilled Water System is a safety related system which consists of three 50 percent capacity redundant trains. Each train contains an essential chilled water pump, two evaporator/condenser units, piping, valves, and instrumentation. The essential chilled water system provides chilled water to the safety related air conditioning units. Each train is completely isolated from the other trains, and no common piping is provided. All chilled water system trains are placed in operation automatically upon receipt of a safety injection signal. The water chillers and the chilled water pumps are operable from the main control room.

7.3.1.12 Control Room Envelope HVAC System Actuation

The control room envelope HVAC system is a safety related system which consists of three 50 percent capacity redundant trains. Two of three trains are needed during plant normal operation, hot standby, shutdown, post accident condition, or loss of offsite power. Each train consists of main air handling units, return air fan, makeup air filter unit, air cleanup filter unit, exhaust air fan, ductwork and duct reheat coils.

The control room envelope is maintained at 0.125" W.G. positive pressure with a maximum makeup air design of 2000 cubic ft. per minute. Upon detection of high airborne radioactivity at the outside air intake, or a safety injection signal, the makeup air will be filtered by means of carbon filter units. In the event of a loss of offsite power, or the detection of high concentrations of toxic chemicals or smoke at the outside air intake, the redundant leak tight isolation dampers are closed automatically, and no makeup air will be supplied to the control room envelope. In the event of a fire causing smoke in areas confined within the control room envelope boundary, the operator can manually place the system into the smoke purge mode of operation.

7.3.1.13 Electrical Auxiliary Building (EAB) Heating, Ventilating and Air Conditioning (HVAC) System Actuation

Three redundant trains of HVAC system are powered by separate, independent ESF buses. Two of the three trains are required to function during all modes of operation. Each train consists of a main air handling unit, return air fans, exhaust air fans, ductwork and duct reheat coils. The EAB HVAC system is cooled by the essential chilled water system. The EAB HVAC system is automatically controlled by the ESF load sequencers after a design based accident.

The EAB HVAC system serves the following major areas:

1. Battery and distribution panel rooms
2. Electrical switchgear rooms
3. Cable spreading rooms
4. Auxiliary shutdown panel area
5. Power cable vaults
6. Radiation monitor room
7. Miscellaneous office and equipment rooms
8. Electrical penetration areas

7.3.1.14 Fuel Handling Building HVAC Exhaust System Actuation

The Fuel Handling Building (FHB) HVAC exhaust system serves the safety related components which include spent fuel pool pumps, heat exchangers, high head safety injection pumps, low head safety injection pumps, containment spray pumps, and containment sump isolation valves. Air is supplied to various areas of the FHB by three trains. Each train consists of the prefilters, electric heating coils, cooling coils, and supply fans. Normally, exhaust air bypasses the filter units and is exhausted directly to the plant main vent stack. Upon detection of high radiation or safety injection signal, exhaust air is routed through the redundant carbon filter units, the exhaust booster fans, main exhaust air fans, and then delivered to the plant main vent stack. The carbon filters are provided to remove radioactive iodine gases. Pressure differential across the filters is indicated and recorded in the main control room. High pressure differential across filter bank, high temperature, high radiation, or trip of any fan in FHB HVAC system will be alarmed. During loss of offsite power event, all active components receive power from their respective independent ESF power train.

7.3.2 Specific Findings

7.3.2.1 Three-Train Engineered Safety Feature Actuation System

The three-train Engineered Safety Feature Actuation System (ESFAS) basic design is the same as the two-train ESFAS. It consists of two input (logic) trains R and S and three output (actuation) trains A, B and C. Redundant Class 1E signals first feed into the trains R and S input relay cabinets. The analog signals are converted to digital signals, and then fed through solid-state voting logic to determine the actuation status. The actuation signals will be carried out by three redundant separate master relay drivers located in three separate actuation train cabinets. The master relay driver drives several master relays. The master relay from either train R or S can energize a slave relay in the actuation train. The only difference for the three-train ESFAS is the additional contact used in actuating the slave relays.

The staff has a concern on the separation requirements between the master relay "R" and the master relay "S" which drive a common slave relay in the actuation train cabinet. The applicant responded that these relays are located in the separate compartments inside the cabinet. The separation requirements of R.G. 1.75 are met. During a site visit on March 28, 1985, the staff verified the separation arrangement. The staff has reviewed the three-train ESFAS logic design, wiring and installation drawings, power supply arrangement, and testing capability, and concluded that the three-train ESFAS design is acceptable.
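The R/S-to-A/B/C actuation path described in this section can be walked through a single-failure check with a short model. The Python below is an added illustration, not part of the staff evaluation or the applicant's design documents; the channel names, the fail-to-actuate failure mode, the use of two-out-of-three voting for the modelled signal, and the two-of-three-trains success criterion (borrowed from the CCWS description in 7.3.1.9) are assumptions.

```python
"""Single-failure walk through a three-train ESFAS actuation path (illustrative model)."""

CHANNELS = ("I", "II", "III")        # constructed names for three sensor channels
LOGIC_TRAINS = ("R", "S")            # input (logic) trains named in the text
ACTUATION_TRAINS = ("A", "B", "C")   # output (actuation) trains named in the text
REQUIRED_TRAINS = 2                  # assumption: two of three trains mitigate the event


def vote_2oo3(trips):
    """Solid-state voting: actuate when at least two of three channels are tripped."""
    return sum(bool(t) for t in trips) >= 2


def actuated_trains(demand, failed=frozenset()):
    """Return the set of actuation trains whose slave relay picks up.

    demand -- dict channel -> True if that channel senses the trip condition
    failed -- components assumed stuck in the non-actuating state, e.g.
              ("channel", "II"), ("logic", "R"), ("master", "S", "B"), ("slave", "C")
    """
    trips = [demand[c] and ("channel", c) not in failed for c in CHANNELS]
    picked_up = set()
    for train in ACTUATION_TRAINS:
        if ("slave", train) in failed:
            continue
        for logic in LOGIC_TRAINS:
            logic_ok = ("logic", logic) not in failed and vote_2oo3(trips)
            master_ok = ("master", logic, train) not in failed
            # The master relay from either R or S can energize the slave relay.
            if logic_ok and master_ok:
                picked_up.add(train)
                break
    return picked_up


def all_components():
    """Every component of the model that can be failed individually."""
    parts = [("channel", c) for c in CHANNELS]
    parts += [("logic", l) for l in LOGIC_TRAINS]
    parts += [("master", l, t) for l in LOGIC_TRAINS for t in ACTUATION_TRAINS]
    parts += [("slave", t) for t in ACTUATION_TRAINS]
    return parts


def single_failure_report():
    """Map each single failure to the trains that still actuate on a real demand."""
    demand = {c: True for c in CHANNELS}
    return {p: actuated_trains(demand, frozenset([p])) for p in all_components()}


def violations(report):
    """Single failures that leave fewer trains than the success criterion."""
    return sorted(p for p, trains in report.items() if len(trains) < REQUIRED_TRAINS)


def spurious_single_channel():
    """One channel tripping alone, with nothing failed, must not actuate any train."""
    return {c: actuated_trains({k: k == c for k in CHANNELS}) for c in CHANNELS}


def common_slave_loss(train):
    """Both master relays (R and S) feeding one slave relay fail together.

    This is the case the R/S separation inside the actuation cabinet guards against.
    """
    failed = frozenset(("master", l, train) for l in LOGIC_TRAINS)
    return actuated_trains({c: True for c in CHANNELS}, failed)


if __name__ == "__main__":
    report = single_failure_report()
    for part, trains in report.items():
        print(part, "->", sorted(trains))
    print("single failures below the success criterion:", violations(report))
    print("spurious single-channel trips:", spurious_single_channel())
    print("both masters for train A lost:", sorted(common_slave_loss("A")))
```

In this model only a slave relay failure removes an actuation train, and losing both master relays that feed one slave relay has the same effect as losing that slave relay.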


7.3.2.2 Safety Injection Signal to Close Main Steam Isolation Valves

The South Texas Project has a unique design on main steam isolation logic. The main steam isolation valves (MSIVs) are automatically closed by the Safety Injection (SI) signal. The staff has a concern that spurious actuation of the SI signal would result in more frequent MSIV closures, potentially resulting in more safety valves lifting, possibly sticking, over-pressurization of the steam generator tubes, etc. Most other Westinghouse plants use Containment HI-2 signal to close main steam isolation valves. The applicant was requested to re-examine this design. This is an open item subject to additional justification on this design.

7.3.2.3 Main Steam Isolation Valve Control Circuit

During its review of the MSIV schematic, the staff identified a possible failure in the actuation circuitry. The specific failure is the "open permissive" switch contact remaining closed. This closed contact is not detected during the partial stroke test, and would only be detected during the actuate test, which is performed at a less frequent interval. This closed contact would prevent the safeguards signal within the train from closing the MSIV. This potential failure and the detection method should be addressed.

In a letter dated June 17, 1985, the applicant responded to the staff's concern. The applicant will modify the circuits so that the "open permissive" switch contact is in series with the isolation signal contacts rather than in parallel. In this way the postulated contact failure will not prevent the safeguard signals from closing the MSIV. The staff has reviewed the modified design and finds the design acceptable.

7.3.2.4 Main Feedwater Isolation Valve Testing

During its review of the main feedwater isolation valve (MFIV) schematic, the staff identified a concern that during MFIV test, operation of both solenoids for venting the hydraulic fluid (which causes the MFIV to fail in the closed position) is not monitored to assure proper operation.

In a letter dated June 17, 1985, the applicant responded to the staff's concern. In order to verify that the solenoids have both been de-energized and opened, the circuit will be modified to use limit switch contacts from the solenoids as well as the 90 percent stroke test limit switch from the MFIV to illuminate the white light that indicates successful completion of the valve test. When the solenoids are de-energized and the MFIV has closed down to 90 percent, the white light will be illuminated. Illumination of the white light will verify the operation of the hydraulic fluid. The staff has reviewed the modified design and finds the design acceptable.

7.3.2.5 Isolators Test Report

The staff requested the applicant to describe design criteria and tests performed on the isolation devices in the balance of plant systems and to address results of analyses or tests performed to demonstrate proper isolation between separation groups and between safety and non-safety systems.

In a letter dated June 17, 1985, the applicant stated that qualification tests were being performed on the following four types of isolators:

(1) Digital (optical) isolators for the emergency response facility data acquisition display system (ERFDADS) computer inputs.

(2) Analog (transformer coupled) isolators for the ERFDADS inputs.

(3) Digital (optical) isolators for the radiation monitoring computer system.

(4) Digital isolators for the diesel generator control panels.

It is the staff's position that the above devices be qualified isolators for interfacing between safety and non-safety systems. The applicant shall provide the following information to NRC for review and approval prior to granting an operating license:

a. For each type of device used to accomplish electrical isolation at South Texas, describe the specific testing performed to demonstrate that the device is acceptable for its application(s). This description should include elementary diagrams where necessary to indicate the test configuration and how the maximum credible faults were applied to the devices.

b. Data to verify that the maximum credible faults applied during the test were the maximum voltage/current to which the device could be exposed, and define how the maximum voltage/current was determined.

c. Data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and other faults were considered (i.e., open and short circuits).

d. Define the pass/fail acceptance criteria for each type of device.

e. Provide information to verify that the isolation devices comply with the environmental qualifications (10 CFR 50.49) and the seismic qualifications which are the basis for plant licensing.

This is an open item.

7.3.2.6 Testing of Engineered Safeguard P-4 Interlock

On November 7, 1979, Westinghouse notified the Commission of an undetectable failure that could exist in the engineered safeguards P-4 interlocks. In a letter dated July 15, 1985, the applicant addressed its design on P-4 interlocks. The South Texas design is different than that of the earlier Westinghouse plants, in that the P-4 contacts for each train's trip and bypass breakers are wired individually to the solid state protection system. The status of the trip and bypass breakers are indicated on the control board. Verification of P-4 contact status will be administratively controlled following any condition that requires opening of the reactor trip breakers and following reclosure of the trip breakers. Operability of the P-4 contacts will also be checked as part of the Technical Specification surveillance testing program. The staff finds the design acceptable.

7.3.2.7 Level Measurement Errors Resulting From Environmental Temperature Effects on Level Instrument Reference Legs

The staff requested that the applicant evaluate the effects of high temperatures in reference legs of water level measurement systems resulting from high-energy-line breaks. This issue was addressed for operating reactors through IE Bulletin 79-21. In FSAR Section 7.5, the applicant stated that the steam generator narrow range water level measurement will be automatically compensated for the effect of temperature changes in the reference leg by the qualified display processing system (QDPS). The staff's evaluation on the QDPS to perform the reference leg compensation will be addressed in Section 7.5 of this report.

7.3.2.8 Engineered Safety Feature (ESF) Reset Controls (IE Bulletin 80-06 Concerns)

As was done for operating reactors through IE Bulletin 80-06, dated March 13, 1980, the staff requested that the applicant review all safety systems to determine if any safety equipment would change state after reset. In FSAR Amendment 43, the applicant stated that the requested reviews have been performed and that all of the ESF systems are designed to remain in the emergency mode at the component level after resetting the ESF actuation signals at the system level. The equipment remains in its emergency mode until the operator takes manual action on a component-by-component basis.

The staff finds that the design is consistent with the intent of the bulletin. However, the applicant has not committed to perform a confirmatory test, which is required by the Bulletin, to verify the conclusions of this review. This is an open item subject to the applicant's commitment to perform the confirmatory test.

7.3.2.9 NUREG-0737, Item II.E.1.2, AFWS Automatic Initiation and Flow Indication

The automatic system used to initiate the operation of the auxiliary feedwater system is part of ESFAS. The redundant actuation channels that provide signals to the pumps and valves are physically separated and electrically independent. Redundant trains are powered from independent Class 1E power sources. The initiation signals and circuits are testable during power operation, and the test requirements are included in the plant Technical Specifications. Manual initiation and control can be performed from the main control board or the auxiliary shutdown panel. No single failure within the manual or automatic initiation system for the auxiliary feedwater system will prevent initiation of the system by manual or automatic means. The environmental qualification is addressed in Section 3.11 of this report.

One auxiliary feedwater flow instrument and one wide range level instrument are provided for each steam generator. The level and flow instrument channels for each steam generator are powered from Class 1E power sources. The staff concludes, based on their review, that the design satisfies the requirements of NUREG-0737, Item II.E.1.2.

7.3.2.10 Power lockout feature for Motor-operated valves

Branch Technical Position PSB-18 addresses power lockout during normal reactor operation for valves whose inadvertent operation could affect plant safety. In the South Texas Project design, this requirement is satisfied by adding the remote controlled motorized breakers in the valve motor power circuits. A power lockout remote control switch is provided on the main control board for each power lockout valve. For all such valves, redundant valve position indications are provided. The redundant valve position indications are powered from two independent power sources. The power lockout indication is also provided to the bypass/inoperable status panel. The staff finds this design acceptable.

7.3.2.11 Failure Modes and Effects Analyses on the ESFAS

R.G. 1.70, "Standard Format and Content of FSAR" requires the applicant to address the Failure Modes and Effects Analyses (FMEA) on the Engineered Safety Features Actuation System (ESFAS). The applicant has made reference to a Westinghouse document WCAP-8584, "Failure Modes and Effects Analyses (FMEA) of the ESFAS." The staff raised a question concerning whether the WCAP-8584 on the two-train system can be applicable to the three-train system. During a design review meeting on March 27, 1985, the applicant presented the design comparison between the two-train ESFAS and the three-train ESFAS. For the reactor trip function, they are handled in the same way. For the ESFAS function, the three-train ESFAS voting logics in train R or S each drive up to 3 relay drivers. The relay drivers then interface with master relays, which then interface with slave relays. The hardware used is the same; it is tested in a similar fashion. The only real difference is that the three-train ESFAS uses an additional contact in actuating the slave relays. The three-train design drawings were reviewed, including provisions for testing, separation, etc. Based upon its review, the staff concludes that the WCAP-8584 on the two-train ESFAS FMEA appears to be applicable to the three-train system. The applicant is required to document the justification in the FSAR by referring to WCAP-8584 for the three-train design, and to verify the interface criteria are being met at BOP design. This is a confirmatory item.

7.3.2.12 Non-Class 1E Signal to Class 1E Control Circuits

The staff requested the applicant to provide a list of non-Class 1E control signals that are used as inputs to Class 1E control circuits and assess their effects on the safety systems. The applicant has identified fifteen cases which have non-1E interface. A failure modes and effects analysis was performed. The applicant has concluded that the failure on non-Class 1E signals will not defeat the safety function. This is a confirmatory item subject to staff's review of all the related electrical drawings, isolation devices which are not available at the present time.

7.3.2.13 Solid-State Logic Protection System Test Circuit Modification

On August 6, 1982 Westinghouse informed NRC under 10 CFR 50.55(e) that a potential significant deficiency was identified in the solid-state logic protection system (SSLPS) test circuits.

During testing of the master relays, the voltage applied to the slave relay is reduced from 120-V ac to 15-V dc to preclude their operation during this phase of the testing. Also during this test a light is placed in series with the master relay contact, which is normally used to pick up the slave relays. On completion of these tests, the light used to confirm the continuity of master relay contacts and slave relay coil is removed from the circuit. The problem revealed is that these tests do not confirm that the continuity light is removed from the circuit. If the light remained in series with the slave relay coil, the operability of the protective action would not be assumed. By letter dated July 18, 1985, the applicant has committed to a circuit modification developed by the equipment vendor (Westinghouse) to resolve the concern. Based on a review of the proposed modification, the staff finds it acceptable.

7.3.3 Evaluation Conclusion

Later.

7.4 Systems Required For Safe Shutdown

7.4.1 System Description

This section describes the equipment and associated controls and instrumentation of systems required for safe shutdown. It also describes controls and instrumentation outside the main control room that enable safe shutdown of the plant in case the main control room needs to be evacuated.

7.4.1.1 Safe Shutdown System

The South Texas Project Safe Shutdown is "hot standby" as defined in the Technical Specification. The systems required for safe shutdown are those required to control the reactor coolant system temperature and pressure, to borate the reactor coolant, and to provide adequate residual heat removal. The essential systems (or components) listed below are used for safe shutdown.

(1) Auxiliary feedwater system
(2) Main steam safety relief valves
(3) Centrifugal Charging pumps
(4) Boric acid transfer pumps
(5) Letdown stop valves
(6) Essential cooling water pumps
(7) Component cooling water pumps
(8) Reactor containment fan coolers
(9) Diesel generators and associated onsite electrical power systems
(10) Control room ventilation system
(11) Emergency ventilation system for those areas housing safe shutdown equipment

The following two components are used for safe shutdown, but are not considered as essential.

(1) Main steam PORVs
(2) Pressurizer backup heaters

To effect a unit shutdown, the unit will be brought to, and maintained at, a safe shutdown condition under control from the main control room or remote safe shutdown locations. Controls for the systems discussed above are required to maintain a safe shutdown under non-accident conditions. The applicant has identified the following monitoring indicators as essential to maintaining safe shutdown:

(1) Steam generator water level
(2) Steam generator pressure
(3) Pressurizer water level
(4) RCS wide range pressure
(5) RCS wide range temperature (T-hot and T-cold)
(6) Auxiliary feedwater flow to each steam generator
(7) Auxiliary feedwater storage tank level
(8) Chemical and volume control system charging flow
(9) Reactor coolant pump seal injection flow

To achieve and maintain safe shutdown, the reactor and the turbine are tripped. The controls and the indicators for all of the equipment listed above are provided in the main control room. In addition, an auxiliary shutdown panel is provided that allows the plant to be maintained in a hot standby condition or taken to cold shutdown should the main control room become uninhabitable.

7.4.1.2 Remote Shutdown Capability

If temporary evacuation of the control room is required because of some abnormal station condition, the operators can establish and maintain the station in a hot standby condition from outside the control room through the use of controls and indicators located at the auxiliary shutdown panel (ASP), transfer switch panels and other local control stations.

The auxiliary shutdown panel contains both Class 1E and non-Class 1E controls and indicators. Electrical separation is maintained between separation groups within the panel by metal barriers. The controls on the ASP are electrically isolated from those in the control room by transfer switches located on the transfer switch panels with the exception of the controls associated with the turbine driven auxiliary feedwater pump, which is located on the ASP. Safety-related display is provided by the QDPS via redundant plasma display units located on the ASP. Other nonsafety-related parameters are available at the ASP via the Emergency Response Facilities Data Acquisition and Display System (ERFDADS). The transfer of control from the control room to the ASP is alarmed and indicated in the control room through the engineered safety feature status monitoring system. Access to the ASP is administratively controlled. Communications are provided between the ASP, the control room, switchgear room, and the Technical Support Center via the dc-powered headset system.

7.4.1.3 Transfer switch panels

The six transfer switch panels are located in the Electrical Auxiliary Building (EAB) with two of the panels located in each of their associated switchgear rooms. The switches and controls provided on the transfer switch panels are Class 1E. Electrical and physical separation is maintained between the separation groups. In addition to providing control transfer between the control room and the ASP control circuits, the transfer panels also provide control for equipment that requires one time or infrequent control during safe shutdown.

7.4.1.4 Other local control stations

In addition to the controls and indicators provided at the ASP and transfer switch panels, the following controls are provided outside the control room:

(1) Reactor trip capability is provided at the reactor trip switchgear.

(2) Start/Stop controls and transfer switches for the diesel generators located on each diesel generator local panel.

(3) Start/Stop controls and transfer switches for the essential chillers located on each essential chiller local panel.

(4) Start/Stop controls and transfer switches for Essential Cooling Water Intake Structure ventilation fans located at motor control centers.

(5) Open/Close controls for various valves not requiring immediate or constant control located at motor control centers.

(6) Disconnect switches for solenoid valves to fail open or close air operated valves located at the auxiliary relay cabinets.

7.4.2 Specific Findings

7.4.2.1 Auxiliary Feedwater Control

The staff's review of the auxiliary feedwater system (AFWS) included the following:

(1) automatic initiation
(2) capability of controlling flow to establish and maintain steam generator level
(3) capability of controlling the steam generator pressure
(4) capability of isolating a faulted steam generator resulting from feedwater or steam line break
(5) capability for post-trip control from auxiliary shutdown panel

The motor-driven pumps are automatically started by the load sequencers. However, the isolation valve will not open until a two-out-of-four low-low water level signal from any steam generator or a Safety Injection (SI) signal is received. The AFW turbine driven pump is supplied with steam from steam generator 10 through the steam inlet valve, the steam inlet bypass valve and the turbine trip throttle valve. These valves all receive an open signal on an AFW initiation. The steam inlet valve receives its open signal through a time delay (approximately 15 seconds). This time delay allows steam flow through the steam inlet bypass valve to accelerate the turbine to a speed which allows the turbine governor to assume speed control prior to the steam inlet valve opening. Manual control of these valves can be performed from the control room or from the auxiliary shutdown panel. The Qualified Display Processing System (QDPS) controls the flow into the SGs through the auxiliary feedwater regulating valves. The safety grade valve control function is performed by a microprocessor based control system. Contact output signals are provided for automatic control and position indication of auxiliary feedwater regulator valves within upper and lower flow limits. These signals maintain auxiliary feedwater flow within acceptable limits until manual control is assumed by the operator. Manual control capability is provided both in the control room and on the auxiliary shutdown panel.

The steam generator PORVs and their controls are designed as safety-related equipment. A pressure transmitter and pressure controller are provided for each of the SGs to actuate the PORV and control the steam pressure at a predetermined setting. Manual control capability is provided both in the control room and on the auxiliary shutdown panel for PORV regulation. The QDPS provides closed-loop control and position indication for the steam generator PORVs.

Auxiliary feedwater flow to the steam generator is limited by the regulating valve. The regulating valve restricts the flow to a depressurized steam generator. A motor-operated isolation valve and a check valve are provided in each of the auxiliary feedwater supply lines. The isolation valve can be operated either from the main control board or the auxiliary shutdown panel. The capability is provided to control the auxiliary feedwater pumps and to isolate a depressurized loop as well as for post-trip control of the auxiliary feedwater system at the auxiliary shutdown panel.

Branch Technical Position ASB 10-1 requires that the auxiliary feedwater system should consist of at least two full-capacity independent systems that include diverse power sources. The AFW turbine driven pump design has not demonstrated its conformance with BTP ASB 10-1. The steam supply comes only from a single steam generator. Any single active failure will disable the turbine-driven pump. The applicant has not provided the AFW system reliability analysis. This is an open item.

7.4.2.2 Testing for Remote Shutdown Operation

During the review process, a concern was raised by the staff regarding the remote shutdown capability and the need for a test to verify design adequacy. Additional information is required to document a test description in FSAR Section 14, and a test is required to verify design adequacy of remote shutdown operation during startup testing. This is a confirmatory item.

7.4.3 Evaluation Conclusion

Later.

7.5 Information Systems Important to Safety

7.5.1 Description

The information systems important to safety are composed of display instruments that provide information to the operator to enable him to perform required manual actions following a reactor trip. Information that the operator needs to maintain the plant in a hot standby condition or to proceed to cold shutdown within the limits of the Technical Specifications is also displayed. The operator uses these information systems to monitor conditions in the reactor, the reactor coolant system, and in the containment and process systems during normal operation of the plant, including anticipated operational occurrences, and for postaccident monitoring. The display systems also include bypassed and inoperable status information.

The protective system provides the operator with information pertinent to systems status and safety. All transmitted signals (flow, pressure, temperature, neutron flux, etc.) which can cause a reactor trip are either indicated or recorded for each channel. Parameters associated with automatic actuation as well as those required to enable the operator to manually initiate Engineered Safety Features Systems are displayed. The indicators provided for the actuating parameters display the same analog signals monitored by the Engineered Safety Features Actuation System. Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level.

Alarms and annunciators are also used to alert the operator of deviations from normal conditions so that the operator may take appropriate corrective action to avoid a reactor trip. Actuation of any reactor trip channel will actuate an alarm.

7.5.1.1 Qualified Display Processing System Architecture

The Qualified Display Processing System (QDPS) is an integrated data acquisition and display system to cover the post accident monitoring, safety parameter display, inadequate core cooling monitoring, emergency response capability and some limited safety grade control functions. The QDPS performs:

1. data acquisition and qualified display for post-accident monitoring, also referred to as the Plant Safety Monitoring System (PSMS).
2. safety grade control and position indication for steam generator PORV, auxiliary feedwater control valve, reactor vessel head vent valves, and essential cooling water chillers.
3. data acquisition and qualified display for auxiliary shutdown panel operation if a fire is in the control room or in the relay room.
4. steam generator level measurement compensation for the effect of temperature changes at the reference leg.

The QDPS consists of four redundant, channelized, Class 1E auxiliary process cabinets (APC). These APCs receive Class 1E signals from the protection system processing cabinet or directly from Class 1E sensors. The APCs send data to redundant data base processing units (DPUs), which provide information to the operator via plasma display. A fifth non-Class 1E APC provides data acquisition for non-Class 1E signals which are needed to complete logical graphic displays. The APCs perform the engineering units conversion, limit check, and isolation or buffering. The DPUs perform algorithms and format displays for the plasma display units. The operator can use a function keyboard at the display unit to request information. There are a total of eight plasma display units. Six units are located in the control room. They are grouped into two redundant sets, each consisting of three units. The remaining two display units are located on the auxiliary shutdown panel. There are three demultiplexers which provide outputs to drive analog meters, recorders, computer, and annunciators. Two of the three demultiplexers are located in the control room; the third unit is located in the auxiliary shutdown area. The demultiplexers are non-Class 1E devices. Signals from the DPUs to the demultiplexers are sent via isolated redundant data links. The staff's evaluation of the QDPS architecture is addressed in Section 7.5.2.9 of this report.

7.5.1.2 Post Accident Monitoring Instrumentation

In FSAR Appendix 70 the applicant has defined the R.G. 1.97 variables for post accident monitoring instrumentation. In addition, Table 7.5-1 further identifies the instrument range, environmental and seismic qualification status, number of channels for each variable, display device and location, power source, and the schedule for implementation. The applicant uses the Qualified Display Processing System (QDPS) to monitor the post accident conditions.

The QDPS provides the following RG 1.97 Category 1 Parameters:

Reactor Coolant System Pressure - Wide Range
THot - Wide Range
TCold - Wide Range
Steam Generator Level - Wide Range
Steam Generator Level - Narrow Range
Pressurizer Level
Containment Pressure
Steamline Pressure
Refueling Water Storage Tank Level
Containment Water Level - Wide Range
Containment Water Level - Narrow Range
Auxiliary Feedwater Storage Tank Level
Auxiliary Feedwater Flow
Core Exit Temperature
Reactor Coolant System Subcooling
Neutron Flux - Extended Range
Neutron Flux - Startup Rate
Reactor Vessel Water Level
Containment Hydrogen Concentration

The QDPS provides the following RG 1.97 Category 2 Parameters:

Pressurizer Pressure
Charging System Flow
Letdown Flow
Volume Control Tank Level
Reactor Coolant Pump Seal Injection Flow
Main Feedwater Flow
High Head Safety Injection Flow
Low Head Safety Injection Flow
Emergency Core Cooling System Accumulator Pressure
Containment Spray Flow
Component Cooling Water Pump Discharge Pressure
Component Cooling Water Header Temperature
Component Cooling Water Surge Tank Level
Component Cooling Water Flow to ESF Components
Essential Cooling Water Flow
Residual Heat Removal System Flow
Residual Heat Removal Heat Exchanger Discharge Temperature

The following Post Accident Monitoring Recorders are driven by the QDPS demultiplexer:

Reactor Coolant System Pressure - Wide Range
Steam Generator Level - Wide Range
Containment Pressure
Containment Water Level - Wide Range
Containment Water Level - Narrow Range
Auxiliary Feedwater Storage Tank Level
Auxiliary Feedwater Flow
Core Exit Temperature
Reactor Coolant System Subcooling
Neutron Flux - Extended Range
Neutron Flux - Startup Rate
Reactor Vessel Water Level
Containment Hydrogen Concentration

The staff evaluation of conformance with R.G. 1.97 Revision 2 is addressed in Section 7.5.2.4 of this report.

7.5.1.3 Bypass and Inoperable Status Indication System

A system level bypass and inoperable indicator is provided for each safety related system. There is a separate lampbox for each ESF train. The component level lampbox windows provide visual indication that a specific ESF has been bypassed or deliberately rendered inoperable during normal plant operating modes. This indication also provides system level annunciation to alert the operator that an ESF system or any of its support systems has been bypassed or deliberately rendered inoperable during normal plant operating modes. The following conditions (as applicable) are automatically detected for each monitored component of the ESF system:

1. loss of control power
2. control handswitch in pull-to-lock position
3. circuit breaker not in operating position
4. control transferred from the control room to a remote panel
5. component not in its proper aligned position

Deliberate manual actions which render ESF actuated components and devices inoperable are automatically displayed on a component level. Active components not directly actuated by ESF signal but rendered inoperative once a year or more frequently such that it compromises the safety function of the ESF system are also automatically displayed.

The capability for initiating a manual bypass indication and an alarm is provided via a system level manual bypass switch to indicate the bypass/inoperable condition to the operator for those components or conditions which are not automatically monitored.

Manual bypass/inoperable indication may be set up or removed under administrative control. The automatic indication feature of the ESF Status Monitoring System cannot be removed by operator action.

Bypass and/or status indication on a system level is provided for the following safety related systems:

1. Solid-State Protection System
2. Safety Injection System (including RHR system components required for accident mitigation or safe shutdown)
3. Containment Spray System
4. Containment Isolation Phase A
5. Containment Ventilation Isolation
6. Class 1E 125 vdc and 120 v Vital AC Systems
7. Combustible Gas Control System
8. Containment Heat Removal System
9. Fuel Handling Building heating, ventilating, and air conditioning Exhaust Subsystem
10. Electrical Penetration Space HVAC System
11. Control Room Envelope and Electrical Auxiliary Building Main Area HVAC System
12. Feedwater Isolation
13. Steam Line Isolation
14. Auxiliary Feedwater System

The following support systems activate bypass indication of all supported safety systems listed above when they are bypassed or rendered inoperable:

1. Component Cooling Water System
2. Essential Cooling Water System
3. ESF Power Supply System (including the standby diesel generators and the ESF load sequencers)
4. Essential Chilled Water System

7.5.2 Specific Findings

7.5.2.1 NUREG-0737 item II.D.3, Direct Indication of Relief and Safety Valve Position

The two pressurizer PORVs are solenoid actuated valves which are operated automatically or by remote manual control. Each valve has stem-mounted magnetic reed switches for position indication. Valve position is indicated and alarmed in the control room and indicated on the auxiliary shutdown panel. The three pressurizer safety valves are spring loaded, opened by direct fluid pressure action. Each valve has an acoustic sensing device which actuates an alarm when the valve is not fully closed. The temperature for each safety valve and PORV is measured in the discharge lines and indicated in the control room. An increase in a discharge line temperature is an indication of leakage or relief through the associated valve. High temperature will be alarmed in the control room. The valve position sensors are seismically and environmentally qualified. The valve position indication is powered from a vital instrument bus, and the backup method of determining valve position is available as an aid to operator diagnosis of an action. The staff finds that the design is in conformance with the Action Plan guidelines and is, therefore, acceptable.

7.5.2.2 NUREG-0737, item II.F.1, Accident Monitoring Instrumentation, Positions (4), (5), and (6)

Positions (4), (5), and (6) of this Action Plan item require installation of the extended range containment pressure monitors, containment water level monitors, and containment hydrogen concentration monitors. Table 7.5-1 of the FSAR indicated that the information on these parameters is as follows:

(1) containment pressure (extended range)
    (a) the instruments are environmentally and seismically qualified.
    (b) the instrument range extended from 0 to 180 psig.
    (c) two channels are provided.
    (d) two displays and one recorder are provided at QDPS.

(2) containment water level (wide range)
    (a) the instruments are environmentally and seismically qualified.
    (b) the instrument range is 0 to 6 feet, equivalent to 0 to 609.000 gallons of water.
    (c) three channels are provided.
    (d) two displays and one recorder are provided at QDPS.

(3) containment hydrogen monitor
    (a) the instruments are environmentally and seismically qualified.
    (b) the instrument range extended from 0 to 10% concentration.
    (c) two channels are provided.
    (d) two displays and one recorder are provided at QDPS.

In an I&C design review meeting on March 27, 1985, the applicant provided the instrument accuracy and functional requirements for these three items as follows:

containment pressure: accuracy approximately 2 to 3%
function: determine potential for breach of containment

containment water level: accuracy 26 inches
function: diagnosis of LOCA

containment hydrogen monitors: accuracy approximately 51
function: input for manual actuation of hydrogen recombiners

The information listed above satisfies the requirements of NUREG-0737, Item II.F.1, Positions (4), (5) and (6). The staff finds that these instruments will not cause ambiguous indication for the operator during the accident condition. The accuracy is adequate for the intended function and is, therefore, acceptable.

7.5.2.3 Loss of Non Class 1E Instrumentation and Control Power System Bus During Operation (IE Bulletin 79-27)

The staff requested that the applicant review the instrumentation and control systems which could affect the ability to achieve a safe shutdown condition, and the adequacy of emergency procedures to be used by control room operators with respect to loss of power to each Class 1E and non Class 1E bus supplying power to instrumentation and control systems. This issue was addressed for operating reactors through IE Bulletin 79-27. In FSAR Amendment 46, the applicant responded that non Class 1E power is not required to support the ability to achieve hot standby or cold shutdown conditions. All the equipment required to achieve hot standby or cold shutdown is supplied power from one of the redundant Class 1E power sources. The non Class 1E power supply (such as computer alarms and annunciation) indicates to the operator of abnormal conditions and control systems normally used during plant operating modes. The power source for the computer and the plant annunciator system is backed up by a battery. The appropriate emergency procedures are being prepared for use at South Texas Project; they will address appropriate actions to be taken on the loss of an instrument bus. Therefore, the applicant concluded that the loss of power to any one instrumentation and control bus will not inhibit the ability to achieve a safe shutdown condition. The review and evaluation indicate that design modifications are not required. The staff agrees with this conclusion and finds it acceptable.

7.5.2.4 Post Accident Monitoring Instrumentation Conformance to R.G. 1.97, Revision 2

The evaluation of conformance to R.G. 1.97, Revision 2 will be addressed later. This is an open item.

7.5.2.5 Qualified Display Processing System Software Verification and Validation Program (V&V)

The Qualified Display Processing System (QDPS) is a microprocessor based system. The software implementation of the verification and validation program is under review. The staff will conduct three audits to evaluate the products from the V&V activities. This is an open item.

7.5.2.6 Qualified Display Processing System Interface With Class 1E Control System

There are four Class 1E control functions which are performed by the QDPS:

1. Closed-loop control and position indication for the steam generator power operated relief valves (PORV).
2. Contact output signals for automatic control and position indication of auxiliary feedwater control valves within upper and lower flow limits.
3. Open-loop control and position indication for the reactor vessel head vent valves.
4. Control for essential cooling water chillers.

The applicant has not fully documented his design. Additional information is required. This is an open item.

7.5.2.7 Qualified Display Processing System Interface With Alternate Shutdown Capability

The Qualified Display Processing System (QDPS) is used to provide data acquisition, display, and a limited number of control functions which are transferred to the auxiliary shutdown panel and other local control points following a control room fire. Because the QDPS design has not been completed, the evaluation of alternate shutdown capability will be addressed later. This is an open item.

7.5.2.8 Steam Generator Level Reference Leg Compensation

The Qualified Display Processing System is used to automatically compensate the steam generator level signals for the effect of temperature changes in the reference leg. Because the QDPS software program has not been completed, the evaluation of SG level reference leg compensation will be addressed later. This is an open item.

7.5.2.9 Qualified Display Processing System (QDPS)

The adequacy of the Qualified Display Processing System will be addressed later. This is an open item.

7.5.3 Evaluation Conclusion

Later.

7.6 Interlock Systems Important to Safety

7.6.1 Description

This section addresses the safety-related interlocks that:

(1) prevent the overpressurization of low-pressure systems
(2) ensure the availability of emergency core cooling system (ECCS) accumulators
(3) ensure the availability of ECCS long term cooling
(4) prevent the overpressurization of the primary cooling system during low-temperature operation
(5) protect safety-related components

The objective of the review was to confirm that design considerations such as redundancy, independence, single failures, qualification, bypasses, status indication, and testing are consistent with the design bases of these safety related systems.

7.6.2 Specific Findings

7.6.2.1 Residual Heat Removal System Isolation Valve Interlock

The residual heat removal (RHR) system isolation valve interlocks are provided to prevent overpressurization of the RHR system. There are two motor-operated gate valves in series in each inlet line from the reactor coolant system (RCS) to the RHR system. They are normally closed and are manually opened from the control room for residual heat removal after RCS pressure and temperature are reduced to approximately 400 psig and 350 F, respectively. The two valves in each RHR inlet line are powered from different Class 1E power sources. Each valve is interlocked to prevent its opening if RCS pressure is greater than 425 psig during plant cooldown, and to automatically close if RCS pressure exceeds 750 psig. The two valves in each RHR train receive pressure signals from different pressure transmitters which are supplied by different manufacturers.

The RHR system is isolated from the RCS on the discharge side by two check valves in each return line. The staff finds that the RHR system isolation valve interlock design conforms to the independence, separation, and diversity criteria. The design also satisfies BTP ICSB-3, "Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System." Therefore, the design of the RHR system isolation valve interlock is acceptable.
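The interlock and single-failure behaviour described above, as an added example (not part of the NRC evaluation or the applicant's design): a Python model of one RHR inlet line using the 425 psig and 750 psig setpoints from the text. The valve and transmitter names, the stuck-low transmitter failure mode and the pressure profile are constructed assumptions.

```python
"""Model of one RHR inlet line: two series valves, each with its own transmitter."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

OPEN_PERMISSIVE_PSIG = 425.0  # from the text: opening is blocked above this pressure
AUTO_CLOSE_PSIG = 750.0       # from the text: automatic closure above this pressure

# Constructed profile: (true RCS pressure in psig, operator open demand present)
PROFILE = [(2235.0, True), (600.0, True), (400.0, True), (500.0, False), (760.0, False)]


@dataclass
class Transmitter:
    """One pressure channel; stuck_at models a failed instrument (assumption)."""
    name: str
    stuck_at: Optional[float] = None

    def read(self, true_psig: float) -> float:
        return true_psig if self.stuck_at is None else self.stuck_at


@dataclass
class IsolationValve:
    """Normally closed motor-operated valve driven by its own transmitter."""
    name: str
    transmitter: Transmitter
    is_open: bool = False

    def step(self, true_psig: float, open_demand: bool) -> bool:
        sensed = self.transmitter.read(true_psig)
        if sensed > AUTO_CLOSE_PSIG:
            self.is_open = False          # automatic closure on high pressure
        elif open_demand and sensed <= OPEN_PERMISSIVE_PSIG:
            self.is_open = True           # manual opening, permissive satisfied
        # Between the two setpoints the valve holds its current position.
        return self.is_open


class InletLine:
    """Two valves in series; flow path exists only when both are open."""

    def __init__(self, failed_channels: Sequence[str] = (), stuck_at: float = 0.0):
        self.valves = []
        for ch in ("A", "B"):  # hypothetical channel names
            fault = stuck_at if ch in failed_channels else None
            self.valves.append(IsolationValve(f"MOV-{ch}", Transmitter(f"PT-{ch}", fault)))

    def step(self, true_psig: float, open_demand: bool) -> Tuple[bool, bool, bool]:
        states = [v.step(true_psig, open_demand) for v in self.valves]
        return states[0], states[1], all(states)


def run_profile(line: InletLine, profile=PROFILE) -> List[Tuple[bool, bool, bool]]:
    """Return (valve A open, valve B open, path open) for each profile step."""
    return [line.step(p, demand) for p, demand in profile]


def overpressure_exposure(failed_channels: Sequence[str] = (), profile=PROFILE) -> List[float]:
    """True pressures above the auto-close setpoint at which the path was open."""
    line = InletLine(failed_channels)
    return [p for p, demand in profile if line.step(p, demand)[2] and p > AUTO_CLOSE_PSIG]


if __name__ == "__main__":
    for failed in [(), ("A",), ("B",), ("A", "B")]:
        label = "+".join(failed) or "none"
        print(f"failed={label:5} exposure={overpressure_exposure(failed)}")
```

A single stuck-low transmitter lets its own valve open at high pressure, but the second valve keeps the line isolated; only the same failure in both channels exposes the low-pressure side, which is the case that transmitters from different manufacturers are meant to make unlikely.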

7.6.2.2 Accumulator Isolation Valve Interlock

A motor-operated isolation valve is provided at each accumulator outlet. These valves are normally open during plant operation. To prevent an inadvertent closing of these valves, power to the valve operator is locked out. During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period, the accumulator valve breakers should be opened. Administrative controls are required to ensure that these valve breakers are closed during the prestartup procedures. These valves are interlocked so that:

(1) they open automatically on receipt of a safety injection (SI) signal
(2) they open automatically whenever the RCS pressure is above SI unblock (P-11) setpoint
(3) they cannot be closed as long as the SI signal is present

Administrative controls require the performance of a periodic check valve leakage test. The interlock will ensure that the safety function is maintained during the test. There are two sets of valve position indicating lights on the main control board. One set of lights is operated by a valve motor limit switch, and the other set is actuated by a valve stem limit switch. The lights are powered by a separate Class 1E power supply that will not be affected by the removal of power from the valve motor circuit breakers. An alarm will sound when either of the limit switches senses that the valve is not fully open.

The staff finds that the design conforms to BTP ICSB-4 and is acceptable.

7.6.2.3 ECCS Switchover from Injection to Recirculation Mode of Operation Interlock

The ECCS automatic switchover from injection mode to recirculation mode is derived from the Refueling Water Storage Tank (RWST) low-low level signal coincident with the latched safety injection (SI) signal. The automatic switchover signal actuates the following ECCS components:

(1) Close the high head and the low head SI pump miniflow motor operated valves
(2) Open the containment sump isolation motor operated valves
(3) Initiate alarm in the main control room to notify the operator that switchover has commenced

In the automatic switchover circuit, the SI signal is individually sealed in, so that loss of the SI actuation signal will not cause the automatic switchover circuit to return to the condition held prior to SI actuation. The SI signal is maintained until manually reset from the control room. This switchover reset permits the operator to close the sump isolation valve for maintenance purposes. Additionally, an interlock prevents the RWST isolation valves from being opened unless the sump isolation valve in the same train is closed.

The staff has reviewed the electrical drawings and evaluated the single failure criterion against the availability of ECCS long term cooling and finds the design acceptable.

7.6.2.4 Reactor Coolant System Overpressure Protection During Low-Temperature Operation

The pressurizer power-operated relief valves (PORVs) are used to provide overpressure protection of the RCS during low-temperature operation. The PORVs are automatically opened when RCS pressure exceeds a programmed setpoint based on RCS temperature. During normal operation the low-temperature operation system is manually blocked to preclude a single failure resulting in inadvertent operation of a PORV. The wide-range RCS temperature measurements are used to provide the programmed overpressure setpoint. One train uses an auctioneered lowest hot-leg temperature signal, and the other uses an auctioneered lowest cold-leg temperature signal. During a plant shutdown a low RCS temperature alarm alerts the operator to arm the system for low temperature power operation of the RCS. When the system is armed, an alarm will occur if the block valve upstream of the PORV is not fully open. Also an alarm is provided to alert the operator when RCS pressure approaches the programmed setpoint for PORV operation. The staff reviewed the electrical schematics for pressurizer PORV control and the block valve control for all modes of operation. The staff finds the design acceptable.

, 7.6.2.5 Interlocks for Equipment Protection The applicant identified the following interlocks are important to safety-related components:

a j (1) RHR pump Low Flow Interlock The RHR pump low flow interlock stops a running RHR pump when the discharge flow is below a preset value. To improve operability and reliability, the low flow interlock for each pump is channelized into independent redundant t

protection sets. .This interlock is only effective when the main control board ,

i j switch for the pump is in the NORMAL position, it will not prohibit the pump to start when the switch holds steady in the START position. The switch is a three position switch and is spring returned to NORMAL from the STOP and START positions. The staff has reviewed the electrical drawings and finds that 1

1

. 65 -

t

-- g--g --se--+-y -m-4 y-----t-erg-- -----------.+---------e-*%r,w -

y,-.de--v-#e-q%-.-=-w-- w---e-+-->-T-- -

3-me=ee+<-= i-+9"rr- y w + = = se- e + + - - -=+%'m+~e~ew

j a single failure will only affect one RHR train, and therefore, the design is l acceptable.

l (2) Volume Control Tank Low-Low Level Interlock The volume control tank (VCT) low-low level interlock closes the two VCT out-l let isolation valves and opens the two suction valves from the Refueling Water l Storage Tant to the charging pumps. This control system ensures that the 4 ,

charging pumps always have a source of fluid during normal plant operation and i

protects them against loss of net positive suction head and the consequent of cavitation damage. This same action is performed upon receipt of the Safety Injection signal. The staff has reviewed the electrical drawings and finds the 3

design acceptable.

1 (3) Spray Additive Tank Low-Low Level Interlock The spray additive tank low-low level interlock closes the tank's discharge  !

f valve to preclude nitrogen from being drawn into the suction of the contain-l ment spray pumps. The interlock signal for each valve is channelized into independent redundant protection sets. The staff has reviewed the electrical

drawings and finds that a single failure will only affect one spray pump, and therefore, the design is acceptable.

(4) CVCS Seal Injection Charging Header Low Pressure Interlock

The charging header low pressure signal, in coincidence with the containment isolation Phase A signal, closes the CVCS seal water injection containment isolation valves. This interlock allows seal injection to the reactor coolant pump to be continued so long as the charging system is operating. The purpose of this interlock is to protect the reactor coolant pump. The applicant justifies the RCP seal injection system as an essential system. The staff has reviewed the electrical drawings and the justifications for this interlock, and finds the design acceptable.

(5) Letdown Valves Pressurizer Low Level Interlock

The pressurizer low level interlock closes the letdown stop valves and the letdown orifice isolation valves when the pressurizer water level is below a preset value. The purpose of this interlock is to maintain RCS inventory by isolating letdown. The pressurizer low level interlock signal is channelized into independent redundant protection sets. These valves also receive a containment isolation Phase A signal. The closure signals to each letdown valve are delayed so that the downstream valve can close before the stop valves, to prevent flashing in the regenerative heat exchanger. The staff has reviewed the electrical drawings and finds the design acceptable.

(6) Reactor Coolant Purity Control Interlock

The reactor coolant purity control interlock uses the boric acid tanks low-low signals to close the concentrated boric acid polishing isolation valves. The purpose of this interlock is to isolate the non-safety grade Reactor Coolant Purity Control System from the boric acid storage subsystem of the Chemical and Volume Control System (CVCS). The interlock ensures that any postulated failures in the nonseismic, non-safety Reactor Coolant Purity Control System do not allow loss of boric acid required for shutdown. The interlock causes the valve's solenoid to deenergize and the valve to fail closed when the water level in either boric acid tank is below the low-low level setpoint. The staff has reviewed the electrical drawings and finds the design acceptable.

7.7 Control Systems

7.7.1 System Description

Section 7.7 of the FSAR describes instrumentation and controls of major plant control systems whose functions are not essential for the safety of the plant. These control systems include the following:

(1) Reactor Control System
(2) Rod Control System
(3) Plant Control Signals for Monitoring and Indicating
(4) Plant Control System Interlocks
(5) Pressurizer Pressure Control System
(6) Pressurizer Water Level Control System
(7) Steam Generator Water Level Control System
(8) Steam Dump Control System
(9) Incore Instrumentation
(10) Boron Concentration Measurement System

7.7.1.1 Reactor Control System

The Reactor Control System maintains reactor coolant average temperature (Tavg) within prescribed limits by generating demand signals for moving the control rods. The system enables the nuclear plant to follow load changes automatically, including the acceptance of step load increases or decreases of 10 percent and a ramp increase or decrease of 5 percent per minute within the load range of 15 percent to 100 percent, without reactor trip, steam dump, or pressure relief valve actuation, subject to possible transient xenon limitations. The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load.

7.7.1.2 Rod Control System

The Rod Control System receives rod speed and direction signals from the reactor control system. The rod speed demand signal varies over the range of 3.75 to 45 inches per minute (6 to 72 steps/minute), depending on the magnitude of the input signal. Manual control is provided to move the control bank in or out at a prescribed fixed speed. A permissive interlock (C-5) derived from measurements of turbine impulse chamber pressure prevents automatic control when the turbine load is below 15 percent.

The shutdown banks are always in the fully withdrawn position during normal operation and are moved to this position at a constant speed by manual control prior to criticality. The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step. All Rod Cluster Control Assemblies (RCCAs) in a group are electrically paralleled to move simultaneously. There is individual position indication for each RCCA.

A reactor trip signal causes all the rods to fall by gravity into the core, and thus totally overrides the control system.

7.7.1.3 Plant Control Signals for Monitoring and Indicating

Plant Control System Signals are used to provide indications for monitoring plant conditions to ensure that variables are maintained within operating limits. The following discusses those systems used to monitor the operating status of the reactor.

The power range nuclear instrumentation channels are used to monitor core power level, axial flux imbalance, and radial flux imbalance. These channels are capable of recording overpower excursions up to 200 percent of full power.

The following alarms are provided:

(1) Deviation of indicated nuclear power from the four channels
(2) Upper core power radial tilt from the upper sections of the detectors for the four channels
(3) Lower core power radial tilt from the lower sections of the detectors for the four channels
(4) Axial flux difference imbalance (this alarm is derived from the plant computer).

Two separate systems are provided to sense and display control rod position. The digital position indication system measures the actual position of each rod. The control board display unit contains a column of Light-Emitting Diodes (LEDs) for each rod. At any given time, one LED illuminated in each column shows the position for that particular rod. The Demand Position System counts pulses generated in the Rod Drive Control System to provide a digital display of the demanded (not actual) bank position. Operating procedures require the reactor operator to compare the demanded position to the position indicated by the Digital Rod Position Indication System (DRPIS) to verify correct operation of the Rod Control System.

A rod deviation alarm is generated by the DRPIS if a preset limit is exceeded as a result of a comparison of any rod in a control bank with the other rods in the bank. The deviation alarm for a shutdown rod is actuated when a preset insertion limit is exceeded. The demanded and measured rod position signals are also monitored by the plant computer, which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the other rods in the bank by a preset limit. The alarm can be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors. A rod bottom signal from the DRPIS is used to generate a "Rod Bottom Rod Drop" alarm.
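The comparisons described above can be sketched as follows. This is an added example, not code from the FSAR, the applicant or the NRC staff; the setpoint values, bank and rod names, alarm labels and sample positions are constructed assumptions, since the evaluation gives no numeric limits.

```python
from dataclasses import dataclass
from statistics import median

# Constructed setpoints for illustration only (the page states no values).
DEVIATION_LIMIT_STEPS = 12       # assumed preset rod-to-bank deviation limit
SHUTDOWN_INSERTION_LIMIT = 240   # assumed: a shutdown rod below this alarms
ROD_BOTTOM_STEPS = 0             # assumed position reported at rod bottom


@dataclass(frozen=True)
class Bank:
    name: str
    kind: str        # "control" or "shutdown"
    demanded: int    # Demand Position System pulse count, in steps
    measured: dict   # rod id -> measured position from DRPIS, in steps


def evaluate_bank(bank):
    """Return a list of (alarm, bank, rod) tuples for one bank."""
    alarms = []
    for rod, pos in sorted(bank.measured.items()):
        # Rod bottom signal applies to every rod.
        if pos <= ROD_BOTTOM_STEPS:
            alarms.append(("ROD_BOTTOM", bank.name, rod))

        if bank.kind == "shutdown":
            # Shutdown rods are normally fully withdrawn; alarm on insertion
            # past the preset insertion limit.
            if pos < SHUTDOWN_INSERTION_LIMIT:
                alarms.append(("SHUTDOWN_ROD_INSERTED", bank.name, rod))
            continue

        # Control bank: compare this rod with the other rods in the bank.
        # The median of the others is used so one stuck rod cannot mask
        # itself by dragging the reference along with it.
        others = [p for r, p in bank.measured.items() if r != rod]
        if others and abs(pos - median(others)) > DEVIATION_LIMIT_STEPS:
            alarms.append(("ROD_DEVIATION", bank.name, rod))

        # Mirrors the operator's procedural check of demanded position
        # against the DRPIS indication.
        if abs(pos - bank.demanded) > DEVIATION_LIMIT_STEPS:
            alarms.append(("DEMAND_MISMATCH", bank.name, rod))
    return alarms


# Constructed sample data: one control bank with a lagging rod, and one
# shutdown bank with a dropped rod.
SAMPLE_BANKS = [
    Bank("D", "control", 180, {"D1": 180, "D2": 178, "D3": 150, "D4": 180}),
    Bank("SA", "shutdown", 250, {"SA1": 250, "SA2": 0}),
]

if __name__ == "__main__":
    for b in SAMPLE_BANKS:
        for alarm in evaluate_bank(b):
            print(alarm)
```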

When the reactor is critical, the normal indication of the status of reactivity in the core is the position of the control rod bank in relation to reactor power (as indicated by the RCS loop ΔT) and the coolant average temperature. These parameters are used to calculate insertion limits for the control banks. Two alarms are provided for each control bank. The "low" alarm alerts the operator to an approach to the rod insertion limits which will require boron addition by following normal procedures with the Chemical and Volume Control System (CVCS). The "low-low" alarm alerts the operator to take immediate action to add boron to the RCS by any one of several alternate methods.

7.7.1.4 Plant Control System Interlocks

Rod stops are provided to prevent abnormal plant conditions which could result from excessive control rod withdrawal initiated by either a control system malfunction or operator violation of administrative procedures. Conditions that block both automatic and manual rod withdrawal are high neutron flux, overtemperature ΔT and overpower ΔT. Automatic rod withdrawal is also blocked when the turbine impulse chamber pressure is below set point.

Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. The runback prevents high power operation that might lead to an undesirable condition which, if reached, would be protected by reactor trip. Turbine load reference reduction is initiated by either an overtemperature or overpower ΔT signal. The same signals initiate the rod stop described above. The turbine runback is continued until the ΔT signals are equal to or less than ΔT rod stop.

An interlock is provided to limit turbine loading during a rapid return to power transient when a reduction in reactor coolant temperature is used to increase reactor power through the negative moderator coefficient. This interlock limits the reduction in coolant temperature so that it does not reach cooldown accident limits and preserves satisfactory steam generator operating conditions. Subsequent automatic turbine loading can begin after the interlock set point has been cleared by an increase in coolant temperature, which is accomplished by reducing the boron concentration in the coolant.

7.7.1.5 Pressurizer Pressure Control System

The Reactor Coolant System pressure is controlled by using either the pressurizer heaters or the spray (in the steam region) of the pressurizer plus steam relief for large transients.

The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct for small pressure variations. These variations are caused by heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are automatically energized when all proportional heaters are energized and the compensated pressure signal continues to decrease.

The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given set point. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value. Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Power-operated relief valves limit system pressure for large positive pressure transients and reduce the possibility of actuating the pressurizer safety valves.

7.7.1.6 Pressurizer Water Level Control System

The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant varies with temperature, the steam-water interface is adjusted to compensate for the density variations with relatively small pressure disturbances. The water inventory in the Reactor Coolant System is maintained by the CVCS. During normal plant operation, the charging flow is varied to automatically produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant average temperature, with the highest measured average temperature (auctioneered) being used. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes.

7.7.1.7 Steam Generator Water Level Control System

Each steam generator is equipped with a three-element feedwater flow controller which is planned to operate with a constant water level setpoint. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the SG water level signal, the programmed level setpoint, and the pressure-compensated steam flow signal.

The feedwater pump speed is varied to maintain a programmed pressure differential between the steam header and the feedwater pump discharge header. The speed controller continuously compares the measured ΔP with a programmed ΔP reference which is a linear function of steam flow. Manual override of the feedwater control system is available at all times.

7.7.1.8 Steam Dump Control System

The Steam Dump System, together with the Rod Control System, is designed to accept a 50-percent loss of net load without tripping the reactor. The system functions automatically by bypassing steam directly to the condenser and/or the atmosphere to maintain an artificial load on the primary system. The Rod Control System can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions.

A demand signal for the load-rejection steam dump controller is generated if the difference between the reference average temperature based on turbine impulse chamber pressure and the lead/lag-compensated auctioneered Tavg exceeds a preset value. To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine impulse chamber pressure and blocks the steam dump unless the rate exceeds a preset value.

Following a turbine trip, the load-rejection steam dump controller is deactivated and the turbine trip steam dump controller becomes active. The demand signal for this controller is generated if the difference between the lead/lag-compensated, auctioneered Tavg and the no-load reference Tavg exceeds a preset value. As the error signal reduces in magnitude following tripping of the dump valves, the dump valves are modulated by the controller to regulate the rate of heat removal and thus gradually establish the equilibrium hot shutdown condition.

Removal of the residual heat during a shutdown is accomplished by the steam-pressure controller, which controls the steam flow to the condensers based on measured steam pressure. This controller operates a portion of the same steam dump valves to the condenser which are used following load rejection or plant trip.

7.7.1.9 Incore Instrumentation

The Incore Instrumentation System consists of 50 chromel-alumel thermocouples at fixed core outlet positions, and six movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies.

Chromel-alumel thermocouples are threaded into guide tubes that penetrate the reactor vessel head through seal assemblies and terminate at the exit flow end of the fuel assemblies. Thermocouple readings are monitored by the QDPS.

The movable neutron detectors are fission chambers that can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. The equipment for control, position indication, and flux recording for each detector is located in the control room.

7.7.1.10 Boron Concentration Measurement System

The Boron Concentration Measurement System (BCMS) utilizes a sampler assembly unit which contains a neutron source and neutron detector. The sampler unit is located in a shield tank. The shield tank is filled with ordinary tap water. Piping within the shield tank is arranged to provide coolant sample flow between the neutron source and the neutron detector. Neutrons originating at the source are thermalized in the sample and surrounding moderator and pass through the sample and impinge upon the detector. The boron concentration is calculated by monitoring the neutron count-rate. The neutron cross-section of the boron in the sample is a function of the sample temperature. Therefore, automatically controlled heaters are provided to maintain the temperature of the water in the shield tank, and thus the temperature of the sample, constant.

The BCMS provides continuous monitoring of the reactor coolant boron concentration. Therefore, adjustments of boron concentration in the reactor coolant can be monitored as they are being made.

The BCMS is designed for use as an advisory system. It is not used for fundamental operating decisions but, rather, provides information as to when additional check analyses are warranted.


7.7.2 Specific Findings

7.7.2.1 Control System Failures Caused by Malfunctions of Common Power Source or Instrument Line

To provide assurance that the FSAR Chapter 15 analyses adequately bound events initiated by a single credible failure or malfunction, the staff asked the applicant to identify any power source or sensors that provide power or signals to two or more control functions and demonstrate that failures or malfunctions of these power sources or sensors will not result in consequences more severe than those of the Chapter 15 analyses or beyond the capability of the operator or the safety systems. In FSAR Amendment 46, the applicant provided a response to this concern. A detailed analysis of the effects of power source, sensor, and impulse line failure was performed for each of the following control systems:

(1) reactor control
(2) steam dump
(3) pressurizer pressure control
(4) pressurizer level control
(5) feedwater control

The applicant has provided a summary of the events resulting from each postulated failure and identified the specific Chapter 15 analysis that delineates the bounding consequences of the failure. The staff has reviewed the bases for the applicant's study and concludes that there is reasonable assurance that the consequences of single failures within the control systems are bounded by analyses in FSAR Chapter 15 and, therefore, are acceptable.

7.7.2.2 Control System Failure Caused by High-Energy-Line Breaks

Operating reactor licensees were informed by IE Information Notice 79-22 that if certain nonsafety-grade control equipment were subjected to the adverse environment of a high-energy-line break, this may impact the safety analyses and the adequacy of the protection functions performed by the safety-grade equipment. The staff has requested a review to determine whether the harsh environment associated with high-energy-line breaks might cause control system malfunction and result in a consequence more severe than those of the FSAR Chapter 15 analyses or beyond the capability of operators or safety systems.

In FSAR Amendment 46, the applicant provided a response to this concern. The applicant performed an analysis on four control systems that could potentially malfunction as a result of a high-energy-line break inside or outside containment. These control systems include

(1) steam generator power-operated relief valve (PORV) control
(2) pressurizer power-operated relief valve control
(3) main feedwater control
(4) automatic rod control

A review was made of the above four control systems for a postulated failure due to adverse environment of a high energy line break.

(1) A failure of the steam generator PORV

Since the steam generator PORV system is a Class 1E system, all portions of the steam generator PORV that could be exposed to an adverse environment are isolated in the Isolation Valve Cubicle (IVC) on a loop-by-loop basis. Only one PORV could be affected by adverse conditions and that PORV would be in the affected loop. The staff finds that the consequence of steam generator PORV failure in the faulty loop is acceptable.

(2) A failure of the pressurizer PORV

The instrumentation for the pressurizer PORV control system is fully qualified for the adverse environment. A high energy line break will not cause a malfunction within this system; therefore, the staff finds this acceptable.

(3) A failure of the main feedwater control system

The steam flow and steam generator water level transmitters are located inside the containment and are environmentally qualified for the adverse environment. The feedwater flow transmitters are located inside the turbine building and the feedwater process controls are located in the Electrical Auxiliary Building. The feedwater isolation valves and associated instrumentation are compartmentalized by loop within the isolation valve cubicle, thus restricting exposure to the harsh environment to the loop with the break. A failure of the main feedwater control system either on low-low steam generator level or on high-high steam generator level is bounded by the protection system and is, therefore, acceptable.

(4) A failure of the automatic rod control system

The applicant stated (in response to Q32.44) that for a steamline rupture, the excore detectors which supply input to the rod control system could be exposed to the adverse environment and initiate rod withdrawal. The applicant further stated that these excore detectors have been environmentally qualified for a limited period of time (5 minutes) after a MSLB. It is not clear whether the excore detectors are qualified beyond 5 minutes due to the adverse environment following a small steam line rupture which has not caused a reactor trip. Additional information is required either to justify that "5 minutes" is a sufficient time to perform the safety action or to qualify the instruments and the related components for a longer period of time to be consistent with the postulated scenario. This is an open item.

7.7.2.3 NUREG-0737, Item II.K.3.9, Proportional Integral Derivative (PID) Controller Modification

This item is a post-implementation review item. The applicant shall inform the NRC when the modification has been completed. This is a confirmatory item subject to formal documentation on completion of the proportional integral derivative controller modification.

7.7.3 Evaluation Conclusion

Later.