ML20196F840

From kanterella
Forwards Arguments for Retaining & Dropping Listed SEP Topics in Response to D Eisenhut 770713 Memo
Person / Time
Issue date: 07/26/1977
From: Tondi D
Office of Nuclear Reactor Regulation
To: Schierling H
Office of Nuclear Reactor Regulation
Shared Package List: ML20196F442
References
FOIA-87-854, TASK-03-10.B, TASK-07-02, TASK-07-03, TASK-07-04, TASK-08-02, TASK-08-03.B, TASK-3-10.B, TASK-7-2, TASK-7-3, TASK-7-4, TASK-8-2, TASK-8-3.B, TASK-RR NUDOCS 8803040208
Download: ML20196F840 (13)


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

JUL 26 1977

MEMORANDUM FOR: H. Schierling, SEP Coordinator, Plant Systems Branch, DOR
FROM: D. Tondi, Section Leader, Plant Systems Branch
THRU: W. Butler, Chief, Plant Systems Branch, DOR
SUBJECT: SYSTEMATIC EVALUATION PROGRAM (SEP)

In response to the D. Eisenhut to W. Butler memorandum, dated July 13, 1977, enclosed are the arguments for retaining and dropping the following SEP topics:

III.10.B Thermal Overload Protection for Motors of Motor Operated Valves (Chiramal)
VI.8.A.3 ECCS Actuation System (Chiramal)
VI.8.C.1 Appendix K - Electrical Instrumentation and Control Systems Branch (EICSB) Re-reviews (Chiramal)
VI.8.F Accumulator Isolation Valves Power and Control System Design (Chiramal)
VI.12.A Testing of Reactor Trip System and Engineered Safety Features Including Response Time Testing (Shemanski)
VI.12.B Shared Engineered Safety Features, On-Site Emergency Power, and Service Systems for Multiple Unit Facilities (Shemanski)
VII.1.C Isolation of Reactor Protection System from Non-Safety Systems Including Qualifications of Isolation Devices (Butcher)
VII.1.D Protection System Automatic Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service (Butcher)
VII.2 Engineered Safety Features (ESF) System Control Logic and Design (Butcher)
VII.3 Systems Required for Safe Shutdown (Shemanski)
VIII.2 Onsite Emergency Power Systems - Diesel Generator (Chiramal)
VIII.3.B DC Power System Bus Voltage Monitoring and Annunciation (Shemanski)

The following two items were recategorized, per our discussion, as G1 items (other NRR activity already underway) and therefore are not included:

VII.1.C.b Trip Uncertainty and Setpoint Analysis Review of Operating Data Base (Butcher)
VII.4 Effects of Failure in Non-Safety Related Systems on Selected Engineered Safety Features (Butcher)

D. Tondi, Section Leader
Plant Systems Branch
Division of Operating Reactors


III-10.B Thermal Overload Protection for Motors of Motor-Operated Valves

Pro 1: Thermal overload protection for motors of safety-related MOVs should have the trip point set sufficiently high to prevent spurious trips. Periodic tests should verify the accuracy and reliability of overload trip set points.

Pro 2: The thermal overload protection may be bypassed under accident conditions so that the motor will drive the valve to its required position and not trip.

Con 1: The majority of operations of these motors will be during testing of the valves. In these cases the thermal overload should be available to protect the motors. Since the probability of an accident is very low, it is unnecessary to bypass the overload protection for just these few occasions. (The surveillance testing of the motor operated valves is sufficient to verify operability.)


VI-8.A.3 ECCS Actuation System

Pro 1: The periodic functional testing of the emergency core cooling system demonstrates the operability of the system as a whole and should include all components of the system. The tests should duplicate as closely as practical the performance that is required of the system in the event of an accident.

Con 1: In the operating reactor plants the testing of operation of the entire ECCS may disrupt reactor operation and damage plant equipment.


VI-8.C.1 Appendix K - Electrical Instrumentation and Control Systems Branch (EICSB) Re-reviews

Pro 1: An analysis of the possible failure modes of ECCS equipment and of their effects on ECCS performance must be made. The modified ECCS must be designed to meet the most limiting single failure in accordance with the Code of Federal Regulations, Appendix K.


VI-8.F Accumulator Isolation Valves Power and Control System Design

Pro 1: When closed, the accumulator isolation MOV prevents the accumulator from performing its intended protective function. This "operating bypass" must be removed automatically whenever its permissive conditions are not met. This means that all conditions of BTP EICSB 4 should be incorporated in the design.

Pro 2: A single failure in the electrical control system could result in the loss of capability of the valve to perform its function. This would not conform to BTP EICSB-18.

Con 1: Strict adherence to administrative procedures can achieve a high degree of control without the use of automatic control systems, which can cause further failures and which are to be periodically tested.

Con 2: An electrical system fault that could cause mechanical motion of a valve can occur either at the motor control center or at the control station. Both these areas are accessible, and the fault can be rectified.


VI-12.A Testing of Reactor Trip System and Engineered Safety Features, Including Response Time Testing

Pro 1: The accident analyses in the FSAR assume certain response times for the RPS. Periodic verification of the protection system response times is required to assure that they are within the design specifications assumed in the accident analyses.

Pro 2: The ability of the protection system to initiate the operation of safety systems depends on the proper performance of actuation devices; therefore, these devices are required to be tested. GDC 20 requires that the protection system be designed to initiate the operation of systems and components important to safety.

Pro 3: Failure to adequately ensure the operability of the reactor trip system and engineered safety features can result in a lesser reliability and potential consequences of safety significance.

Con 1: In the case of some engineered safety feature systems, testing the operation of the entire group of actuated equipment associated with a protective function may damage plant equipment or disrupt reactor operation.

Con 2: Early designs do not provide an acceptable degree of "built in" testability in those portions of the protection system used to initiate the operation of ESF, standby power supplies and other supporting systems.

Con 3: The ability of a system to respond to a bona fide accident signal may be partially or completely bypassed during testing, and certain actuated equipment may not be available.

VI-12.B Shared Engineered Safety Features, On-Site Emergency Power, and Service Systems for Multiple Unit Stations

Pro 1: Multiple unit sharing considerations are important to safety because they generally result in a reduction of the number and of the capacity of on-site systems to below that which normally is provided for the same number of units located at separate sites. The reduced capacity could cause undesirable interactions. Examples of such interactions are (1) the interconnection of engineered safety feature (ESF) control circuits of each unit such that failures and maintenance or testing operations in one unit affect the availability of ESF in other units, (2) coordination required between unit operators in order to cope with an accident in one unit and safe shutdown of the remaining unit(s), and (3) system overload conditions as a consequence of a real accident in a unit coincident with a false or spurious accident signal in another unit.

Pro 2: GDC 5 prohibits structures, systems and components important to safety from being shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions.

Con 1: Because of the low probability of a major reactor accident, the NRC staff assumes that an accident occurs in only one of the units at a time, with all remaining units proceeding to an orderly shutdown and a maintained cooldown condition.


VII-1.C Isolation of Reactor Protection System From Non-Safety Systems, Including Qualifications of Isolation Devices

Pro 1: Adequate isolation of protection circuits from non-safety systems is fundamental to satisfying the single failure criterion. Isolation arrangements that were thought to have been implemented during the licensing review of some operating plants have since been shown to be either inadequate or inadequately implemented (e.g., Calvert Cliffs 1 LER 76-42/1T). Complete isolation is necessary because it is not practical to identify and certify as acceptable all of the possible combinations of events resulting from failures of non-isolated systems. Events of special concern are those like the Calvert Cliffs example cited above where failures of non-safety equipment (i.e., plant computer) caused a transient and at the same time caused feedback to the RPS system that could have interfered with a channel trip. The criteria for isolation devices to protect against these types of events have changed substantially in recent years as the importance of isolation was highlighted by events at operating reactors. Therefore, the SEP should verify that adequate isolation is provided at all operating plants.

Con 1: The scenarios that could lead to significant offsite doses are thought to be of low probability and to involve multiple failures.


VII-1.D Protection System Automatic Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service

Pro 1: Failure to change to the more restrictive setpoint could result in the reactor operating above safety limits and potentially cause fuel damage with increased offsite doses for certain transients or accidents.

Pro 2: The manual changing of setpoints to more restrictive setpoints while operating at power is conducive to the potential for introduction of common mode failure, i.e., operator error.

Con 1: Secondary backup trips not requiring resetting would tend to limit the consequences of transients and accidents. However, this has not been verified by formal analysis for all cases.

Con 2: Proper setpoint adjustments were considered and required at the time of licensing by means of administrative procedures.

Con 3: The probability of an operator error in changing a setpoint or forgetting to change it, combined with the probability of occurrence of a transient or accident of concern, is low.


VII-2 Engineered Safety Features (ESF) System Control Logic and Design

Pro 1: Many design basis events require automatic operation of ESF to keep offsite doses within 10 CFR 100 limits. Therefore, proper operation of ESF control equipment is essential to safety and must be verified.

Pro 2: Recent reviews connected with the SIS reset issue have raised questions about the independence of redundant channels of control equipment (e.g., one single reset button for two redundant channels was found on several plants).

Pro 3: Some ESF automatic control systems must be supplemented by operator action for certain accident scenarios. Recent reviews have confirmed that in many cases the necessary operator actions are not provided in the emergency procedures. The SEP could plug these holes in the accident consequences mitigation sequence. Periodic testing verifies ESF control system integrity but does not verify the operator's ability to perform manual actions required for all accident scenarios (e.g., loss of offsite power after SIS reset).

Con 1: The importance of ESF control system functions to limiting offsite doses was considered in the review in accordance with then existing criteria.

Con 2: No safety hazard has been confirmed, only questions raised. A better use of limited staff resources might be to focus on confirmed safety questions.

Con 3: Generally the scenarios not covered by emergency procedures are thought to be of low probability. The operator's general training should provide him with the knowledge to analyze the situation and adapt his actions to the changing conditions, provided sufficient time is available. It is impossible to identify all the possible accident scenarios and provide emergency procedures to cover them. We must rely upon the operator's judgement.


VII-3 Systems Required For Safe Shutdown

Pro 1: The main objectives of the review of systems required for safe shutdown are to determine that the design of these systems includes the required redundancy; meets the single failure criterion; provides the required capacity and reliability to perform intended safety functions on demand; and provides the capability to function during and after design basis events such as earthquakes and anticipated operational occurrences. It is particularly important that the older plants be reviewed since they are more likely not to be in conformance with the current criteria.

Pro 2: Failure of a nuclear plant to conform to the objectives in Item 1 can result in consequences greater than a small fraction of 10 CFR 100 consequences.

Con 1: Operating experience to date has not shown any serious design deficiencies with regard to the systems required for safe shutdown. As such, the systems currently in use for the purpose of achieving both hot and cold shutdowns are judged to be acceptable by the NRC staff.

Con 2: Other systems, in addition to those provided explicitly for safe shutdown, are available and have the capability to provide for a safe plant.


VIII-3.B DC Power System Bus Voltage Monitoring and Annunciation

Pro 1: The d-c power systems include those d-c power sources and their distribution systems and vital supporting systems provided to supply motive or control power to safety-related equipment. Failure of the bus voltage monitoring and annunciation schemes may not allow the operator to (1) prevent the loss of an emergency d-c bus; or (2) take timely corrective action in the event of loss of an emergency d-c bus. Such an event recently occurred at Zion.

Pro 2: The recent attention given to d-c systems in general by the ACRS as a result of the "Epler letter" is justification enough to retain this item in the SEP.

Con 1: None

Con 2: In review of all the LERs related to d-c power systems, to date we have not encountered a single event that has contributed significantly to increasing the risk to public safety.
