ML20210H198
| ML20210H198 | |
| Person / Time | |
|---|---|
| Site: | 05000601 |
| Issue date: | 08/31/1986 |
| From: | WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML19292F933 | List: |
| References | |
| NUDOCS 8609260100 | |
| Download: ML20210H198 (69) | |
Text
- - . . . . .. - -_ _ -. _-.-... .--.. . _ . _ - _ . . _ . . - - _ . . _-..-__ _ .
s .-
4 NESTINGHOUSE CLASS 3 AMENDMENT 2 TO RESAR-SP/90 PDA MODULE 9
" INSTRUMENTATIONS & CONTROLS AND ELECTRIC POWER" i
l 4
i i
i i
'l I
d B
i i
l I i'
. I 1
f I
i i
AMENDHENT 2 HAPHR-I&C/EP 1 4904e:Id AUGUST, 1986 i
.i 8609260100 860829 PDR ADOCK 05000601
- A PDR
O AMENDMENT 2 TO RESAR-SP/90 PDA MODULE 9
" INSTRUMENTATIONS & CONTROLS AND ELECTRIC POWER" l
INSTRUCTION SHEET Remove currerit page 7.1-65/7.1-66 and replace with revised page 7.1-65/7.1-66.
Remove current Figure 7.2-1 (Sheet 3 of 14) and replace with revised Figure 7.2-1 (Sheet 3).
! Remove current page 7.3-3/7.3-4 and replace with revised page 7.3-3/7.3-4.
Remove current page 7.3-11/7.3-12 and replace with revised page 7.3-11/7.3-12.
i Remove current page 7.3-27/7.3-28 (Table 7.3-1) and replace with revised page 7.3-27/7.3-28.
i Remove current page 7.4-3/7.4-4 and replace with revised page 7.4-3/7.4-4.
I Remove current page 7.5-9/7.5-10 and replace with revised page 7.5-9/7.5-10.
I Remove current page 7.5-13/7.5-14 and replace with revised page 7.5-13/7.5-14.
Remove current pages 7.5-22 through 7.5-43 and replace with revised pages 7.5-22 through 7.5-50.
Remove current page 7.6-5/7.6-6 and replace with revised page 7.6-5/7.6-6.
Remove current page 7B-7 and replace with revised page 7B-7.
Insert remainder of package behind Amendment 1 (page 430 7) in the Questions / Answers section.
tiAPHR-I&C/EP i AMENDMENT 2 AUGUST, 1986 4904e:1d 1
i O Reactor Trin Breaker Bvnass Canability A reactor ~ trip will be actuated by opening any two of four of the pairs of rector trip breakers, one pair being associated with each of four integrated protection cabinets. The breakers will be arranged such that the opening of any two pairs of breakers will de-engergize the control rod drives, thus causing the reactor trip. See Subsection 7.1.1.4.1. During maintenance or except once during testing of the trip actuation logic, the trip signals going to the undervoltage coils of the reactor trip breakers will be blocked. The logic for performing this bypass function is shown of Figure 7.2-1. Sheet 1.
A description and evaluation of the logic is contained in Reference 1. The logic will automatically ensure that no more than one pair (one actuation train) of breakers can be bypassed at any one time. In the event that an attempt to bypass the breakers from one channel set occurs while another channel set is in the bypass mode, those breakers will be tripped rather than bypassed. Then if a trip signal is ger.erated by either of the two remaining channel set is in the bypass mode, those breakers will be tripped rather than
~
bypassed. Then if a trip signal is generated by either of the two remaining channel set (one-out-of-two) the reactor will trip. If more than two bypasses are actuated at a given time, the reactor will be tripped directly. The breaker bypass status will be communicated between the integrated protection cabinets by the same system of isolated data links which carry the partial trip information. If a trip of any two out of the remaining three pairs occurs while one is in bypass, then that one will be tripprd as well.
Rynass of Enaineered Safety Features No ESF system-level actuation logic bypasses (for test or maintenance) will be provided. Instead, all of the actuation logic. within the ESFAC cabinet will be in duplicate. Built in test capabilities are discussed in Subsection 7.1.1.3.10.
7.1.2.2.12 Conformance to Requirements on Operating bypasses (Paragraph 4.12 of IEEE 279-1971)
In addition to the test and maintenance bypasses described in the previous section, several operating bypasses will be provided. These bypasses will 7.1-65 AMENDHENT 2 NAPHR-I&C/EP AUGUST, 1986 4904e:1d
o O
automatically block certain protective actions which would otherwise prevent modes of operations such as start-up, etc. All of the operating bypasses will be automatically removed when the plant moves to an operating regime where the protective action would be required if an accident occurred. These operating bypasses are discussed in more detail in Subsections 7.2.1.1.9 and 7.3.1.1.11.
7.1.2.2.13 Conformance to Requirements to Provide Indication of Bypasses (Paragraph 4.13 of IEEE 279-1971, Regulatory Guide 1.47, EISCB-21)
Status indication for the channel level and the reactor trip breaker bypasses described in Subsection 7.1.2.2.11 will be provided in the control room. The display of the status information will be such that the operator can identify the specific function (s) which is bypassed, and also determine if the logic has reverted to 2/3 or 1/2. In addition to the status indication, an alarm will be sounded in the control room if more than one bypass has been applied to a given protection function, thus causing 1/2 logic. The bypass indication system will be a balance-of-plant design. Westinghouse will supply the I necessary IPS bypass status outputs for use by the balance-of-plant designer.
7.1.2.2.14 Conformance to Requirements Controlling Access to the Means for Bypassing (Paragraph 4.14 of IEEE 279-1971)
The bypasses described in Subsection 7.1.2.2.11 could be initiated in either of two ways, automatically via the automatic test system or manually via bypass switches. In either case, the operator will have complete administrative _ control over bypass actuation. The automatic test sequence l
bypass will be manually initiated and the manual bypass switches will be located inside the integrated protection cabinets. The IPC doors will be locked under administrative procedures.
7.1.2.2.15 Conformance to the Requirements on the Use of Multiple -Setpoints (Paragraph 4.15 of IEEE 279-1971 EICSB-12)
This subject is not applicable to the HAPHR IPS because it is not necessary O
that setpoints be made more restrictive as a function of operational mode.
7.1-66 NOVEMBER, 198 BAPHR-I&C/EP 4904e:ld
l l' s .
l l
l l
i
+(a ,c) i.
i i
h l
Figure 7.2-1 i
WAPWR STANDARD FUNCTIONAL DIAGRAMS t
(SHEET 3 OF 14) l l
l i
1 1
l
.l 1
i i
f i
i 1
\\
AMENDMENT 2 BAPHR-I&C/EP 4904e:1d AUGUST, 1986 t
8 l
i
The system-level signals must then be broken down to the individual signals through the logic cabinets to start each' component associated with an engineered safety. feature. For example, a single safety injection signal must start pumps, align valves, start diesel generators, etc. T'he interposing logic within each logic cabinet accomplishes this function and also performs necessary interlocking to ensure that components are properly aligned for safety. Component-level manual actions are also processed in the interposing logic. Since each logic cabinet computer signal is triplicated for reliability and to prevent inadvertent actuation, the triplicated component-level signals must be " voted" in the power interface. The power interface also transforms the low level signals to voltages and currents commensurate with the actuation devices which they must operate. The actuation devices in turn control motive power to the final safeguards component. The logic cabinets thus interface the integrated protection system to the 2 safeguards trains of the protective action system.
Subsection 7.3.1.1 provides a description of each of the engineered safety features. Subsection 7.3.1.2 provides the design bases information as O ,
required by Section 3 of IEEE 279-1971. Subsection 7.3.2 discusses conformance of the engineered safety features to the requirements stated in Section 4 of IEEE 279-1971. The functional diagrams for engineered safety features actuation are presented in Figure 7.2-1.
7.3.1.1 Functional Descrintion The following subsections describe the specific engineered safety features and are grouped into the following categories of actuation signal :
O 1. Safety Injection (Subsection 7.3.1.1.1)
- 2. Steam 11ne Isolation (Subsection 7.3.1.1.2)
- 3. Containment Spray (Subsection 7.3.1.1.3)
- 4. Containment Isolation (Subsection 7.3.1.1.4)
O 5.. Main Feedwater Isolation (Subsection 7.3.1.1.5)
- 6. Emergency Feedwater (Subsection 7.3.1.1.6)
- 7. Blocking Boron Dilution (Subsection 7.3.1.1.7)
O HAPWR-I&C/EP 4904e:Id 7.3-3 NOVEMBER, 1984 l
b lists the engineered safety features actuation signals and e
Table 7.3-1 summarizes the coincidence logic that will actuate these functions. The permissives and interlocks for the functions are given on Table 7.3-3.
System-level manual inputs to ESF are listed on Table 7.3-4.
7.3.1.1.1 Engineered Safety Features Actuated on a Safety Injection (SI)
Signal (See Figure 7.2-1, Sheet 12)
The safety injection signal will be derived from one or more of the following O
initiating means:
- 1. Manual Initiation of Safety Injection; or
- 2. High (Hi-1) Containment Pressure; or
- 3. Pressurizer Low Pressure; or
- 4. Low Compensated Steam 11ne Pressure in any Steamline; or l S. Low-3 T in 2/4 loops.
cold To permit startup and cooldown, the safety injection signals on low I compensated steamline pressure, low pressurizer pressure, or low-3 Tcold may be manually blocked when pressurizer pressure is below the P-11 setpoint. To permit operation below normal operating temperatures for at power reactivity control, the safety injection signal on low-3 Tcold is automatically blocked whenever nuclear power is above the P-15 setpoint.
The safety injection signal may be raanually reset after the diesel loading 2 sequencing (see pg. 8.3-32 of Module 9) has gone to completion, and during this time the operator cannot block the safety injection signal. It will remain reset until the reactor trip breakers are closed. The time delay I assures that, on a blackout, the diesel generators have been brought up to
- speed and all the required loads sequenced on before permitting the operator l to reset safety injection signal. Resetting the signal does not turn off any safeguards equipment, since individual components are required to latch in and seal on the SI signal. (See note 5 on Figure 7.2-1. Sheet 12).
O HAPHR-I&C/EP 7.3-4 AMENDMENT 2 AUGUST, 1986 4904e:1d l
(
O logic cabinets will not be bypassed for test. Instead, the output of one of the two ESF logic trains in an ESFAC cabinet during test will generate a 2 demand signal which is blocked by the downstream logic.
7.3.1.1.10 Sequencing of ESF Loads See Chapter 8.
7.3.1.2 Desian Bases for Enaineered Safety Features Actuation This section provides the design bases information for engineered safety features actuation, including the information required by Section 3 of IEEE 279-1971. Engineered safety features are protective functions initiated by 4
the integrated protection system. Consequently, there- is no ESF actuation system per se. Those design bases which relate to the equipment which '
initiate and accomplish engineered safety features are given in Subsection 7.1.2.1 and are not repeated here. The design bases presented here are concerned with the variables monitored for ESF actuation and the minimum l performance requirements in generating the actuation signals.
Design Basis; Generating Station Conditions Requiring ESF 7.3.1.2.1 Actuation (Paragraph 1 of Section 3 of IEEE 279-1971) i The following is a summary of those generating station conditions requiring protective action:
- 1. Primary System
- a. Rupture in small pipes or cracks in large pipes
- b. Rupture of a reactor coolant pipe (loss of coolant accident)
- c. Steam generator tube rupture.
O AMENDMENT 2 7.3-11 AUGUST, 1986 HAPHR-I&C/EP 4904e:Id
i
- 2. Secondary System
- a. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief or safety valve
- b. Rupture of a major steamline pipe
- c. Rupture in feedline pipe O
Table 7.2-4 summarizes the engineered safety features as they relate to Condition II, III, or IV events as analyzed in Chapter 15.
7.3.1.2.2 Design Basis; Variables, Ranges, Accuracies, and Typical Response Times Used in ESF Actuation (Paragraphs 2, 5, 6, and 9 of Section 3 of IEEE 279-1971)
The variables required to be monitored for engineered safety features acutations are:
- 1. Pressurizer Pressure
- 2. Reactor Coolant Inlet Temperature (Tcold) in each loop
- 3. Steamline Pressure in each steamline
- 4. Containment Pressure
- 5. Mater level in each Steam Generator (Narrow and Wide Ranges)
- 6. Startup feedwater flow to each steam generator
- 7. Source Range neutron flux i
- 8. Pressurizer Water Level i
A discussion on levels that, when reached, will result in engineered safety l
features actuation, is given in Subsection 7.1.2.2.1. The " ALLOWABLE VALUES" for the Limiting Conditions for Operation (LCO) and the " TRIP SETPOINTS" for j 1
ESF actuations are given in the Technical Specifications.
HAPHR-I&C/EP 4904e:1d 7.3-12 NOVEMBER,1984Ol i
- _- .- .- ~ _ . . . . -- . - - - .
~
O O O O- O O O .
r i
k TABLE 7.3-1 (Cont.)
ENGINEERED SAFETY FEATURES ACTUATION SIGNALS Channel Set Permissives ESF Actuation Slanal # of Channels Trin Loaic & Interlocks l
t i 3. CONTAINMENT SPRAY 1
(Figure 7.2-1. Sheet 13) ,
- a. Manual Containment Spray 4 switches 2/4 switches
- b. High (Hi-3) Containment Pressure 4 2/4-BYP*
i 1 2 l
- 4. CONTAINMENT ISOLATION (PHASE-A)*a l a. Safety Injection Signal (Auto See item Number 1(a) through (e) and Manual)
- b. Manual Phase-A Isolation 2 switches 1/2 switches
)
CONTAINMENT ISOLATION (PHASE-B)
- a. High (Hi-3) Containment Pressure 4 2/4-BYP*
- b. Manual Containment Spray 4 switches 2/4 switches ---
CONTAINMENT VENTILATION ISOLATION i a. Safety Injection (Auto or Manual) See item Number 1(a) through (e) i b. Manual Phase-A Isolation 2 switches 1/2 switches
- c. Manual Containment Spray 4 switches 2/4 switches
- 2/4-BYP indicates automatic bypass logic. The logic is 2/4 with no bypasses; 2/3 with one bypass; 1/2 with two bypasses; and automatically actuated with three or four bypasses.
3
- Setpoint will be minimum compatible with normal operating conditions to comply with NUREG-0737 II.E.4.2 2
- position 4 (and 10CFR50.34(f)).
HAPHR-I&C/EP 7.3-27 AMENDMENT 2 .
4904e:1d AUGUST, 1986 i
T TABLE 7.3-1 (Cont.)
ENGINEERED SAFETY FEATURES ACTUATION SIGNALS Channel Set Permissives
- of Channels Trio Loalc & Interlocks ESF Actuation Slanal
- 5. FEE 0 HATER LINE ISOLATION (Closure of Isolation and Modulating Valves)
(Figure 7.2-1, Sheets 2, 5, 8, 11, 16)
Steam Generator High Mater 4/St. Gen. 2/4-BYP in any a.
- Level Safety Injection Signal (Auto See Item Number 1(a) through (e) b.
and Manual Manual Feedwater Isolation 2 switches 1/2 switches c.
1/ loop. 2/4 loops P-16
- d. Low-2 T cold FEE 0 HATER ISOLATION (Trip of all Main F/w Pugs)
Steam Generator High Mater 4/St. Gen. 2/4-BYP in any a.
- Level 2 switches 1/2 switches
- b. Manual Feedwater Isolation Safety Injection Signal (Auto See Items Number 1(a) through (e) c.
and Manual)
- 2/4-BYP indicates automatic bypass logic. The logic is 2/4 with no bypasses; 2/3 with one bypass; 1/2 with two bypasses; and automatically actuated with three or four bypasses.
NOVEMBER, 1984 -
7.3-28 MAPHR-I&C/EP 9"' O 9 9 e e e .
- 3. Pressurizer pressure control
- 4. Reactor coolant system inventory control 7.4.1 Description >
The hot standby systems are identified in the following lists together with the associated instrumentation and controls provisions. The identification of
! the snitoring indicators (Subsection 7.4.1.1) and controls (Subsection 7.4.1.2) are those necessary for maintaining a hot standby. The equipment and services for a cold shutdown are identified in Subsection 7.4.1.4. Loss of the local controls and normal automatic control systems are not assumed coincident with evacuation.
7.4.1.1 Monitoring Indicators r
- The characteristics of these indicators, which are provided outside as well as U inside the control room, are described in Section 7.5. The necessary indicators are as follows
1 O Mater level indicator for each steam generator 1 1.
- 2. Pressure indicator for each steam generator by means of steamline pressure indicator j 3. Pressurizer water level indicator
- 4. Pressurizer pressure indicator
- 5. Source range neutron flux
! 6. Emergency feedwater flow
- 7. Supply tank level 2
' 8. T hot
- 9. T cold 4 7.4.1.2 Controls 7.4.1.2.1 General Considerations
- 1. The turbine is tripped. This.can be accomplished at the turbine as well as in the control room.
O HAPHR-I&C/EP 4904e:1d 7.4-3 AMENDHENT 2 AUGUST, 1986
- . - - - - . , - - - - , -- . - - - . . , . . . . - - - - - , - __,---_.,___,-,-,..a. c., ,---- ..mn.,w,-,,e -
- 2. The reactor is tripped. This can be accomplished at the reactor trip switchgear as well as in the control room.
- 3. Safety related manual controls for hot standby shutdown are located inside as well as outside the main control room. These controls are provided with REMOTE / LOCAL selector switches located outside the main control room. An annunciator is alarmed in the main control room and the indicator lights in the main control room are turned off when LOCAL CONTROL is selected; and control of the switchgear is transferred from the control room to a local station (s).
- 4. All autoinatic systems continu1 functioning.
7.4.1.2.2 Pumps and Fans
- 1. Start-up feedwater pump Normally on a loss of electrical power, the start-up feedwater pump would come on as part of the blackout sequence. The emergency feedwater pumps start automatically on an accident sequence or can be started manually. START /STOP controls located outside as well as inside the control room are provided.
- 2. HHSI pumps START /STOP motor centrols for these pumps are located outside, as well as inside the control room.
- 3. Service water pumps O
These pumps will start automatically following a loss of normal electrical power. START /STOP motor controls are located outside as well as inside the control room.
7.4-4 NOVEMBER, 198 HAPHR-I&C/EP 4904e:1d
i i
7.5.2.3.1 Category 1 7.5.2.3.1.1 Selection Criteria for Category 1 The selection criteria for Category I variables have been subdivided according to the variable type. For type A, those key variables used for diagnosis or providing information for necessary operator action have been designated l
Category 1. For type 8, those key variables used for monitoring the process of accomplishing or maintaining critical safety functions have been designated Category 1. For type C, those key variables used for monitoring the potential for breach of a fission product barrier have been designated Category 1.
l There are no type D or type E Category 1 variables.
7.5.2.3.1.2 Qualification Criteria for Category 1 The instrumentation is seismically and environmentally qualified in accordance l
i with Sections 3.10 and 3.11, respectively, of RESAR-SP/90 PDA Module 7, l " Structural / Equipment Design". Instrumentation shall continue to read within the required accuracy following but not necessarily during a seismic event.
J At least one instrumentation channel is qualified from the' sensor up to and including the display. For the other instrumentation channels, qualification c
as a minimum is applied up to and includes the channel isolation device.
(Refer to Subsection 7.5.2.3.4. in regards to extended range instrumentation qualification.)
7.5.2.3.1.3 Design Criteria for Category 1 O A. No single failure within either the accident-monitoring instrumentation, its auxiliary supporting features, or its power sources, concurrent with the failures that are a cause of or result from a specific accident, will prevent the control room operating staff from being presented the required O information. Where failure of one accident-monitoring channel results in information ambiguity (e.g., the redundant displays disagree), the NOVEMBER,1984 7.5-9 l tlAPHR-I&C/EP 4904e:1d
I* . .
additional information is provided to allow the control room operating staff t analyze the actual conditions in the plant. This is accomplished by prc t'iing additional independent channels of information of the same variable (addit':a of an identical channel) or by providing independent channels which mo.ito different variables which bear known relationships to the channels (addition of diverse channel (s)). Redundant or diverse channels are electrically independent and physically separated from each other with two-train separation and from equipment not classified important to safety in accordance with Regulatory Guide 1.75, " Physical Independence of Electric Systems".
If ambiguity does nct result from failure of the channel, then a third redundant or diverse channel is not required.
B. The instrumentation is energized from station emergency standby power sources, battery backed where momentary interruption is not tolerable, as discussed in Regulatory Guide 1.32, " Criteria for Safety-Related Electric Power Systems for E Nuclear Power Plants".
C. The instrumentation channel will be available prior to an accident except provided in paragraph 4.11 " Exception", as defined in IEEE Std. 279-1971,
" Criteria for Protection Systems for Nuclear Power Generating Stations," or as specified in the technical specifications. Channel availability for Category 1
( instrumentation will, therefore, be in accordance with the applicable Reg. Guide 1.97, Rev. 3 statement.
D. Servicing, testing, and calibration programs are specified to mairtain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval betweg generating station shutdowns, a capability for testing during power operation 7 provided.
E. Whenever means for removing channels from service are included in the design, t design facilitates administrative control of the access to such removal means.
F. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.
BAPWR-I&C/EP 7.5-10 AMENDHENT AUGUST, 1986-4904e:Id
O' energized from a highly reliable onsite power source, not necessarily the emergency standby power, which is battery backed where momentary interruption is not tolerable.
interval will be based on normal Technical B. The out-of-service Specification requirements on out-of-service for the system it serves where applicable or where specified by other requirements. Channel l
availability will, therefore, be in accordance with the Reg. Guide 1.97, Rev. 3 statement associated with Category 2.
C. Servicing, testing, and calibration programs will be specified to maintain the capability of the monitoring instrumentation. For those instruments
' where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
O. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to l
such removal means.
E. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.
F. The monitoring instrumentation design minimizes the potential for the meters, annunciators, development of conditions that would' cause recorders, and alarms, etc., to give anomalous indications that could be potentially confusing to the operator.
G. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
H. To the extent practicable, monitoring instrumentation inputs are from An indirect sensors that directly measure the desired variables.
measurement is made only when it can be shown by analysis to provide unambiguous information.
O tiAPHR-I&C/EP 4904e:1d 7.5-13 AMENDHENT 2 AUGUST, 1986
I. Periodic checking, testing, calibrhtion, and calibration verification will be in accordance with applicable portions of Regulatory Guide 1.118
" Periodic Testing of Electric Power and Protection Systems".
J. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of Regulatory Guide 1.105,
" Instrument Setpoints".
7.5.2.3.2.4 Information Processing and Display Interface Criteria for Category 2 The instrumentation signal .is, as a minimum, processed for display on demand.
Recording requirements are variable specific and are determined on a case-by-case basis.
7.5.2.3.3 Category 3 7.5.2.3.3.1 Selection Criteria for Category 3 The selection criteria for Category 3 variables have been subdivided according to the variable type. For types B and C, those variables which provide backup information have been designated Category 3. For types D and E, those variables which provide preferred backup information have been designated Category 3. There are no Category 3 type A variables.
7.5.2.3.3.2 Qualification Criteria for Category 3 The instrumentation is high quality, commercial grade which is not required to provide information when exposed to a post-accident adverse environment.
O l
7.5-14 NOVEMBER,198 BAPHR-I&C/EP 4904e:Id
O C. Estimate the magnitude of release of radioactive materials through identified pathways.
O D. Monitor radiation levels and radioactivity in the environment surrounding the plant.
Key type E variables are qualified to Category 2 requirements. Preferred backup type E variables are qualified to Category 3 requirements.
Table 7.5-8 lists the key type E variables.
! 7.5.4 Bypassed and Inoperable Status Indication for Engineered Safety Features Systems i
7.5.4.1 Description l
For a description of the Bypassed and Inoperable Status Indication (BISI)
System and compliances to Regulatory Guide 1.47, refer to RESAR-SP/90 PDA Module 15, 'ACR/ Human Factors".
l l
O O
lO WAPWR-I&C/EP 7.5-21 NOVEMBER, 1984 2084e:1d l-..--_-___ . _ _ _ . . _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _
TABLE 7.5-1 (Sheet 1 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION Oualification Required Range / Type / Environ- Number of Power Variable Status Cateaory - mental Seismic Instruments Supply Notes Reactor coolant 1200-3600 A1, B1, Yes Yes 3 per unit IE Transmitters located pressure (upper B2, C1 outside of containment range C2, 02 Note A l2 Reactor coolant 0-1400 A1, B1, Yes Yes 3 per unit IE Transmitters located pressure (lower B2, D2 outside of containment range) . Note A l2 RCS wide range 0* to A1, B1, Yes Yes 2 per loop IE l2 Th ot 700*F B2 RCS wide range 0* to A1, Bl. Yes Yes 2 per loop IE l2 ,
700*F B2, C1 Tcold Hide range steam 0 to 100 A1, Bl. Yes Yes 3 per steam IE Temperature compensated generator water percent of B2, D2 generator Note S l2 level span Pressurizer 0 to 100 A1, B1, Yes Yes 3 per unit IE Note S l2 level percent D2 of span Containment 0 to 53 A1, B1, Yes Yes 3 per unit IE pressure psig C2, D2 Steamline pres- O to 1350 A1, B1, Yes Yes 3 per loop IE sure psig D2 7.5-22 AMENDMENT 2 .
HAPHR-I&C/EP 1986 49040 0 9 9 e e AUGUST,e
l O O O O O O O .
~-
TABLE 7.5-1 4'
(Sheet 2 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION Oua11fication Required j
Typel Environ- Number of Power Range / Supo1Y Notes l
Variable Status Cateaory mental Seismic Instrustati i
3 per unit IE Notes B, S l2 0 to 1001 A1, B1, Yes Yes f Containment B2, C2 water level level
~
A1, D2 Yes' Yes 3 per tank IE Note L l2 Emergency feed- O to 100
- water storage percent of i tank level span A1, 81, Yes Yes 2 per loop IE Note C
- Total emergency
- radiation level 108 R/hr E2
! 10-1 to Al Yes Yes 1 per loop IE Steamline
- radiation 103 pC1/cm3 monitor 100 to A1, 81, Yes Yes 4 per core IE
. Core exit quadrant per temperature 2200*F C1
' train RCS subcooling 200*F sub- A1, B1 Yes Yes 3 per unit IE i cooling to 35'F super- -
- heat Yes Yes 2 per unit IE Note E l2 Neutron flux 10-8 to B1 100 percent 1
of full power l
l
- Hill conform to Item II.E.1.2 of NUREG-0737 (and 10CFR50.34(f)). 7.5-23 AMENDMENT 2
- HAPHR-I&C/EP AUGUST, 1986 4904e:Id l
I
TABLE 7.5-1 (Sheet 3 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION Oualification Required Rangel Type / Environ- Number of Power Variable Status Cateaory . mental Seismic Instruments Supply Main Reactor vessel O to 100 B1, C1 Yes Yes 2 per unit IE Note S water level percent reactor 2 vessel height Containment 0 to 10 B1, C1 Yes Yes 2 per unit IE hydrogen percent concentration partial pressure Control rod 0 to 228 B3, D3 No No 2 per con- Non-1E position steps trol rod indication Containment -5 to 140 C1, C2 Yes Yes 3 per unit IE pressure psig (extended range)
Plant vent See Note C2, E2 No Yes I per unit IE Note G 2
radiation level Site environ- NA C3, E3 No No NA NA mental radiation level 7.5-24 AMENDMENT 2 .
HAPHR-I&C/EP d AUGUST 986 490
l O
~
i O O O O. O O :
TABLE 7.5-1 l2 (Sheet 4 of 13)
POST-ACCIDENT MONITORING INSTRUMENTATION
! Oualification Required Rangel Typel Environ- Number of Power Status Cateaory mental Seismic Instruments Supply Notes Yariable RCS activity NA C3 No No 1 MA Note F (post-accident sampling)
Containment Closed / C2, D2 Yes Yes I per IE Note H isolation valve Not Closed valve
{
status Power-operated Closed / D2 Yes Yes 1 per IE Backup indication from l valve PRT instrumentation.
relief (PORV) Not closed valve status 2 Primary safety Closed /not D2 Yes Yes 1 per IE Backup indication from
! valve PRT instrumentation.
i valve status closed
! Pressurizer On/off D2 Yes Yes 2 per unit IE Note I heater power
- availabi11ty I
j Charging system 0-550 gpm D2 Yes Yes 1 per path IE j flow Letdown flow 0-300 gpm D2 Yes Yes 1 per path IE
! Volume control O to 100 D2 No Yes 1 per tank IE Note S l tank level percent of i
span 1
1 i
! HAPHR-I&C/EP 7.5-25 AMENOMENT 2 AUGUST, 1986
! 4904e:1d
l
+
- TABLE 7.5-1 i (Sheet 5 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION Oualification Required Range / Typel Environ- Number of Power j Instruments Supply Notes Variable Status Cateaory mental Seismic Chemical and Closed / D2 Yes Yes 1 per valve IE l
4 volume control Not closed system valve status On/off D2 Yes Yes 1 per pump IE Chemical and volume control system pump status 0 to 20 No Yes 1 per pump IE Reactor coolant D2 pump seal injec- gal / min tion flow Steam generator Closed / D2 Yes Yes 1 per valve 1E atmospheric Not closed PORV status Steam generator Closed / D2 Yes Yes 1 per valve IE safety valve Not closed status Main steam line Closed / B2, D2 Yes Yes 1 per valve IE isolation valve Not closed status Main steamline Closed / B2, D2 Yes Yes 1 per valve IE isolation bypass Not closed valve status 7.5-26 AMENDHENT 2 HAPHR-I&C/EP AUGUS 1986 49 ld
~
O O O O O O O .
TABLE 7.5-1 (Sheet 6 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION i
__Dualification Required l Number of Power Rangel Type / Environ-Cateoory Seismic Instruments Supply Notes Variable StatJs _ mental Main feedwater Closed / D2 Yes Yes 1 per loop IE i control valve Not closed I status I
j Main feedwater Closed / D2 Yes Yes 1 per loop IE l bypass valve Not closed i status Main feedwater Closed / D2 Yes Yes 1 per valve IE l Not closed i isolation valve ;
status Main feedwater 0 to 130 D2 No No 1 per loop Non-TE Note S l2 flow percent design flow Startup feedwater Closed / D2 Yes Yes 1 per valve IE control valve Not closed status
]
I Startup feedwater 0-250 gpa D2 No No I per loop Non-1E 2
i flow per S/G Steam generator Closed / D2 Yes Yes I per valve IE -
, overflow valve Not closed '
I status
\ Yes 1 per IE j Steam generator Closed / D2 Yes
- blowdown Not closed valve i isolation valve i status HAPHR-I&C/EP 7.5-27 AMENOMENT 2
) AUGUST, 1986 4904e:1d l
TABLE 7.5-1 (Sheet 7 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION 1
Oualification Required Rangel Typel Environ- Number of Power Cateaory _ mental Seismic Instruments Supply Notes Variabig Sta_tus.
0-1000 gpm Yes Yes I per train IE Safety injection D2 flow 2 RHR/ containment 0-3500 gam D2 Yes Yes 1 per train IE spray flow per pump Yes Yes I per tank IE Note S l2 EWST level O to 100 D2 percent ISS valve Open/ closed D2 Yes Yes 1 per valve IE status (SI. RHR/
CS, accumulators, core reflood tanks)
, Accumulator 0 to 750 D2 Yes Yes I per accumulator IE pressure psig Core reflood 0 to 300 D2 Yes Yes 1 per tank 1E l
tank pressure psig psig l
50 to 400 D2 Yes Yes I per exchanger 1E RHR heat exchanger inlet *F ,
temperature 50 to 400 D2 Yes Yes 1 per exchanger IE RHR heat exchanger outlet *F temperature AMENDMENT 2 HAPHR-I&C/EP 7.5-28 AUGUST, 1986 49 1d 1
{
~
l O O O O O O O j .'
TABLE 7.5-1 l
(Sheet 8 of 13) l2 1
POST-ACCIDENT MONITORING INSTRUMENTATION l
Oualification Required Rangel Typel Environ- Number of Power l
Variable Status Cateoory mental Seismic Instruments Supply Notes Fan cooler 0 to 130 D2 Yes No 1 per cooler IE l2 motor speed percent i design speed Emergency feed- Open/ closed D2 Yes Yes 1 per valve IE water valve
! status
(
! Component 0 to 200 D2 No Yes 1 per train IE i cooling water psig header pressure Component 0 to 300*F D2 No Yes I per train IE cooling water
! header temperature Component 0 to 100 D2 No Yes 1 per train IE Note S l2 cooling water percent surge tank level Component cooling 0 to 110 - D2 Yes Yes 1 per component IE Note S l2 water flow to percent engineered safety design flow 1 features com-ponents
]
! Component cooling Open/ closed D2 Yes/No Yes 1 per valve IE water valve status 7.5-29 AMENOMENT 2
)(APHR-I&C/EP AUGUST,.1986 4904e:1d j
TABLE 7.5-1 (Sheet 9 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION Oualification Required Environ- Number of Power Rangel Type / Notes Cateaory mental Seismic Instruments Supply Variable Status No Yes I per header IE Essential service O to 200 D2 l water header psi pressure No Yes I per header IE Note S l2 Essential service O to 110 D2 water flow percent
- design flow No 1 per unit Non-1E Note F l2 RCS boron concen- O to 6000 D3 No tration ppm Yes 1 per damper IE Heating, ventila- Open/ closed D2 Yes tion, and air-conditioning system status Yes Yes 1 per ESF IE Engineered High/ low D2 component safety features (ESF) environment temperature Ac, de, vital Bus D2 No Yes I per bus TE instrument specific voltage Yes I per breaker IE Reactor trip Open/ D2 No breaker position Closed No 1 per valve Non-1E Turbine stop Closed / D2 No valve status Not closed AMENDHENT 2 HAPHR-I&C/EP 7.5-30 -
AUGUST, 1986 4905d e e e e e e
! O O O O~ O O O ;
I i
TABLE 7.5-1 (Sheet 10 of 13) :2 l
POST-ACCIDENT MONITORING INSTRUMENTATION Oualification Required i Rangel Typel Environ- - Number of Power i Variable Status Cateoory mental Seismic Instruments Supply Notes Turbine control Closed / D2 No No 1 per valve Non-1E valve status Not closed ,
1 Emergency feed- On/off D2 No Yes 1 per pump IE water pump status (motor-j driven)
Turbine driven Open/ closed D2 Yes Yes 1 per pump IE l
- emergency feed-water pump supply i
valve status Safety injection On/off D2 Yes Yes 1 per. pump IE f
j pump status I RHR/ containment On/off D2 Yes Yes 1 per pump IE spray pump status Component cooling On/off D2 No Yes 1 per pump IE
{
water pump status I
Essential service On/off D2 No Yes I per pump IE water system pump status
, Reactor vessel Open/ closed D2 Yes Yes I per valve IE j head vent valve j status
- HAPHR-I&C/EP 7.5-31 AMENDMENT 2
! 4904e:1d AUGUST, 1986
l -l TABLE 7.5-1 l2 (Sheet 11 of 13)
POST-ACCIDENT MONITORING INSTRUMENTATION Oualification Required Number of Power Range / Type / Environ- Notes Cateaory mental Seismic Instruments SuoDiv Variable Status No I current indic. Non-lE Note S Note S D3 No RCP Status per pump No I channel Non-1E Note S Note S D3 No Quench Tank Level No I channel Non-lE Note S 0-100 psig D3 No Quench Tank Pressure No I channel Non-1E Note S 50-250*F D3 No Quench Tank Temperature No 2 channels Non-lE Note J 0-1001 D3 No Accumulator Tank Per Tank Level 2
- - - Note N Containment 40-400*F D3 -
Atmosphere Temperature No No 1 per suction Non-1E Containment Sump 50-250*F D3 line Hater Temp.
Mote S High Level Rad. 03 Haste Level Note S Rad. Gas Holdup D3 Tank Press.
Note O Boric Acid 0-100 gpm D3 Charging Flow AMENDHENT 2 7.5-32 HAPHR-I&C/EP AUGUS 986 49 d
l O O O O O O O j.
TABLE 7.5-1 (Sheet 12 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION Oua11fication Required I Range / Typel Environ- Number of Power Variable Status Cateaory mental- Seismic Instruments Supply Notes Containment Heat
- - - Note K l2 l - -
i Removal Control room 10-5 to E2 No Yes 1 per control 1E radiation level 1 R/hr room Plant vent air E2 No Yes 1 per plant vent IE Note S l2
! flow rate Condenser air 10-6 to E2 No Yes 1 per ejector IE l ejector radia- 105 pC1/cc
! tion level t
Condenser air E2 No Yes I per ejector IE l ejector flow rate j
Steam generator 10-1 to E2 Yes Yes 1 per mainstream 1E Note S l2 I safety relief 103 pC1/cc header
! valve radiation
{ 1evel Steam generator E2 Yes Yes 1 per valve IE Note R l2 safety / relief or header i valve flow rate
! Radiation level 10-6 to E2 No Yes 1 per pathway 1E I from liquid 10-1 pC1/cc pathways Liquid pathways E2 No Yes 1 per pathway 1E j flow rate M
_APHR-I&C/EP 7.5-33 AMENDMENT 2 l AUGUST. 1986 i 4904e:1d i
TABLE 7.5-1 (Sheet 13 of 13) l2 POST-ACCIDENT MONITORING INSTRUMENTATION Oua11fication Required Rangel Typel Environ- Number of Power Variable Status Cateaory _ mental Seismic Instruments Supply Hoiti Other potential 10-6 to E2 No Yes 1 per source IE sources of radia- 104 pC1/cc tion release Other potential E2 No Yes I per source IE source flow rate Area radiation 10-4 to E2 No Yes Site specific IE 108 R/hr Environs radia- E3 No No Site specific Mon-1E Note S l2 tion level Meteorological Site E3 No No Site Non-1E Note P l2 parameters specific specific 7.5-34 AMENDMENT 2 HAPHR-I&C/EP Id AUGUS 986 49
1 i
NOTES SUPPORTING TABLE 7.5-1 I
i A. One qualified upper range (1200-3600 psig) channel and one qualified, j
1 lower range (1-1400 psig) channel with sufficient overlap indication are l used to monitor Reactor Coolant System (RCS) pressure. j j
B. A description of the containment water level measurement design is provided in NUREG 0737. Item II.F.4 Attachment 5. This is accomplished i l
by the installation of one instrument with the intent of satisfying the required range of two level detectors (see Note S). j C. The MAPHR design utilizes four physically separate auxiliary feedwater lines. The eight (8) class IE transmitters provide the redundancy required. The requirement is to ensure flow to at least one intact steam generator in post accident phase. The required redundancy with a four loop plant is provided by two channels per loop. Steam generator wide range water level provides a diverse backup. 2 D. The accuracy requirement of the lower range may require the installation of two ranges of instrumenation.
E. No diverse variable is required for monitoring neutron flux since the failure of one channel will not cause the operatcr to violate the
! required safety function.
3 F. The Post Accident Sampling System (PASS) is sufficient for obtaining samples to perform detailed analysis of RCS coolant, containment sump, and containment atmospheric activity. Offline measurement systems are considered Category 3 variables.
I The offline measurements available and the corresponding ranges are as follows:
0-6000 ppm i Boron pH 0-14 7.5-35 AMENDHENT 2 HAPHR-I&C/EP AUGUST, 1986 l
4904e:1d ,
s
O Specific Conductivity 0-1000 pmhos/cm Dissolved Oxygen 0-20 ppm Chloride 0-20 ppm Disco 1ved Hydrogen 0-2000 cc/kg
. Gross Activity 10 pC1/ml - 10 C1/ml Gamma Spectrum 0-2000 mR/sec (uncorrected)
G. Noble Gas: 10 E-6 to 10 E6 pCi/cc Particulate: 10 E-11 to 10 E2 pCi/cc Halogens: 10 E-11 to 10 E2 pC1/cc l
To cover the required range of particulates and halogens, a combination of online detection and grab sample capability with on site analysis is employed.
H. The HAPHR has identtiled it.aturau4: Ion that is necessary to assess the 2 process of accomplishing or maintaining critical safety functions. The critical safety functions defined are equivalent to those utilized in the Westinghouse Owners Group Emergency Response Guidelines, i.e.,
Subcriticality, RCS Integrity, Reactor Coolant Inventory, Reactor Core
! Cooling, Heat Sink Maintenance, and Containment Environment. Containment isolation valve status is not a critical safety function. However, the l
I containment isolation valve positions were designated variables for monitoring the actual gross breach of the containment and are therefore qualified to Category 2 criteria.
The appurtenances and power supplies for the containment isolation valves meet the intent of Regulatory Guide 1.97 Category 1 instrumentation. For isolation valves in series, a single indication on each valve is sufficient to satisfy the requirements when those indications are powered from different trains.
I I. The HAPHR has two banks of pressurizer heaters normally loaded on the i
Class IE emergency buses. Hence, the requirements stated in NUREG-0737, 1
7.5-36 AMENDHENT 2 9
HAPHR-I&C/EP AUGUST, 1986 4904e:1d
i 1
4 Section II.E.3.1, are met without necessitating operator action. Since I the heater banks are normally loaded on emergency buses, heater breaker
- position was selected for determining pressurizer heater status.
J. The span of the installed instrument is approximately fourteen inches from 39% to 64% of the tank volume. One transmitter tap is located 7 inches below normal water level. The other transmitter tap is located 7 inches above the normal water level. Both taps are located on a 2 inch l
diameter standpipe. Channel accuracy will be 15% of range. Alarm setpoint accuracy will be 11% of range. The two series check valves in each accumulator discharge line prevent fluid addition during operation.
i Accumulator isolation valve position, vent valve position and pressure (all of which are Category 2 instrumentation) provide the operator I adequate information to monitor the status of the accumulators.
K. Heat removal is performed by the containment heat removal system. Other 2
I E parameters were designated as HAPHR type D variables to demonstrate that the containment heat removal systems are operating properly. These O include the following:
o Containment Spray Flow o Containment Spray System (CSS) Valve Status o Containment Pressure o Containment Nater Level o Containment Spray Pump Status L. Tank Volume: 10,000-220,000 gal (233,000 gal total)
M. The maximum pressure allowed by the Technical Specifications is between 586 and 679 psig. The two series check valves in each accumulator discharge line prevent fluid addition to the tank during operations.
Hence, any malfunction of the check valves would be immediately indicated in the control room. The accumulator is also protected by a spring loaded safety valve with a setting of 700 psig.
O HAPHR-I&C/EP 4904e:Id 7.5-37 AMENDMENT 2 AUGUST, 1986
l N. The key variables for monitoring the accomplishment of containment cooling are containment spray flow, containment water level, containment pressure, containment spray system valve status, and containment spray I pumps status. Immediately after containment spray is initiated, the containment atmosphere is saturated and the temperature is calculated from the containment pressure.
O. Boric Acid Tank Charging Flow - for monitoring the performance of the emergency core cooling system (ECCS), the HAPHR has designated Refueling I I
Hater Storage Tank (RHST) level, High Head Safety Injection (HHSI) Flow, Low Head Safety Injection (LHSI), Containment Water Level, and ECCS Valve Status. Since the ECCS does not take suction from the Boric Acid Tank l (BAT), the Boric Acid Charging Flow was not designated a key variable. !
If the operator uses the BAT for boration following an accident, normal l charging flow and RCS sampling is used to demonstrate that the RCS is )
being borated. 2 P. Wind direction: 0-540*F
! Mind Speed: 0-50 mph (10m) 0-100 mph (60m)
Atmospheric Stability: Delta T = -6*F-6*F Sigma Theta = 0-60*F Q. As an alternate to monitoring ventilation damper position, the HAPHR monitors radiogas, radioparticulate, and/or radiciodine concentrations at various locations in the plant which provide information concerning the status of the ventilation system. These parameters include:
o Area radiation in locations which contain, or could contain, significant quantities of radioactive material o Unit vent radiogas concentration o Radiogas concentration discharged from non-headered vents 7.5-38 AMENDHENT 2 HAPHR-I&C/EP AUGUST, 1986 l 4904e:1d 1
o Environs radiation o Fuel handling building vent radiation o Effluent path flow rate ,
l R. For the purpose of radiological release calculations, the conservative assumption of maximum flow will be utilized. Actual flow indication serves as a backup parameter and is designated Category 3.
f S. Actual setpoint and range of instrumentation indication to be determined later.
Y
.O i
O
'O l
4 7.5-39 AMENDMENT 2 HAPHR-I&C/EP AUGUST, 1986 4904e:Id i
TABLE 7.5-2 SIM4ARY OF SELECTION OF CRITERIA Cateaory 3 Iypt Cateoory 1 Cateaory 2 A Key variables that are used for Variables which provide None diagnosis or providing informa- preferred backup information tion necessary for operator action Key variables that are used Variables which provide Variables which provide B
for monitoring the process of preferred backup information backup information accomplishing or maintaining critical safety functions Key variables that are used Variables which provide Variables which provide C
for monitoring the potential preferred backup information backup information for breach of a fission product barrier None Key variables which are used Variables which provide preferred D
for monitoring the performance backup information which are used of plant systems for monitoring the performance of plant systems E None Key variables to be monitored Variables to be monitoried which for use in determining the provide preferred backup informa-magnitude of the release of tion for use in determining the radioactive materials and magnitude of the release of radio-for continuously assessing active materials and for continu-such releases. ously assessing such releases.
7.5-40 AMENDHENT 2 .
HAPHR-I&C/EP AUGUS 1986 49 Id
~
O O O O O O O .
TABLE 7.S-3 SU MARY OF DESIGN, QUALIFICATION, AND INTERFACE REQUIREMENTS Cataoory 3 Oualification Cateoorv 1 Cateoory 2 As appropriate No Environmental Yes (See Subsection 7.5.2.3.2.2)
As appropriate No Seismic Yes (See Subsection 7.5.2.3.2.2.)
Desian No Single failure Yes No Emergency diesel Emergency diesel generator /onsite As required Power supply generator (as appropriate, see Subsection 7.5.2.3.2.3.A)
Technical Technical As required Channel out of service Specifications Specifications Yes As required Testability Yes Interface Immediately Demand Demand Minimum indication accessible As required As required Recording Yes (See Subsection 7.5.2.3.2.4.) (See Subsection 7.5.2.3.3.4.)
AMENOMENT 2 HAPHR-I&C/EP 7.5-41 AUGUST, 1984 4904e:1d
TABLE 7.5-4
SUMMARY
OF TYPE A VARIABLES Variable Type /
j Variable Function Cateaorv RCS pressure (lower- and upper-range) Key A1 Key Al Thot (HR)
Key Al Tcold (HR)
Steam generator level (temperature compensated HR) Key Al Pressurizer level Key Al Containment pressure Key Al Steamline pressure Key Al Containment water level Key A1 Emergency feedwater storage tank level Key A1 Emergency feedwater flow Key Al Containment radiation level Key Al Steam 11ne radiation monitor Key Al Core exit temperature Key Al RCS subcooling Key Al l
l l
l O
l l
O l
BAPHR-!&C/EP 7.5-42 AMEN 0HENT AUGUST, 1986 4904e:1d
TABLE 7.5-5 SlH4ARY OF TYPE 8 VARIABLES Function Variable Type /
Monitored Variable Function Cateaorv O~ Reactivity Neutron Flux Key B1 control Backup (P)* B2 NR Th ot Backup (P) B2 HR Teojd Control rod position Backup B3 RCS RCS pressure (lower and upper range) Key B1 Integrity Key 81 HR Th ot Key 81 NR Tcold Key 81 Reactor Prassurizer level Mey 81 coolant Reactor vessel water level inventory Containment water level Backup (P) 82 control NR steam generator level Backup (P) 82 Core exit temperature Key 81 Reactor 81 core Reactor vessel water level Key l Key B1 i : cooling RCS subcooling Backup (P) 82 NR Th ot Backup (P) B2 NR Tcold Backup (P) 82 RCS pressure (HR)
Steam generator level (NR) Key 81 Heat sink maintenance Emergency feedwater flow Key 81 Steamline pressure Key 81 l Main steamline isolation and bypass Backup (P)* B2 l
valve status Containment Containment pressure Key 81 environment Containment area radiation Key B1-Containment water level Key B1 Containment hydrogen concentration Key 81
- P - preferred l
!O O HAPHR-IIC/EP 4904e:1d 7.5-43 AMEN 0HENT 2 AUGUST, 1986 <
TABLE 7.5-6 (Sheet 1 of 2)
SU W RY OF TYPE C VARIABLES Function Variable Type /
Monitored Variable Condition Function Cateaorv Incore fuel Core exit Potential Key C1 clad temperature for breach Reactor vessel Potential Key C1 water level for breach RCS activity Actual breach Backup C3 RCS RCS pressure Potential Key C1 boundary (upper range) for breach RCS temperature Potential Key C1 (wide range) for breach RCS pressure Actual breach Backup (P)* C2
~
(upper range)
Containment Actual breach Backup (P) C2 pressure Containment Actual breach Backup (P) C2 water level Containment Containment Potential for Key C1 boundary pressure breach (extended range)
Containment Potential Key C1 hydrogen for breach concentration Plant vent Actual breach Backup (P) C2 radiation level
- P - preferred 7.5-44 AMEN 0HENT 2 HAPHR-I&C/EP AUGUST, 1986 4904e:1d I
i O TABLE 7.5-6 (Sheet 2 of 2)
SLM1ARY OF TYPE C VARIABLES 1
l
- Function Variable Type / l
. Monitored Variable Condition Function Cateaorv Containment Actual breach Backup (P) C2 i
. 1 solation valve i
i status Containment Actual breach Backup (P) C2 l
pressure
} (extended i range)
! Site environ- Actual breach Backup C3 I mental radiation I
1;
!O .
i l
l O
O 7.5-45 AMENDHENT 2 HAPHR-IAC/EP AUGUST. 1986 4904e:1d L
L
TABLE 7.5-7 (Sheet 1 of 4)
SU M RY OF TYPE D VARIABLES Variabie Type /
System Variable Function Cateaory Reactivity Reactor trip breaker position Key D2 Control Control Rod Position Backup D3 System Turbine Stop Valve Status Key D2 Turbine Control Valve Position Key D2 RCS Boron Concentration Backup D3 Pressurizer Power-operated relief Key D2 level and valve (PORV) status pressure Safety valve status Key D2 control Pressurizer level Key D2 RCS pressure (HR) Key D2 Pressurizer heater power Key D2 availability CVCS Charging system flow Key D2 Letdown flow Key D2 Volume control tank level Key D2 Sealinjectionflow Key D2 CVCS valve status Key D2 Head vent valve status Key D2 Secondary Steam generator atmospheric steam Key D2 pressure and dump valve status Steam generator safety valve status Key D2 level control Key D2
(
Hain steam isolation valve and l bypass valve status Main feedwater control and bypass Key D2 status 7.5-46 AMENDHENT HAPHR-I&C/EP AUGUST, 1986 4904e:1d f
i i
TABLE 7.5-7 (Sheet 2 of 4)
SUMARY OF TYPE D VARIABLES Variable Type /
Function Cateaory System Variable Key D2 i Main feedwater isolation valve status Startup feedwater control valve status Key D2 Key D2 Main feedwater flow Key D2 Startup feedwater flow Key D2 Emergency feedwater flow Key D2 Steam generator level (NR)
Steam generator overflow valve status Key D2 Steam generator blowdown isolation Key D2 valve status Key D2 Steamline pressure Key D2 ISS (including Emergency water storage tank level Key D2 containment Total SIS flow O spray and residual heat Total RHR/ containment spray flow ENST level Key Key D2 D2 Key 02 removal) ISS valve status Key D2 Accumulator pressure Key D2 Core reflood tank pressure Key D2 RHR heat exchanger inlet and outlet temperature Key D2 Fan cooler motor speed Key D2 Containment pressure Key D2 Emergency Emergency feedwater flow Key D2 feedwater Emergency feedwater valve status Key 02 system Emergency feedwater storage tank level O
AMENDMENT 2 7.5-47 AUGUST, 1986 HAPHR-I&C/EP 4904e:1d
TABLE 7.5-7 (Sheet 3 of 4)
SUMMARY
OF TYPE D VARIABLES Variabie Type /
System Variable Function Cateaory <
Component CCHS header pressure Key D2 cooling water CCHS header temperature Key D2 system CCHS surge tank level Key D2 Flow to ESF components Key D2 CCHS valve status Key D2 Essential ESHS header pressure Key D2 service water ESHS flow Key D2 system HVAC Environmental for ESF components Key D2 System status Key D2 Electric AC/DC vital instrument voltage Key D2 power Verification Reactor trip breaker position Key D2 of automatic Turbine stop valve position Key D2 actuation's of Turbine control valve position Key D2 safety systems ac/dc vital bus voltage Key D2 l
Main feedwater control valve status Key D2 Main feedwater bypass valve status Key D2 Main feedwater isolation valve status Key D2 Containment isolation valve status Key 02 Emergency feedwater valve alignment rey 02 Emergency feedwater pump start (motor- Key D2 driven)
Emergency feedwater pump supply valve Key D2 status (turbine-driven) 7.5-48 AMENDHENT 2 HAPHR-I&C/EP AUGUST, 1986 4904e:1d
TABLE 7.5-7 (Sheet 4 of 4)
SIM4ARY OF TYPE D VARIABLES Variable Type /
System Variable Function Cateaorv I
O SI pump start Key Key D2 D2 CCHS pump start ESHS pump start Key D2 RHR/ containment spray pump start Key D2 CVCS pump status Key D2 SI valve alignment Key D2 Containment spray valve alignment Key D2 SI flow Key D2 RHR/ containment spray flow Key D2 1
Emergency feedwater flow Key D2 l ,
f:
O I
l I
l l
O O
O 7.5-49 AMENDHENT 2 MAPHR-I&C/EP AUGUST, 1986 4904e:Id
TABLE 7.5-8
SUMMARY
OF TYPE E VARIABLES Variable Type /
Variable Function Catecory Control room radiation level Key E2 Plant vent radiation level Key E2 Plant vent air flow rate Key E2 Condenser air ejector radiation level Key E2 Condenser air ejector flow rate Key E2 Steam generator safety / refuel valve radiation level Key E2 Steam generator safety / relief valve flow rate Key E2 Radiation level of material discharged from liquid Key E2 pathways Liquid pathways flow rate Key E2 Other potential sources of radiation release Key E2 Other potential source flow rate Key E2 Environs radiation level Backup (P)* E3 Meteorological parameters Backup (P)* E3 Containment radiation level Key E2 Area radiation in areas requiring accessibility Key E2 O
- P - preferred O
7.5-50 AMENDHENT HAPHR-1&C/EP AUGUST, 1986 4904e:Id
1 integrated logic cabinets. This is done in ~the best interests of safety since an actual actuation to permit opening the valve could l "l
potentially leave only one remaining valve to isolate the low pressure Residual Heat Removal System from the Reactor Coolant System.
Paragraph 4.15: This requirement does not
- 3. IEEE Standard 279-1971 apply, as the setpoints are independent of mode of operation and are not changed.
Environmental qualification of the valves and wiring are discussed in Section l Design". The
" Structural / Equipment
- 3.11 of RESAR-SP/90 PDA Module 7 safety-grade cold shutdown concept imposes a conflicting requirement to provide a single failure RHRS initiation function along with the classical single failure autoclose function. The HAPHR design for cold shutdown is Therefore, the HAPHR based on no operator action outside of the control room.
design with two electrical trains incorporates an RHRS suction valve l
arrangement with four way independence. Each RHRS suction valve is powered by a separate power supply and interlocked with a separate RCS pressure have one suction valve powered by
' transmitter. RHR subsystems "A" and "D" " Battery train train "A" and one suction valve powered by " battery trainand A".
circuitry. The A" includes one battery, inverter (or motor-generator),
RHR subsystems "B" and "C" battery is continually charged by vital bus "A".
j "B" is similar to have one suction valve powered by train "B". Battery train constitute independent power battery train "A" except that battery train "8" supplie: and provide the single failure autoclosure capability not provided by two electrical sources. Single failure initiation capability is provided by j
the two totally redundant pairs of RHR subsystems. The recommendations of I
ICS8 Position 3 are satisfied by the design of RHR valve interlocks.
O 7.6.3 Critical Function Isolation Motor Operated Valve Interlocks The control circuits for the accumulator and core reflood tank discharge isolation valves designated " critical function valves", are shown in Figure 7.6-3. The accumulator and core reflood tank discharge isolation valves are motor operated, normally open valves which are controlled from the MCP.
AMEN 0HENT 2 7.6-5 AUGUST, 1986 O HAPHR-I&C/EP 4904e:1d l
)
These valves are interlocked such that:
a) They open autwnatically on receipt of an "S" signal with the MCP switch in either the "AUT0" or "CLOSE" position.
b) They open automatically whenever the RCS pressure is above the SI unblock pressure (P-11) specified in the Technical Specifications only when the MCP switch is in the "AUT0" position.
c) They cannot be closed as long as an "S" signal is present.
The MCP switches for these valves are three position switches which provide a
" spring return to AUT0" from the OPEN position and a " maintain position" from the CLOSE position.
The " maintain in CLOSE" is required to provide an administratively controlled
- manual block of the automatic opening of the valve at RCS pressure above the SI unblock pressure (P-11). The manual block or " maintain in CLOSE" position may be required in order to perform check valve leak tests or other anticipated operations.
Administrative control is required to ensure that any accumulator valve, which has been closed at pressures above the SI unblock pressure, is returned to the "AUT0" position. Verification that the valve automatically returns to its normal full open position would also be required.
To During plant shutdown, the accumulator valves are in a closed position.
prevent an inadvertent opening of these valves during that period, the accumulator valve breakers should be opened or removed. Administrative control is again required to ensure that these valve breakers are closed during the pre-startup procedures.
These normally open, motor operated valves have been identified as " critical function" valves, and alarms indicating a mispositioning (with regard to their ECCS function) are provided. The alarms sound in the main control room.
NOVEMBER, 198 7.6-6 HAPHR-I&C/EP 4904e:Id
. .t l
- 7. Provision for syntax and context checking.
- 8. Support of numerous data structures and variable types such as bits, bytes (8 bits), integers (16 bits), and real numbers (32 bits).
, 9. Support multidimensional arrays.
i 10. Language extensions.
i
~
The programming language can encourage good programming practices but cannot enforce them. The additional programming style guidelines will be used to improve the readability and reliability of the program.
. 1. The size of each software module will be limited to a few pages of code.
I '
- 2. Simple control structures will be used and Go To statements will be avoided.
O 3. All subroutines will return to the caller directly following the call.
- 4. All subroutines will have single-entry and single-exit.
- 5. Interrupts will not be permitted.
l 78.5 SOFTWARE TEST AND VERIFICATION Verification is intended to provide an adequate level of assurance that the software actually performs the functions which are specified by the functional requirements. It gives assurance that the protection system software meets
^
its specification and will perform its protection function.
Refer to ANS Standard IEEE-730.
l2 78-7 AMENDHENT 2 HAPHR-I&C/EP AUGUST, 1986
- 4904e
- 1d 1
_ __ -_m - __.
D 9
O O
I I
t i e!
I l
1 I
+
l 1
'I I
1 O
.I 1
- l O
i O
l 1
i e
O I
i d
i
(
!1
p
.I = .
j- <
4 i
i i
t i
O l
1 i
i t 4
i I
Insert remainder of package behind
} Amendment 1 (page 430-7) in l
" Questions / Answers" section ;
~
i lO :
I i
l l 1
i l
l 1 ;
I
\ F I r I
O :
I f
O ?
AMENDMENT 2 l' llAPHR-I&C/EP AUGUST, 1986 4904e:1d t
NRC REVIEW OF RESAR-SP/90 PDA MODULE 9, CHAPTER 7
- 1. In Section 3 of Module 2, " Regulatory Conformance," a ' discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed. piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conforms (or will conform) to the requirements of NUREG-0737 for the following THI Action Plan Items:
- a. II.B.1 - Reactor Coolant System Vents 1
RESPONSE
Figure 5.1-2 (Sheet 1 of 3), Reactor Coolant System P&I Dinaram, of 1
RESAR-SP/90 PDA Module 4, " Reactor Coolant System" was used to provide a
)
detailed discussion as to how the RESAR-SP/90 design conforms to the requirements of NUREG-0737 (and 10CFR50.34(f)) for the Reactor Coolant O System Vents (Reactor Vessel Head and Pressurizer).
In addition it was shown in following discussions that the RESAR-SP/90 design complies with NUREG-0737 (and 10CFR50.34(f)) for all items discussed in Agenda Item 1.
- 1. In Section 3 of Module 2, " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conforms (or will conform) to the requirements of NUREG-0737 for the following TMI Action Plan Items:
O O HAPWR-I&C/EP 4904e:ld NRC A.I.-1 AMENDMENT 2 AUGUST, 1986 i
. . I l
t I
- b. II.D.3 - Relief and Safety Valve Position Indication i
RESPONSE: .
Table 7.5-1 (Sh. 4 of 11) in Module 9 of RESAR-SP/90 lists the post-accident monitoring instrumentation, and specifically states the power operated relief valve (PORV) status and primary safety valve status are considered type D2 variables.
O Table 7.5-1 (Sheet 4 of 11) in RESAR-SP/90 has been revised to indicate that for the applicable instrument channel, monitoring valve position per valve there is backup indication from PRT instrumentation.
- 1. In Section 3 of Module 2 " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conforms (or will conform) to the requirements of NUREG-0737 for the following THI Action O Plan Items:
C. II.E.1.2 - Auxiliary Feedwater System Automatic Initiation and Flow Indication
RESPONSE
Figure 7.2-1 (Sh. 8 of 14) in Section 7.2 of Module 9 illustrates the logic utilized to automatically initiate the emergency feedwater pumps.
O The following logic will automatically initiate the emergency feedwater l pumps.
A - low-1 water level in coincidence with 1/2 low start-up feedwater O flow in any steam generator.
low-2 water level in any steam generator coincident with reactor B -
trip.
O HAPHR-I&C/EP 4904e:1d NRC A.I.-2 AMENDHENT 2 AUGUST,1986
C - Safety injection signal.
D - Manual Actuation Table 7.5-1 (Sh. 2 of 11) of Module 9 shows that emergency'feedwater flow is considered a type A1, B1, and D2 variable.
l Table 7.5-1 (Sh. 2 of 11) has been revised to state that the RESAR-SP/90 design will conform to Item II.E.1.2 of NUREG-0737 (& 10CFR50.34(f)).
- 1. In Section 3 of Module 2, " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conforms (or will conform) to the requirements of NUREG-0737 for the following TMI Action Plan Items:
- d. II.E.4.2 - Containment Isolation Dependability (Subparts 4, 5, and 7)
RESPONSE
Subpart 4: The logic of containment isolation was discussed by review of the functional diagram (Figure 7.2-1, Sheet 13) to demonstrate that containment isolation is sealed in even when an initiation signal is reset with re-opening requiring deliberate operator action.
Subpart 5: Table 7.3-1 (page 7.3-27) has been revised to include a footnote for item 4 to state compliance with part 5 of NUREG-0737, II.E.4.2 item (d).
Subpart 7: The logic of the containment purge and vent isolation valves was discussed by reference to Sheet 13 of Figure 7.2-1, showing that valves close on high radiation, should they be open, and recognizing that s the valves are normally closed.
O HAPHR-I&C/EP 4904e:1d NRC A.I.-3 AMENDHENT 2 AUGUST, 1986
- 1. In Section 3 of Module 2 " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, j
~
etc. (if available), how the RESAR SP/90 design conforms (or will .
conform) to the requirements of NUREG-0737 for the following TMI Action Plan Items:
- e. II.F.1 - Additional Accident-Monitoring Instrumentation (Subparts 4, 5, and 6)
RESPONSE
Containment Pressure Monitor (Suboart 4): Section 7.5.2.3.1.4b discusses the Information Processing and Display Interface Criteria for Category I.
Table 7.5-1 (Sh. 3 of 11) of Module 9 specifically states that containment pressure (extended range) is considered a Type C1 and C2 with three (3) instruments required per unit. The range of the instrument l meets the intent of Subpart 4.
Containment Water Level Monitor (Suboart 5): Table 7.5-1 (Sh. 2 of 11) of Module 9 illustrates that containment water level is considered a Type A1, B1, B2, and C2 variable with three required per unit. The bottom i taps associated with the instruments are at the bottom of the reactor cavity. The top taps are located above the calculated containment flood l
level. For identification of the location on the P&I diagrams, reference will be made at the time of the FDA.
Containment Hydrocen Monitor (Suboart 6): Table 7.5-1 (Sh. 3 of 11) of Module 9 states that containment. hydrogen concentration is considered Type B1 and C1 variables with two (2) required per unit. The range of the instruments meets the intent of subpart 6.
l O BAPHR-I&C/EP 4904e:1d NRC A.I.-4 AMENDHENT 2 AUGUST,1985 i
- 1. In Section 3 of Module 2, " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conf ~orms (or will conform) to the requirements of NUREG-0737 for the following THI Action Plan Items:
- f. II.K.3.1 - Installation and Testing of Automatic Power - Operated Relief Valve Isolation System
RESPONSE
Implementation of the pressurizer power-operated relief valves and block valves is in the reactor protection system. The block valve closes when the reactor coolant system pressure falls after the PORV opens.
Figure 7.2-1 (Sh. 6 of 14) of Module 9 shows the functional design of this system.
- 1. In Section 3 of Module 2, " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conforms (or will conform) to the requirements of NUREG-0737 for the following TMI Action Plan Items:
- g. II.K.3.9 - Proportional Integral Derivative Controller Modification l
RESPONSE
The position is not applicable to the RESAR-SP/90 PDA design since the derivative function is unnecessary and has not been provided.
O l
NRC A.I.-5 AMNDMENT 2 HAPHR-I&C/EP AUhJST,1986 4904e:1d
- 1. In Section 3 of Module 2 " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conforms (or will conform) to the requirements of NUREG-0737 for the following TMI Action Plan Items:
- h. II.K.3.10 - Proposed Anticipatory Trip Modification
RESPONSE
Functional diagrams currently show the anticipatory reactor trip on turbine trip above the P-9 interlock (See Figures 7.2-1, sheets R and 14).
The anticipatory reactor trip function for plants with full load rejection capability is deleted.
For HAPHR design plants with full load rejection capability (pressurizer,-
steam dump, spray) the systems are sized such that the pressurizer PORV's are not actuated following a 100% load rejection. There is no impact on the probability of a small break LOCA resulting from a stuck open PORV.
No analyses have been performed to date to determine a P-9 setting for plants that do not have full load rejection capability.
- 1. In Section 3 of Module 2, " Regulatory Conformance," a discussion of general conformance to the requirements of NUREG-0737 is provided.
Please discuss, using detailed piping diagrams, electrical elementaries, etc. (if available), how the RESAR SP/90 design conforms (or will conform) to the requirements of NUREG-0737 for the following THI Action Plan Items:
- 1. II.K.3.12 - Confirm Existence of Anticipatory Reactor Trip Upon Furbine Trip.
NRC A.I.-6 AMENDMENT 2 HAPHR-I&C/EP AUGUST, 1986 4904e:1d
RESPONSE
As stated in response to 1(h), the anticipatory reactor trip on turbine trip function is deleted for plants with full load rejection capability.
Plants with less than full load rejection capability have an anticipatory reactor trip above the P-9 interlock power level. See Figure 7.2-1 (sh. 4 of 14).
- 2. On page 7.1-28 of Module 9 a statement is made that channels may be bypassed (one or two) for an indefinite period of time. Please discuss this in terms of system availability, component drift effects on setpoints, and overall determination of surveillance intervals from a technical specifications standpoint.
' RESPONSE:
a) The availability of the system of one channel bypassed, compared to all four channels operable, was discussed, with Westinghouse
, presenting evaluation results showing that there was negligible l sensitivity to availability when bypassing one channel.
b) For the digital system there are no drift effects on setpoints.
c) The overall determination of surveillance intervals would be made and provided at the Final Design Approval (FDA) level in the Technical Specifications consistent with past surveillance intervals.
- 3. Discuss the statement 'Tne aspects of the design which permit channel bypass while maintaining immunity to inadvertent initiation of a protective function do not need to be applied to specific channels where improved reliability is not deemed necessary" found on page 7.1-46 of Hodule 9. Does this statement mean that the bypass feature will be used O only for specific, selected channels and that some protection system O HAPHR-I&C/EP NRC A.I.-7 AMENDHENT 2 AUGUST, 1986 4904e:Id
channels will not have the voting logic? If this is the case, provide a discussion of the reliability criterion used and provide an example of a channel not selected for the voting logic. .
RESPONSE
The start-up feedwater flow instrumentation (Figure 7.2-1, Sheet 6 of 14) was discussed as the example of instrumentation without the bypass feature. An appropriate Tech. Spec. action statement is to be made at time of Final Design Approval (FDA). Consideration will be given to placing an inoperable channel associated with 1/2 logic in a tripped condition.
- 4. Using detailed electrical schematics, describe how manual actuation signals, via the logic cabinets, control typical engineering safety features components? Discuss independence of manual and automatic i actuation portions of the system in the context of Section C.4 of Regulatory Guide 1.62, " Manual Initiation of Protective Actions."
O RESPONSE:
Clarification of the system logic was provided, and a discussion of the manual and automatic actuation of the ESF system and their independence took place. A portion of Section C.4 of Regulatory Guide 1.62 was read and Figure 7.1-1, 7.1-2 and 7.1-15 were used to support this discussion.
The staff did not indicate dissatisfaction with this approach.
- 5. Discuss the statement " Error detection will not involve error correction. Mhere practical the on-line error detecting features i impic'ented in the IPS will be designed to automatically place the channel in which the error was . detected into a trip or bypass mode (either by direct bypass or reconfiguration)." found on page 7.1-36 of Module 9. Also, from a technical specifications standpoint and system O' HAPHR-I&C/EP NRC A.I.-8 AMENDMENT 2 AUGUST, 1986 4904e:1d
l l
l availability considerations discuss the statement "In the case of the automatic trip mode the operator shall have the option to place the channel in a bypass mode in a short period of time." found on page 7.1-36. l
RESPONSE
The statement is correct; an error correction code is not used and will not be used. A detailed explanation of the manner in which a channel is placed in either a bypass or trip mode was given, and 2/3 and 2/4 logic O was discussed.
- 6. Discuss how the statements on pages 7.1-52 and L3 of Module 9 relate to the current Westinghouse setpoint methodology and the use of " trigger values" to determine " allowable values" for technical specifications.
RESPONSE
{
Pages 7.1-52 and 7.l-53 of Module 9 do not discuss the H setpoint methodology. However, H setpoint methodology will be incorporated into the final design phase. H will satisfy Reg. Guide 1.05, Rev. 2, dated February 1986, which endorses the ISA standard 67.04. Westinghouse f
' setpoint methodology, as supplied on recent plants, will be implemented.
" Trigger values" will be identified in the Technical Specifications.
- 7. Using detailed electrical schematics / logic diagrams, discuss reactor trip actuation and the use of the bypass capability. Include a discussion of the statement "If a trip of two remaining pairs occurs while one is in bypass, then that one. will be tripped as well." found on page 7.1-65 of
! O Module 9.
RESPONSE
Clarification of reactor trip actuation and use of bypass capability was provided through detailed discussion of Figures 7.1-5, 7.1-16 and 7.1-17. The subject statement on page 7.1-65 has been revised for further clarification as follows:
NRC A.I.-9 AMENDMENT 2 HAPHR-I&C/EP AUGUST, 1986 4904e:1d i
If a trip of any two out of the remaining three pairs occurs while one is in bypass, then that one will be tripped as well.
- 8. Using functional diagrams similar to those shown in Figure 7.2-1, of Module 9, provide a discussion of the overall logic for a typical sensor channel from sensor through the reactor trip actuation and generation of P-16. Discuss Note 3 shown of Sheet 3 of Figure 7.2-1.
RESPONSE
A walk through discussion of the overall logic for a typical sensor was provided using Sheet 2 of Figure 7.2-1. Sheet 3 of Figure 7.2-1 has been revised to show reference to Note 3 in the drawing location D-3 for circuit C-1, indicating that circuit is " control grade duplicate".
- 9. Discuss the statement "The actuation logic for ESF which is contained in the ESFAC and logic cabinets will not be bypassed for test. Instead, the output of one of the two ESF logic trains in a cabinet in test will be
, O placed in a trip condition." found on pages 7.3-10 and 11 of Module 9.
Does this statement imply that the logic will not be tested during normal l
l plant operation?
RESPONSE
A detailed description of the ESFAC and ILC testing was provided during the meeting. Section 7.3.1.1.9 has been modified to clarify the statement on page 7.3.11 to assure there is no implication that the logic will not be tested during normal plant operation. The statement found on page 7.3-10 does not imply That logic is not tested during normal plant operation.
- 10. Paragraph 7.4.1.1 of Module 9 lists the necessary indicators provided for hot standby. Discuss the apparent lack of necessity for T hot/Tcold or T,yg, source range neutron flux, emergency feedwater flow and supply tank level indicators as related to plant shutdown.
- O HAPHR-I&C/EP 4904e:Id NRC A.I.-10 AMENDHENT 2 AUGUST, 1986 !
RESPONSE
The indicators are necessary, and a revision has been made to pg. 7.4-3 of Subsection 7.4.1.1 to include Thot. T cold, source range neutron flux, emergency feedwater flow and supply tank level. Indication of T,yg is not provided for hot standby.
- 11. On-line testability of RHR isolation valves is discussed on page 7.6-4 of Module 9. Using detailed electrical elementaries, describe the interlock circuitry for these valves and discuss how testing will encompass all inputs (including valve position signals) to this interlock logic.
RESPONSE
Clarification was given through detailed discussions of Figure 7.6-4 (and others). The valve position signals will be simulated during the test.
A revision has been made to the text (pg. 7.6-5), to show compliance with O ICSB 3.
- 12. Paragraph 7.7.1.12 of Hodule 9 discusses the signal selector used to meet the requirements of Section 4.7 of IEEE-STD-279. Describe in detail the signal selector and discuss how paragraph 4.7.3 of IEEE-STD-279 is met in light of automatic bypass logic.
RESPONSE
This is described in detail in NCAP-8899 which previously had been formally transmitted to the staff. In addition, discussion is given in l the next-to-last paragraph on page 7.7-19 of our compliance with IEE-279.
- 13. Describe how test procedures will independently verify operability of the undervoltage coils and shunt trip coils of the reactor trip breakers for
- both automatic and manual actuation.
C/EP NRC A.I.-ll MN E 2 l
.. I I
RESPONSE
Test procedures will be equivalent to those contained in HOG 1etter OG-101 (dated June 14, 1983 from the HOG chairman to 'Eisenhut, NRC Division of Licensing) on generic Automatic Shunt Trip.
- 14. On page 7.3-4 of Module 9 the following statements are made:
o "The safety injection signal may be manually reset after 30 to 750 seconds following initiation."
o "However, the operator cannot take manual control of any safeguards
' component actuated by the safety injection signal, until the SI signal is first reset."
l Similar statements (except with 120 seconds in lieu of 750 seconds) are
- also found on page 7.3-21 of Module 9. Discuss if these statements imply that the operator is prevented from manual initiation as well as manual O termination of safety-related actions. Also discuss these statements in light of control room evacuation with subsequent SI.
RESPONSE
Section 7.3.1.1.1 (pg. 7.3-4) has been revised for clarification.
- 15. Table 1.8-1, " Standard Review Plan Deviations," in Module 9 is currently not filled in. Discuss any deviations from Chapter 7 of the Standard Review Plan (SRP), NUREG-0800, known at this time.
I RESPONSE:
There have been no deviations from the Standard Review Plan (SRP)
O- identified for Chapter 7 to this time. The input to Table 1.8-1 in each module will be incorporated into one table at the time of the Integrated Preliminary Design Approval (PDA). Any deviation for Chapter 7 that might be identified will be included.
NRC A.I.-12 AMENDHENT 2 BAPWR-I&C/EP AUGUST, 1986 4904e:1d
- 16. Our review revealed that conformance to only ona SRP Chapter 7 Branch Technical Position was included in Module 9. Please discuss conformance with all the BTP's listed in Chapter 7 of the SRP.
RESPONSE
FSAR Table 7.1-1 was discussed stating conformance to applicable Branch Technical Positions (BTP's), and to the extent of the development of our O
V model, no deviations have identified.
- 17. Our review indicates that conformance statements relating to GDC's and RG's applicable to Chapter 7 of the SRP cannot be clearly understood and easily related to appropriate sections of Module 9. Please provide a matrix similar to that found in Table 7-1 of the sop including positive conformance statements where applicable.
RESPONSE
To the extent of development of our model no deviations have been identified in the applicable SRP Table 7.1
- 18. Interlocks for various valves are mentioned in Sections 5.4.7.2 and Section 6.3.2.1 of Module 1. Our review indicates that most of these interlocks are not discussed in Section 7.6 of Module 9 as appropriate (see the SRP). Using detailed logic diagrams, P&ID's, and electrical schematics, provide a discussion of all interlock systems important to safety.
RESP 0MS_E:
Westinghouse will provide detailed interlock diagrams in the final design phase of Section 7.6.
O O BAPHR-I&C/EP 4904e:ld NRC A.I.-13 AMENDMENT 2 AUGUST, 1986
Specific valve interlocks were discussed as required by applicable BTP's, and RESAR-SP/90 PDA, Section 7.6 presentations were identified as appropriate. To the extent of development of this model, this was '
recognized as sufficient for the PDA.
O 19. Section 15.6.3.1(f) in Modules 6/8 refers to two parallel overflow valves opened by two-out-of-four high water 1evel signals. Discuss the design basi:: for this function. Are these the same level channels used for feedwater isolation?
RESPONSE
The purpose of the overflow valves is to address steam generator overfill concerns following a steam generator tube rupture event.
It is confirmed that the narrow range level channels are also ur.ed for feedwater isolation on high water level.
The valves are classified as active valves powered by Class lE power supplies. The protective action is defined as automatic opening on demand from the narrow range hi-hi steam generater level instrumentation. The steam generator level instrumentation is designed to meet IEEE-279-1971.
! 20. Section 7.5.4 in Module 9 refers to Module 15 for a description of the Bypassed and Inoperable Status Indication (BISI) System. Sint.e Module 15 has not been submitted for the staff's review at this time, discuss the design of the BISI System using detailed- design drawings. Provide information to describe the design philosophy used in tha selection of equipment / systems to be monitored. The design philosophy sSould describe as a minimum the criteria to be employed in the display of inter-relationships and dependencies of equipment / systems and to insure O that bypassing or deliberately induced inoperability of any auxiliary or support system will automatically be indicated for all safety systems f
affected.
O HAPWR-I&C/EP 4904e:1d NRC A.I.-14 AMENDHENT 2 AUGUST, 1986
RESPONSE
The Bypassed and Inoperable Status Indication (BISI) System hardware has been incorporated in the integrated I&C architecture des::ribed in Chapter
- 7. The bypassed and inoperable information necessary to meet the intent of Regulatory Guide 1.47, " Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," has been integrated into the plant display system. A physically independent system is not being supplied.
i Detailed design drawings of the plant display system will not be available until the final design phase. The drawings will not be specific to BISI.
All protection system and systems actuated or controlled by the protection system will be automatically indicated if inoperability was intentionally induced or the system bypassed. Also included will be those systems which directly support automatically initiated systems but which themselves may r.ot be automatically initiated because they are normally in the operating mode. Related support systems may have their O own subsystem bypass and inoperability indication as well as input to the primary system indication, i.e., status information for support systems will be pyramidded up to all related primary safety systems.
The information available to the operating staff with respect to inoperability and bypass is at least as comprehensive as that of an independent system. Both overall system state (i .e., the ability to l perform) and actuation status (i.e., failure to perform) will be l
available. These capabilities for each of these purposes will take the form of binary lights for the ISS. The alarm system will drive these lights based on its results in recognizing the completion or lack of completion of the patterns for the " readiness" and for the " active" system status. The status of the systems not having these lights will be available by accessing system mimics of the display system.
The design philo',ophy of that portion of the display system that fulfills the requirer.ent', for a BISI System is the same as for the remainder of i
O BAPHR-I&C/EP 4904e:1d NRC A.I.-15 AMENDHENT 2 AUGUST, 1986 l
f
v 4 the display system. This approach to display bypassed. and inoperable status is part of the overall . functional decomposition performed to determine what information is provided in the control room and the manner in which it is displayed. High level goals are identified and then i decomposed into system level indications, component level summaries, and support system status. With the BISI requirements incorporated at the conceptual level of the display system in the integrated system, the same ,
operator niental model and display rules are used throughout the system,
. minimizing the potential for operator confusion and errors.
That equipment rendered inoperable for maintenance less frequently than once per year will not necessarily be automatically indicated. The display system will have the capability to indicate manual initiation of
! bypass of safety features on a system level. Under administrative control, manual bypass indication can be input or removed. The automatic indication feature cannot be overridden by operator action.
1 The BISI System, while not a Class 1E system, will not degrade the Class
] IE systems with which it interfaces if subjected to a credible event.
l /
The isolation provisions. it uses to satisfy this requirement will meet Class lE criteria.
- 21. Section 7.5.2.3.1.3(c) of Module 9 uses the channel availability level
- statement associated with Category 2 in lieu of Category 1
- instrumentation per R.G. 1.97 (Revision 3). Discuss these differences.
RESPONSE
O Reg. Guide 1.97, Rev. 2 does not provide any guidance on the channel availability requirements for Category 1 PAMS channels. However, based
' upon the guidance provided by the NRC in internal memorandum (Technical Specifications for post-accident monitoring instrumentation) and
! O reflected in near term operating plant Tech. Spec. commitments, only Category 1 PAMS variables need be listed in the Tech. Specs. with normal surveillance requirements.
NRC A.I.-16 AMENDMENT 2 j HAPHR-I&C/EP AUGUST, 1986 4904e:1d l
4 1
Text modification needed for Category 1 & 2 has been made to Module 9, )
pages 7.5-10 and 7.5-13, in accordance with Reg. Guide 1.97, Rev. 3. ,
I
- 22. Tables 7.5-5 through 7.5-8 provide summaries of Type B t'hrough Type E
. variables. Discuss deviations in categorization from R.G. 1.97 (Revision 3).
l
RESPONSE
Table 7.5-1 has been updated to incorporate the notes (deviations),
i required in Reg. Guide 1.97, Rev. 3, that summarize Type B through Type E i variables.
, 23. In Section 78.5 of Module 9 the statement " Refer to ANS Standard on QA" is made. Please discuss this statement as related to software I verification.
RESPONSE
The text of page 78-7 has been revised to " Refer to ANS Standard IEEE-730."
- 24. On page 7.1-43 of Module 9 the statement " Adequacy of the hardware and software will be demonstrated for the RESAR-SP/90 through a prototype verification and validation (V&V) program similar to the RESAR-414" is made. Please discuss any differences between the RESAR 414 and the SP/90 V&V programs. Include a discussion for the RESAR-SP/90 design process as related to conformance to R.G. 1.152 and ANSI /IEEE-ANS-7-4.3.2-1982.
RESPONSE
A short presentation was provided to summarize the Westinghouse l
Verification and Validation process used in the RESAR 414 application.
l O HAPHR-I&C/EP 4904e:1d NRC A.I.-17 AMENDHENT 2 AUGUST, 1986
_ . _ _ _ - . . . _. .- ~_ . - --- _
i A discussion of the System Development / Implementation Process (SISDIP) took place to faalliarize the reviewer with the various phases of the V&V process. It has been stated in past H/NRC discussions that the program I conforms closely to ANSI /IEEE 7-4.3.2-1982.
O
. O i
l lO l
O .
O O HAPHR-I&C/EP 4904e:1d NRC A.I.-18 AMENDMENT 2 AUGUST, 1986