ML20210S836

From kanterella
Jump to navigation Jump to search
Forwards Electrical,Instrumentation & Control Sys Branch SER Input Re PSAR Through Amend 18.Addl Areas of Concern Listed
ML20210S836
Person / Time
Site: Satsop
Issue date: 07/28/1975
From: Stello V
Office of Nuclear Reactor Regulation
To: Deyoung R
Office of Nuclear Reactor Regulation
References
CON-WNP-1688 NUDOCS 8605290437
Download: ML20210S836 (23)
v  d  e


Text

_

8 JUL 2 81975 R. C. beYoung Assistant Director for LWRs, Group 1. RL WASHINGTON PUBLIC POWER SUPPLY SYSTEM, WPPSS NUCLEAR UNITS NO. 3 AHD NO. 5, INSTRUMENTATION, CONTROL AND ELECTRICAL POWER SYSTEMS, SAFETY EVALUATI0h REPORT Plant Name: WPPSS Nuclear Units Nos. 3 and 5 Docket Number: 50-508/509 Licensing Stage: Construction Pemit Milestone Number: 24-22 Responsible Branch and Project Leader: LWR l-3, P. O'Reilly Technical Review Branch Involved: El&CS Branch ucscription of Review: Safety Evaluation Report Requested Completion Date: June 16, 1975 Review Status: Complete The enclosed Safety Evaluation Report (SER) was prepared by TR:RS, Electrical, Instrumentation and Control Systems Branch. This SER reflects the results of our review of the information presented in tne Preliminary Safety Analysis Report (PSAR) through Amendment 18.

The PSAR includes (both by reference and by physical incorporation) significant portions of the Cont >ustion Engineering Standard Safety Analysis Report (CESSAR).. These portions (identified in PSAR Table 1.1-2) pertain to CESSAR Amendment 16. The applicant has stated:

"It is WPPSS intent that all resolutions adopted between CE and the AEC as a result of CESSAR review which affect only CE's scope of supply, will be incorporated into the design of WNP No. 3 and 5. kesolutions between CE and the AEC which affect the balance of plant scope of supply will be evaluated on a case by case basis by WPPSS."

In view of this commitment, and the fact that Amendment 31 of CESSAR has been issued with the CESSAR review still incomplete, our review concentrated on those areas of the design solely within the applicant's scope of supply. The review of those areas of the design which arc dependent on CESSAR will be completed subsequent to completion of the CESSAR review, and will be reported in a supplement to this SER.

Although, this evaluation is submitted prior to resolution of all of our concerns, it clearly identifies unresolved areas as well as our recomended positions regarding them.

c c =

  • 37 750729 -

.u....., _

Ekf2QCK05000508 PDR oars > .f l-

  • Forms AEC 318 (Rev. 9 53) AECM 0240 W u. ..novsamuamt rasarine orrecas sere.ese. nee

r ._

i,. O. JcYoJng JUL 2 81975 Additional information, documentation, or resolution of concerns are required for the following areas (reference SER Section);

1. CESSAR generic concerns relating to the Reactor Trip System and the Containment Isolation Actuation Signals (Sections 7.2 and 7.3.1 respectively).
2. Design criteria for High Pressure Turbine Stop Valves to ensure acceptable consequences for a main steam line break accident (Section 7.3.2-(l)).
3. Feedwater System design including appropriate interface The Auxiliary (Section 7.3.4).

requirements

4. Additional documentation relating to the motor-operated valves for the Shutdown Cooling System (Section 7.4).
5. Conformance with the requirements of IEEE Std 323-1974 (Sections 7.5 and 7.8.3).
6. Arecs of generic interest resulting from the CESSAR review (Sections 7.6.1 tnrougn 7.6.4 and 3.2.1).
7. Full conformance with Regulatory Guide 1.47 (Section 7.6.5).

C. Additional documentation concerning response tire testing for-the protective systems (Section 7.6.5).

9. Docunentation concerning qualification of safety-related equiptent (Sections 7.t,.2 and 7.G.3).
10. Interfaces wita Combustion Engineering Standard Plant Jesign (Section 7.10).
11. Concerns relating to the battery installation for the safety-related d-c power system (Section 8.3.2).

Orfrinar sten % ,

Victor sect,o Victor Stello, Jr., Assistant Director for Reactor Safety Division of Technical Review Office of fiuclear Reactor Regulation

Enclosure:

As stated above CENTRAL FILES NRR READING cc: S. Hanauef- EIC READING R. Heineman V. STELLO A. Gianbusso

0. P m P. t ..uilly T. Ippolito F. Rosa F. Ashe W. Mcdonald ,

er=

  • _. EIC:.IE g ...,JE C;TR_ f _M:TR hA5nd:mg _FRosa EIC l[R ..A..

TAIppeTTP VStello

, , , , , 7/ai/75 7/22/75 _,/7 q75 _p'h)5 7

Perus ABC.318 (Rev. 9 53) ABCM 0240 W u. e. sovsn=nsamt raintine orrecsi sere.sae-see

9 UNITED STATES NUCLEAR REGULATORY COMMISSION W ASHIN GTON, D. C. 20 $$ $

JUL 2 81975 R. C. DeYoung, Assistant Director for LWRs, Group 1, RL WASHINGTON PUBLIC POUER SUPPLY SYSTEll, WPPSS ffUCLEAR UNITS N0. 3 AND N0. 5; INSTRUi:EllTATION, CONTROL AND ELECTRICAL POWER SYSTEilS, SAFETY EVALUATION Plant Name: WPPSS Nuclear Units Nos. 3 and 5 Docket Number: 50-508/509 Licensing Stage: Construction Permit Milestone Number: 24-22 Responsible Branch and Project Leader: LWR l-3, P. O'Reilly Technical Review Branch Involved: EI&CS Branch Description of Review: Safety Evaluation Report Requested Completion Date: June 16, 1975 Review Status: Complete The enclosed Safety Evaluation Report (SER) was prepared by TR:RS, Electrical, Instrumentation and Control Systems Branch. This SER reflects the results of our review of the information presented in the Preliminary Safety Analysis Report (PSAR) through Amendment 18.

The PSAR includes (both by reference and by physical incorporation) significant portions of the Combustion Engineering Standard Safety Analysis Report (CESSAR). These portions (identified in PSAR Table 1.1-2) pertain .to CESSAR Amendment 16. The applicant has stated:

"It is WPPSS intent that all resolutions adopted between CE and the AEC as a result of CESSAR review which affect only CE's scope of supply, will be incorporated into the design of WNP No. 3 and 5. Resolutions between CE and the AEC which affect the balance of plant scope of supply will be evaluated on a case by case basis by WPPSS."

In view of this commitment, and the fact that Amendment 31 of CESSAR has been issued with the CESSAR review still incomplete, our review concentrated on those areas of the design solely within the applicant's scope of supply. The review of those areas of the design which are dependent on CESSAR will be completed subsequent to completion of the '

CESSAR review, and will be reported in a supplement to this SER.

Although, this evaluation is submitted prior to . resolution of all of our concerns, it clearly identifies unresolved areas as well as our recommended positions regarding them.

R. C. DeYoung ,

a Additional information, documentation, or resolution of concerns are required for the following areas (reference SER Section);

1. CESSAR generic concerns relating to the Reactor Trip System and the Containment Isolation Actuation Signals (Sections 7.2 and 7.3.1 respectively).
2. Design criteria for High Pressure Turbine Stop Valves to ensure acceptable consequences for a main steam line break accident

-(Section 7.3.2-(1)).

3. The Auxiliary Feedwater System design including appropriate interface requirements (Section 7.3.4).
4. Additional documentation relating to the motor-operated valves for the Shutdown Cooling System (Section 7.4).
5. Conformance with the requirements of IEEE Std 323-1974 (Sections 7.5 and7.8.3).
6. Areas of generic interest resulting from the CESSAR review (Sections 7.6.1 through 7.6.4 and 8.2.1).
7. Full conformance with Regulatory Guide 1.47 (Section 7.6.5).
8. Additional documentation concerning response time testing for the protective systems (Section 7.6.7).
9. Documentation concerning qualification of safety-related equipment (Sections 7.8.2 and 7.8.3).
10. Interfaces with Combustion Engineering Standard Plant Design (Section 7.10).
11. Concerns relating to tne battery installation for the safety-related d-c power system (Section 8.3.2).

s ,

Vic Jr. sistant Director for Reactor Safe y Division of Technical Review Office of Nuclear Reactor Regulation

Enclosure:

- As stated above cc: S. Hanauer R. Heineman A. Giambusso

0. Parr P. O'Reilly T. Ippolito F. Rosa F. Ashe W. Mcdonald

r -

WASHINGTON PUBLIC POWER SUPPLY SYSTEM WPPSS NUCLEAR UNITS 3 and 5 DOCKET NOS. 50-508 and 50-509 SAFETY EVALUATION REPORT 7.0 Instrumentation and Controls 7.1 General The Commission's General Design Criteria (GDC), IEEE Standards including IEEE Criteria for Protection Systems for Nuclear Power Generating Stations (IEEE Std 279-1971), applicable Regulatory Guides for Water-Cooled Nuclear Power Reactors, and Electrical, Instrumentation and Control Systems Branch (El&CSB) Positions noted in Table 7-1 of the itandard Review Plan (SRP) have been utilized as the bases for evaluating the adequacy of the Protection and control systems. Specific documents employed in our review are listed in the Appendix to this Safety Evaluation Report (SER).

This SER reflects the results of our review through Amendment 18 of the Preliminary Safety Analysis Report (PSAR) for the Washington Public Power Supply System (WPPSS) Nuclear Units 3 and 5 (hereafter referred to as Washington Nuclear Plant (WNP) 3 and 5, or WNP 3 or 5 respectively).

The PSAR includes (both by reference and by physical incorporation) significant portions of the Combustion Engineering Standard Safety Analysis Report (CESSAR). These portions (identified in PSAR Table 1.1-2) pertain to CESSAR Amendment 16. The applicant has comitted to adoption of any resolution of problem areas resulting from our review of CESSAR which effect only Combustion Engineering (CE) scope of supply, and to " evaluate on a case-by-case basis" those resolutions which effect the balance of plant scope of supply. In view of this comitment, and the fact that Amendment 31 of CESSAR has been issued with the CESSAR review still incomplete, our review concentrated on those areas of the design solely within the applicant's scope of supply. The review of those areas of the design which are dependent on CESSAR will be completed subsequent to completion of the CESSAR review (Docket No. STN 50-470),

and will be reported in a supplement to this SER.

7.2 Reactor Trip System (RTS)

The Combustion Engineering scram system depends upon de-energizing the control rod drive magnetic jacks, which causes insertion by gravity of all rods. Each of these magnetic jacks is powered by individual ac-to-dc converters which receive their ac input from two scram buses, each bus supplying the converters for approximately one half of the control rods. Two ac-to-ac motor generator sets provide redundant sources of power to each scram bus. Both ac power feeds to each scram bus are controlled by two circuit

IT--~

breakers connected in series (each actuated by separate trip paths) so that, although both ac lines must be de-energized to release the rods, there are two separate means of interrupting each line.

This coincidence arrangement permits testing the system during nonnal reactor power operation up through the circuit breakers.

There are a total of fourteen trip inputs with four indeoendent instrument channels per input. Tae four bistable trip units per input form four independent trip channels designated A, B, C, and D. A trip de-energizes three relays in each trip channel whose contacts form parts of six independent logic matrices (designated AB, AC, AD, BC, BD, and CD). Each of these logic matrices provides a trip output for all possible two-out-of-four trip combinations per input. Contacts of the logic output relays are in turn arranged into four trip paths (series circuit with output relay) with each trip path controlling two scram breakers.

The overall logic is such that a scram is produced on trip of any two-out-of-four channels per trip input, and any one-out-of-six logic matrices, and any one-out-of-two-twice trip paths (including theassociatedscrambreaker).

Provisions are made to permit periodic testing from the analog channel input to the output of each circuit breaker during reactor operation. Isolation of the testing circuitry from the scram circuits themselves is accomplished by utilizing an isolated test power supply and double coil relays. One coil is used for the normal scram circuitry and the other for the test circuitry.

This scheme permits testing each bistable trip unit, each of the six logic matrices and series trip paths, and the circuit breakers supplying power.to the de converters. The scram system, including the sensors located outside of containment, is testable during power operation down to, but not including, the scram buses.

Testing is conducted monthly. The scram buses can be tested when the reactor is shut down.

The following trip inputs are part of the RTS:

1. High Linear Power Level
2. High Logarithmic Power Level
3. High Local Power Density
4. Low DNBR
5. High Pressurizer Pressure

. 6. Low Pressurizer Pressure

7. Low Steam Generator 1 Water Level
8. Low Steam Generator 2 Water Level
9. Low Steam Generator 1 Pressure

m

. )

10. Low Steam Generator 2 Pressure
11. High Containment Pressure
12. Loss of Load
13. High Steam Generator 1 Water Level
14. High Steam Generator 2 Water Level Additionally, the RTS utilizes Core Protection and Control Element Assembly Calculators which are computer-based systems for im-piementing the High Local Power Density and Low DNBR trip functions.

We have reviewed the information concerning the RTS contained in the PSAR which included functional diagrams, testing capabilities, control of bypasses, interface requirements, design criteria and design bases. As a result of this review we conclude that the RTS for WNP 3 and 5 is essentially identical to that proposed for the CESSAR standard plant design. The applicant has committed to implement any generic resolutions resulting from the CESSAR review. We consider this commitment acceptable conditioned on appropriate documentation of the generic resolutions relating to this system in the PSAR. We will report final resolution of this item in a supplement to this report subsequent to the com-pletion of the CESSAR review.

7.3 Engineered Safety Feature (ESF) Systems The safety-related instrumentation and controls of the Engineered Safety Feature Systems include (1) the Er:gineered Safety Feature Actuation' System (ESFAS) which consist of the electrical and mechanical devices and circuitry (from sensors to actuation device input terminals) that generate the actuation signals for the required ESF systems, and (2) the components that perform protective actions after receiving a signal from either the ESFAS or the operator.

Two-out-of-four coincidence of like initiating trip signals from each set of four independent measurement channels is required to actuate any ESF system. Each actuation system logic, including testing features, is identical to the logic for the reactor

- protective system (RTS).

ESFAS output signals and associated actuation inputs are as follows:

1. Containment Isolation Actuation Signal (CIAS); High Containment Pressure
2. Containment Spray Actuation Signal (CSAS); Low-Low Pressurizer Pressure or High Containment Pressure and High-High Containment Pressure.
3. Main Steam Isolation Signal (MSIS); Low Steam Generator 1 Pressure or Low Steam Generator 2 Pressure or High Containment Pressure m

. )

4

4. Safety Injection Actuation Signal (SIAS); Low-Low Pressurizer Pressure or H10h Containment Pressure G. Recirculation Actuation Signal (P.AS); tow Refueling Tank Water Level
6. Auxiliary Feedwater Actuation Signal (AFAS); An AFAS is initiated for a steam generator if (1) its level is low but its pressure is not low, and (2) its level is low and its pressure is higher than that of the other steam generator.

The Contaimnert Combustible Gas Control System is manually actuated by the operator.

We have reviewed the ESFAS descriptive information contained in the PSAR which included functional diagrams, testing capabilities, control of bypasses, interface requirements, design criteria and design bases. The following sections addrest the areas of concern developed during our review:

'7.3.1 Containment Isolation Actuation Signals (CIAS)

The CIAS are nearly identical (electrically) to those cor.tained in the standard plant tiesign and descrtbed in CESSAR. The applicant has comitted to implement generic resolutions resulting from the CESSAR review. We conclude that this commitment is acceptable conditioned on appropriate documentation of the generic resolution in the PSAP..

7.3.2 Steam Line Isolation The main steam lines and their assceiated valves, instrumentation and controls are within the applicant's scope of supply. Our review of this area concentrated on the acceptability of the consequences of single failures that could prevent the isolation of the intact steam generators in the event of a steam line break

! upstream of a main steam isolation valve (MSIV). These failures are:

1. A break in any one of the four main steam lines upstream of the MSIV coupled with a single failure which prevents the closure of the main steam isolation valves in the lines from the intact steam generator. Thin combination would result in the blowdown of both steam generators which could result in unacceptable safety consequences. For this case the High Pressure Turbine Stop Valves (HPTSV) must provide the desired isolation. Although, we recognize that the HPTSV are not qualified to seismic Category I standards, it is ourjudgment that the design practices and quality control measures imposed on these valves in conjunction with some degree of on-line testing and inservice inspection assure the requisite quality level and operational reliability. However, we will require

)

5- ,

that the instrumentation, control and electrical equipment to be utilized for closing the HPTSV during a steam line break accident be designed in.accordance with the requirements set

.forth in IEEE Std 279-1971 and IEEE Std 308-1971 excluding seismic qualification. . We will report the resolution of this item in a supplement to this report.

2. Each of the four main steam lines (MSL) has one power operated atmospheric dump valve and one motor-operated MSIV bypass valve (arranged in parallel with the MSIV). The power
'- operated atmospheric dump valves are located between the steam generator and the MSIV's. Concern was expressed about a single failure causing either of these valves to open. This

! could result in the blowing down of both steam generators i' during a steam line break accident upstream of a MSIV. The applicant has documented that pcv;er to the MSIV bypass valves

! (passive valves) and the atmospheric dump valves (active valves) l will be disconnected during normal plant operation (we note

+ that the atmospheric dump valves are not needed for 15 minutes i followng a main steam line break.). Additionally, for each i of the above set of valves the applicant has revised the

Technical Specifications to conform with the power lockout j requirements of El&CSB position Number 18 contained in Appendix 7-A of the SRP. We conclude that this is acceptable for the l

construction permit review. The design features which permit power to be restored to the atmospheric dump valves from the

i. main control room will be verified during the operating license review.

.7.3.3 Refueling Water Tank (RWT) Isolation Preceding Or During the Recirculation Mode Changeover from the injection mode to the recirculation mode of operation following a loss-of-coolant accident is accomplished automatically except for the RWT outlet valves which require operator action to close (isolate). This is in accordance with the standard plant design as described in CESSAR. Concern was expressed about an operator error resulting in leaving these valves open and as a consequence the degradation of emergency core

- cooling system (ECCS) pump performange due to loss of suction head. The applicant has indicated that immediately following transfer to the recirculation mode, containment pressure is higher than atmospheric, however, the check valves in each RWT discharge line will prevent backflow from the containment sump to the RWT.

Additionally, during long term cooling containment pressure will approach atmospheric. Also, the elevation of the containment sump and the RWT discharge lines is low enough, such that with the RWT isolation valves open and suction being taken from the containment sump, a positive water level will be maintained in the RWT lines.

Thus, there is no danger of introducing air from the RWT discharge lines into the ECCS pumps if the RWT outlet valves are not closed.

n I

We conclude that this is acceptable. ,

7.3.4 Auxiliary Feedwater System (AFS)

The AFS is required to remove afterheat in circumstances involving reactor trip and loss of offsite power even though the reactor coolant pressure boundary remains intact. The AFS is therefore considered an Engineered Safety Featuro. As such, it should be capable' of satisfying the system functional requirements after a postulated break in the auxiliary feedwater piping inside containment together with a single electrical failure. The basis for the position is that an auxiliary feedwater piping break would result in tripping the unit, and, in turn, might cause loss of offsite power. Standard staff assumptions for analyzing postulated accidents include the assumption of loss of offsito power if the affected unit generator is tripped by the accident.

We require that there be sufficient diversity in the design of the AFS so there is not complete reliance on any one source of energy for the AFS. This diversity should include not only the pump drives, but all instrumentation and controls, control circuitry, and motive power to all valve operators that are required for operation of the system. An example of an acceptable AFS is one comprised of two subsystemst one that utilizes a steam driven pu'rp and d-c control power and the other utilizing a-c power for both pumps and control, and either of which can provide the required flow. flso, the instrumentation, controls, and the electrical and steam driven equipment must satisfy the requirements set forth in IEEE Std 279-1971 and IEEE Std 308-1971.

The actuation signal circuitry for the AFS is within Combustion Engineerireg (CE) scope of supply and is essentially identical to that proposed for the standard plant design and described in CESSAR. This aspect of the desi5n +.;e considar acceptable based on the applicant's ccmitment to adopt the generic resolutions of the CESSAR review.

However, the remainder of the system is within the applicant's scope of supply. The proposed AFS design provides the required diverse pump drives. However, from the information oresented, it is not clear that control power diversity is provided or that the design conforms fully to the above IEEE Sta ndards, particularly with regard to testability. We will req 2 ire that the required control power diversity be provided and that the design be in full con-formance with IEEE Std 279-1971 and IEE Std 20F.-1971. Resolution of this iters will be reported in a supplement te this report.

7.4 Systerrgs Requ'ued for Safe Shutdown The safe Shutt wn systems as identiff,.ed in the PSAR are: the t

r _ ,

O

. )

auxiliary feedwater system, atmospheric dump system, shutdown cooling system, chemical and volume control syst.em (boron additicn portion), emergency shutdown from outside the control room and the engineered safety features support systems. The instrumentation and controls designs for these systems, with the exception of the shutdown cooling system, conform to our criteria and are accepteble.

With regard to the Shutdown Cooling System, two redundant end independent shutdown cooling system (SCS) suction lines from the hot legs of the reactor are utilized to remove residual heat from the core. Each line has three motor-operated valves arranged in series with two valves located inside and one valve located outside of the containment. This arrangement is identical to that provided for the standard plant and described in CESSAR. EIhCSB concerns on this dasign have been documented on the CESSAR docket.

We consider the applicant's commitment to adopt generic resolutions resulting from the CESSAR review acceptable conditioned on appropriEte documentation of the resolution in the PSAR.

We will report final resolution of this item in a cupplement to this report.

7.5 Safety Related Display _ Instrumentation (SRDI)_

The SRD1 provides the minimum informaticn required by the operator during events defined in Chapter 15 to:

1. Perform manual actions as necessary to back up the automatically initiated systems which are assumed operable in Chapter 15, or
2. Perform manual actions which are required by the analyses contained in Chapter 15.

Our review of the SRDI included the des (gn features for monitoring of the ESF systems, ESF support systeins safs shutdown systems and post-accident information.

The information perteining to the control element assembly (CEA) position indication system will be reviewed in the generic review

- of the CESSAR computer-based systems atilized in the RTS. Therefore, r

this aspect of the design is not included in our review (See Sec' tion 7.2).

With the exceptions noted in Section 7.0.'s of this report regarding conformance to IEEE Std 323-1914, we concludG that the proposed SRDI design t., acceptable.

7.6 Other Instrumentation and Control Systems Reouired fer Safety ,

c 7.6.1 Safety Injection Tank 1SIQlsolation Vaher Each of the four SITS is provided with a r.:otor-operated isolhtion

- - - - . ~ _ _ , __

= - - .

)

.a- ,

valve whish 11 nianually closed during nnrnal shutdown cocling operation of the reactor to prevent the SITS from automatically dischargicg ints the reactor coolant system (RCS). However, it is imperative that the fcur SIT isolation nives be open when the RCS is at pressure to provide the protection required in the event of a large LOCA.

We have reviewed tne design (which is identicel to CESSAR) of the SIT valve circuits that assure autcmatic opening of these valves when required and maintain the valves open when th(. RCS is at pressure. We have concluded that the design conforts to our criteria ar,d is acceptable. ,

7.6.2 Shutdown Coolino Overpressure Protecti_oq fnterlocks The poposed shutdown cooling system (SCS) design provides three serially connected motor-operated valves in each SCS succion line to isolate and protect the low desirne pressure SCS from tite high operat'ng pressure of the reactor coelant. system. Our correrns with regard to the pressure intericck provided to actomatically close and to prevent opening of these valves when the RCS pres %re exceeds a preset value have been expressed and will be re. solved on the CESSAR docket.

We consider the applicant's connitment to adopt the generie resolutions resulting fmm the CESSAR r.eview accept 41e for this item conditioned on appropriate tiocumentation of these resolutions in the PSAR. We will report final resolution of this item in a supplement to this reporS subsequent to the completion of tne CESSAR review.

7.6.3 Safety injection _ Tank (SIT) Pressure Pestoration The design (,f the SITS provides for the manuai depressurization of the tank to 400 psig during plant cooldown and the inanc.al pressurization -

of the tank to 600 psig when the reactor coolant pre >spre increases to 600 psig. This design is identical to that proposed in CESSAR.

CE has been advised on the CESSAR docket that this design should be modified to provida positive means of restoring the Sif pressure,

. When required, to ths.t used in the safety anclysis, and that the instrumentation, control and electrical squipment pertaining to -

tnis design ct.anga satisfy the requiremnts of IEEE Std 279-1971. ,

We consider the applicart's comitment to adept the generic ,

msolutions resulting from the CESSAR review acceptable for this iten conditioned in appropriate documentation of these resolutions in the PSAR. We will report final resolutica of this item in a -

suppleinent to this report subsequent to the completion of the CESSAR review. D 7.C.4 gannel Trip Innut_ Byphss Status to Plant Coreputer 15e desigt. of the Protective Systems (PS) provides for an indepetFient .

L _ .am - --

7 F

bypass for each trip input in each protective channel. In addition to indicating the bypasses at the' protective systems cabinets and control room boards, the status of each bypass is provided to the plant computer. This aspect of the design is essentially identical to that proposed in CESSAR for the standard plant design. CE has been advised on the CESSAR docket about compromising the independence of the PS as a result of a failure in the non-Class IE plant computer. For this concern, CE has agreed to demonstrate that the connections between the plant computer and the PS do not jeopardize the independence of the PS.

We consider the applicant's commitment to adopt the generic resolutions resulting from the CESSAR review acceptable for this item conditioned in appropriate documentation of these resolutions in the PSAR. We will report final resolution of this item in a supplement to this report subsequent to the completion of the CESSAR review.

. 7.6.5 Bypassed and Inoperable Status Indication for Safety-Related Systems The design of the bypass and inoperable status indication for safety-related systems is not finalized at this time. The applicant has stated that the recommendations of Regulatory Guide 1.47 will be considered in the design of these indication systems. We .T will require full conformance with this Regulatory Guide and will report resolution of this item in a supplement to this report.

7.6.6 Combustible asG Control System (CGCS)_

The CGCS has been identified as an ESF system and consists of the containment hydrogen recombiner system, hydrogen analyzer system and containment hydrogen purge system. The applicant has indicated in the PSAR how the instrumentation and controls pertaining to the CGCS will be designed in accordance with the applicable requirements of IEEE Std 279-1971. Also, it has documented in the PSAR that the electrical equipment in the CGCS will meet the requirements of IEEE Std 308-1971 with no exceptions anticipated. We have reviewed the descriptive information with regard to the proposed design of the instrumentation, control and electrical equipment for the CGCS, and have concluded that they satisfyourrequirementsandareac9ptable.

7,6.7 Provisions to Facilitate Response Time Test of the Protective Systems In the analysis of postulated accidents, the applicant and the staff assume certain response times for the protective systems including sensors. We believe that these response times should be determined prior to plant operation and verified at appropriate intervals during the life of the plant.

9 A

-y-, . *-w .y - $= -- - + + 7

r. .

f

9..,

The applicant has not proposad a response time testing program for the protective systems as required by IEEE Std 279-1971 s and IEEE Std 338-1971. We conclude that until experience with this design or other identical designs demonstrates that the protective system response times, including sensor response times, do not vary outside limits found acceptable in the accident analysis over a long period of plant operation, the response time testing should be repeated periodically.

.Accordingly, we will require response time testing of the pro-tective systems from sensor to final actuated equipment (including the sensor). We will report additional results for this item in a supplement to this report.

7.7 Control Systems The following control systems are identified in the PSAR as not required for safety: reactor control, reactor coolant system pressure control, pressurizer level control, feedwater control, steam bypass control and boron control. Additionally, the in-core -

instrumentation system is identified as not required for safety.

WNP 3 and 6 will also utilize a computer-based Core Operating Limit Supervisory System (COLSS) which is used to assure that the operator maintains the reactor system within the conditions assumed by the safety analysis.

The above systems for WNP 3 and 5 are identical to those provided for the standard plant as described in CESSAR. Accordingly, we conclude that the applicant's commitment to adopt generic resolutions resulting from the CESSAR review acceptable for these

- systems conditioned on appropriate documentation of these resolutions in the PSAR. We will report final resolution of this item in a suppicment to this report subsequent to the completion of the CESSAR review.

7.8 Qualification of Safety-Related Equipmen_t

- 7.8.1 Seismic Qualification

- The applicant has stated that the Class IE equipment (within Combustion Engineering scope of supply) required to perform a safety action during or after a seismic event will be qualified

. and documented in accordance with the requirements of the equipment specifications. Also, it has documented that these requirements are consistent with the requirements of IEEE Std 344-1971. In addition, the qualification program for this equipment will conform to the Regulatory Technical Paper, " Requirements of Electrical and Mechanical Equipment Seismic Qualification Program".

For the applicant supplied Class IE equipment, the applicant has stated that the purchase . specification requirements will comply with those provided in IEEE Std 344-1971. Additionally, these requirements will be supplemented by those contained in Appendix 3.9-A of the PSAR. The applicant has documented, and we concur, that these requirements, which supplement IEEE Std 344-1971,are consistent with Branch Technical Position El&CSB 10 contained in Appendix 7-A of the Standard Review Plan.

Accordingly, we conclude that the above connitments for the seismic qualificatio.n of Class IE equipment comply with our position and are acceptable.

7.8.2 Fnvironmental Qualification for Combustion Engineering Supplied Equipment The applicant has not addressed specifically the environmental qualification of the CE supplied equipment. However. It has stated the equipment supplied by CE will meet or exceed the qualification requirements specified for the non-CE supplied equipment. We will require that the PSAR be amendmented to include the commitment that all CE instrumentation, controls, mechanical and electrical equipment important to safety will be qualified for use under the specified environmental service conditions in accordance with IEEE Std 323-1974. He will report resolution of this item in a supplement to this report.

7.8.3 Environmental Qualification for Applicant SuDplied Equipmen_t_

The list of safety-related equipment and components (as ideatified in the PSAR) required to operate during and subsequent to design bases accidents does not include the equipment which is qualified by operating experience or the equipment which has been previously qualified.- The applicant has indicated that it is not p0ssible to identify this equipment at this time. This equipment will be identified when this information becomes available, as will the bases for establishing the adequacy of qualification on the basis of operating experience. Also, it has stated that additional documentation will be provided to demonstrate that the requirements for intended plant use will be met by the available operating experience. We conclude that this cpmmitment is acceptable conditioned on satisfactory documentation of the above in the PSAR.

With regard to IEEE Std 323-1974 the applicant has committed to this standard with som e,xceptions pertaining to aging and on-going qualification. We will require full conformance to IEEE

"'%* 3 .- ,--m. ,% ,

I 1

I Std 323-1974.

Resolution of this item will be reported in a supplement to this report.

Anticipated Transients Without Scram (ATWS)_

7.9 Our evaluation of the adequacy of the instrumentation, control and electrical equipment has been based on the information con-However, it should be noted that some of tained in the PSAR.

the designs described in the PSAR that we have reviewed the positioas set forth in AEC Report WASH-1270, "USAEC Technical Report on Anticipated Transients Without Scram for Water-Cooled Power Reactors," dated September 1973.

The applicant has stated that it does not plan to discuss any plant design changes until such time that the NRC staff completes its generic evaluation of the ATWS information submitted by Combustion Engineering.

We will report the results of the staff's ATWS evaluation in a supplement to this report.

7.10 Interfaces witn the Standard Plant Desion (CESSAR)_

As previously stated, our review concentrated on those areas of However, the design solely within the applicant's scope of supply.

selected areas of the design interface with the standard plant design (CESSAR).

Accordingly, interface requirements and design criteria must be clearly defined before our review of.these areasPre can be completed.

not been completely specified by the standard plant designer for all areas of concern.

We will require that these areas conform to the applicable General Design Criteria, IEEE Standards, Regulatory Guides and 3rancaW Technical Positions.

provide the resolution in a supplenant to this safety evaluation report.

~ ~ ~ ~ - - - - ~ - _ _ _ _ _ _ _ _ _ _ _ __ __

n 8.0 ELECTRIC POWER 8.1 General The Comission's General Design Criteria (GDC) 17 and 18. IEEE Standards including IEEE Criteria for Class IE Electric Systems for Nuclear Power Generating Stations (IEEE Std 308-1971), and applicable Regulatory Guides (RG) for Water-Cooled fluclear Power Reactors including RG 1.6, 1.9 and 1.32 served as the bases for evaluating the adequacy of the electrical power system. Specific documents employed in our review are listed in the Appendix to this report.

Washington Public Power Supply (WPPSS) fluclear Units 3 and 5 will hereafter be referred to as Washington Nt. clear Plant (WitP) 3 or 5 respectively.

The following sections apply to each nuclear unit, unless other-wise indicated.

8.2 Offsite Power System Initially, WitP-3 will be interconnected to the Bonneville Power Administration (BPA) electrical grid system via one 500 kV, two 230 kV and one 115 kV transmission lines at the BPA Satsop switch-yards. A second 500 kV transmission line will subsequently be constructed for WNP-5, the 115 kV line will be removed, and the .

existing 115 kV substation will be served radially from Satsop.

Tnese lines (two lines for WitP 3 and two lines for WilP 5) and associated circuits constitute the two physically independent offsite power circuits required by GDC 17. The 500 Ky switchyard will have a modified ring and breaker and a half bus configuration.

The 230 kV switchyard will have a modified breaker and a half bus configuration. The two sources of offsite power will be separated sufficiently so that no single failure of a structure or conductor will result in a loss of both preferred offsite power sources. The transmission lines and their associated structures interconnecting the BPA switchyard with the system will be designed for the effects of environmental conditions prevalent in the area with regard to icing, wind, temperature lightning and flood.

Thz Station flain Generator (SMG) is connected to the 500 kV switch-yhrd via a generator load break switch and the Main Transformer.

Each of the three Unit Auxiliary Transformers (UAT) are connected to the low voltage side of the main transformer via disconnect links.

The three Standby Transformers (ST) serving each plant are connected to the 230 kV switchyard via a common circuit.

1 -

ce During normal power operation, the auxiliary a-c power distribution systems are supplied by the SMG via the three UAT's. In case of electrical faults in the main generator or in any other component of the generator output circuit, the 500 kV circuit breakers for the main transformer will be tripped and the standby transformers will be automatically switched in with a fast dead bus transfer to energize all the auxiliary buses.

The three UAT supply power at two voltage levels, one transformer

, for the 13.8 kV loads and the other two provide 4.16 kV to the four 4.16 kV buses, two of which are the safety bus.es. The 230 KV offsite power system similarly utilizes three Standby Transformers for powering the 13.8 kV and 4.16 kV loads. Both sets of transformers (i.e., Standby Transformers and UAT) have the full capacity of supplying emergency shutdown power and engineered safety features power requirements to the corresponding safety related buses.

The offsite power system utilizes protective relaying which initiates the automatic opening of the appropriate breakers and load break switches upon sensing abnormal system conditions. Two separate 125 Vdc battery systems (including battery chargers) are provided for circuit breaker and load break switch operation.

The applicant has provided preliminary results of stability studies which indicate that the offsite power source will be maintained postulating the sudden loss of one unit or faults on any of the interconnecting transmission lines.

The offsite power system design provides one immediate access circuit (230 kV) and one delayed access circuit (500 kV via backfeed through the main transformer after the generator is disconnected by opening of the load break switch). However, the delayed access circuit depends on the operation of the load break suitch. We will require that test data be provided during the OL review that demonstrates that this switch is capable of performing its design function, i.e., interruption of the main generator full load current.

We have concluded that the offsite power system satisfies the

- requirements of GDC 17 and 18, and IEEE Std 308-1971, and is acceptable. l 8.2.1 Areas of Generic Concern Additional areas of generic concern wnich affect the offsite power system of WNP 3 and 5 and have been identified on the CESSAR docket are the following.

One area of concern is the interface design requirement that the reactor coolant pump motors shall remain electrically connected to the generator for 20 to 30 seconds following a turbine trip due to loss of load in order to prevent turbine overspeed. In

. )

this regard, the applicant has stated that his design will meet this requirement, we conclude that this commitment is acceptable.

Another area of concern is the requirement for disconnecting the main coolant pumps motors from the electric power system in the event of an excess frequency decay rate condition on the power system. This is necessary in order to assure the pump's kinetic energy is available for flow coastdown. In this regard, we consider the applicant's commitment to adopt generic resolutions resulting from the CESSAR review acceptable conditioned on appropriate documentation of the resolution in the PSAR. We will report final resolution of this item in a supplement to this report.

8.3 Onsite Power System 8.3.1 A-C Power System Onsite standby power for each nuclear unit will be supplied by two diesel generators. Each diesel will supply one 4160 V emergency bus (ESF bus) comprising one division of a two division split-bus configuration. Interlocks are provided to prevent paralleling the diesel generators. Each diesel will be started automatically by an undervoltage signal from its respective bus or by a safety features actuation signal. Only one of the two diesels is required to provide emergency power for accident conditions.

The redundant engineered safety features and vital instrumentation and control loads will be supplied, directly or indirectly, from the two 4160 V emergency buses through the two-division split-bus configuration. .This configuration is maintained throughout the a-c and d-c subsystems. There is no provision for automatic switching of redundant buses or loads. Further, interlocks are provided to prevent redundant buses from being paralleled.

Each diesel generator and its auxiliaries will be housed in a separate room located in a Category I struct'are. The separating

! walls will be designed with four hour fire barriers and will provide missile protection in the event of explosion or failure of rotating equipment. Each room will be provided with its own ventilation and lighting systems. The diesel generator combustion i

air intake and exhaust system will be designed to insure that l the diesel generator will have sufficient 0::ygen content in

. their intake air.

The starting and operation of any diesel is not conditioned by operation of the other. Each diesel generator will have a dual train independent air starting system. Each train will be provided with an electric air compressor, an air receiver, associated piping, valves, and control and instrumentation equip-ment. The two receivers will have a combined capacity for five (5) cold starts of the diesel generator which they serve.

l l

)

The diesel generator fuel oil system for each nuclear unit will consist of two diesel oil storage tanks, two transfer pumps, one fuel oil day tank per diesel, necessary valves, piping, etc.

Each day tank will have the capacity to run its respective diesel generator under full load for four hours. The system piping will be arranged so that any transfer pump may transfer fuel oil from either storage tank to any day tank. Each storage tank will have a capacity of 70,000 gallons, which is more than sufficient to supply oil for one diesel generator for seven days.

The applicant has not selected the diesel generator units for WNP 3 and 5. However, it has documented an acceptable diesel generator qualification test program in the PSAR. Further, the diesel generators will be selected and sized in accordance with the recommendations of Regulatory Guide 1.9. We conclude that this design commitment is satisfactory.

The applicant has stated that the design of the a-c onsite power system will conform to General Design Criteria Nos. 17 and 18, and . Regulatory Guides 1.6,1.9, and IEEE Std 308-1971. On the basis of our review, and with the above design commitment, we have concluded that the proposed design criteria for a-c onsite power would meet the Commission's requirements and therefore are acceptable.

8.3.2 Safety-Related D-C Power Systems The safety-related d-c power system of each nuclear unit will consist of two sets of two electrically independent and separated 125 volt d-c load groups. The d-c power system is compatible with the two-division split-bus configuration of the a-c system.

Each of the two load groups of one set is composed of a 125 volt d-c battery, two dedicated solid state battery chargers, distribution bus, distribution panel,. interconnecting cables and connected loads. Each of the two load groups of the other set is

, identical except that one battery charger is provided. All l load groups are normally supplied by their respective battery charger. Each charger is capable of carrying its normal steady state loads while floating the battery in a fully charged condition.

Also, the battery chargers size and' instrumentation will meet the requirements of IEEE Std 308-197), and RG 1.32 in that they will be capable of supplying plant dJc power requirements during any mode of plant operation while restoring the batteries to l full charge in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.'

Each set of safety-related 125 volt d-c batteries are located in one seismic Category I battery room with a fire barrier partition l wall separating the two batteries. Additionally, each battery room will be separately ventilated by redundant fans to remove ,

j gases produced during the battery chargino cycle. m

~

1.

l O

1 b

)

-17.

We conclude that this arrangement is not acceptable. We will require' that each safety related battery be located in a separate seismic Category I room with an independent ventilation system.

With the exception of the battery installation, we conclude that the design of tne safety-related d-c power system is in accordance with GDC 17. IEEE Std 308-1971, IEEE Std 336-1971, RG 1.6 and RG 1.30 and is acceptable. We will report resolution of our concern regarding the battery installation design in a supplement to this

report.

8.4 Physical Separation and Identification of Safety-Related Electrical Circuits and Equipment The applicant has stated that the design will comply with IEEE Std 384-1974 as augmented by the recommendations contained in RG 1.75, with the following exception.

The present design provides for automatic tripping.(of circuit breakers) on accident or loss of offsite power signal of all non-safety loads (except emergency lighting) which are supplied from emergency buses. The design also includes provisions to manually reconnect selected non-safety loads to the emergency buses at some time following the initial event (e.g., loss of offsite power or accident). The applicant has stated that administrative control will specify when this equipment may be re-connected. We conclude that this isacceptable for tite construction permit review subject to detailed review of the control circuit schematic diagrams and administrative controls during the operating license review.

The 480 volt side of the emergency lighting circuit will be fully qualified as Class IE. However, the low voltage side will not be qualified as Class IE since it can be demonstrated by analyses that the fault current due to a fault on the 208/120 volt side will have minimal effect on the ESF power sources. Also, circuit protection on the 480 volt side will be provided by molded case circuit breakers and fuses connected in series.

The criteria for identification of safety-related electrical circuits and equipment presented in the PSAR conform to the recomendations of RG 1.75 and are acceptable.

We have concluded that the design features and the applicant's commitment of conformance to IEEE Std 384-1974 and RG 1.75 meet the Regulatory position with regard to physical independence and identification of safety-related electrical equipment and are acceptable for a construction permit review.

l l

l

/

. )

APPENDIX TO SECTIONS 7.0 and 8.0 0F THE SAFETY EVALUATION REPORT FOR WASHINGTON PUBLIC POWER SUPPLY SYSTEM NUCLEAR UNITS 3 AND 5 The following documents were employed for the Construction Permit review for Washington Public Power Supply System (WPPSS) Nuclear Units 3 and 5.

1. Preliminary Safety Analysis Reports (PSAR) through Amendment 18 for WPPSS Nuclear Units 3 and 5.
2. 10 CFR Part 50 and Appendix A to 10 CFR Part 50. .
3. USNRC Regulatory Guides, Division 1, Power Reactors.
4. Programmatic Information for the Licensing of Standardized Nuclear Power Plants and Amendment 1 for this Document .(WASH-1341).
5. Institute of Electrical and Electronic Engineers (IEEE) Standards:

IEEE Std 279-1971 " Criteria for Protection Systems for Nuclear Power Generating Stations."

IEEE Std 308-1971 " Criteria for Class IE Electric Systems for Nuclear Power Generating Stations."

IEEE Std 317-1972 "IEEE Standard for Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations."

IEEE Std 323-1974 "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations."

IEEE Std 334-1971 " Trial-Use Guide for Type Tests of Continuous Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations."

IEEE Std 336-1971 " Installation, Inspection and Testing Require-ments for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations."

IEEE Std 338-1971 " Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems."

IEEE Std 344-1971 "IEEE Recommended Practices for Seismic Qualification of Class IE Equipment for Nuclear Power Generating Stations."

IEEE Std 379*1972 " Trial-Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems."

IEEE Std 382-1972 " Trial-Use Guide for Type Test of Class I Electric Valve Operators for Nuclear Power Generating Stations."

IEEE Std 383-1974 "IEEE Standard for Type Test of Class IE Electric Cables, Field Spices and Connection for Nuclear Power I Generating Stations."

.)

Appendix IEEE Std 384-1974 " Trial-Use Standard: Criteria for Separation of Class IE Equipment and Circuits."

IEEE Std 387-1972 " Criteria for Diesel-Generator Udits applied as Standhy Power Supplies for Nuclear Power Generating Stations."

IEEE Std 450-1972 " Maintenance Testing, and Replacement of Large Stationary Type Power Plant and Substation Lead Storage Batteries."

6. Sections 7.0 (Also Appendix 7A) and 8.0 (including Table 8-1) of the USNRC Standard Review Plan.

I -

r l

4 f

- - .-.

Retrieved from "https://kanterella.com/w/index.php?title=ML20210S836&oldid=3307371"