ML20244E024
{{#Wiki_filter:MEMORANDUM FOR: Victor Nerses, Project Manager, PWR Project Directorate #5, Division of PWR Licensing-A

FROM: C. E. Rossi, Assistant Director, Division of PWR Licensing-A

SUBJECT: SUPPLEMENTAL SAFETY EVALUATION REPORT, SEABROOK STATION, UNIT 1

Plant Name: Seabrook Station Unit 1
Docket No.: 50-443
Licensing Stage: OL
Responsible Branch: PWR #5
Project Manager: V. Nerses
Review Branch: EICSB/DBL
Review Status: Complete

Enclosure 1 to this memorandum provides SSER input pertaining to the resolution of instrumentation and control (I&C) open and confirmatory items associated with the Seabrook design. Respectively, these are identified in Sections 7.1.4.1 and 7.1.4.2 of the Seabrook SER (NUREG-0896) as open items (2), (3), (4) and confirmatory items (1), (4), (7), (9), (10), (11), (16), (19). Based on review of additional information supplied by the applicant, the EICSB has concluded that the I&C open and confirmatory items addressed in Enclosure 1 have been satisfactorily resolved. It should be noted that a license condition is required as a result of the radiation data management system (RDMS) review as described in Enclosure 1, Section 7.5.2.2.

Enclosure 2 provides the required SALP input for this SSER information.

Original signed by
C. E. Rossi, Assistant Director
Division of PWR Licensing-A

Enclosures: As stated

DISTRIBUTION: Central Files, EICSB RF, C.E. Rossi

cc: See page 2

Contact: R. Stevens (EICSB/DBL), X-29456

Concurrence block (OFC / NAME / DATE), partly illegible in the source scan: offices EICSB:DPL-A, EICSB:DPL-A, AD:DPL-A; names SWeiss, FRosa; dates in June 1986.

OFFICIAL RECORD COPY

V. Nerses

cc w/enclosures: H. Thompson, M. Srinivasan, D. Crutchfield, G. Lainas, V. Noonan, F. Rosa, S. Weiss, R. Stevens

ENCLOSURE 1

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SEABROOK SUPPLEMENTAL SAFETY EVALUATION REPORT INPUT
INSTRUMENTATION AND CONTROL

7.2.2.4 Turbine Trip on Reactor Trip

As discussed in Section 7.2.2.4 of the Safety Evaluation Report (NUREG-0896), the applicant committed to install for turbine trip circuitry requirements redundant, safety-related circuits and solenoids powered from Class 1E inverters. Subsequently, the applicant modified the original design proposal and, upon request, provided information by letters dated February 14, 1986, and May 10, 1986, to describe the latest turbine trip on reactor trip (TT-0-RT) system.

The turbine trip circuit design complies to the maximum extent practicable with the applicable requirements of IEEE 279 (Section 4.2, 4.3, 4.5, 4.6 and 4.10 specifically) with the exception of seismic qualification. Redundant, Class 1E P-4 (reactor trip breakers open) signal inputs are provided to the two turbine trip circuits. Discussions with the applicant have revealed that the input signal circuitry routed through the nonseismic structure is isolated, so the protection system performance is not degraded below an acceptable level. One trip circuit energizes the mechanical trip solenoid while the other de-energizes the electrical trip solenoid to depressurize the emergency trip system and to close the turbine valves. Cross-trip circuits are provided so that either of the redundant (P-4 Train A or Train B) trip signals will activate both turbine trip circuits. The entire turbine control system is considered A-associated. Thus, a qualified isolation relay is provided to change the B Train reactor trip input signal from B-associated to A-associated for input to the turbine control system.

Based on the information above, the staff considers this design consistent with the importance to safety of the function and, therefore, acceptable.

7.3.2.11 Emergency Feedwater System

The SER (NUREG-0896, Section 7.3.2.11) states that the applicant should formally revise the FSAR and appropriate drawings to describe the final emergency feedwater system (EFWS) design. The applicant has provided FSAR information (through Amendment No. 56) which confirms the EFWS design as described in SER Section 7.3.1.7. By letter dated February 14, 1986, the applicant has provided reference to the instrumentation and control drawings which reflect the latest EFWS design. Based on review of this additional information, the staff considers this issue to be resolved.

7.3.2.4 Indicator, Alarm, and Test Features Provided for Instrumentation Used for Safety Functions

In Safety Evaluation Report (NUREG-0896) Section 7.3.2.4, it is stated that each safety function can be tested without lifting leads or the use of jury rigs. Subsequent to this SER input (November 1985 meeting), the staff was informed of the need for temporary circuit modifications during various instrumentation surveillance tests. Details have been provided by letters dated April 7 and June 5, 1986. The staff's evaluation of this information is provided in Section 7.3.2.14 of this supplemental safety evaluation report.

7.3.2.14 Conformance to R.G. 1.118 and IEEE 338

As stated in Safety Evaluation Report (NUREG-0896 Section 7.3.2.14), the applicant committed to promptly notify the staff if temporary modifications were found to be necessary during periodic testing of protection systems. During a November 1985 meeting, the staff was informed of the need for temporary circuit modifications. Upon request for details, the applicant provided information by letters dated April 7, 1986 and June 5, 1986. The staff's evaluation of this information follows.

The information provided identifies (by procedure number and title) where a given surveillance test condition requires temporary circuit modifications (lifted leads, jumpers, removal of fuses, and test adapters). The applicant has reviewed all test procedures to reduce the requirement for the use of modifications where possible. The modifications make use of designed test points, test jacks, and hardware connection points. The applicant has confirmed that the instrumentation and control (I&C) test procedures have a point-by-point verification on the return to normal status condition. The I&C procedures require second person verification through sign off by that individual. The second person cannot be directly involved in the actual movement or relocation of equipment but shall be knowledgeable about the equipment undergoing surveillance testing. An additional independent verification is performed to ensure that the equipment is returned to its normal service condition.

On the basis of its review, the staff finds that the combination of explicit testing procedures and administrative controls (independent second person verification) meets the guidelines of IE Information Notice 84-37, "Use of Lifted Leads and Jumpers During Maintenance and Surveillance Testing" and, thus, provides reasonable assurance that the instrumentation will be restored to the correct configuration following testing where temporary modifications are required. Therefore, the staff considers this issue resolved.

7.3.2.15 Conformance to Regulatory Guide 1.75

As reflected in SER (NUREG-0896) Section 7.3.2.15, the staff concluded that the Seabrook design adequately conformed to the provisions of Regulatory Guide (RG) 1.75, Revision 2 and IEEE 384. As required by the subject Section, the applicant has provided formal documentation by a January 25, 1983 letter to support the staff's conclusion. However, subsequent to the issuance of the January 25, 1983 letter, the staff was informed of an area of nonconformance with the required separation criteria during the review of information related to possible interconnections between redundant electrical divisions as discussed in SER Section 8.3.1.8.

The staff learned that Train A-associated and Train B-associated circuits interface (lack required separation) with each other within various cabinets utilized to process and transmit certain field inputs for use by the main plant computer. These cabinets are identified as Intelligent Remote Terminal Units (IRTUs). The applicant has performed an analysis to show that the subject interface will not cause detrimental interaction between the redundant separation groups which provide input to the IRTUs. Also, upon request, the applicant has performed tests to support the analysis. The analysis and test results have been reviewed and found acceptable by the staff as reported on in Section 8.3.1.8 of this supplement. Therefore, the staff considers this item to be resolved.

7.4.2.1 Station Service Water System

As discussed in the SER (NUREG-0896, Section 7.4.2.1), the secondary (nonseismic portion) component cooling water heat exchangers are automatically isolated from the safety-related service water system piping on a loss of offsite power, tower actuation (TA) signal (low service water pump discharge pressure), or a safety injection signal. The staff expressed a concern that if there is an earthquake without an accident or loss of offsite power, the nonseismic piping can be assumed to fail, and the nonseismic portion of the service water system may not receive an automatic signal to isolate as required. The applicant has provided additional information to address this issue by letters dated February 14, 1986 and May 10, 1986. The staff's evaluation of this additional information follows.

It has been determined from analyses performed by the applicant that any nonseismic pipe failure greater than 8 inches will result in a TA signal.
The remaining concern relates to the effect of reduced flow to the safety equipment for failures of the nonsafety-related piping that do not cause a TA. The applicant subsequently analyzed the effect of the largest nonsafety-related piping failure (8 inches) that does not result in a TA taking into consideration worst-case conditions (maximum normal operation water temperatures and heat loads, etc.). The applicant has concluded from their analyses that any failure of the nonseismic piping will not prevent the accomplishment of the safety functions should they be required.

The staff challenged the worst-case temperature conditions that might exist as related to use of the cooling towers during normal plant operation for heat treatment of the normal service water tunnels in combination with diesel generator full load testing. The applicant responded stating that a Technical Specification limiting condition exists for operation of the cooling tower during normal plant operation to maintain the basin temperature below a specific temperature (67.3°F). As long as the basin temperature is at or below 67.3°F, the applicant has confirmed that failure of the nonseismic piping will not result in unacceptable consequences. The applicant has committed to include (prior to core load) in the procedures for cooling tower operation during normal power operation restrictions on operation of the diesel generators when the Technical Specification basin temperature could be exceeded. The Seabrook Resident Inspector should verify such procedures are in place prior to core load.

Based on the above discussion and satisfactory verification by the Resident Inspector of implementation of procedural restrictions on diesel generator operation during normal plant operation, the staff considers this issue resolved.

7.4.2.2 Main Steam Atmospheric Relief Valves

SER (NUREG-0896) Section 7.4.2.2 reflects that the Seabrook design will include safety-related electro-hydraulic actuators for the atmospheric steam dump valves (ASDVs) that would be powered from the emergency power sources. Subsequently, the applicant informed the staff in a November 1985 meeting (with followup letters dated February 14 and May 10, 1986) that, instead of the original proposed electro-hydraulic actuator design, the ASDVs will be air operated. The actuators will be provided with safety-related controls and air supplies (nitrogen backed bottles). The actuators (including air backup supply) and manual control circuits will comply with the seismic and environmental requirements. The applicant has provided information to verify that the safety-related air system has sufficient capacity to operate the ASDVs for 10 hours and that this will provide adequate time to cooldown from hot standby to residual heat removal system operation. Seismically qualified transmitters will be installed to provide control room pressure indication and an alarm for each set of gas bottles.

The staff has reviewed drawings to confirm the safety-related control portion of the design which included verification that the manual control circuitry will be Class 1E with power to be supplied from the emergency power sources. Safety-related manual control will exist at both the main control board and remote shutdown panels.
The applicant has provided information to confirm that with any postulated single failure, there will always be at least two ASDVs available for safe plant shutdown. Also, the manual control circuitry will override (isolate when required) the nonsafety-related automatic controls which are associated with the plant normal instrument air system.

Based on review of these latest modifications, the staff considers this issue resolved. Periodic testing and surveillance requirements shall be included as part of the Technical Specifications to check the operability of the atmospheric steam dump valves and associated manual controls including the safety-related gas supply system.

7.4.2.3 Instrument Air System

As required by SER (NUREG-0896) Section 7.4.2.3, the applicant has provided formal information (letters dated February 14, 1986 and May 10, 1986; FSAR information through Amendment 56) to confirm that safe plant shutdown can be accomplished without the use of the nonsafety-related instrument air system. The applicant has verified that: (1) the emergency feedwater flow control valves will not utilize pneumatic operators (will be motor operated valves), (2) the atmospheric dump valves will be provided with a backup safety-related air supply system (nitrogen backed bottles) as described in Section 7.4.2.4 of this supplement, and (3) that the residual heat removal system can be operated without the use of instrument air.

Based on review of the additional information as described above, the staff considers this issue resolved.

7.4.2.4 Remote Shutdown From Outside the Control Room

As stated in SER (NUREG-0896) Section 7.4.2.4, the applicant committed to modify FSAR Section 7.4 to reflect the latest design and to address staff guidance regarding the remote safe shutdown equipment/systems. The applicant has provided additional information by amending the FSAR (Amendment 56) and through letters dated May 10, 1986 and June 5, 1986. The staff's evaluation of this information follows.

In the event the control room becomes uninhabitable, the plant can be brought to and maintained in a hot standby condition and then subsequent cold shutdown mode using alternate control provisions located outside the main control room at various remote safe shutdown (RSS) locations. The RSS locations utilized for achieving and maintaining hot standby are the vital switchgear rooms which are two levels directly below the control room. Access is through the stairwell on the south side of the control building or through stairwells in the turbine building. Access to all levels of the control building is controlled by the station security system. The operators' key cards will allow access to all levels of the control building. Administratively controlled keys are also available to assure access should the security system become inoperable.

Prior to evacuating the control room, the operator will trip the reactor, close the main steam isolation valves, and trip the reactor coolant pumps. The capability exists outside the main control room to accomplish these functions should it be necessary. Redundant, safety-related controls required for safe shutdown are located at the RSS locations.
The controls comply with the applicable requirements of IEEE 279 including seismic and environmental qualification. The control provisions at the RSS locations consist of selector switches that isolate the main control room upon transfer of control to the local station. Jumpers, lifted leads, or temporary circuits are not required. Selecting local control for any component initiates an alarm in the main control room.

Indication instrumentation at the remote shutdown locations required for safe plant shutdown (with the exception of wide-range nuclear instrumentation) are separate loops that are completely independent of the instrument loops that provide indication in the control room. The applicant has provided information to certify that the instrumentation circuits including transmitters and indicators will be operable following all natural phenomena including seismic events. This information was audited during the Seabrook site visit which was performed the week of May 12, 1986. The wide-range nuclear instrumentation including indicators will be safety-related.

During the review process, the staff challenged the portion of remote safe shutdown procedures whereby the operator is instructed to disable the solid state protection system (SSPS-Train A and Train B). The applicant responded with information to justify such planned procedures. The operator will obtain a stable (hot standby) condition from outside the control room from the RSS locations. After cooldown has commenced from the stable condition, the operators will go to power panels IA and IB (located in the switchgear rooms with the remote shutdown panels) and open breaker number 11 in each panel to disable Trains A and B of the SSPS. These panels are in close proximity to the other remote shutdown controls (location verified during NRC site visit the week of May 12, 1986). The applicant reviewed the list of equipment affected by the SSPS disabling function and concluded that such an operation will not negate any functions required for remote safe shutdown. The SSPS can be reestablished, if necessary, during the plant cooldown by reclosing the appropriate breakers. The applicant has determined that possible reestablishment of the SSPS during plant cooldown will not result in unsatisfactory consequences related to remote safe plant shutdown.

Based on the above discussion, the staff considers the remote safe shutdown issue to be resolved.

7.4.2.5 Pressurizer Auxiliary Spray

The SER (NUREG-0896, Section 7.3.2.7) states that the applicant should provide formal documentation related to the use of pressurizer power operated relief valves (PORVs) for safe shutdown. By letter dated February 14, 1986 and through FSAR Amendment 56, the applicant has provided information which verifies that redundant safety-related pressurizer PORVs are to be used to depressurize the reactor coolant system during safe plant shutdown instead of the pressurizer auxiliary spray valves. Also, the information confirms that the PORVs and associated block valves can be controlled manually from either the control room or remote shutdown panels. Based on this latest information, the staff considers this issue resolved.

7.5.2.2 Radiation Data Management System

Seabrook SER Section 7.5.2.2 states that the overall design concept and use of the radiation data management system (RDMS) are acceptable to the staff. However, the SER further states that two specific features of the RDMS require staff review. These features are (1) qualification testing of the RDMS isolation devices and (2) the software verification and validation (V&V) program. The following provides additional safety evaluation input related to the RDMS design and its associated issues.

Isolation Devices

The Seabrook RDMS is an integrated computer-based system utilized for controlling and simulating data from plant radiation monitors. A portion of the RDMS is safety-related (various radiation monitors and their associated microprocessor computers are designated as Class 1E). The Class 1E monitors (RM 80s) interface with the RDMS host computer (RM 11) or with other redundant safety-related microprocessors (opposite electrical division) through Class 1E isolation devices. The staff requested information on the qualification of the devices used for such interfaces. The applicant provided information by letters dated January 25, 1983, February 17, 1983, May 10, 1986, and June 5, 1986. The staff's evaluation of this information follows.

The information provided identified the maximum fault voltages which the computer communication loops could be subjected to. The test mock-up was described along with identification of where the maximum fault voltages were applied during the test and how the acceptance criteria were met. The test results showed that before, during, and after the fault test, the Class 1E portion of the design continued to perform its required safety function.

The staff found the qualification testing and associated test results to be acceptable with the exception that credit is being taken for fuses as part of the required isolation. The staff expressed concern about the interchangeability of the fuses with those of higher amperage ratings which would negate the required protection. Based on this concern, the applicant has taken the following steps to allow plant operation for the first fuel cycle utilizing the fuse dependent isolation devices:

a. The fuse board was replaced with a terminal block requiring the use of screw mounted fuses.
b. Special fuse assemblies will be utilized whereby one end has a soldered clip attached which will be screw mounted to the fuse termination board.
c. The new fuse board and fuse assembly will have a unique part number.
d. The RDMS is the only system on site that will utilize such a fuse assembly and associated termination block.
e. The RDMS manuals will be revised to include the new fuse assembly and associated fuse mounting board.

Further, the applicant has committed to install qualified isolation devices prior to startup following the first refueling outage which will not be fuse dependent.
The applicant shall submit the qualification documentation to the NRC for review prior to implementation.

Based on the satisfactory qualification testing performed and the applicant's precautionary measures taken to address the fuse interchangeability issue, the staff considers the use of the existing (fuse dependent) isolation devices to be acceptable for the first cycle of plant operation. The plant operating license shall be conditioned to require that qualified non-fuse dependent isolation devices be installed and operational prior to startup after the first refueling outage. This issue is considered resolved.

Software Verification and Validation

The software verification and validation (V&V) procedures used during the design and testing of the radiation data management system (RDMS) were reviewed. The review consisted of several conference calls, document submittals, and an on-site audit at the General Atomic (GA) Technologies, Inc. office. The documents audited consisted of GA Technologies V&V procedures, the RDMS design, and the RDMS testing and qualification. The procedural portion of the review included two steps. First, the GA Technologies V&V procedures (in their entirety) were specifically reviewed followed by an assessment of their use and effectiveness related to the Seabrook RDMS design.

Based on the review performed, the staff concluded that the V&V procedures established by GA Technologies for the RDMS are comprehensive and sufficiently address the requirements associated with the design and testing of highly reliable systems. Spot checks of the V&V documentation specific to Seabrook confirmed that the GA Technologies V&V procedures have been utilized.

Two recommendations are warranted as a result of the staff's review. The first arises from the fact that a plant specific RDMS design is based on previous project specific system designs. Thus, the applicant should ensure that GA Technologies continues to assess the adequacy of the process used to determine the impact of deficiencies or modifications associated with previous project-specific RDMS designs from which the Seabrook design evolved.

The second recommendation is related to programmable read only memory (PROM). Upon entry into the software library, the project-specific PROM is traceable through version/revision identification. Following entry into the library, the PROM version/revision for each Seabrook RDMS monitor type is provided in a document entitled firmware configuration. System acceptance test procedures require the utilization of the firmware configuration document. It is necessary that the correct version/revision of a PROM be used when performing an acceptance test procedure. Thus, the applicant should ensure that appropriate steps are taken by GA Technologies to make sure that use of the firmware configuration document will result in use of the correct version/revision of a PROM.

Based on the above discussion including adherence to the above recommendations, the staff considers the verification and validation procedures used during the design and testing of the Seabrook Class 1E RDMS to be adequate. This issue is, therefore, considered resolved.

7.6.7.6 Transfer From the Injection to the Recirculation Phase

As required by Safety Evaluation Report (NUREG-0896) Section 7.6.7.6, the applicant has provided formal information by letters dated February 14 and May 10, 1986 to verify that the safety injection (SI) signal will set a latching relay that will require separate action to reset after the SI signal has been reset. Lights have been incorporated on the main control board to indicate when the relay is latched. The applicant has confirmed that the lights' operability will be verified periodically as part of the Technical Specification surveillance requirements. The staff finds this design to be acceptable and, therefore, considers this issue resolved.

ENCLOSURE 2

EICSB/DBL SALP INPUT

PLANT: Seabrook Station, Unit 1
LICENSEE: Public Service Company of New Hampshire
DOCKET NO: 50-443
LICENSEE STATUS: OL
SER SUBJECT: Safety Evaluation Report Input

PERFORMANCE PARAMETERS:
(1) Management Involvement in Assuring Quality
(2) Approach to Resolution of Technical Issues From a Safety Standpoint
(3) Response to NRC Initiatives
(4) Staffing (Including Management)
(5) Reporting and Analysis of Reportable Events
(6) Training and Qualification Effectiveness
(7) Any Other SALP Functional Area

NARRATIVE DESCRIPTION OF APPLICANT/LICENSEE'S PERFORMANCE, BY PERFORMANCE CATEGORY/PARAMETER

Category/Parameter 1 (performance rating not legible in the source scan):
The applicant appeared to adequately understand staff policies and to make decisions based on adequate management involvement. An appropriate level of management was present and significantly involved at the review meeting held with the applicant.

Category/Parameter 2 (performance rating: 3):
The applicant's submittals showed that there was not an adequate understanding as to the information necessary to resolve various issues. The approach to resolve the issues appeared to be viable but the information provided to resolve the issues was lacking significantly in thoroughness and depth and met minimum requirements. Much effort was expended by the staff to provide guidance to the applicant necessary to resolve many of the issues. Repeated requests and clarifications of requirements had to be made to obtain necessary information. The lack of sufficient information caused much delay in the resolution of the issues.

Category/Parameter 3 (performance rating: 3):
The applicant responded poorly (lack of timeliness, lack of thoroughness) to concerns raised by the staff. In particular, where design changes were made that required staff re-review, the applicant was reluctant to provide sufficient details to allow the staff to complete its review. The staff had to spend considerable effort to obtain acceptable resolution of various issues (i.e., the NRC staff had to generate specific guidance on information needed to resolve the issues).

OVERALL APPLICANT/LICENSEE PERFORMANCE RATING: 3}}