ML20246M562

Forwards Addl Info on Ssar for Advanced Bwr,Per DC Scaletti 890516 Request.Responses Principally Pertain to Chapters 7 & 8
ML20246M562
Person / Time
Site: 05000605
Issue date: 07/13/1989
From: Gay J
GENERAL ELECTRIC CO.
To: Chris Miller
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM), Office of Nuclear Reactor Regulation
References
050-89, 50-89, NUDOCS 8907190174


Text


GE Nuclear Energy
General Electric Company, 175 Curtner Avenue, San Jose, CA 95125

July 13, 1989
MFN No. 050-89
Docket No. STN 50-605

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Attention: Charles L. Miller, Director, Standardization and Non-Power Reactor Project Directorate

Subject:

Submittal of Responses to Additional Information as Requested in NRC Letter from Dino C. Scaletti, Dated May 16, 1989

Dear Mr. Miller:

Enclosed are thirty four (34) copies of the Responses to Request for Additional Information (RAI) on the Standard Safety Analysis Report (SSAR) for the Advanced Boiling Water Reactor (ABWR). These responses principally pertain to Chapters 7 and 8.

It is intended that GE will amend the SSAR with these responses in a future amendment.

Sincerely,

J. S. Gay, Acting Manager
Licensing and Consulting Services

cc: D. R. Wilkins (GE)
    F. A. Ross (DOE)
    J. F. Quirk (GE)
    D. C. Scaletti (NRC)


QUESTION

420.003 (7) Identify the topical reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff. Subjects addressed in these topical reports should include but not necessarily be limited to the following:

Failure modes and effects analysis for the I&C system.

RESPONSE

420.003 The failure modes and effects analysis is contained in Appendix 15B, Section 15B.4. No separate topical reports will be provided.

QUESTION 420.004 (7) Identify the topical reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff. Subjects addressed in these topical reports should include but not necessarily be limited to the following:

A defense-in-depth analysis, demonstrating the diversity in the system that precludes the likelihood of common mode failures.

RESPONSE

420.004 In response to this question, refer to Appendix 7A, Section 7A.7 under the heading "Items 7A.5(4) and 7A.6(4)". Detailed information may be found in the ABWR Specifications referenced in Section 1.1.3.

QUESTION 420.010 (7) Identify the topical reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff. Subjects addressed in these topical reports should include but not necessarily be limited to the following:

Task analysis for the man/machine interface to the system.

RESPONSE

420.010 Collectively, the instrumentation and controls for the plant systems form the man/machine interface for the plant. This man/machine interface is largely, but not completely, contained in the control room.

In this SSAR, the subjects of the plant MMI and control room configuration are not dealt with in Chapter 7 but are covered in Chapter 18. MMI and other aspects of the design of the control and instrumentation are described in the design documentation. There are no topical reports which describe significant differences between the ABWR and previous BWR designs. However, Table 7.1-1 of the SSAR compares the ABWR I&C design with that of GESSAR II.


QUESTION 420.013 (10/87) One of the goals of the ABWR is simplification. The October, 1987 presentation mentions a 60% reduction in instrumentation. Which plants is this referenced to? Provide a description of the instrumentation which is no longer considered necessary.

RESPONSE

420.013 The instrument reduction occurred within the design phases of the ABWR itself.

The basic configuration of the initial design of the ABWR NBS instrumentation and related systems' initiation logic is very similar to that of the BWR/5 and BWR/6 (and GESSAR II Standard).

As part of the ABWR cost analysis justification study, the number of transmitters required to provide the primary Nuclear Boiler System (NBS) instrumentation functions was reduced from 84 to 30. These substantial (i.e., 64%) reductions in the NBS instrumentation were accomplished without impairment of safety or compromise of reliability of any system and will result in both an initial savings in sensor, instrument rack and installation costs and, in the longer term, a saving in manpower to conduct periodic maintenance and calibration work.

These reductions in NBS instrumentation were primarily accomplished through the broad scope sharing of transmitters such that individual transmitters now provide inputs to a number of different systems and functions. This is possible because of the four independent divisions and two-out-of-four logic adopted for the RPS and ESF Systems in the ABWR control and instrumentation design.

QUESTION 420.017 (7) Describe the trade-off analyses leading to the selection of an analog or digital approach for implementing the logic of the safety system. Describe the major criteria that the tradeoff was based on. Show how the tradeoff criteria are in accordance with applicable design criteria.

RESPONSE

420.017 DESIGN CRITERIA FOR ABWR SAFETY SYSTEM LOGIC

In comparison with BWR/5 plant designs:

1. Reduce control room equipment volume.
2. Reduce quantity of system cabling.
3. Reduce inadvertent reactor trips.
4. Permit proper interface with advanced operator benchboard design; i.e., high speed communication with CRT displays and flat screen touch panels.
5. Improve man machine interface.
6. Improve availability (reduce downtime).

TRADEOFF CONSIDERATIONS

Since the safety system logic is separated into four divisions, with 2-out-of-4 trip logic in each division, a digital design similar to the Clinton Nuclear System Protection System (NSPS) was considered advantageous. NSPS uses discrete solid state logic for trip decisions, thus eliminating a large number of relays, but still has hardwired analog signals to the control room. NSPS also has a digital, on-line, self-diagnostic system that permits complete testability of the four logic divisions in a manner not practical for analog/relay systems.

When multiplexing was considered as a means to reduce cable volume, it was decided to use microprocessor logic to permit proper interfacing to the multiplexing system and to integrate more system functions into a smaller quantity of equipment, eliminating all relay cabinets for RPS and ESF functions. Multiplexing also permits local digitizing of plant variables near their transmitters and digital transmission of encoded signals over a low noise, high speed, fiber optic cable.

A list of other tradeoffs between analog and digital technologies is shown below:

Tradeoffs

A. DIGITAL:

PRO:

-Stable.
-No drift.
-Accurate setpoints.
-Precise hysteresis.
-Low noise.
-Serial communication (less cable).
-Data multiplexing.
-Easy implementation of bypassing.
-Self-diagnostics (improves MTTR).
-Auto-calibration.
-Improved man machine interface (graphical displays, prompting, help, digital data entry).
-Future updates made via software (no wiring changes or extra hardware).
-Less equipment (more functions integrated into software logic).
-Lower power requirements (CMOS logic, less equipment).

CON:

-Complex, safety-related software (V&V program required).
-Complex, subtle failure modes, difficult to identify.
-Complex testability, logic points not available to technician with simple measuring instruments.
-Complex equipment for troubleshooting, requiring skilled personnel (interrelationships and responses of logic functions not obvious to technician unless source code and logic analyzer are available).
-Jumpering of logic for temporary testing not possible.
-Repair is limited to module replacements, which must be kept as spares, since repair of modules is not practical on-line.

B. ANALOG:

PRO:

-Simple, proven technology.
-Easy troubleshooting and repair.
-Analog displays are low cost and easily implemented.
-Status of analog signals or relay coils and contacts is readily determined at any point in instrument loop.
-Measurements possible with simple instruments by relatively unskilled technicians.
-Simple parts replacement.

CON:

-Signals and setpoints subject to drift.
-Constant calibration required.
-Electromechanical analog meters have low resolution and reliability and may become slow and inaccurate over time.
-Complex logic for interlocks and controls involving interdivisional signals requires large quantities of relays and wiring and is not easily testable automatically.

CONCLUSIONS

The complexities of a software-based, microprocessor-controlled system are compensated for by its higher performance, greater stability and accuracy, and reduced quantity of equipment. System inputs and outputs can be added or deleted without wiring changes. System functions can be changed in software ("firmware") without using extra hardware. These advantages, plus the availability of self-diagnostics, greater automation of functions, and improved man-machine interface, led to the selection of a digital system.

QUESTION 420.022 (7) Provide a table of conformance to IEEE 603 and ANSI/IEEE 7-4.3.2.

RESPONSE

420.022 Conformance with IEEE 603 and ANSI/IEEE 7-4.3.2 is discussed in Appendix 7A, Section 7A.7.

QUESTION 420.024 (7) Are any artificial intelligence features provided in the proposed system, whereby probabilistic judgements are made by the system, or whereby the system can "learn" during its operational life?

RESPONSE

420.024 No. As explained in the response to Question 420.021, the microprocessors are used only for making simple logic decisions. Artificial intelligence features are not used in the ABWR safety system design.

QUESTION 420.025 (7) Is credit taken in the safety analysis for any rotating memory devices such as disk drives?

RESPONSE

420.025 No. As indicated in the response to 420.021, no safety action is dependent on computations from the central processor. Therefore, no safety credit is taken for rotating memory devices. The control programs for SSLC are contained in ROM as firmware.


QUESTION 420.026 (7.1.2.1.6) What is the definition of "Safety Associated" as used in SAR Section 7.1.2.1.6?

RESPONSE

420.026 The self-test subsystem (STS) is classified as "Safety Associated" because its function is not safety related, yet it is intimately interconnected with functions which are safety-related (i.e., the safety system logic & control network which controls RPS and ESF functions).

Since the STS hardware is qualified Class 1E, and receives its power from the divisional buses, the subsystem may be considered Class 1E so far as IEEE 384 is concerned.

QUESTION 420.027 (7) Specify which parameters are to be triplicated. At what point does the triplication start (flow orifice, sensor?) and end (transmitter, trip logic?).

If there is triplication of sensors is there diversity between sensors?

RESPONSE

420.027 Some of the non-safety-related process systems use triplicated logic; however, the safety systems, which are the subject of these questions, have sensors and logic in four protection divisions and will be addressed in this response.

The sensors are not diverse among divisions, but are powered separately by the divisional power sources. The logic for most parameters is 2-out-of-4 in each division. Thus, the output of the sensor trip logic for each variable in a division is sent to the other divisions of the particular system. The resulting 2/4 coincidence trip signal is applied to energize the driven equipment in each division. For ESF functions, the driven equipment within a division is not replicated, but the coincidence trips are processed in dual logic processors with a 2-out-of-2 voted output to prevent inadvertent initiation of pumps or valves. In case one processor fails, automatic bypass permits temporary 1-out-of-1 output until repair is accomplished.

For RPS and MSIV, input logic is 2-out-of-4 as above, but the output load drivers which energize various groups of solenoids are also arranged in a 2-out-of-4 grouping. This permits bypassing a full division of logic while still maintaining control of all solenoids with 2-out-of-4 input logic and 2-out-of-3 output logic.

QUESTION 420.028 (15.A) Section 15.A.2.2 defines "Safety" and "Power Generation." The staff did not locate definitions for "important to safety" and "safety related" which are used in Chapter 7.


RESPONSE

420.028 "Safety-related" is the correct term in accordance with the explicit definition in 10CFR50.49(b)(1). "Basic component" defined in 10CFR21 and used in the Potentially Reportable Condition process is equivalent to "safety-related". In the past, the term "important-to-safety" was used by GE Nuclear Energy as a synonym for "safety-related". However, to avoid confusion, this term should not have been used in the ABWR SSAR. The staff did not indicate where this term was found, except that it was "...used in Chapter 7". GE will change such terms to "safety-related" as they become known. Meanwhile, expressions such as "safety essential," "essential," "safety grade," and "nuclear safety-related" should be considered synonymous with the term "safety-related".

QUESTION 420.029 (7.1.1) For those systems where it has not already been done (example 7.1.1.3.5) clarify whether manual or automatic initiation will be used.

RESPONSE

420.029 The following systems definitions in Section 7.1.1 have been expanded to state manual or automatic initiation as indicated below:

SECTION     SYSTEM   INITIATION
7.1.1.3.1   ECCS     Automatic
7.1.1.3.2   LDS      Automatic
7.1.1.3.5   SGTS     Automatic safety portion
7.1.1.3.6   DG       Automatic
7.1.1.3.7   RCW      Automatic safety portion
7.1.1.3.8   HVAC     Automatic safety portion
7.1.1.3.9   HECW     Automatic safety portion
7.1.1.3.10  HPIN     Automatic safety portion
7.1.1.4.1   ARI      Automatic
7.1.1.4.4   RSS      Manual
7.1.1.6.1   NMS      Automatic trip to RPS
7.1.1.6.2   FRPM     Automatic trip to RPS
7.1.1.6.4   FPC      Automatic temperature control
7.1.1.6.5   WDVBS    Automatic
7.1.1.6.6   CAMS     Continuous/Automatic
7.1.1.6.7   SPTM     Continuous

QUESTION 420.031 (7.1.2.3.2) For section 7.1.2.3.2(1)(c, d, e) and (2)(a) define "sufficient".


RESPONSE

420.031 In this definition of safety design bases for leak detection & isolation system (LDS) for redundancy, "sufficient" means at least one redundant channel is required to satisfy the single failure criteria. However, for the ABWR design for LDS, at least 2 or more redundant channels are provided to satisfy this requirement.

QUESTION 420.032 (7.1.2.3.2) The listed design basis should include instrumentation necessary to inform the operator that isolation has been completed and control should provide ability for operator to reset (with adequate safeguards against inadvertently breaking isolation).

RESPONSE

420.032 The following has been added to Section 7.1.2.3.2(1) Safety Design Bases: "Provide interlocks to assure reset capability is only possible after clearance of isolation signals."

The following has been added to Section 7.1.2.3.2(2) Nonsafety-Related Design Bases: " Provide status information to annunciator and process computer."

QUESTION 420.033 (7.1.2.3.2) Add to 7.1.2.3.2(2)(c): "...without causing plant shutdowns" or reducing safety margins.


RESPONSE

420.033 The addition to the text has been added as shown in the attached mark-up of this section.

QUESTION 420.034 (7.1.2.3.7) For Section 7.1.2.3.7(1)(b) provide a listing of the nonessential parts of the cooling water system which should be isolated.

List any nonessential parts for which isolation is not provided.

RESPONSE

420.034 The non-essential parts of the cooling water system which are isolated are listed in Tables 9.2-4a, b and c. The non-essential cooling loads, which are not automatically isolated, are the CRD pump oil coolers, the CUW pump coolers, the instrument air system coolers and the service air system coolers. These groups of coolers which are not automatically isolated comprise less than 1% of the total heat load during LOCA.

QUESTION 420.035 (7.1.2.6.5) Is the wetwell to drywell vacuum breaker control manual or automatic?


RESPONSE

420.035 The wetwell-to-drywell vacuum breaker system (WDVBS) is passive, in that no external power or control is used. When the pressure difference between drywell and wetwell reaches a predetermined setpoint, the WDVBS automatically opens allowing the flow of air back into the drywell, thus slowing down its depressurization and eventually reaching a steady state. For additional information, see Subsection 6.2.1.1.4.1.

QUESTION 420.037 (7.1.2.6.7) What is the immediate safety action required by relief valve leakage and is it automatic?

RESPONSE

420.037 SRV leakage can be detected by either (a) high SRV discharge line temperature alarm, (b) SRV not fully closed alarm, or (c) observing the SRV position indication.

SRV position indication is provided by a qualified Class 1E position transmitter on each valve. Continuous SRV leakage will result in a rise in the suppression pool temperature. High bulk average suppression pool temperature will be annunciated in the main control room.

SRV leakage does not require immediate safety control action and there is no automatic control action initiated. The operator is required to monitor and control suppression pool temperature. The operator can initiate suppression pool cooling by operating the residual heat removal (RHR) system in the suppression pool cooling mode. If SRV leakages to the suppression pool exceed the cooling capability of the RHR, suppression pool temperature will increase. The high suppression pool temperature condition will be annunciated and it would provide an entry condition to the symptom-based emergency operating procedures.

According to the BWROG Emergency Procedure Guidelines, Revision 4, approved by the NRC, the operator actions for suppression pool temperature control can be summarized as follows:

1. Operate all available RHR for suppression pool cooling,
2. Before suppression pool temperature reaches the boron injection initiation temperature (a curve of suppression pool temperature vs reactor power), scram the reactor, and
3. When suppression pool temperature and RPV pressure cannot be maintained below the heat capacity temperature limit (a curve of suppression pool temperature vs RPV pressure), perform a reactor depressurization.

QUESTION 420.038 (Table 7.1-2) The table indicates RG 1.151 applies only to safety-related display and Non-1E control systems. Section 7.1.2.10.11 refers to other safety systems including RPS and ECCS. Clarify which systems RG 1.151 is to apply to.


RESPONSE

420.038 Table 7.1-2 is formatted in accordance with the Standard Review Plan in conjunction with the Licensing Review Bases document for the ABWR.

Protection systems' (including RPS and ECCS) instruments which require sensing lines are shared, and are contained within the nuclear boiler system (NBS). The NBS conforms with Regulatory Guide 1.151 as described in Subsection 7.7.2.1.2(2).

QUESTION 420.039 (Table 7.1-2) The table lists few systems for which RG 1.97 is applicable. Address the RG 1.97 for all categories and variables.

RESPONSE


420.039 Table 7.1-2 is formatted in accordance with the Standard Review Plan and in conjunction with the Licensing Review Bases document for the ABWR.

The post-accident requirements of Regulatory Guide 1.97 involve instrumentation from many systems within the plant. Signals from these many instruments converge into both safety-related and non-safety-related display systems in the control room. Since Regulatory Guide 1.97 involves only displays (and the instruments which support them), it is appropriate to address its requirements from the vantage point of the monitoring displays, rather than from each of the C&I systems. We assumed this is why the SRP required that Regulatory Guide 1.97 only needed to be addressed in Section 7.5. We have therefore provided a full assessment of the guide for all categories and variables, in association with the displays and supporting instruments, in Section 7.5.

QUESTION 420.040 (7.3.1.1.1.1) The HPCF pump is interlocked (7.3.1.1.1.1(3)(c)) with the undervoltage monitor. If the breaker cannot close will it retry, and what information is available to the operator if it doesn't close that would indicate an undervoltage problem?

RESPONSE

420.040 The HPCF pump starting logic waits for the main bus voltage to be available. As soon as voltage is available the starting cycle is initiated, assuming all other requirements for starting the pump have been met. Bus undervoltage alarms are provided in the control room.

QUESTION 420.041 (7.3.1.1.1.1) Does the 36 seconds (7.3.1.1.1.1(3)(e)) include time for diesel generator to start?

RESPONSE

420.041 Yes, the start time of the diesel is included in the 36 seconds.

QUESTION 420.043 (7.3.1.1.1.2(3)(c)) Manual pushbuttons are provided to initiate ADS immediately if required. Describe when manual action is required before the 29 second timer actuates ADS.

RESPONSE

420.043 Manual actuation of the ADS is not required. The manual actuation switches are included to meet the requirements of Paragraph 4.17 of IEEE 279. The EPGs (Emergency Procedure Guidelines) call for operator action to depressurize the reactor under some conditions by using individual manual control switches which are provided for each of the 18 safety relief valves (SRVs). The manual pushbuttons for ADS, which operate 8 SRVs simultaneously, can be considered to be a backup method to individual SRV operations when following EPGs.

QUESTION 420.044 (7.3.1.1.1.3(4)(a)) One pressure sensor is used to detect low RCIC system pump suction pressure. Explain the criteria used to justify a single pressure sensor.

RESPONSE

420.044 The RCIC is part of the emergency core cooling system (ECCS) network which consists of 3 high pressure systems and 3 low pressure systems.

One RCIC and 2 HPCF loops comprise the high pressure ECCS while the low pressure ECCS are the 3 RHR loops.

The subject sensor is located on the pump suction to provide a turbine trip signal on low suction pressure (and eventually stop the RCIC pump).

The intent of this instrument is to protect the pump from cavitation.

Since RCIC is a single loop, redundant suction pressure instruments are not necessary. The single failure is based on the loss of one ECCS loop. That is, if RCIC is lost, 5 more ECCS loops are available to perform core cooling. The same configuration is true for BWR6 designs.

QUESTION 420.045 (7.3.1.1.1.3(4)) Define analog indication. Is this an analog system or digital simulation?

RESPONSE

420.045 For the ABWR, the control room indications are digital. However, all primary sensors (pressure transmitters, level transmitters, flow transmitters, differential transmitters, etc.) are analog instruments.

Output signals from the primary sensors are multiplexed and digitized, and then sent to the control room through fiber optic cables.


QUESTION 420.046 (7.3.1.1.1.4(3)(g)) The injection valves cannot be opened at normal pressure.

Is this because of interlocks or because of motor size?

RESPONSE

420.046 The RHR injection valves cannot be opened at normal reactor operating pressure (1040 psia) for both reasons. A pressure interlock prevents the valve from opening above a low pressure value (approximately 436 psig), and the specified valve operating differential pressure is approximately 550 psid.

QUESTION 420.047 (7.3.1.1.4) Is the suppression pool cooling automatically initiated?

The SAR describes the system as being used to reduce the suppression pool temperature immediately after a blowdown. Section 5.4.7.1.1.5 indicates automatic initiation.

RESPONSE

420.047 Revision C of Section 5.4.7.1.1.5 of the SSAR has been corrected to be consistent with Section 7.3.1.1.4, which describes the manual-only initiation of this mode of RHR. The third sentence has been revised to read, "This subsystem is initiated manually." The remainder of 5.4.7.1.1.5 has been deleted.

QUESTION 420.048 (7.1.2.1.6) SAR 7.1.2.1.6(2) appears to define "fault" as the "...inability to open or close any control circuit." Explain the basis for this definition and the extent of its use in the FMEAs. Are there any other potential failure modes excessive time to close a circuit?

RESPONSE

420.048 There are two types of operations for the self-test subsystem (STS). Subsection (1) of 7.1.2.1.6 describes the manually-initiated off-line STS and Subsection (2) describes the on-line STS.

The "fault" definitions in (1) and (2) differ slightly in that (2) also exercises the trip outputs. Neither definition specifically includes a time-delay test. However, any excessive time delays in either test would be detected as a fault since the test system must cycle from circuit-to-circuit very rapidly (i.e., in the order of milliseconds).

FMEAs for the reactor internal pump (RIP), the multiplex (MUX) and the fine-motion control rod drive (FMCRD) systems are included in Section 15B.4. Portions of the SSLC are included in the FMEA for the MUX. We do not intend to perform separate FMEAs for the STS alone.


QUESTION 420.049 (7) Describe the fault tolerant features of the digital design.

Describe the types of faults that are tolerated by these design features. Show how these features would respond to various faults, and show that the effectiveness of the safety system is not compromised.

RESPONSE

420.049 FAULT TOLERANT FEATURES:

HARDWARE:

a. Four division replication of sensors and logic with 2-out-of-4 voting to confirm trip in each division.
b. Division-of-sensors bypass results in 2-out-of-3 voting.
c. Division logic bypass for de-energize-to-trip functions results in 2-out-of-3 voting at trip channel outputs.
d. Redundant (dual channel) multiplexing in each division with automatic reconfiguration and restart.
e. Energize-to-trip functions are implemented in redundant channels with 2-out-of-2 voting for confirmation; fails automatically to 1-out-of-1 to maintain availability.
f. Allocation of fail-safe (RPS, MSIV and other PCV isolations) and fail-as-is (ECCS, Aux. EST) functions to separate microprocessors within each division.
g. Physical separation of divisional instruments prevents damage to redundant instrument loops.

SOFTWARE:

a. Empty memory filled with jump-to-reset instructions.
b. Error checking/correcting of inputs and outputs.
c. On detected fault, retry or roll-back to last known correct state.
d. Continuous self-diagnostics with auto switchover to good channel.

TYPES OF FAULTS TOLERATED:

HARDWARE:

a. Single failure in any division, including inadvertent trip and loss of power.
b. Loss of digital trip logic in any division; can use maintenance bypass for on-line calibration or repair.
c. Single failure of essential multiplexing system in any division with no effect on safety system operation.
d. Single failure of logic channel in any division with no effect on system operation.
e. Single failure without accidental trip.
f. Failure of some system function; will leave others unaffected.

SOFTWARE:

a. Restart without lockup on fault such as EMI.
b. Detects and corrects data transmission errors with no effect on system operation.
c. Attempts to continue operation through transient fault.
d. Attempts to continue operation through permanent fault.
e. Software transient in any single microprocessor will not cause or prevent reactor trip, nuclear system isolation, or ECCS initiation.
f. Detects failures of plant variables produced by process transmitters or transducer elements through reasonability and range checking.

SYSTEM RESPONSE TO FAULTS:

As described above, the safety system is not compromised by faults because of the multi-divisional logic configuration and 2-out-of-4 coincidence logic in each division. Therefore, single microprocessor instrument failures or some multiple failures within a single division, whether they result in tripped or untripped states, will not result in improper system response.

QUESTION 420.053 (7) Is a diverse (hardware implemented) watchdog timer provided in the design for detecting system stall?

RESPONSE

420.053 A hardware watchdog timer is implemented in each controller of SSLC and the multiplexing system; the timer detects stall within that controller.

Thus, a hardware or software fault can be detected and alarmed at a particular system unit without bringing down the entire system.

For example, an individual Trip Logic Unit can be taken out of service on a watchdog timer alarm (using the appropriate bypass function) without disrupting operation of the Digital Trip Module and its communication with the other divisions.

The individual watchdog timer outputs permit differing responses to component failure. Certain timer outputs may cause automatic bypass of a logic channel; others result only in an alarm indication to the operator. Typical responses are as follows:

1. RPS DTM - Alarm output to operator; manual division-of-sensors bypass reverts remaining logic to 2/3.


2. ESF DTM - Same as above.

3. RPS TLU - Alarm output to operator; manual bypass reverts output logic to 2/3, while input logic remains 2/4 (DTMs are all assumed operable).

4. ESF SLU 1 & 2 - Alarm output of either SLU 1 or SLU 2 results in automatic bypass of the failed channel at the 2/2 voter (load drivers). Bypass means that the load driver of the failed channel is energized. Alarm output to operator is provided, with manual bypass as a backup to the auto function.

QUESTION 420.057 (7) What provisions have been made in the design process to preclude the introduction of a software virus that could affect the system when operational?

RESPONSE

420.057 As indicated in the responses to 420.025 and 420.021, no safety action is dependent on computations from the central processor. The control programs for SSLC are contained in ROM as firmware. Software instructions such as setpoints, etc., are not programmable in the field, but are burned on individual chips in the factory before shipment. This is considered to be adequate safeguard against the introduction of software viruses.

QUESTION 420.061 (7.1.2.2) Explain section (h) further. Does this mean one 480V bus, 4160 bus the generator? Same question at 7.2.3.2(2)(b).

RESPONSE

420.061 [We assume the second sentence should say "...4160 bus or the generator?" We also assume the reference to "7.2.3.2(2)(b)" should be "7.1.2.3.2(2)(b)".]

The electrical distribution system has three completely separate and redundant divisions of 6.9 kV buses and diesel generators. There are four divisions of 480 volt AC buses. However, the fourth division 480 volt AC bus receives power from the Division I 6.9 kV AC bus. There are also four completely separate and redundant 125 Vdc battery buses.

The RPS logic actuates on any 2-out.of.4 " failsafe" (logic "0") signals.

Power for the RPS and other ESF systems comes from the four divisional safety system logic and control (SSLC) power buses. Thus, loss of any one bus or power source (i.e., 6.9 kV bus, 480 V bus, diesel generator, or battery) would result in neither an inadvertent scram nor a failure to scram when required. This is further explained in Section 7.2.

The leak detection and isolation system (LDS) utilizes various portions of all four buses depending on the power supplies for the isolation valves with which it interfaces [see Subsection 7.3.1.1.2(2)]. No single failure of any power source will result in failure to isolate a pipe system when needed. See Subsection 7.3.1.1.2 for more details describing the LDS system and each of its individual isolation functions.

QUESTION 420.063 (7) What are the reliability/availability goals for the reactor protection and engineered safety features systems?

RESPONSE

420.063 Reliability/Availability Goals

The ABWR RPS and ESF functions were to incorporate the performance features and equipment reduction advantages of the digital, multiplexed design while providing at least the reliability and availability of BWR/5 designs. Particularly with the RPS design, these goals were easily met because of the four-division, 2-out-of-4 configuration used.

For I&C equipment, studies have shown that the following reliabilities and availabilities are achievable when using equipment with the following failure characteristics (numbers for MTBF are meant to be very conservative figures; much higher MTBFs are known to be achievable in this type of equipment):

Individual controller: MTBF - 10,000 hours
Essential Multiplexing System: MTBF - 100,000 hours
All equipment: MTTR - 10 hours
Probability of detecting equipment failure - 0.9

RPS Availability (4 div.): A - 0.999999
Reliability an order of magnitude better than BWR/5 (extra degree of redundancy for A and B trips)

ESF Availability: A - 0.9994
Probability of spurious trip avoidance - 0.999992

QUESTION 420.065 (7) What methodology is used in determining the system reliability/availability?

RESPONSE

420.065 Reliability Methodology (follows ANSI/IEEE Std. 352-1987):

a. FMEA for Essential Multiplexing System
b. Probabilistic Risk Assessment (PRA) for Safety System
c. Quantitative Analysis (assumed NUMAC-type instrumentation)

   - Manual Calculation
   - Computer Calculation (Markov Models for Essential Multiplexing System)
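As an added worked example of the combinatorial part of such a calculation (not GE's analysis, which the response above says used manual calculation and Markov models), the following Python computes steady-state availability of a 2-out-of-4 arrangement, and of the degraded 2-out-of-3 arrangement with one division bypassed, from the MTBF and MTTR figures quoted in response 420.063. It assumes independent divisions with constant failure and repair rates, per-unit availability A = MTBF/(MTBF + MTTR), and a division modelled as its controller in series with its multiplexing path; the 0.9 failure-detection probability and periodic test intervals are not modelled, so the result is an illustration of the method rather than the figure stated in the response. The per-division spurious-trip probability used in the demo is a constructed value.

```python
"""Availability of a k-out-of-n division arrangement from MTBF and MTTR.

Added worked example of the combinatorial part of an availability
calculation; it is not GE's analysis (the response states that the ABWR
figures came from manual calculation and Markov models per ANSI/IEEE
Std 352).  Assumptions: independent divisions, constant failure and
repair rates, per-unit availability A = MTBF / (MTBF + MTTR), and the
conservative MTBF/MTTR figures quoted in response 420.063.  Probability
of failure detection and periodic test intervals are not modelled.
"""
from math import comb

CONTROLLER_MTBF_H = 10_000.0   # individual controller, from the response
EMS_MTBF_H = 100_000.0         # essential multiplexing system, from the response
MTTR_H = 10.0                  # all equipment, from the response


def steady_state_availability(mtbf_h, mttr_h):
    """A = MTBF / (MTBF + MTTR) for one repairable unit with constant rates."""
    return mtbf_h / (mtbf_h + mttr_h)


def k_out_of_n_availability(k, n, unit_availability):
    """Probability that at least k of n independent, identical units are up."""
    a = unit_availability
    return sum(comb(n, i) * a ** i * (1.0 - a) ** (n - i)
               for i in range(k, n + 1))


def division_availability():
    """One division modelled as its controller in series with its
    multiplexing path: both must be up for the division to cast a vote."""
    return (steady_state_availability(CONTROLLER_MTBF_H, MTTR_H)
            * steady_state_availability(EMS_MTBF_H, MTTR_H))


def rps_availability(bypassed_divisions=0):
    """2-out-of-4 protection function; each bypassed division leaves a
    2-out-of-(4 - b) vote over the remaining divisions."""
    n = 4 - bypassed_divisions
    if n < 2:
        raise ValueError("fewer than two divisions cannot form a 2-out-of-n vote")
    return k_out_of_n_availability(2, n, division_availability())


def spurious_trip_avoidance(per_division_spurious_prob):
    """Probability that fewer than two of four divisions produce a spurious
    trip signal in the same interval, so 2-out-of-4 coincidence is not met.
    Equivalent to 'at least 3 of 4 divisions are NOT spurious'.  The input
    would come from the FMEA; the value in the demo below is constructed."""
    return k_out_of_n_availability(3, 4, 1.0 - per_division_spurious_prob)


if __name__ == "__main__":
    print(f"division availability     : {division_availability():.6f}")
    print(f"RPS 2-out-of-4 availability: {rps_availability():.9f}")
    print(f"RPS with one bypass (2/3)  : {rps_availability(1):.9f}")
    print(f"spurious trip avoidance    : {spurious_trip_avoidance(1e-3):.9f}")
```

The function for spurious trip avoidance reuses the k-out-of-n formula by complement: a spurious trip needs two coincident spurious division signals, so avoidance is the probability that at least three divisions stay quiet.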


QUESTION

420.066 (7) Describe the data validation features in triplicated sensors.

RESPONSE

420.066 The safety systems use quadruple and not triplicated sensors, one set in each of the four protection divisions. Within each division, data is first validated after the analog to digital conversion process in the Remote Multiplexing Units. Converted signals must fall within the full scale analog range of 4-20 mA; otherwise a gross failure of the sensor is assumed. Digital inputs (contact closures) are filtered and de-bounced to eliminate transient signals.

The formatted digital words are assembled with parity bits and checksum or CRC bits before transmission from the local areas to the control room over the essential multiplexing system. The control room multiplexing units (CMUs) then check transmission quality over the dual channel multiplexing network, where one channel is considered the Master channel (normally on-line) and the other, the Standby channel. Transmission checks typically include frequency of checksum errors and hardware self-test results. At some predetermined error rate, data is taken from the Standby channel instead of the Master channel. Transfer of data from the CMUs to the SSLC logic processors is checked in essentially the same manner.

For a manual check of data plausibility, equivalent sensor data from the four divisions can be compared in the control room logic processors (data is exchanged among the divisions through isolated serial communication links).
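The following Python is an added model of the validation chain just described (analog range check, contact-input debounce, parity and CRC framing, and Master/Standby channel selection at a predetermined error rate); it is not GE's RMU or CMU code. The debounce depth, the parity-plus-CRC-32 framing, and the error-count threshold for switching to the Standby channel are assumptions of this example, and the frames in the demo are constructed.

```python
"""Sensor data validation and dual-channel transmission checks.

Added example modelling the checks described in response 420.066; it is
not GE's RMU/CMU code.  Assumptions (not stated in the response): a
three-sample debounce for contact inputs, an even-parity bit per data
byte plus a CRC-32 over the data word, and a Master-to-Standby switch
once more than a fixed number of checksum errors occur in a sliding
window of frames.
"""
import struct
import zlib
from collections import deque

MA_MIN, MA_MAX = 4.0, 20.0   # full-scale analog range from the response


def validate_analog(milliamps):
    """Return the reading if within 4-20 mA, otherwise None (gross failure)."""
    return milliamps if MA_MIN <= milliamps <= MA_MAX else None


class Debouncer:
    """Contact-closure input: the reported state changes only after `hold`
    consecutive identical samples, so a single transient sample is ignored."""

    def __init__(self, hold=3):
        self.hold = hold
        self.state = False
        self.recent = deque(maxlen=hold)

    def sample(self, raw):
        self.recent.append(bool(raw))
        if len(self.recent) == self.hold and len(set(self.recent)) == 1:
            self.state = self.recent[0]
        return self.state


def even_parity(byte):
    """Parity bit that makes the number of ones in (byte + bit) even."""
    return bin(byte).count("1") % 2


def encode_word(value):
    """RMU side: 16-bit value -> 2 data bytes, 2 parity bytes, CRC-32."""
    data = struct.pack(">H", value)
    parity = bytes(even_parity(b) for b in data)
    return data + parity + struct.pack(">I", zlib.crc32(data + parity))


def decode_word(frame):
    """CMU side: return the value, or None if the frame fails CRC or parity."""
    if len(frame) != 8:
        return None
    data, parity = frame[:2], frame[2:4]
    (crc,) = struct.unpack(">I", frame[4:])
    if zlib.crc32(data + parity) != crc:
        return None
    if any(even_parity(b) != p for b, p in zip(data, parity)):
        return None
    (value,) = struct.unpack(">H", data)
    return value


class DualChannelReceiver:
    """Takes data from the Master channel until its error count within the
    last `window` frames exceeds `max_errors`, then from the Standby channel."""

    def __init__(self, window=10, max_errors=3):
        self.max_errors = max_errors
        self.errors = {"master": deque(maxlen=window),
                       "standby": deque(maxlen=window)}
        self.active = "master"

    def receive(self, master_frame, standby_frame):
        decoded = {"master": decode_word(master_frame),
                   "standby": decode_word(standby_frame)}
        for channel, value in decoded.items():
            self.errors[channel].append(value is None)
        if self.active == "master" and sum(self.errors["master"]) > self.max_errors:
            self.active = "standby"
        return decoded[self.active], self.active


def demo_failover():
    """Constructed stream of ten words; the Master copy is corrupted in
    frames 0, 3, 6 and 9 while the Standby copy is clean.  Returns the
    (value, channel) pairs the receiver delivered."""
    rx = DualChannelReceiver(window=10, max_errors=3)
    delivered = []
    for i in range(10):
        clean = encode_word(1000 + i)
        corrupted = bytearray(clean)
        corrupted[0] ^= 0x01            # flip one data bit; the CRC will fail
        master = bytes(corrupted) if i % 3 == 0 else clean
        delivered.append(rx.receive(master, clean))
    return delivered
```

In the demo the fourth corrupted Master frame pushes the error count over the threshold, so frame 9 is the first one delivered from the Standby channel; until then corrupt Master frames are reported as rejected rather than silently replaced, which is what a logic processor downstream needs in order to count errors itself.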

QUESTION 420.067 (7) What testing will be done to demonstrate reliability? What is the specific scope of these tests?

RESPONSE

420.067 Testing of Safety System Logic and Control (SSLC) includes integration testing of the hardware and software of each controller and system testing of the interconnected network of controllers, including the fiber optic essential multiplexing system.

Specific testing will check conformity to the system design specifications. Both normal and abnormal responses to input stimuli will be monitored by injecting a defined sequence of test patterns. Test patterns will simulate the various modes of each processed system as defined in its respective design specification and interface block diagram (IBD). Responses to trip conditions in each division will confirm 2/4 coincidence logic. Appropriate fail-safe and fail-as-is response will be noted, including response to power failure. (See Appendix 7A, Section 7A.2, Response 8, for discussion of system response following power failures.)

Reliability testing: EMI/RFI/ESD, power transients, environmental (temp., RH), seismic, radiation, system burn in, V&V of software.

Degraded mode testing will be performed. System response to multiplexing system failure will be monitored.

Response to manual control switch inputs will be tested.

Transfer of data to non-safety systems will be tested (process computer, control complex, annunciators, process control systems).

Specific to SSLC, bypassing of sensors, trip logic, and dual safety system channels will be tested. System failures will be simulated to confirm proper operation of self-diagnostic features. Automatic failover of PRD will be confirmed for input and output failures. Dual channel ECCS/ESF processing will be tested and failure response will be noted.

Response time testing will be performed.

Sequence of events monitoring will be verified.

Test inputs will include the full range of sensor types. Interlock permissives from motor control centers and valve limit switches will be simulated for testing under realistic conditions.

QUESTION 420.068 (7) What is the effect upon the number of spurious trips generated by the RPS if the digital design replaces the previous analog design?

Provide comparison.

RESPONSE

420.068 The digital RPS reduces the number of spurious trips when compared to previous analog designs mainly because of the 2-out-of-4 input coincidence logic and 2-out-of-4 output coincidence logic required for a valid trip condition. This arrangement permits both a bypassed division due to a single failure and a single failure in another division to exist simultaneously without causing a trip.
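The watchdog timer responses listed earlier (bypass of a failed DTM or TLU reverts the affected stage from 2/4 to 2/3) and the tolerance claimed in this response can be checked with a small model of the two-stage coincidence logic. The following Python is an added illustration, not GE's SSLC code; it assumes one sensor per division feeding that division's Digital Trip Module, that every Trip Logic Unit votes 2-out-of-4 on the four DTM outputs (input logic), and that the load drivers vote 2-out-of-4 on the four TLU outputs (output logic). The readings and setpoint in the scenarios are constructed values in arbitrary units.

```python
"""2-out-of-4 coincidence logic with division bypass (added illustration).

This is an added example modelling the voting arrangement the response
describes; it is not GE's SSLC code.  Assumptions: one analog sensor per
division feeds that division's Digital Trip Module (DTM); every Trip
Logic Unit (TLU) votes 2-out-of-4 on the four DTM outputs (input logic);
the load drivers vote 2-out-of-4 on the four TLU outputs (output logic).
A bypassed division is removed from the vote, so that stage becomes
2-out-of-3.
"""

DIVISIONS = ("I", "II", "III", "IV")
REQUIRED = 2  # coincidence requirement at each stage


def coincidence(signals, bypassed=frozenset(), required=REQUIRED):
    """k-out-of-n vote over the divisions that are not bypassed."""
    active = [d for d in DIVISIONS if d not in bypassed]
    return sum(1 for d in active if signals[d]) >= required


def logic_description(bypassed):
    """Human-readable form of the vote, e.g. '2/4', or '2/3' with one bypass."""
    return f"{REQUIRED}/{len(DIVISIONS) - len(bypassed)}"


def rps_trip(sensor_values, setpoint, sensor_bypass=frozenset(),
             tlu_bypass=frozenset(), tlu_faults=None):
    """Return (trip, dtm_outputs, tlu_outputs) for one evaluation cycle.

    sensor_values: {division: engineering-unit reading}
    sensor_bypass: divisions whose DTM output is bypassed (input logic -> 2/3)
    tlu_bypass:    divisions whose TLU output is bypassed (output logic -> 2/3)
    tlu_faults:    {division: forced TLU output} to simulate a failed TLU
    """
    tlu_faults = tlu_faults or {}
    # DTM stage: compare each division's digitized sensor with the setpoint.
    dtm_out = {d: sensor_values[d] >= setpoint for d in DIVISIONS}
    # Input logic: each TLU receives all four DTM outputs and votes 2/4
    # (2/3 with a division-of-sensors bypass).  A faulted TLU's output is
    # whatever the fault forces it to.
    tlu_out = {d: tlu_faults.get(d, coincidence(dtm_out, sensor_bypass))
               for d in DIVISIONS}
    # Output logic: load drivers vote 2/4 on the TLU outputs (2/3 with a
    # TLU bypass).
    return coincidence(tlu_out, tlu_bypass), dtm_out, tlu_out


def scenario_bypass_plus_single_failure():
    """Division I sensors bypassed after a DTM failure, Division II sensor
    reading spuriously high: no trip, matching the tolerance the response
    claims.  Constructed readings, arbitrary units."""
    readings = {"I": 0.0, "II": 120.0, "III": 50.0, "IV": 50.0}
    trip, _, _ = rps_trip(readings, setpoint=100.0, sensor_bypass={"I"})
    return trip


def scenario_valid_trip_with_bypass():
    """Same bypass, but a real condition seen by Divisions III and IV:
    the 2-out-of-3 input logic still trips."""
    readings = {"I": 0.0, "II": 50.0, "III": 120.0, "IV": 120.0}
    trip, _, _ = rps_trip(readings, setpoint=100.0, sensor_bypass={"I"})
    return trip


def scenario_failed_tlu():
    """Division III TLU bypassed after a watchdog alarm, Division IV TLU
    stuck in the trip state: output logic 2/3 sees one vote, no trip."""
    readings = {d: 50.0 for d in DIVISIONS}
    trip, _, _ = rps_trip(readings, setpoint=100.0,
                          tlu_bypass={"III"}, tlu_faults={"IV": True})
    return trip


if __name__ == "__main__":
    print("input logic with one sensor bypass:", logic_description({"I"}))
    print("bypass + spurious sensor ->", scenario_bypass_plus_single_failure())
    print("bypass + real condition  ->", scenario_valid_trip_with_bypass())
    print("TLU bypass + stuck TLU   ->", scenario_failed_tlu())
```

The three scenarios show why the arrangement avoids spurious trips: with one division removed from a stage, a single spurious signal in another division is still one vote short of the 2-out-of-3 requirement, while two genuine signals still satisfy it.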

Other factors for digital over analog:

- low drift
- low noise
- more accurate
- fewer components

QUESTION 420.070 (7.1.2.1.6) Is there any system for in-service testing of the ARI?

RESPONSE

420.070 Yes. The design of the ARI function incorporates testability, up to, but not including, the ARI valves, per the requirements of LTR NEDE-31906-P-A.

QUESTION

420.071 (7.1.2.1.6) Is the CRD scram discharge high water level used as the example of the fifth test valid given that there is no scram discharge volume?

RESPONSE

420.071 The reference to scram discharge volume was in error. This has been corrected in Revision B of this section.

QUESTION 420.072 (7.1.2.1.6) Section (1) of 7.1.2.1.6 states that normal surveillance can identify failures. Discuss whether this system has the capability of transmitting this information to the plant computer so that an immediate alarm can be given in addition to waiting for the scheduled surveillance.

RESPONSE

420.072 The statement concerning "normal surveillance" applied to intermittent failures, which the STS is capable of detecting and logging without stopping system operation. All other self-test failures (except intermittent failures) are annunciated to the operator at the main control room console and logged by the process computer.

QUESTION

420.073 (7.1.2.1.6) Section (4) notes that the four divisions are tested in sequence. When the thirty minute sequence is complete does the test system start over again or is this an operator initiated test?

RESPONSE

420.073 In the section referenced, the test starts over again automatically; testing is continuous.

PLEASE NOTE:

The concept of automatic self-test, as applied to ABWR safety systems, has changed since this section was written. The tests described are similar to the Clinton Nuclear System Protection System (NSPS) arrangement, which used an external test controller to periodically inject narrow pulses into the logic inputs and monitor the resulting outputs at the load drivers (the narrow pulses were too short to fully turn the load drivers off or on). NSPS functional logic was implemented with discrete logic gates and was static (not clock driven). The periodic, end-to-end, cross-divisional testing was necessary to confirm system continuity and verify the integrity of logic inputs and outputs and 2-out-of-4 interdivisional wiring.

The ABWR design for SSLC permits a different approach to testing of safety system logic:

a. The real-time, microprocessor-based, software-driven controllers contain powerful internal self-diagnostics that perform continuous monitoring of program flow, voltage levels, and inputs and outputs.
b. Serial, multiplexed data communication allows continuous error checking and correcting of all transmitted and received data.
c. System functions are distributed among several microprocessor-based chassis. Bypassing permits various controllers to be removed from service for maintenance without affecting system operation. Internal self-diagnostics permit continued testing of the remaining controllers. An external tester would require interruption or complex reconfiguration to continue operation.
d. Experience with GE's NUMAC instruments has proven the reliability of software diagnostics running as a low priority background task. Using external self-test would complicate verification and validation of the functional software, since lack of interference with self-test would have to be proven for various credible faults.

QUESTION 420.074 (7.1.2.1.6) Section (5) notes that only one division shall be bypassed at any one time. Describe the interlock protection or administrative controls which assure this.

RESPONSE

420.074 A separate manual keylock switch in each of the four divisions provides means to bypass that division. Isolated fiber-optic interface signals provide interlocks between the four divisions to prevent bypass of any two or more divisions at the same time. Once a bypass of one division has been established, bypasses of any of the remaining three divisions are inhibited.
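An added model of that interlock in Python (not GE's SSLC implementation): each division has a keylock switch and sends a "bypass active" bit to the other three over isolated links, and a division grants its own bypass only when it sees no active bypass from any other division. The treatment of a failed link (read as "bypass active", so a lost signal inhibits rather than permits a second bypass) is an assumption of this example, as is the single-bit form of the interlock signal.

```python
"""Division bypass interlock (added example, not GE's SSLC code).

Models the arrangement in response 420.074: each of the four divisions
has its own keylock bypass switch, and isolated (fiber-optic) interlock
signals exchanged between divisions inhibit a second bypass while one is
in effect.  Assumptions of this example: the interlock signal is a single
'bypass active' bit sent from each division to the other three, and a
division reads a failed link as 'bypass active' (fail-safe direction).
"""

DIVISIONS = ("I", "II", "III", "IV")


class Division:
    """One division's keylock bypass switch and its established bypass state."""

    def __init__(self, name):
        self.name = name
        self.keylock_on = False      # local keylock switch position
        self.bypass_active = False   # bypass established; sent to the others


class BypassInterlock:
    """Four divisions exchanging 'bypass active' signals over isolated links."""

    def __init__(self):
        self.divisions = {name: Division(name) for name in DIVISIONS}
        # link_ok[(sender, receiver)]: health of the isolated link in that direction
        self.link_ok = {(s, r): True for s in DIVISIONS for r in DIVISIONS if s != r}

    def signal_seen_by(self, receiver, sender):
        """Interlock signal `receiver` sees from `sender`.  A failed link is
        read as 'bypass active' so that a lost signal inhibits rather than
        permits a second bypass (assumption of this example)."""
        if not self.link_ok[(sender, receiver)]:
            return True
        return self.divisions[sender].bypass_active

    def request_bypass(self, name):
        """Operator turns the keylock of `name`; the bypass is established
        only if no other division reports an active bypass."""
        div = self.divisions[name]
        div.keylock_on = True
        inhibited = any(self.signal_seen_by(name, other)
                        for other in DIVISIONS if other != name)
        div.bypass_active = not inhibited
        return div.bypass_active

    def release_bypass(self, name):
        """Keylock returned to normal: bypass dropped, inhibit to others cleared."""
        div = self.divisions[name]
        div.keylock_on = False
        div.bypass_active = False

    def bypassed(self):
        return [name for name in DIVISIONS if self.divisions[name].bypass_active]


def demo():
    """Bypass I, attempt II (inhibited), release I, bypass II (granted)."""
    interlock = BypassInterlock()
    first = interlock.request_bypass("I")
    second = interlock.request_bypass("II")
    interlock.release_bypass("I")
    third = interlock.request_bypass("II")
    return first, second, third, interlock.bypassed()


if __name__ == "__main__":
    print(demo())
```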


QUESTION

420.076 (7.1.2.3.2) For section 7.1.2.3.2(1)(c,d,e) and (2)(a) define "sufficient".

RESPONSE

420.076 This question should be deleted because it is the same as 420.031. Refer to response 420.031.

QUESTION 420.077 (7.1.2.1.4.1) One of the reasons stated for the utilization of microprocessors for the implementation of instrumentation and logic functions is that less uncertainty exists in the margins between actual safety limits and the limiting safety trips. The margins are stated to be set from experimental data on setpoint drift (see Section 7.1.2.1.4.1) and from quantitative reliability requirements for each system and its components.

Provide the documented bases for this procedure.

RESPONSE

420.077 Setpoint drift does not exist, since the setpoints are programmed digitally into non-volatile data storage memory in the Digital Trip Module.

Accuracy is improved over digital systems since setpoints can be programmed precisely and in engineering units.

Trip point accuracy is improved since the digitized sensor signal is compared precisely with the digital setpoint.

Hysteresis is adjustable in small increments and is stable. Upscale and downscale trip points can be accurately programmed.

The digitized sensor signals are accurate to the appropriate linear or non-linear characteristics since the A/D converters and amplifiers use auto-zeroing and auto-calibration.


QUESTION 420.082 (7.1.2.3.3) In section 7.1.2.3.3(1)(c) is manual control required only after 30 minutes? Why isn't automatic control also provided?

RESPONSE

420.082 Drywell or wetwell spray is not required before 30 minutes for the postulated break sequences. Drywell and wetwell sprays are directed by the symptom-based Emergency Operating Procedures.

Automatic initiation of the containment sprays was judged to not be an effective approach.

Fast operator response time is not required. For comparison, the GESSAR BWR/6 containment design pressure of 15 psig resulted in a lower margin for steam bypass capability and required automatic containment spray.

The ABWR has a higher (45 psig) containment design pressure and, relatively, a lower steam bypass leakage area requirement which will allow more time for operator action. Manual initiation of drywell/wetwell sprays 30 minutes after the initiation of the event will be sufficient to control and limit the pressure rise below the design value.

.The ABWR design allows for easy procedural valve alignment by the operator to achieve the containment spray modes. The heat exchanger is always in the flow path, and only the drywell and/or wetwell spray valves must be opened to initiate spray.

The design is simpler without automatic initiation.

QUESTION 420.083 (7.1.2.3.4) Is the suppression pool cooling also provided with automatic control?

RESPONSE

420.083 The suppression pool cooling is not provided with automatic control.

Non-automated suppression pool cooling is consistent with the GESSAR II design which was granted an FDA by the NRC (See GESSAR II FSAR, Section 7.3.1.1.5).

QUESTION 420.097 (7.3.1.1.4(h)) This refers to Section 3.11 for EQ. Section 3.11 invokes IEEE 323 as a basis for qualification. IEEE 323 was written assuming 40 year life. Address how this standard is to be extrapolated to a 60 year design life for the ABWR.

RESPONSE

420.097 IEEE 323 is a consensus national standard, endorsed by the NRC, which provides an acceptable approach to demonstrating that a component is capable of performing its intended safety function, in a given environment, for a given time. Since historically most applicants have sought a 40-year operating license for their facility, associated qualification activities have been based on a need to demonstrate a 40-year operating life. However, IEEE 323 is not premised on a specific life; in fact, devices undergoing qualification using the approach presented in this standard often will show qualified life times less than 40 years while others will show a qualified life of significantly greater than 40 years.

With respect to the ABWR, the designed life is intended to be 60 years.

It is intended that IEEE 323 will be used to demonstrate that 1E devices in the plant will have a qualified life, with appropriate margin, equal to or greater than that period of time. Devices or components for which such a demonstration can not be made will either be redesigned to show this condition, or will (in the case of consumables) be administratively controlled for periodic changeout.

QUESTION 420.099 (7) While a computer-based system can provide more effective man / machine interface, the internal system operation is more complex, and can be more obscure to the operator or maintenance person if he is required to intervene at a complex level.

Have the operator tasks with regard to interfacing with the safety system been analyzed? What was the result of the analysis? How did the result of the analysis affect the requirements, design and implementation of the safety system?

RESPONSE

420.099 Task analyses have been performed in support of the design of the man-machine interface. The purpose of the task analyses is to tabulate the controls, indications and alarms needed to monitor and operate the safety systems and to allocate the various tasks comprised among hardware, software and operators. The information is then used to help define man-machine interface requirements for the hardware and software to be incorporated in the detailed design of the main control room and local area panels. The basis for task analysis includes normal system operating procedures and symptom-based emergency operating procedures.

The results of the task analyses of the safety systems are contained in auditable design record files.

Based upon the results of the task analyses, the man-machine interface requirements for a specific system are specified in the system's design specification. The man-machine interface requirements specification for a specific system and interface requirements specified in the task analysis report for a specified system constitute the top level man-machine interface requirements for that particular system. These requirements are then integrated into the operator interface panel design. The man-machine interface requirement specifications for the safety systems are contained in auditable design record files.

QUESTION 420.100 (7) While a computer-based system can provide more effective man/machine interface, the internal system operation is more complex, and can be more obscure to the operator or maintenance person if he is required to intervene at a complex level.

Describe the hardware design features that provide administrative control of devices capable of changing the data or program in the computer based safety system.

RESPONSE

420.100 Data Security Features:

a. Front panel keylock control to enable keypad input (places instrument in off-line (tripped) mode).
b. Multi-level password control (factory and user settings).
c. Control programs, algorithms, and data tables in PROM for protected storage.

QUESTION 420.101 (7) While a computer-based system can provide more effective man / machine interface, the internal system operation is more complex, and can be more obscure to the operator or maintenance person if he is required to intervene at a complex level.

What data or program elements are adjustable/selectable by the operator?

RESPONSE

420.101 a. Setpoints accessible from front panel for reading (can be changed through keylock/password control).
b. Calibration inputs from front panel (accessible through keylock/password control).
c. Manual self-diagnostics (off-line access through keylock control).
d. Cross-channel check of sensor data (read only).
e. Manual trip of inoperable instrument channel (single data variable within a logic processing instrument).

The operator cannot access the program to change program flow or operation of any logic function shown on an IBD.
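An added model, in Python, of the access controls listed in responses 420.100 and 420.101; it is not GE's NUMAC or SSLC firmware. It models the keylock that enables keypad input and places the instrument off-line (tripped), user and factory password levels, read-only access to setpoints and cross-channel data without the key, writes only with key plus password, and a PROM-resident program that no front-panel operation can change. Which items need the factory level, the salted-digest credential storage, the cross-channel tolerance, and the placeholder passwords are assumptions of this example.

```python
"""Front-panel access control for a computer-based safety instrument.

Added example, not GE's NUMAC or SSLC firmware.  It models the features
listed in responses 420.100 and 420.101: a keylock that enables keypad
input and places the instrument off-line (tripped), user and factory
password levels, setpoints readable at any time but writable only with
key plus password, and a control program in PROM that no front-panel
operation can alter.  Which settings need the factory level, how the
credentials are stored, and the placeholder passwords are assumptions.
"""
import hashlib
import hmac
from enum import Enum


class Level(Enum):
    NONE = 0
    USER = 1
    FACTORY = 2


# Constructed placeholder credentials, held as salted SHA-256 digests so a
# memory dump of the instrument does not expose the passwords themselves.
_SALT = b"example-salt"


def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).digest()


_CREDENTIALS = {
    Level.USER: _digest("user-password-placeholder"),
    Level.FACTORY: _digest("factory-password-placeholder"),
}

CROSS_CHANNEL_TOLERANCE = 2.0   # assumed, engineering units


class Instrument:
    def __init__(self):
        self.keylock_on = False
        self.level = Level.NONE
        self.tripped = False                          # off-line state
        self.setpoints = {"high_level_trip": 100.0}
        self.calibration = {"zero": 0.0, "span": 1.0}
        self.factory_settings = {"hysteresis": 0.5}   # assumed factory-level item
        self.program = ("read_inputs", "compare", "vote", "drive_outputs")  # PROM image

    def turn_key(self, on):
        """Keypad is enabled only while the instrument is off-line (tripped)."""
        self.keylock_on = on
        self.tripped = on
        if not on:
            self.level = Level.NONE

    def login(self, level, password):
        if not self.keylock_on or level is Level.NONE:
            return False
        ok = hmac.compare_digest(_CREDENTIALS[level], _digest(password))
        self.level = level if ok else Level.NONE
        return ok

    def _require(self, level):
        if not self.keylock_on or self.level.value < level.value:
            raise PermissionError(f"{level.name} access with keylock required")

    # Items the response lists as operator-accessible.
    def read_setpoint(self, name):
        return self.setpoints[name]                   # read-only, no key needed

    def write_setpoint(self, name, value):
        self._require(Level.USER)
        self.setpoints[name] = float(value)

    def write_calibration(self, name, value):
        self._require(Level.USER)
        self.calibration[name] = float(value)

    def write_factory_setting(self, name, value):
        self._require(Level.FACTORY)
        self.factory_settings[name] = float(value)

    def run_self_diagnostics(self):
        """Manual self-test: off-line access through the keylock only."""
        if not self.keylock_on:
            raise PermissionError("keylock required for off-line diagnostics")
        return self.program == ("read_inputs", "compare", "vote", "drive_outputs")

    def cross_channel_check(self, own_value, other_division_values):
        """Read-only plausibility check against the other divisions' data."""
        return all(abs(own_value - v) <= CROSS_CHANNEL_TOLERANCE
                   for v in other_division_values)

    def write_program(self, *_):
        """No front-panel path can change the PROM-resident program."""
        raise PermissionError("control program is in PROM and is not writable")


def attempt(operation, *args):
    """True if the operation was permitted, False if it raised PermissionError."""
    try:
        operation(*args)
        return True
    except PermissionError:
        return False
```

The point the model makes is the coupling the response describes: the same key that enables keypad input takes the channel off-line, so a setpoint cannot be edited on a channel that is simultaneously counted as operable, and the program image has no write path at all.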


QUESTION

420.102 (7) While a computer-based system can provide more effective man/machine interface, the internal system operation is more complex, and can be more obscure to the operator or maintenance person if he is required to intervene at a complex level.

What capability of providing a permanent and current record of the system data base is provided in the system?

RESPONSE

420.102 Each safety system controller is a real-time, computer-based device equipped with both permanent data storage capability and volatile program memory.

Permanent data storage within SSLC:

a. The control programs, algorithms, and data tables of each system controller are in PROM.
b. Setpoints are in EEPROM (EAROM).

The contents of PROM and EEPROM can be downloaded to the process computer for archiving or analysis upon operator request. A system fault or internal controller fault, including power failure, that causes an inoperative condition will result in PROM, EEPROM, and RAM data being automatically downloaded to the process computer.

QUESTION 420.103 (7) While a computer-based system can provide more effective man/machine interface, the internal system operation is more complex, and can be more obscure to the operator or maintenance person if he is required to intervene at a complex level.

Provide the basis for assumed operator response times.

RESPONSE

420.103 The safety systems are initiated automatically when required. There are no assumed operator response times used in the task analyses of the safety systems since they are initiated automatically. Manual actuation capability of safety systems is provided in accordance with Paragraph 4.17 of IEEE 279.

QUESTION 420.104 (7) While a computer-based system can provide more effective man/machine interface, the internal system operation is more complex, and can be more obscure to the operator or maintenance person if he is required to intervene at a complex level.

Discuss the range of possible scenarios for transferring the system from automatic to manual mode (and vice versa) and the potential for error or disturbance during such a transfer. Describe any differences characterized by these transfers with respect to BWR designs previously reviewed by the staff. For example, discuss consideration of IE Bulletin 80-06, "Engineered Safety Features Reset Controls".

RESPONSE

420.104 In the standby safety systems, automatic and manual modes coexist; no transfer is required. Manual control of reactor emergency shutdown or initiation of the emergency core cooling systems is always available to the operator. Manual control is implemented both at the system and individual equipment level. Manual functions do not require the 2-out-of-4 voting of the automatic signals. However, various interlocks from valve limit switches, pump status indicators, or other sensors limit the operator's responses to safe actions.

QUESTION 420.106 (7) Define the logic by type and verify the diversity of the reactor internal pump trip circuits. If software is to be a part of this design, identify the form and diversity to be applied to this function.

RESPONSE

420.106 Referring to the attached figure on recirculation pump trip (RPT) logic, redundant inputs and diverse logic are provided in the RPT design. For example, the use of four sensors to monitor turbine stop valve (TSV) positions and two-out-of-four trip logic in the reactor protection system insulates the RPT signal from the effect of either two sensor failures in the non-trip condition, or one sensor failure in the trip condition. Furthermore, a two-out-of-four trip logic is provided in the RFC system to protect against a divisional failure in the reactor protection system (RPS). This same degree of tolerance is available to the TCV fast closure and wide range water level sensors. For the high dome pressure and L3 RPT trip, the failure of one of three sensors in either the trip or non-trip condition is tolerable by the two-out-of-three logic.

Since all trip logic will be performed by application software embedded in dedicated microprocessors, logic redundancy depends only on the voting algorithm for the processor outputs. With both the RPS and SSLC (Safety System Logic & Control) outputs being voted upon by two-out-of-four logic in the recirculation flow control (RFC) system, failure in two divisions of RPS or SSLC processing channels, multiplexer, or data bus in the non-trip condition (a very remote possibility), or one channel of the same in the trip condition can be tolerated. Similarly, with the voting of the RFC system, feedwater flow control (FWC) system and steam bypass & pressure control (SB&PC) system controllers' outputs being performed by two-out-of-three logic, failure in one processing node in each controller will not result in a loss of system function.

Trip diversification is accomplished by planned distribution of trip logic. Multiple failures in the TCV pressure sensors, TSV position switches, or RPS, SB&PC or FWC processors will not cause the loss of more than five RIPs, and multiple failures in the SSLC processors will not cause more than six staggered pump trips. By separating the L2, L3 and high pressure RPT trip logic from the RPS system, no common mode failure can cause a loss of both reactor scram and ATWS RPT functions upon command. Also, by delaying the pump trip in three RIPs with hardware built into the ASD, no multiple failures in the RPT trip logic could cause a simultaneous trip of more than 5 RIPs.

QUESTION

420.107 (9.3.5.2) Describe procedural controls considered adequate to control the keylocked SLCS.

RESPONSE

420.107 The operation of the Standby Liquid Control System (SLCS) is governed by the symptom-based Emergency Operating Procedures (EOPs). NEDO-31331, "BWR Owners Group Emergency Procedure Guidelines", Rev. 4, March 1987, has been approved by the NRC. These guidelines (which were originally developed for general application for BWRs) have been incorporated for the SLCS system in the ABWR Emergency Procedure Guidelines (See Section 1.1.3).

There are four entry conditions, any one of which would cause the operator to initiate emergency procedures. These are:

1) RPV water level below Level 3,
2) RPV pressure above the high pressure setpoint,
3) Drywell pressure above~the high pressure setpoint, or
4) Reactor power greater than specified limits or unknown.

It is the fourth entry condition which could cause a need for SLCS.

Once the operator has entered the EOPs he is instructed to monitor and control the following:

1) RPV water level,
2) RPV pressure, and
3) RPV power.

The EOP specifies numerous ways to lower power while continuing attempts to get the control rods in. The operator also monitors the suppression pool temperature during this procedure. Before the pool reaches a specified limit SLCS is initiated.

These symptom-based EOPs provide procedural controls that are adequate to control the keylocked SLCS.

QUESTION 420.108 (7.1.2.2) In section (m) consider replacing "obviate" with prevent or preclude.

RESPONSE

420.108 "Obviate" has been replaced with "prevent" as shown in attached mark-up of text.

QUESTION 420.109 (7.1.2.3.1) In Section 7.1.2.3.1(c), describe how provision for manual control limits dependence on operator judgement in times of stress.

RESPONSE

420.109 Strictly speaking, provision for manual control need not be mentioned under the heading "limit dependence on operator judgement in times of stress...". However, the intent was that the operator would be less stressed knowing such provision was available, even though the ECCS initiation is fully automated.

QUESTION 420.110 (7.1.2.3.1) For Section 7.1.2.3.1(2), describe any precautions taken to prevent or minimize inadvertent initiation of non-safety systems during accidents.

RESPONSE

420.110 The non-safety systems primarily consist of control systems that continuously operate during normal reactor power operation. These are described in Section 7.7. It is desirable, but not essential, that these systems continue to operate during postulated accident events in order to preclude the need for (or reduce the load on) the protection systems. Therefore, the question is not applicable to these systems.

As indicated in Section 9.5.1.1, the fire protection systems are designed so that their inadvertent operation or the occurrence of a single failure in any of these systems will not prevent plant safe shutdown.

QUESTION

420.111 (7.1.2.3.7) Why isn't the requirement to meet the Seismic Category I design requirements (7.1.2.3.7(1)(c)) listed in the other applicable sections?

RESPONSE

420.111 The seismic category I requirement is generally applied to all safety related instrumentation and control equipment as stated generically in Section 7.1.2.11.4 and in Section 3.30. It is usually not considered a design basis for each safety system since it is already imposed as a qualification requirement for the safety system's components. The statement in 7.1.2.3.7(1)(c) is therefore unnecessary, though it is true. To be consistent with the other sections, and avoid the erroneous implication that other safety systems may not meet such requirements, this statement has been removed as shown in attached mark-up.

QUESTION 420.112 (7.1.2.4.3) Are the other sections to be revised to include the normal operation parameters similar to 7.1.2.4.3(1)(a)?


RESPONSE

420.112 We do not anticipate such revisions for the following reason:

The safety design bases for the protection systems described in this section generally pertain to accident (abnormal) conditions. Few, if any, "normal" operation parameters are defined for such systems, other than to monitor for detection of an abnormal condition. An exception, as indicated, is the RHR shutdown cooling mode which has a safety function to remove residual heat from the reactor vessel during normal shutdown.

Normal operating parameters are generally handled by the control systems described in Section 7.7. These systems' design bases are just the opposite, in that they generally have no safety design bases except to assure their functions do not preclude the operation of safety-related systems. [See Section 7.1.2.7(1).]

QUESTION 420.113 (7.1.2.6.1.1) Has consideration been given to providing the annunciators with backup diesel or battery power? (Ref. 7.1.2.6.1.1(2)(g))

RESPONSE

420.113 Yes. All control room annunciators shall be powered uninterruptibly.

QUESTION

420.114 (7A.1-1) The copy of Section 7 provided to the staff did not include Appendix 7A nor an indication that it was to be provided later. Provide this section or a schedule for providing it.

RESPONSE

420.114 Appendix 7A was submitted to the NRC Staff in March, 1989.

QUESTION 420.115 (7.3.1.1.1.3(4)(e)) In the discussion about torque switches and thermal overloads, there is a reference to Section 3.8.4.2 which is the applicable codes and standards for seismic qualification of the Reactor and Control Buildings. What is the correct reference?

RESPONSE

420.115 The reference has been corrected to say "(For more information on valve testing, see Section 3.9.3.2)".

QUESTION 420.116 (1.2.2.4.8.1.2) The fourth paragraph seems to imply that all three systems are needed to mitigate a LOCA. Is that accurate?

RESPONSE

420.116 The previous text was misleading. Section 6.3.1.1 provides a more accurate and detailed description of the redundant features of the ECCS network. The last sentence of the fourth paragraph of 1.2.2.4.8.1.2 has been replaced with the following:

"These high pressure systems, combined with the RHR low pressure flooders and ADS, make up the ECCS network which can accommodate any single failure and still safely shut down the reactor. (See Section 6.3.1.1 for detailed description of ECCS redundancy and reliability.)"

QUESTION

420.117 (9.3.5.1.1) Describe interlocks and indications used to prevent injection of the testing mode demineralized water instead of boron.

RESPONSE

420.117 Control room indications in conjunction with the EOPs prevent the unlikely occurrence of injecting the test tank demineralized water instead of boron.

When the SLCS has been initiated from the main control room, the injection valve and the pump suction valve will open to begin injection of the sodium pentaborate solution. In the unlikely event that the test tank suction valve were open, then neither the injection valve nor the pump suction valve would open and demineralized water would be circulated back to the test tank. However, the test tank suction valve is a manually operated valve whose position (full open or full closed) is indicated in the control room. To inhibit boron injection under this condition, the plant operators would have had to have left the test tank valve open after testing, and the control room operators would have had to ignore the valve position indicator. This is an extremely unlikely scenario.

In addition to the above, the operators operating under the EPGs (See response to Question 420.107) are instructed to' confirm boron injection

'by monitoring the solution water level in the tank.

Therefore, the operating procedures and indicators will prevent the injection of the testing mode demineralized water instead of boron.

QUESTION

420.119 (7.4.1.2(7)) Are there any other valves which must isolate upon initiation of the SLCS?

RESPONSE

420.119 Only the reactor water cleanup isolation valve must close upon initiation of the SLCS. However, given the initiation of the SLCS, the operator will be monitoring and controlling many functions of the plant (see response to Question 420.107), such as managing the RPV water level, to bring the plant to a safe shutdown. These other actions may involve isolating other systems to maximize the benefits of the SLCS.

QUESTION

420.121 (7.3.1.2(7)) The first paragraph states that pipe break outside containment and feedwater line break are discussed below. The staff could not locate these items.

RESPONSE

420.121 The following additional section has been added to 7.3.1.2(7):

"(f) Pipe Break Outside Containment and Feedwater Line Break

For any postulated pipe rupture, the structural integrity of the containment structure is maintained. In addition, safety/relief valves (SRVs) and the reactor core isolation cooling (RCIC) system steamline are located and restrained so that a pipe failure would not prevent depressurization. Separation is provided to preserve the independence of the low-pressure flooder (LPFL) systems.

For high energy piping systems penetrating through the containment, such as the feedwater lines, isolation valves are located as close to the containment as possible. The pressure, water level, and flow sensor instrumentation for essential systems, which are required to function following a pipe rupture, are protected.

Pipe whip protection is detailed in Section 3.6."

ABWR 23A6100AF
Standard Plant REV A

7.1 INTRODUCTION

This chapter presents the specific detailed design and performance information relative to the instrumentation and control aspects of the safety related systems utilized throughout the plant. The design and performance considerations relative to these systems' safety function and their mechanical aspects are described in other chapters.

7.1.1 Identification of Safety Related Systems

7.1.1.1 General

Instrumentation and control systems are designated as either nonsafety related systems or safety systems depending on their function. Some portions of a system may have a safety function while other portions of the same system may be classified nonsafety related. A description of the system of classification can be found in Chapter 15, Appendix A.

The systems presented in Chapter 7 are also classified according to NRC Regulatory Guide 1.70, Revision 3 (i.e., reactor protection (trip) system (RPS), engineered safety feature (ESF) systems, systems required for safe shutdown, safety-related display instrumentation, all other instrumentation systems required for safety, and control systems not required for safety). Table 7.1-1 compares instrumentation and control systems of the ABWR with those of the GESSAR II 238 Nuclear Island. Differences and their effect on safety related systems are also identified in Table 7.1-1.

Each individual safety related system utilizes redundant channels of safety related instruments for initiating safety action. The automatic decision making and trip logic functions associated with the safety action of several safety related nuclear steam supply systems (NSSS) are accomplished by a four division correlated and separated protection logic complex called the safety system logic and control (SSLC). The SSLC multi-divisional complex includes divisionally separate control room and other panels which house the SSLC equipment for controlling the various safety function actuation devices. The SSLC receives input signals from the redundant channels of instrumentation in the safety related system, and uses the input information to perform logic functions in making decisions for safety actions.

Divisional separation is also applied to the essential multiplexing system (EMS), which provides data highways for the sensor input to the logic units and for the logic output to the system actuators (actuated devices such as pump motors and motor operated valves). Systems which utilize the SSLC are the reactor protection (trip) system, the high pressure core flooder system, the residual heat removal system, the automatic depressurization system, the leak detection and isolation system and the reactor core isolation cooling system, which are defined in the following subsections and discussed in other sections of this chapter.

7.1.1.2 Reactor Protection (Trip) System (RPS)

The reactor protection (trip) system instrumentation and controls initiate an automatic reactor shutdown via insertion of control rods (scram) if monitored system variables exceed preestablished limits. This action avoids fuel damage, limits system pressure and thus restricts the release of radioactive material.

7.1.1.3 Engineered Safety Features (ESF) Systems

7.1.1.3.1 Emergency Core Cooling Systems (ECCS)

Instrumentation and controls provide initiation and control of specific core cooling systems such as the high pressure core flooder (HPCF) system, automatic depressurization system (ADS), reactor core isolation cooling system (RCIC) and the low-pressure coolant injection flooders of the residual heat removal system provided to cool the core fuel cladding following a design basis accident.

7.1.1.3.2 Leak Detection and Isolation System

Instrumentation and controls monitor selected potential sources of water leakage or other conditions and initiate closure of various isolation valves if monitored system variables exceed preestablished limits. This action limits the loss of coolant from the reactor coolant pressure boundary and the release of radioactive materials from either the reactor coolant pressure boundary or from the fuel and equipment storage pools.

7.1.1.3.3 Wetwell and Drywell Spray Mode of RHR

Instrumentation and control provides manual initiation of wetwell spray and manual initiation of drywell spray (when a high drywell pressure signal is present) to condense steam in the containment and remove heat from the containment. The drywell spray has an interlock such that drywell spray is possible only in the presence of a high drywell pressure condition.

7.1.1.3.4 Suppression Pool Cooling Mode of RHR (SPC-RHR)

Instrumentation and control is provided to manually initiate portions of the RHR system to effect cooling of the suppression pool water.

7.1.1.3.5 Standby Gas Treatment System

Instrumentation and control is provided to maintain negative pressure in the secondary containment and to limit airborne radioactivity release if required.

7.1.1.3.6 Emergency Diesel Generator Support Systems

Instrumentation and control is provided to assure availability of electric control and motive power under all design basis conditions. The function of the diesel generator is to provide an emergency AC power supply for the safety-related systems (required for the safe shutdown of the reactor) when the offsite source of power is not available.

7.1.1.3.7 Reactor Building Cooling Water System

Instrumentation and control is provided to assure availability of cooling water for heat removal from the nuclear system as required.

7.1.1.3.8 Essential HVAC Systems

Instrumentation and control is provided to maintain an acceptable thermal environment for safety equipment and operating personnel.

7.1.1.3.9 HVAC Emergency Cooling Water System

Instrumentation and control is provided to ensure that adequate cooling is provided for the main control room, the control building essential electrical equipment rooms, and the diesel generator rooms.

7.1.1.3.10 High Pressure Nitrogen Gas Supply

Instrumentation and control is provided to ensure adequate instrument high pressure nitrogen is available for ESF equipment operational support.

7.1.1.4 Safe Shutdown Systems

7.1.1.4.1 Alternate Rod Insertion Function (ARI)

Though not required for safety, instrumentation and controls for the ARI provide a function for mitigation of the consequences of anticipated transient without scram (ATWS) events. Upon receipt of an initiation signal (high reactor pressure or low reactor water level), the fine motion control rod drive (FMCRD) motors drive the rods full-in. This provides a means diverse from the hydraulic control units (HCUs) for scramming the reactor.

7.1.1.4.2 Standby Liquid Control System (SLCS)

Instrumentation and controls are provided for the manual initiation of an independent backup system which can shut the reactor down from rated power to the cold condition in the event that all withdrawn control rods cannot be inserted to achieve reactor shutdown.

7.1.1.4.3 Residual Heat Removal (RHR) System / Shutdown Cooling Mode

Instrumentation and controls provide manual initiation of cooling systems to remove the decay and sensible heat from the reactor vessel.

7.1.1.4.4 Remote Shutdown System

Instrumentation and controls are provided outside the main control room to assure safe shutdown of the reactor in the event the main control room should become uninhabitable.

7.1.1.5 Safety Related Display Instrumentation

Safety related display instrumentation is provided to inform the reactor operator of plant conditions and equipment status so that it can be determined when a manual safety action should be taken or is required.

7.1.1.6 Other Safety-Related Systems

7.1.1.6.1 Neutron Monitoring System (NMS)

The neutron monitoring system (NMS) monitors core neutron flux from the startup source range to beyond rated power. The neutron monitoring system provides logic signals to the reactor protection system (RPS) to shut down the reactor when a condition necessitating a reactor scram is detected. The NMS is composed of four subsystems:

(1) startup range neutron monitoring (SRNM),

(2) local power range monitoring (LPRM),

(3) automated traversing incore probe (ATIP), and

(4) average power range monitoring (APRM).

7.1.1.6.2 Process Radiation Monitoring System Instrumentation and Controls (PRM)

The process radiation monitoring system monitors the main steam lines, vent discharges and all liquid and gaseous effluent streams which may contain radioactive materials. Main control room display, recording, and alarm capability is provided along with trip inputs to the reactor protection system and leak detection and isolation systems.

7.1.1.6.3 High Pressure/Low Pressure Systems Interlock Protection Function

Instrumentation and controls provide automatic control of the RHR/LPFL system valves thereby providing an interface between this low-pressure system and the reactor coolant pressure boundary to protect it from overpressurization.

7.1.1.6.4 Fuel Pool Cooling and Cleanup System

The fuel pool cooling function maintains the fuel storage pool below the temperature necessary to service and store the fuel bundles. The cleanup function consists of filter demineralizer units which treat the water and recirculate it back to the fuel pool.

7.1.1.6.5 Wetwell to Drywell Vacuum Breaker System

This system is provided to prevent the occurrence of harmful pressure differences across the diaphragm floor.

7.1.1.6.6 Containment Atmospheric Monitoring System

The containment atmospheric monitoring system (CAMS) measures and records radiation levels and the oxygen/hydrogen concentration in the primary containment under post-accident conditions. It is put in service upon detection of loss-of-coolant accident (LOCA) conditions.

7.1.1.6.7 Suppression Pool Temperature Monitoring System

Instrumentation is provided to maintain operator awareness of pool temperatures under all operating and accident conditions.

7.1.2 Identification of Safety Criteria

7.1.2.1 General

Design bases and criteria for instrumentation and control equipment design are based on the need to have each system perform its intended function while meeting the requirements of applicable general design criteria, regulatory guides, industry standards, and other documents.

The safety design basis for a safety system states in functional terms the unique design requirements that establish the limits within which the safety objectives shall be met. The general functional requirement portion of the safety design basis presents those requirements

Specific Regulatory Requirements:

The specific regulatory requirements applicable to the controls and instrumentation for the ECCS are shown on Table 7.1-2.

(2) Nonsafety-Related Design Bases

None.

7.1.2.3.2 Leak Detection and Isolation System Instrumentation and Control

(1) Safety Design Bases

General Functional Requirements:

The general functional requirements of the instrumentation and control are to detect, indicate and alarm leakage from the reactor primary pressure boundary and, in certain cases, to initiate closure of isolation valves to shut off leakage external to the containment.

In order to meet the safety design basis, the instrumentation and control system shall be designed (as a minimum) to:

(a) provide direct and accurate measurements of parameters which are indicative of a reactor coolant pressure boundary (RCPB) leak or a leak of reactor coolant outside the containment and then provide prompt isolation of the affected system or area;

(b) monitor predetermined parameters with precision and reliability and respond correctly to the sensed parameters;

(c) provide a sufficient number of independent monitors sensing each parameter to ensure accurate measurement and preclude the possibility of a failure to isolate due to instrumentation failure;

(d) provide a sufficient number of redundant and/or diverse monitors sensing each parameter to ensure that the condition requiring isolation cannot disable the monitors necessary to cause isolation;

(e) provide an isolation control system with sufficient redundancy to ensure the system can perform its intended function, assuming a single failure caused by any of the design basis events or a single power supply failure;

(f) provide an isolation control system which will ensure that isolation of the containment and/or reactor vessel will occur once initiated; and

(g) provide instrumentation and control to permit the operator to manually initiate isolation if necessary.

Specific Regulatory Requirements:

Specific regulatory requirements applicable to this system are shown in Table 7.1-1.

(2) Nonsafety-Related Design Bases

The instrumentation and control is designed to:

(a) provide sufficient redundancy of instruments to avoid unnecessary plant shutdowns due to instrument malfunctions;

(b) avoid plant shutdowns due to a single power supply failure; and

(c) provide the capability to maintain, calibrate, or adjust system monitors while operating without causing plant shutdown.

7.1.2.3.3 RHR Wetwell and Drywell Spray Cooling Mode (CS-RHR) Instrumentation and Controls

(1) Safety Design Bases

The general functional requirements of the wetwell and drywell cooling mode of the RHR system shall provide instrumentation and controls to:

(a) initiate wetwell and drywell spray as required to avoid environmental conditions of pressure and temperature that would threaten the integrity of the containment during a transient or accident condition;

Figure: ABWR RPT LOGIC (recirculation pump trip logic diagram). Recoverable labels: RFC CONTROLLER A; RPS DIV I; TSV CLOSURE and TCV FAST CLOSURE inputs; RPV NR LVL (I, II, III) with NR < L3 trips; DOME PRES (P > HI SP) trips; SSLC ECCS input with 6 sec delays; RPV WR LVL inputs; 2 DIV RPT and 3 DIV RPT outputs; RPT outputs to ASD A, B, C, D, E, F, G, H, J and K.

sients, or physical events from impairing the ability of the system to respond correctly.

(k) Earthquake ground motions, as amplified by building and supporting structures, shall themselves initiate reactor scram, and shall not impair the ability of the RPS to otherwise initiate a reactor scram, with the exception of turbine building trips which originate from a non-seismic building. These shall be backed up by diverse variables such as reactor pressure and power trips.

(l) No single failure within the RPS shall prevent proper reactor protection system action when required to satisfy Safety Design Bases as described by the first three bullets under 1(a) above.

(m) Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not impair the ability of the reactor protection system to respond correctly.

(n) The system shall be designed so that two or more sensors for any monitored variable exceeding the scram setpoint will initiate an automatic scram.

The following bases reduce the probability that RPS operational reliability and precision will be degraded by operator error:

(o) Access to trip settings, component calibration controls, test points, and other terminal points shall be under the control of plant operations supervisory personnel.

(p) Manual bypass of instrumentation and control equipment components shall be under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously annunciated in the main control room.

Specific Regulatory Requirements:

The specific requirements applicable to the RPS instrumentation and control are shown in Table 7.1-2.

(2) Nonsafety-Related Design Bases

The RPS is designed with the added objective of plant availability. The setpoints, power sources, and control and instrumentation shall be arranged in such a manner as to preclude spurious scrams insofar as practicable and safe.

7.1.2.3 Engineered Safety Features (ESF)

7.1.2.3.1 Emergency Core Cooling Systems Instrumentation and Controls

(1) Safety Design Bases

General Functional Requirements:

The ECCS control and instrumentation shall be designed to meet the following requirements:

(a) automatically initiate and control the emergency core cooling systems to prevent fuel cladding temperatures from reaching the limits of 10CFR50.46;

(b) respond to a need for emergency core cooling regardless of the physical location of the malfunction or break that causes the need; and

(c) limit dependence on operator judgement in times of stress by indication of performance of the ECCS by main control room instrumentation, and provision for manual control of the ECCS in the main control room.

applicable to the diesel generator and its auxiliaries are listed in Table 7.1-2.

(2) Nonsafety Related Design Bases

There is no power generation design basis for this system.

7.1.2.3.7 Reactor Building Cooling Water System Instrumentation and Controls

(1) Safety Design Bases

General Functional Requirements:

The general functional requirements of the instrumentation and controls of this system shall be to:

(a) maintain control of cooling water to equipment that requires cooling during reactor shutdown modes and following a LOCA;

(b) provide for the automatic isolation of the non-essential parts of the reactor building cooling water system (except CRD pump oil coolers and instrument air coolers) from the essential parts during LOCA or upon detection of a major RCW leak in the non-essential system; and

(c) satisfy seismic category design requirements.

Specific Regulatory Requirements:

The specific regulatory requirements applicable to the system instrumentation and controls are given in Table 7.1-2.

(2) Nonsafety-Related Design Bases

(a) Controls and instrumentation shall be provided to control and monitor the distribution of reactor building cooling water to remove heat from plant auxiliaries during normal plant operation.

(b) The essential service water system shall be capable of being tested during normal plant operation.

7.1.2.3.8 Essential HVAC Systems Instrumentation and Controls

(1) Safety Design Bases

See Subsections 9.4.1.1.1 and 9.4.5.1.1.

7.1.2.3.9 HVAC Emergency Cooling Water System Instrumentation and Controls

(1) Safety Design Bases

General Functional Requirements:

The general functional requirements of the HVAC emergency cooling water system instrumentation and controls shall provide control for cooling units that ensure a controlled environment for essential equipment and control room areas following a loss-of-coolant accident, loss of preferred power, or isolation of normal heating, venting, and air conditioning (HVAC).

Specific Regulatory Requirements:

The specific regulatory requirements applicable to the system instrumentation and control are given in Table 7.1-2.

(2) Nonsafety-Related Design Bases

The system shall provide a continuous supply of chilled water to the cooling coils of air conditioning systems which provide a controlled temperature environment and proper humidity to ensure the comfort of the operating personnel and to provide a suitable atmosphere for the operation of control equipment.

7.1.2.3.10 High Pressure Nitrogen Gas Supply System Instrumentation and Control

(1) Safety Design Bases

General Functional Requirements:

The general functional requirements of the instrumentation and controls shall provide automatic and manual control of the nitrogen gas supply to assure its operation during

damaged by overheating at reduced RCIC pump discharge flow, a pump minimum flow bypass is provided to route the water discharged from the pump back to the suppression pool.

The minimum flow bypass is controlled by an automatic DC motor operated valve. The control scheme is shown in Figure 7.3-3 (RCIC IBD). The valve is automatically closed at high flow or when either the steam supply or turbine trip valves are closed. Low flow combined with high pump discharge pressure opens the valve.

To prevent the RCIC steam supply pipeline from filling up with water and cooling excessively, a condensate drain pot, steamline drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The controls position valves so that during normal operation steamline drainage is routed to the main condenser. The water level in the steamline drain condensate pot is controlled by a level switch and a direct acting solenoid valve which energizes to allow condensate to flow out of the drain pot. Upon receipt of an RCIC initiation signal and subsequent opening of the steam supply valve, the drainage path is shut off by redundant valves.

To prevent the turbine exhaust line from filling with water, a condensate drain pot is provided. The water in the turbine exhaust line condensate drain pot is routed to the clean radwaste system. RCIC initiation and subsequent opening of the steam supply valve causes the condensate drainage line to be shut off by redundant valves.

During test operation, the RCIC pump discharge is routed to the suppression pool. Two DC motor operated valves are installed in the pump discharge to suppression pool pipeline. The piping arrangement is shown in Figure 5.4-8 (RCIC P&ID). Upon receipt of an RCIC initiation signal, the valves close as shown in Figure 7.3-3 (RCIC IBD). The pump suction from the condensate storage pool is automatically closed or interlocked closed if the suppression pool suction valve is fully open.

Various indications pertinent to the operation and condition of the RCIC are available to the main control room operator. Figure 7.3-3 (RCIC IBD) shows the various indications provided.

(d) Redundancy and Diversity

On a network basis, the HPCF is redundant and diverse to RCIC for the ECCS and safe shutdown function. Therefore, RCIC as a system by itself is not required to be redundant or diverse, although the instrument channels are redundant for operational availability purposes.

The RCIC is actuated by high drywell pressure or by reactor low water level. Four nuclear boiler system sensors monitor each parameter and combine in two sets of two-out-of-four logic signals in the safety system logic and control (SSLC). A permissive signal from either set initiates the RCIC. The sensor outputs themselves are shared by other systems in common with each division (see NBS P&ID Figure 5.1-3).

(e) Actuated Devices

All automatic valves in the RCIC are equipped with remote manual test capability so that the entire system can be operated from the control room. Motor-operated valves are equipped with limit and torque switches. Limit switches turn off the motors when movement is complete. In the closing direction, torque switches turn the motor off when the valve has properly seated. Thermal overload devices are used to trip motor-operated valves during testing only (for more information on valve testing, see Section 3.9.3.2). All motor-operated and air-operated valves provide control
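The two-out-of-four coincidence voting described above for RCIC initiation, and the RPS design basis (n) that two or more sensors exceeding the scram setpoint initiate a scram, can be checked with a small model. The Python block below is an added example written for this page; it is not GE's SSLC logic and does not come from any ABWR design document. The setpoint values, the sensor readings and the function names (channel_trips, m_out_of_n, rcic_initiate, single_failure_analysis) are all constructed for the model.

```python
# Added example: a model of the two-out-of-four coincidence logic described
# above for RCIC initiation and the RPS scram basis (n). Setpoints and
# readings are constructed for the model; they are not ABWR design values.


def channel_trips(readings, setpoint, low_trip):
    """Turn four divisional sensor readings into four trip bits.

    low_trip=True: the channel trips when its reading falls below setpoint
    (low reactor water level). low_trip=False: the channel trips when its
    reading rises above setpoint (high drywell pressure)."""
    if len(readings) != 4:
        raise ValueError("expected one reading per division (4)")
    if low_trip:
        return tuple(r < setpoint for r in readings)
    return tuple(r > setpoint for r in readings)


def m_out_of_n(trips, m):
    """Coincidence voter: True when at least m channels are tripped."""
    return sum(1 for t in trips if t) >= m


def two_out_of_four(trips):
    return m_out_of_n(trips, 2)


# Constructed setpoints for the model (units are arbitrary).
LOW_LEVEL_SETPOINT_CM = 0.0        # trip when level falls below this
HIGH_DRYWELL_PRESSURE_KPA = 15.0   # trip when pressure rises above this


def rcic_initiate(level_readings, drywell_readings):
    """RCIC starts on low water level OR high drywell pressure; each
    parameter is voted two-out-of-four in its own set, and a permissive
    from either set initiates the system."""
    level_set = two_out_of_four(
        channel_trips(level_readings, LOW_LEVEL_SETPOINT_CM, low_trip=True))
    pressure_set = two_out_of_four(
        channel_trips(drywell_readings, HIGH_DRYWELL_PRESSURE_KPA, low_trip=False))
    return level_set or pressure_set


def single_failure_analysis(m, bypassed=None):
    """Count single-channel failures that defeat an m-out-of-4 voter.

    Two failure modes are tried for every division: a channel stuck tripped
    while no real demand exists (a spurious initiation if the voter fires)
    and a channel stuck untripped while a real demand exists (a missed
    initiation if the voter does not fire). An optional bypassed division
    is held untripped, as it would be during a channel test."""
    spurious = missed = 0
    for division in range(4):
        if division == bypassed:
            continue
        no_demand = [False] * 4          # plant normal, one channel failed high
        no_demand[division] = True
        if m_out_of_n(no_demand, m):
            spurious += 1
        demand = [True] * 4              # real demand, one channel failed low
        demand[division] = False
        if bypassed is not None:
            demand[bypassed] = False
        if not m_out_of_n(demand, m):
            missed += 1
    return {"spurious": spurious, "missed": missed}


if __name__ == "__main__":
    normal_level = (50.0, 50.0, 50.0, 50.0)      # constructed readings
    normal_drywell = (5.0, 5.0, 5.0, 5.0)
    print(rcic_initiate(normal_level, normal_drywell))                  # False
    print(rcic_initiate((50.0, -20.0, 50.0, 50.0), normal_drywell))     # False
    print(rcic_initiate((-20.0, -20.0, -20.0, 50.0), normal_drywell))   # True
    for m in (1, 2, 3, 4):
        print(m, single_failure_analysis(m), single_failure_analysis(m, bypassed=0))
```

Running the block shows why the page pairs four channels with a two-of-four vote rather than one-of-four or four-of-four: a single channel failed high cannot start the system on its own, a single channel failed low cannot block a real demand, and the same holds with one channel bypassed for test and a second one failed, which a three-of-four voter would not tolerate. That is the behaviour design bases (l) and (m) ask for; the annunciation of a bypass required by (p) is outside this model.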

operate automatically in time and with sufficient coolant flow to maintain adequate water level in the reactor vessel for events defined in Section 5.4.

1.2.2.4.8 Emergency Core Cooling Systems (ECCS)

In the event of a breach in the reactor coolant pressure boundary that results in a loss of reactor coolant, three independent divisions of ECCS are provided to maintain fuel cladding below the temperature limit as defined by 10CFR50.46. Each division contains one high pressure and one low pressure inventory makeup system. The systems are:

1.2.2.4.8.1 High Pressure

1.2.2.4.8.1.1 High Pressure Core Flooder (HPCF) System

Two HPCF are provided in two divisions to maintain an adequate coolant inventory inside the reactor vessel to limit fuel cladding temperatures in the event of breaks in the reactor coolant pressure boundary. The systems are initiated by either high pressure in the drywell or low water level in the vessel. They operate independently of all other systems over the entire range of system operating pressures. The HPCF system pump motors are powered by a diesel generator if auxiliary power is not available. The systems may also be used as a backup for the RCIC system.

1.2.2.4.8.1.2 RCIC Description

One division contains the RCIC system which consists of a steam driven turbine which drives a pump assembly and the turbine and pump accessories. The system also includes piping, valves, and instrumentation necessary to implement several flow paths. The RCIC steam supply line branches off one of the main steam lines (leaving the reactor pressure vessel) and goes to the RCIC turbine with drainage provision to the main condenser. The turbine exhausts to the suppression pool with vacuum breaking protection. Makeup water is supplied from the condensate storage pool (CSP) or the suppression pool with the preferred source being the CSP. RCIC pump discharge lines include the main discharge line to the feedwater line, a test return line to the suppression pool, a minimum flow bypass line to the suppression pool and a cooling water supply line to auxiliary equipment.

Following a reactor scram, steam generation in the reactor core continues at a reduced rate due to the core fission product decay heat. The turbine bypass system diverts the steam to the main condenser, and the feedwater system supplies the makeup water required to maintain reactor vessel inventory.

In the event the reactor vessel is isolated, and the feedwater supply is unavailable, relief valves are provided to automatically (or remote manually) maintain vessel pressure within desirable limits. The water level in the reactor vessel drops due to continued steam generation by decay heat. Upon reaching a predetermined low level, the RCIC system is initiated automatically. The turbine driven pump supplies water from the suppression pool or from the CSP to the reactor vessel. The turbine is driven with a portion of the decay heat steam from the reactor vessel, and exhausts to the suppression pool.

In the event there is a LOCA, the RCIC system, in conjunction with the two HPCF systems, is designed to pump water into the vessel from approximately 150 psig to full operating pressure.

During RCIC operation, the wetwell suppression pool acts as the heat sink for steam generated by reactor decay heat. This results in a rise in pool water temperature. Heat exchangers in the residual heat removal (RHR) system are used to maintain pool water temperature within acceptable limits by cooling the pool water directly.

1.2.2.4.8.2 Automatic Depressurization System (ADS)

The ADS rapidly reduces reactor vessel pressure in a loss of coolant accident, enabling the low-pressure RHR to deliver cooling water to the reactor vessel.

To protect ESF systems in the event of a postulated fire, the redundant portions of the systems are separated by fire barriers. If an internal fire were to occur within one of the sections of the main control room panel or in the area of one of the local panels, the ESF systems functions would not be prevented by the fire. The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the ESF system will continue to provide the required protective action. The remote shutdown system provides redundancy in the event of significant exposure fires in the control room.

The plant fire protection system is discussed in Section 9.5.

The following ESF system instrument taps and sensing lines are located inside the drywell and terminate outside the drywell. They could be subjected to the effects of a design basis loss of coolant accident (LOCA):

Reactor vessel pressure

Reactor vessel water level

Drywell pressure

These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11.

The instrumentation and control for the various systems described in this section

Trip points are within the operating range of instruments with full allowance for instrument error, drift, and setting error.

7.3.1.3 System Drawings

A list of the drawings is provided in Section 1.7. P&IDs are provided within Chapters 5, 6, and 9, and are referenced where appropriate in Chapter 7. All other diagrams, tables, and figures are included in Chapter 7 as appropriate. Subsection 1.7.1 provides keys for the interpretation of symbols used in these documents.

7.3.2 Analysis

Failure modes and effects analyses for ESF systems are provided in Chapter 15.

7.3.2.1 Emergency Core Cooling Systems Instrumentation and Controls

7.3.2.1.1 General Functional Requirements Conformance

Chapters 15, "Accident Analysis," and 6, "Engineered Safety Feature Systems," evaluate the individual and combined capabilities of the emergency cooling systems. For the entire range of nuclear process system break sizes, the cooling systems provide adequate removal of decay heat from the reactor core.

Instrumentation for the emergency core cooling systems must respond to the potential inadequacy of core cooling regardless of the location of a breach in the reactor coolant pressure boundary. Such a breach inside or outside the containment is sensed by reactor low water level. The reactor vessel low water level signal is the only emergency core cooling system initiating function that is completely independent of breach location. Consequently, it can actuate HPCF, RCIC, ADS and LPFL.


(d) Pipe break outside containment [...]: for any postulated pipe rupture, the structural integrity of the containment structure is maintained. In addition, safety/relief valves (SRVs) and the reactor core isolation cooling (RCIC) system steamline are located and restrained so that a pipe failure would not prevent depressurization. Separation is provided to preserve the independence of the low-pressure flooder (LPFL) systems.

For high energy piping systems penetrating through the containment, such as the feedwater lines, isolation valves are located as close to the containment as possible. The pressure, water level, and flow sensor instrumentation for essential systems, which are required to function following a pipe rupture, are protected.

Amendment 6



QUESTION 435.023 Section 8.3.1.2.1 states that there are four 6.9 kV electrical divisions, three of which are independent load groups backed by individual diesel generator sets. Figure 8.3-2 entitled "6.9 kV System Single Line" however shows only the three divisions backed by diesel generators. It does not show the fourth 6.9 kV division referred to in Section 8.3.1.2.1. Please clarify this discrepancy and show the fourth division, if it exists, in Figures 8.3-1 and 8.3-2.

RESPONSE

435.023 Section 8.3.1.2.1 was incorrect and has been revised in accordance with attached mark-up. There are only three 6.9 kV electrical divisions.

Figures 8.3-1 and 8.3-2 are correct as shown.

QUESTION 435.024 In Section 8.3.1.2.1 it is stated that the standby power system redundancy is based on the capability of any two of the four divisions (two of three load groups) to provide the minimum safety functions necessary to shut down the unit in case of an accident and maintain it in the safe shutdown condition. Why can't the unit be shut down in case of an accident with only one of the three load groups available?

Identify the systems or loads needed that require that two of the three load groups be available.

RESPONSE

435.024 Section 8.3.1.2.1 was incorrect and has been revised in accordance with attached mark-up. The reactor can be safely shut down from the control room with any one of the three load groups available.

QUESTION 435.029 (a) Section 8.3.1.3.1 discusses the means used to physically identify safety related power systems equipment. It states that all cables for Class 1E systems and associated circuits (except those routed in conduit) are tagged every 15 ft. In addition all cables are tagged at their terminations with a unique identifying number. R.G. 1.75, Rev. 2 states that these cables should be marked at intervals not to exceed 5 ft. and the preferred method of marking the cable is color coding. IEEE 384-1974 also states that these cable markings shall be applied prior to or during installation. Please verify that these recommendations are met or justify the differences. If exception is taken to position C.10 of R.G. 1.75, Rev. 2 regarding cable marking, the exception should be identified in Section 8.1.3.1.2.2 and wherever the exception is applicable.

(b) Section 8.3.1.3.1 also describes the marking of conduit and cable trays. Please verify that in accordance with the requirements of IEEE 305-1974 these markings are applied prior to the installation of cables.

(c) The identification requirements for instrumentation and control system cables and raceways described in items (3) and (4) of Section 8.3.1.3.2.1 should be the same as those for power systems provided in Section 8.3.1.3.1 subject to the above comments.


RESPONSE

435.029 Sections 8.3.1.3.1 and 8.3.1.3.2.1 have been revised as shown on attached. The identification criteria fully complies with the requirements of R.G. 1.75, Rev. 2, and IEEE 384-1974 regarding marking of cables, conduit, cable trays and raceways.

QUESTION 435.030 Provide a description of the ABWR cable spreading areas in the ABWR SSAR.

Describe how the requirements specified in Section 5.1.3 of IEEE 384-1974 (as modified by position C.12 of R.G. 1.75) are met.

RESPONSE

435.030 A description of the cable spreading areas is not applicable to the ABWR because a majority of the signals will be multiplexed to the control room. A cable spreading area is not in the plant layout.

QUESTION 435.035 Item (4) of Section 8.3.1.4.2.3.1 states that the scram solenoid conduits will have unique identification but no specific separation requirements, and the scram group conduits may run in the same raceway with other divisional circuits. If the scram group conduits are run in the same raceway with other divisional circuits or if they have less than the minimum separation from Class 1E circuits, they must be treated as associated circuits and must meet the requirements specified in Section 4.5 of IEEE 384-1974. Please verify that this is the case, and identify the specific separation requirements that will be applied to the scram group conduits when they become associated circuits.

RESPONSE

435.035 The statement in item (4) related to "no specific separation requirements" was not correct. There are specific separation requirements for the conduits containing the RPS wiring associated with each of the four scram groups, i.e., the conduits required from the scram actuating devices to the scram solenoid fuse panels, and from the fuse panels to the two solenoids of each of the individual scram pilot valves.

Section 8.3.1.4.2.3.1 has been completely revised as per attached pages. Individual grounded steel conduits will be provided to contain the scram solenoid wiring of each of the four scram groups to protect this wiring from hot shorts to any other wiring. Individual conduits will also be provided for the A solenoid wiring and for the B solenoid wiring in the same scram group.

The scram group conduits will have unique identification and will be treated essentially as if they are separate enclosed raceways, i.e., the conduits containing the scram solenoid group circuit wiring will be physically separated from raceways which contain either divisional or "non-divisional" (non-safety-related) circuits. Any scram group conduit may be routed alongside of any raceway containing either safety-related circuits (of any division), or any raceway containing non-safety-related circuits, as long as the conduit itself is not within the boundary of the raceway which contains either the divisional or non-safety-related circuits. Each scram conduit will be physically separated by at least one (1) inch from either metal enclosed raceways or non-enclosed raceways.



ABWR 23A6100AG
Standard Plant Rev A

(b) Conformance: The AC power system is in compliance with these GDCs, in part, or as a whole, as applicable. The GDCs are generically addressed in Subsection 3.1.2.

(2) Regulatory Guides (RGs):

(a) RG 1.6 - Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems
(b) RG 1.9 - Selection, Design, and Qualification of Diesel Generator Units Used as Standby (Onsite) Electric Power Systems at Nuclear Power Plants
(c) RG 1.32 - Criteria for Safety Related Electric Power Systems for Nuclear Power Plants
(d) RG 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems
(e) RG 1.63 - Electric Penetration Assemblies in Containment Structures for Light Water Cooled Nuclear Power Plants
(f) RG 1.75 - Physical Independence of Electric Systems
(g) RG 1.106 - Thermal Overload Protection for Electric Motors on Motor Operated Valves
(h) RG 1.108 - Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants
(i) RG 1.118 - Periodic Testing of Electric Power and Protection Systems

Regarding Position C.1 of Regulatory Guide 1.75, see Section 8.1.3.1.2.2 (6). Otherwise, the onsite AC power system is designed in accordance with recommendations of this guide, and with the other listed Regulatory Guides.

There are three 6.9 kV electrical divisions, which are independent load groups backed by individual diesel generator sets. The low voltage AC systems of the four divisions are backed by independent DC battery, charger and inverter systems.

The standby power system redundancy is based on the capability of any one of the three load groups to provide the minimum safety functions necessary to shut down the unit in case of an accident and maintain it in the safe shutdown condition.

There is no sharing of standby power system components between load groups, and there is no sharing of diesel generator power sources between units, since the ABWR is a single-plant design.

Each standby power supply for each of the three load groups is composed of a single generator driven by a diesel engine having fast-start characteristics and sized in accordance with Regulatory Guide 1.9.

Tables 8.3-1 and 8.3-2 show the rating of each of the Division I, II and III diesel generators, respectively, and the maximum coincidental load for each.

(3) Branch Technical Positions (BTPs):

(a) BTP ICSB 8 (PSB) - Use of Diesel-Generator Sets for Peaking
(b) BTP ICSB 18 (PSB) - Application of the Single Failure Criterion to Manually-Controlled Electrically Operated Valves
(c) BTP ICSB 21 - Guidance for Application of Regulatory Guide 1.47
(d) BTP PSB 1 - Adequacy of Station Electric Distribution System Voltages
(e) BTP PSB 2 - Criteria for Alarms and Indications Associated with Diesel-Generator Unit Bypassed and Inoperable Status

8.3-9 Amendment 2
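The redundancy basis stated for the standby power system (any one of the three load groups suffices, and no standby power component is shared between load groups) can be checked mechanically against a component inventory. The following is an added example and is not part of the SSAR or of GE's design documentation; the three-division inventory, the component names and the "shared charger" variant are constructed, simplified assumptions. It flags every component that serves more than one division, enumerates single component failures to report the worst-case number of intact load groups, and finds the smallest set of simultaneous failures that disables every load group.

```python
"""Single-failure check for the standby (onsite) power load groups.

Added example, not part of the SSAR; the component inventory is a
constructed, simplified model (assumption) of three independent Class 1E
load groups, each with its own diesel generator, 6.9 kV and 480 V buses,
battery, charger and inverter. Offsite power is not modeled: the standby
system is evaluated on its own, as it would be after loss of offsite power.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

Inventory = Dict[str, FrozenSet[str]]   # component name -> divisions it serves

DIVISIONS = ("I", "II", "III")
COMPONENT_KINDS = ("DG", "BUS-6.9kV", "BUS-480V", "BATT", "CHGR", "INV")


def build_inventory() -> Inventory:
    """Constructed inventory: every component serves exactly one division."""
    return {f"{kind}-{div}": frozenset({div})
            for div in DIVISIONS for kind in COMPONENT_KINDS}


def shared_components(inv: Inventory) -> List[str]:
    """Components serving more than one division: a sharing violation."""
    return sorted(name for name, divs in inv.items() if len(divs) != 1)


def available_groups(inv: Inventory, failed: Set[str]) -> Set[str]:
    """Divisions with no failed component; a failed shared component
    takes down every division it serves."""
    all_divs: Set[str] = set().union(*inv.values())
    lost: Set[str] = set().union(*(inv[c] for c in failed if c in inv))
    return all_divs - lost


def worst_single_failure(inv: Inventory) -> int:
    """Minimum number of intact load groups over every single component failure."""
    return min(len(available_groups(inv, {c})) for c in inv)


def meets_single_failure(inv: Inventory, required: int = 1) -> bool:
    """True if no component is shared and any single failure leaves at least
    `required` load groups (the SSAR text requires one)."""
    return not shared_components(inv) and worst_single_failure(inv) >= required


def min_failures_to_lose_all(inv: Inventory) -> int:
    """Smallest number of simultaneous component failures that leaves no load group."""
    names = sorted(inv)
    for n in range(1, len(names) + 1):
        if any(not available_groups(inv, set(combo)) for combo in combinations(names, n)):
            return n
    return len(names)


def with_shared_charger(inv: Inventory) -> Inventory:
    """Same inventory plus one charger wrongly serving Divisions I and II (constructed defect)."""
    bad = dict(inv)
    bad["CHGR-SHARED"] = frozenset({"I", "II"})
    return bad


if __name__ == "__main__":
    good = build_inventory()
    bad = with_shared_charger(good)
    for label, inv in (("independent", good), ("shared charger", bad)):
        print(f"{label}: shared={shared_components(inv)}, "
              f"worst single failure leaves {worst_single_failure(inv)} group(s), "
              f"{min_failures_to_lose_all(inv)} failure(s) to lose all, "
              f"criterion met: {meets_single_failure(inv)}")
```

With the independent inventory any single failure leaves two load groups and it takes three simultaneous failures (one per division) to lose all standby power; adding the single shared charger drops the worst case to one group and lets two failures disable everything, which is why the sharing prohibition and the single-failure basis are stated together.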


formers, distribution panels, batteries, and chargers) is tagged with an equipment number the same as indicated on the single-line diagrams.

(3) The nameplates are laminated black and white plastic, arranged to show black engraving on a white background for non-Class 1E equipment. For Class 1E equipment, the nameplates have color coded background with black engraving.

All cables for Class 1E systems and associated circuits (except those routed in conduits) are tagged every 5 ft. All cables are tagged at their terminations with a unique identifying number (cable number), in addition to the marking characteristics shown below.

All conduit is similarly tagged with a unique conduit number, in addition to the marking characteristics shown below, at 25 ft intervals, at discontinuities, at pull boxes, at points of entrance and exit of rooms and at origin and destination of equipment. Conduits containing cables operating at above 600V (i.e., 6.9kV) are also tagged to indicate the operating voltage.

All cable trays are marked with their proper raceway identification at 15 ft intervals on straight sections, at turning points and at points of entry and exit [remainder illegible].

To help distinguish the neutron-monitoring and scram solenoid cables from other type cables, the following unique voltage class designations are used in the cable routing program:

Type of Special Cables / Unique Voltage Class
Neutron monitoring / VN
Scram solenoid cables / VS

Neutron monitoring cables are run in their own divisional conduits and cable trays, separately from all other power, instrumentation and control cables. Scram solenoid cables are run in a separate conduit for each rod scram group. In addition, the cables of the rod control and information system in the hydraulic control unit (HCU) are also placed in separate conduits and cable trays.

The redundant Class 1E equipment and circuits, assigned to redundant Class 1E divisions, and non-Class 1E system equipment and circuits are readily distinguishable from each other without the necessity for consulting reference materials. This is accomplished by color coding of equipment, nameplates, cables and raceways, as described above.

8.3.1.3.2 Instrumentation and Control Systems

Major electrical and control equipment, assemblies, devices, and cables grouped into separate divisions per Table 8.3-1 shall be identified so that their electrical divisional assignment is apparent and so that an observer can visually differentiate between Class 1E (or 1E-associated) equipment and wiring of different divisions, and between Class 1E and non-Class 1E (or between 1E-associated and non-Class 1E) equipment and wires. The identification method shall be based on color coding. All markers within a division shall have the same color. For associated cables treated as Class 1E, there shall be an A appended to the divisional designation (e.g., A1). The letter A stands for associated and ND for nondivisional. Associated cables are uniquely identified by a longitudinal stripe and/or the data on the label. The color of the cable marker for associated cables shall be the same as the related Class 1E cable. Divisional separation requirements of individual pieces of hardware are shown in the system elementary diagrams. Identification of raceways, cables, etc., shall be compatible with the identification of the Class 1E equipment with which it interfaces. Location of identification shall be such that points of change of circuit classification (at isolation devices, etc.) are readily identifiable.

8.3.1.3.2.1 Identification

(1) Panels and racks

Panels and racks associated with the nuclear safety related systems shall be labeled with marker plates which are conspicuously different from those for other similar panels. The difference may be in color, shape, or

8.3-12 Amendment 2


color of engraving fill. The marker plates shall include identification of the proper division of the equipment included.

(2) Junction or pull boxes

Junction and/or pull boxes enclosing wiring for the nuclear safety related systems shall have identification similar to and compatible with the panels and racks.

(3) Cables

Cables external to cabinets and/or panels for the nuclear safety related systems shall be marked to distinguish them from other cables and identify their separate division as applicable. This identification requirement does not apply to individual conductors.

(4) Raceways

Those trays or conduits which carry nuclear safety related divisional wiring shall be identified at room entrance points through which they pass (and exit points unless the room is small enough to facilitate convenient following of cable) with a permanent marker identifying their assigned division.

(5) Sensory equipment grouping and designation letters

Redundant sensory logic/control and actuation equipment for safety related systems shall be identified by suffix letters.

8.3.1.4 Independence of Redundant Systems

8.3.1.4.1 Power Systems

The Class 1E onsite electric power systems and major components of the separate power divisions are shown on Figure 8.3-1.

Independence of the electric equipment and raceway systems between the different divisions is maintained primarily by firewall type separation where feasible and by spatial separation, in accordance with criteria given in Subsection 8.3.1.4.2, where firewalls are not feasible. Where spatial separation cannot be maintained in hazardous areas (e.g., potential missile areas), physical isolation between electrical equipment of different divisions is achieved by use of a 6 inch minimum thickness reinforced concrete barrier.

The physical independence of electric power systems complies with the requirements of IEEE Standards 279, 308, 379, 384, General Design Criteria 17, 18 and 21 and NRC Regulatory Guides 1.6 and 1.75.

8.3.1.4.1.1 Class 1E Electric Equipment Arrangement

(1) Class 1E electric equipment and wiring is segregated into separate divisions so that no single credible event is capable of disabling enough equipment to hinder reactor shutdown, removal of decay heat from the core, or isolation of the containment in the event of an accident. Separation requirements are applied to control power and motive power for all systems involved.

(2) Equipment arrangement and/or protective barriers are provided such that no locally generated force or missile can destroy any redundant RPS, NSSS, ECCS, or ESF functions. In addition, arrangement and/or separation barriers are provided to ensure that such disturbances do not affect both HPCF and RCIC systems.

(3) Routing of wiring/cabling is arranged such as to eliminate, insofar as practical, all potential for fire damage to cables and to separate the redundant divisions so that fire in one division will not propagate to another division.

(4) An independent raceway system is provided for each division of the Class 1E electric system. The raceways are arranged, physically, top to bottom, as follows (based on the function and the voltage class of the cables):

(a) V4 = Medium voltage power, 6.9kV (8kV insulation class).

8.3-13 Amendment 2


*Section 8.3.1.4.2.3.1 has been revised as follows:

"8.3.1.4.2.3.1 Reactor Protection (Trip) System (RPS)

The following separation requirements apply to the RPS wiring:

(1) RPS sensors, sensor input circuit wiring, trip channels and trip logic equipment will be arranged in four functionally independent and divisionally separate groups designated Divisions I, II, III and IV. The trip channel wiring associated with the sensor input signals for each of the four divisions provides inputs to divisional logic cabinets which are in the same divisional group as the sensors and trip channels and which are functionally independent and physically separated from the logic cabinets of the redundant divisions.

-(2) Where trip channel data originating from sensors of one division are required for coincident trip logic circuits in other divisions, Class 1E isolation devices will be used as interface elements for signals sent from one division to another such as to maintain electrical isolation between divisions.

(3) Sensor wiring for several trip variables associated with the trip channels of one division may be run together in the same conduits or in the same raceways of that same and only division. Sensor wiring associated with one division will not be routed with, or in close proximity to, any wiring or cabling associated with a redundant division.

(4) The scram solenoid circuits, from the actuation devices to the solenoids of the scram pilot valves of the CRD hydraulic control units, will be run in grounded steel conduits, with no other wiring contained within the conduits, so that each scram group is protected against a hot short to any other wiring by a grounded enclosure. Short sections (less than one meter) of flexible metallic conduit will be permitted for making connections within panels and the connections to the solenoids.

(5) Separate grounded steel conduits will be provided for the scram solenoid wiring for each of four scram groups. Separate grounded steel conduits will also be provided for both the A solenoid wiring circuits and for the B solenoid wiring circuits of the same scram group.

(6) The scram group conduits will have unique identification and will be treated essentially as if they are separate enclosed raceways. The conduits containing the scram solenoid group circuit wiring will be physically separated by a minimum separation distance of one inch from either metal enclosed raceways or non-enclosed raceways which contain either divisional or "non divisional" (non-safety-related) circuits.

(7) Any scram group conduit may be routed alongside of any cable or raceway containing either safety-related circuits (of any division), or any cable or raceway containing non-safety related circuits, as long as the conduit itself is not within the boundary of any raceway which contains either the divisional or the non-safety-related circuits and is physically separated from such cables and raceway boundaries by a minimum separation distance of one inch. Any one scram group conduit may also be routed along with scram group conduits of the same scram group or with conduits of any of the three other scram groups as long as the minimum separation distance of one inch (2.5 cm.) is maintained.

(8) The standby liquid control system redundant Class 1E controls will be run as Division I and Division II so that no failure of standby liquid control (SLC) function will result from a single electrical failure in a RPS circuit.

(9) The startup range neutron monitoring (SRNM) subsystem cabling of the NMS and the rod control and information system (RC&IS) cabling under the vessel is treated as divisional. The SRNM cables will be assigned to Divisions I, II, III and IV, and the RC&IS cables to Divisions I and II. Under the vessel, cables will not be placed in any enclosure which will unduly restrict capability of removing probe connectors for maintenance purposes.
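The raceway rules of Section 8.3.1.3.1 (neutron monitoring cables run separately, scram solenoid cables in a separate conduit per scram group, the A suffix for associated cables) and items (3) through (7) of the revised Section 8.3.1.4.2.3.1 above can be expressed as a checker over a cable routing list, which is how a cable routing program would enforce them. The following is an added example and is not GE's cable routing program or any text of the SSAR. It uses the page's VS and VN voltage classes and the A-suffix convention for associated cables; the other voltage classes (V2, V3), the SG1..SG4 designation for scram group wiring, the cable numbers, raceway identifiers and clearance figures are constructed sample data (assumptions), and it reads the general separation rule as "a raceway carries wiring of at most one divisional assignment".

```python
"""Checker for the scram-solenoid and divisional raceway separation rules.

Added example, not GE's cable routing program and not SSAR text. Cable
numbers, raceway identifiers, the V2/V3 voltage classes, the SG1..SG4
scram group designations and the clearance figures are constructed
sample data (assumptions).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_SCRAM_CLEARANCE_IN = 1.0   # items (6) and (7): one inch (2.5 cm)


@dataclass(frozen=True)
class Cable:
    number: str
    division: str                      # "1".."4" Class 1E, "A1".."A4" associated, "ND", or "SG1".."SG4" (assumed)
    vclass: str                        # routing-program voltage class: "VS" scram solenoid, "VN" neutron monitoring, ...
    scram_group: Optional[int] = None  # 1..4, VS cables only
    solenoid: Optional[str] = None     # "A" or "B", VS cables only


@dataclass
class Raceway:
    ident: str
    kind: str                          # "conduit" or "tray"
    cables: List[Cable] = field(default_factory=list)
    grounded_steel: bool = False       # required for scram solenoid conduits, item (4)


def effective_division(cable: Cable) -> str:
    """Associated cables (A-prefixed, e.g. A1) are treated as the related Class 1E division."""
    return cable.division[1:] if cable.division.startswith("A") else cable.division


def is_scram_conduit(rw: Raceway) -> bool:
    return any(c.vclass == "VS" for c in rw.cables)


def check_raceway(rw: Raceway) -> List[str]:
    """Rules that can be checked from a raceway's contents alone."""
    problems: List[str] = []
    divisions = {effective_division(c) for c in rw.cables}
    if len(divisions) > 1:                            # item (3): never route with a redundant division
        problems.append(f"{rw.ident}: mixes divisional assignments {sorted(divisions)}")
    vn = [c for c in rw.cables if c.vclass == "VN"]
    if vn and len(vn) != len(rw.cables):              # 8.3.1.3.1: VN cables run separately from all others
        problems.append(f"{rw.ident}: neutron monitoring cables share a raceway with other cables")
    vs = [c for c in rw.cables if c.vclass == "VS"]
    if vs:
        if rw.kind != "conduit" or not rw.grounded_steel:      # item (4)
            problems.append(f"{rw.ident}: scram solenoid wiring not in a grounded steel conduit")
        if len(vs) != len(rw.cables):                          # item (4): no other wiring in the conduit
            problems.append(f"{rw.ident}: scram conduit contains non-scram wiring")
        if len({(c.scram_group, c.solenoid) for c in vs}) > 1:  # item (5): one group, one solenoid per conduit
            problems.append(f"{rw.ident}: scram conduit mixes scram groups or A/B solenoid circuits")
    return problems


Adjacency = Tuple[str, str, float]   # (raceway, raceway, clearance in inches; 0.0 = one inside the other)


def check_layout(raceways: List[Raceway], adjacencies: List[Adjacency]) -> List[str]:
    """Content rules plus the one-inch clearance around every scram conduit, items (6) and (7)."""
    by_id = {rw.ident: rw for rw in raceways}
    problems = [p for rw in raceways for p in check_raceway(rw)]
    for a, b, inches in adjacencies:
        if (is_scram_conduit(by_id[a]) or is_scram_conduit(by_id[b])) and inches < MIN_SCRAM_CLEARANCE_IN:
            problems.append(f"{a}/{b}: scram conduit clearance {inches} in is below {MIN_SCRAM_CLEARANCE_IN} in")
    return problems


def compliant_layout() -> Tuple[List[Raceway], List[Adjacency]]:
    """Constructed layout that follows every rule."""
    raceways = [
        Raceway("C-RPS-SG1A", "conduit", [Cable("RPS-101", "SG1", "VS", 1, "A")], grounded_steel=True),
        Raceway("C-RPS-SG1B", "conduit", [Cable("RPS-102", "SG1", "VS", 1, "B")], grounded_steel=True),
        Raceway("C-RPS-SG2A", "conduit", [Cable("RPS-201", "SG2", "VS", 2, "A")], grounded_steel=True),
        Raceway("T-DIV1-CTRL", "tray", [Cable("HPCF-301", "1", "V2"), Cable("HPCF-302", "A1", "V2")]),
        Raceway("C-NMS-DIV2", "conduit", [Cable("NMS-401", "2", "VN")]),
        Raceway("T-ND-1", "tray", [Cable("BOP-501", "ND", "V3")]),
    ]
    adjacencies = [("C-RPS-SG1A", "C-RPS-SG1B", 1.0), ("C-RPS-SG1A", "C-RPS-SG2A", 1.0),
                   ("C-RPS-SG1A", "T-DIV1-CTRL", 2.0), ("C-RPS-SG1B", "T-ND-1", 1.5)]
    return raceways, adjacencies


def noncompliant_layout() -> Tuple[List[Raceway], List[Adjacency]]:
    """Constructed layout with three violations: A and B solenoid circuits of scram group 1
    in one conduit, a tray mixing Divisions 1 and 2, and that conduit run inside the tray."""
    raceways = [
        Raceway("C-RPS-SG1", "conduit",
                [Cable("RPS-101", "SG1", "VS", 1, "A"), Cable("RPS-102", "SG1", "VS", 1, "B")],
                grounded_steel=True),
        Raceway("T-MIX", "tray", [Cable("HPCF-301", "1", "V2"), Cable("RHR-601", "2", "V2")]),
    ]
    return raceways, [("C-RPS-SG1", "T-MIX", 0.0)]


if __name__ == "__main__":
    for name, layout in (("compliant", compliant_layout()), ("noncompliant", noncompliant_layout())):
        print(name, check_layout(*layout) or "no violations")
```

The clearance check applies to every adjacency involving a scram conduit, including one to another scram group conduit, which is how item (7) reads; a conduit routed inside a tray's boundary is recorded as zero clearance and so fails the same test as a conduit run too close beside it.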
