NRC Generic Letter 1989-19
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

September 20, 1989

TO: ALL LICENSEES OF OPERATING REACTORS, APPLICANTS FOR OPERATING LICENSES AND HOLDERS OF CONSTRUCTION PERMITS FOR LIGHT WATER REACTOR NUCLEAR POWER PLANTS

SUBJECT: REQUEST FOR ACTION RELATED TO RESOLUTION OF UNRESOLVED SAFETY ISSUE A-47, "SAFETY IMPLICATION OF CONTROL SYSTEMS IN LWR NUCLEAR POWER PLANTS" PURSUANT TO 10 CFR 50.54(f) - GENERIC LETTER 89-19

As a result of the technical resolution of USI A-47, "Safety Implications of Control Systems in LWR Nuclear Power Plants," the NRC has concluded that protection should be provided for certain control system failures and that selected emergency procedures should be modified to assure that plant transients resulting from control system failures do not compromise public safety.

The NRC has provided to all utility and reactor vendor executives copies of NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants" and NUREG-1218, "Regulatory Analysis for Resolution of USI A-47." These reports are identified as items 1 and 2 in Enclosure 1. These reports summarize the results of the analyses conducted for USI A-47. During the A-47 review a number of different designs for reactor vessel and steam generator overfill protection were evaluated. Plant specific features such as power supply interdependence, sharing of sensors between control and trip logic, operator training, and designs for indication and alarms available to the operator were considered in developing risk estimates associated with failures of the feedwater trip system. The results of NRC's studies of the A-47 issue, including the analysis for other events evaluated, such as overheat and overcool events, are provided for information. It is expected that each licensee and applicant will review the information for applicability to its facility. The results of the analyses and the technical bases for the NRC conclusions are documented in the references listed in Enclosure 1.

The staff has concluded that all PWR plants should provide automatic steam generator overfill protection, all BWR plants should provide automatic reactor vessel overfill protection, and that plant procedures and technical specifications for all plants should include provisions to verify periodically the operability of the overfill protection and to assure that automatic overfill protection is available to mitigate main feedwater overfeed events during reactor power operation. Also, the system design and setpoints should be selected with the objective of minimizing inadvertent trips of the main feedwater system during plant startup, normal operation, and protection system surveillance. The Technical Specifications recommendations are consistent with the criteria and the risk considerations of the Commission Interim Policy Statement on Technical Specification Improvement. In addition, the staff recommends that all BWR recipients reassess and modify, if needed, their operating procedures and operator training to assure that the operators can mitigate reactor vessel overfill events that may occur via the condensate booster pumps during reduced system pressure operation. Enclosure 2 (Sections 1 through 4, a and b) describes the requested action for the different NSSS designs. Enclosure 2 outlines a number of designs that satisfy the objectives for overfill protection and provides guidance for an acceptable design. The staff believes that a significant number of plants already provide satisfactory designs for overfill protection; many plants also have technical specifications dealing with overfill protection system surveillance which were previously approved by the staff.

The staff also concluded that certain Babcock and Wilcox plants should provide either automatic initiation of auxiliary feedwater on low steam generator level or another acceptable design to prevent steam generator dryout on a loss of power to the control system. Most B&W plants have already incorporated automatic initiation circuits for this purpose. Enclosure 2, Section 3c, identifies the plants that have not, and describes the requested action.

The staff also concluded that certain Combustion Engineering plants should reassess their emergency procedures and operator training to assure safe shutdown of the plants during any postulated small break loss of coolant accident. Enclosure 2, Section 4c, identifies these plants and describes the requested action.

On the basis of the technical studies the staff requests that the recommendations in Enclosure 2 be implemented by all LWR plants to enhance safety. These recommendations result from the staff interpretation of General Design Criteria 13, 20, and 33, identified in 10 CFR 50, Appendix A.

The implementation schedule for actions on which commitments are made by licensees or applicants in response to this letter should be prior to start-up after the first refueling outage, beginning nine (9) months following receipt of the letter.

In order to determine whether any license or construction permit for facilities covered by this request should be modified, suspended or revoked, we require, pursuant to Section 182 of the Atomic Energy Act and 10 CFR 50.54(f), that you provide the NRC, within 180 days of the date of this letter, a statement as to whether you will implement the recommendations in Enclosure 2 and, if so, that you provide a schedule for implementation of the items in Enclosure 2 and the basis for the schedule. If you do not plan to implement these recommendations, provide appropriate justification. This information shall be submitted to the NRC, signed under oath and affirmation. The licensee should retain supporting documentation consistent with the records retention program for their facility.

With regard to the recommendations in Enclosure 2 that specify modification to plant procedures and Technical Specifications, the intent is that the appropriate plant procedures be modified in the short-term to provide periodic verification and testing of the overfill protection system. As part of future upgrades to Technical Specifications, licensees should consider including appropriate limiting conditions of operation and surveillance requirements in future Technical Specification improvements.


This request is covered by Office of Management and Budget Clearance Number 3150-0011 which expires December 31, 1989. The estimated average burden hours is 240 person hours per licensee response, including assessment of the new recommendations, searching data sources, gathering and analyzing the data, and the required reports. These estimated average burden hours pertain only to these identified response-related matters and do not include the time for actual implementation of the requested actions. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Record and Reports Management Branch, Division of Information Support Services, Office of Information Resources Management, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555; and to the Paperwork Reduction Project (3150-0011), Office of Management and Budget, Washington, D.C. 20503.

If you have any questions on this matter, please contact your project manager.

Sincerely,

James G. Partlow
Associate Director for Projects
Office of Nuclear Reactor Regulation

Enclosures:
1. Enclosure 1, List of References
2. Enclosure 2, Control System Design and Procedural Modification for Resolution of USI A-47
3. Enclosure 3, List of Recently Issued NRC Generic Letters

Enclosure 1
REFERENCE LIST OF SIGNIFICANT INFORMATION RELATED TO RESOLUTION OF USI A-47

1. NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants" - Technical Findings Related to USI A-47.
2. NUREG-1218, "Regulatory Analysis for Resolution of USI A-47."
3. NUREG/CR-4285, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Westinghouse PWR."
4. NUREG/CR-4386, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor."
5. NUREG/CR-4387, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a General Electric Boiling Water Reactor."
6. NUREG/CR-3958, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor."
7. NUREG/CR-4326, "Effects of Control System Failures on Transients and Accidents at a 3 Loop Westinghouse Pressurized Water Reactor." Vol. 1 and 2.
8. NUREG/CR-4047, "An Assessment of the Safety Implications of Control at the Oconee 1 Nuclear Plant - Final Report."
9. NUREG/CR-4262, "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor." Vol. 1 and 2.
10. NUREG/CR-4265, "An Assessment of the Safety Implications of Control at the Calvert Cliffs-1 Nuclear Plant." Vol. 1 and 2.
11. Letter Report ORNL/NRC/LTR-86/19, "Generic Extensions to Plant Specific Findings of the Safety Implications of Control Systems Program."
Enclosure 2
CONTROL SYSTEM DESIGN AND PROCEDURAL MODIFICATION FOR RESOLUTION OF USI A-47

As part of the resolution of USI A-47, "Safety Implications of Control Systems," the staff investigated control system failures that have occurred, or are postulated to occur, in nuclear power plants. The staff concluded that plant transients resulting from control system failures can be mitigated by the operator, provided that the control system failures do not also compromise operation of the minimum number of protection system channels required to trip the reactor and initiate safety systems. A number of plant-specific designs have been identified, however, that should provide additional protection from transients leading to reactor vessel or steam generator overfill or reactor core overheating.

Reactor vessel or steam generator overfill can affect the safety of the plant in several ways. The more severe scenarios could potentially lead to a steamline break and a steam generator tube rupture. The basis for this concern is the following: (1) the increased dead weight and potential seismic loads placed on the main steamline and its supports should the main steamline be flooded; (2) the loads placed on the main steamlines as a result of the potential for rapid collapse of steam voids resulting in water hammer; (3) the potential for secondary safety valves sticking open following discharge of water or two-phase flow; (4) the potential inoperability of the main steamline isolation valves (MSIVs), main turbine stop or bypass valves, feedwater turbine valves, or atmospheric dump valves from the effects of water or two-phase flow; and (5) the potential for rupture of weakened tubes in the once-through steam generator on B&W nuclear steam supply system (NSSS) plants due to tensile loads caused by the rapid thermal shrinkage of the tubes relative to the generator shell. These concerns have not been addressed in a number of plant designs, because overfill transients normally have not been analyzed.

To minimize some of the consequences of overfill, early plant designs provided commercial-grade protection for tripping the turbine or relied on operator action to control water level manually in the event the normal-water-level control system failed. Later designs, including the most recent designs, provide overfill protection which automatically stops main feedwater flow on vessel high-water-level signals. These designs provide various degrees of coincident logic and redundancy to initiate feedwater isolation and to ensure that a single failure would not inhibit isolation. A large number of plants provide safety-grade designs for this protection.

On the basis of the technical studies conducted by the staff and its contractors, the staff recommends that certain actions should be taken by some plants to enhance plant safety. These actions are described in the material that follows, and include design and procedural modifications to ensure that (1) all plants provide overfill protection, (2) all plants provide plant procedures and technical specifications for periodic surveillance of the overfill protection, (3) certain Babcock and Wilcox plants provide an acceptable design to prevent steam generator dryout on a loss of power to the control system, and (4) certain Combustion Engineering plants reassess their emergency procedures and operator training to ensure safe shutdown during any postulated small break loss of coolant accident. With regard to the recommendations that specify modification to plant procedures and Technical Specifications, the intent is that the appropriate plant procedures be modified in the short-term to provide periodic verification and testing of the overfill protection system. As part of future upgrades to Technical Specifications, licensees should consider including appropriate limiting conditions of operation and surveillance requirements in future Technical Specification improvements.

(1) GE Boiling-Water-Reactor Plants

(a) It is recommended that all GE boiling-water-reactor (BWR) plant designs provide automatic reactor vessel overfill protection to mitigate main feedwater (MFW) overfeed events. The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a reactor high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

It is recommended that plant designs with no automatic reactor vessel overfill protection be upgraded by providing a commercial-grade (or better) MFW isolation system actuated from at least a 1-out-of-1 reactor vessel high-water-level system, or justify the design on some defined basis. In addition, it is recommended that all plants reassess their operating procedures and operator training and modify them, if necessary, to ensure that the operators can mitigate reactor vessel overfill events that may occur via the condensate booster pumps during reduced pressure operation of the system.

(b) It is recommended that plant procedures and technical specifications for all BWR plants with main feedwater overfill protection include provisions to verify periodically the operability of overfill protection and ensure that automatic overfill protection to mitigate main feedwater overfeed events is operable during power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate limiting conditions for operation (LCOs). These technical specifications should be commensurate with the requirements of existing plant technical specifications for channels that initiate protective actions. Previously approved technical specifications for surveillance intervals and limiting conditions for operation (LCOs) for overfill protection are considered acceptable.
 
Designs for Overfill Protection

Several different designs for overfill protection have already been incorporated into a large number of operating plants. The following discussion identifies the different groups of plant designs and provides guidance for acceptable designs.

Group I: Plants that have a safety-grade or a commercial-grade overfill protection system initiated on a reactor vessel high-water-level signal based on a 2-out-of-3 or a 1-out-of-2 taken twice (or equivalent) initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

The staff concludes that this design is acceptable, provided that (1) the overfill protection system is separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems and (2) the plant procedures and technical specifications include requirements to periodically verify operability of this system. Licensees of plants that already have these design features that have been previously approved by the staff should state this in their response.

Group II: Plants that have safety-grade or commercial-grade overfill-protection systems initiated on a reactor vessel high-water-level signal based on a 1-out-of-1, 1-out-of-2, or a 2-out-of-2 initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

The staff concludes that these designs are acceptable provided conditions (1) and (2) stated for Group I are met. Licensees of plants that already have these design features that have been previously approved by the staff should state this in their response. Plant designs with a 1-out-of-1 or a 1-out-of-2 trip logic for overfill protection should provide bypass capabilities to prevent feedwater trips during channel functional testing when at power operation.

Group III: Plants without automatic overfill protection.

It is recommended that the licensee have a design to prevent reactor vessel overfill and justify the adequacy of the design. The justification should include verification that the overfill protection system is separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes. The staff review identified three plants, i.e., Big Rock, LaCrosse (permanently shutdown), and Oyster Creek, that fall into this group. If any of these plants wish to justify not including overfill protection, part of the requested justification should demonstrate that the risk reduction in implementing an automatic overfill protection system is significantly less than the staff's generic estimates of risk reduction. In determining the risk reduction, specific factors such as low plant power and population density should be considered. Other applicable factors that are plant unique should also be addressed.
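The groups above are distinguished by their initiating logic, and the letter's request that 1-out-of-1 and 1-out-of-2 designs provide test bypasses follows from how those schemes respond to a single channel failure. The following Python script is an added illustration, not part of the NRC letter or its enclosures: it models each coincidence scheme named in this enclosure (including the 2-out-of-4 logic that appears in the Westinghouse and B&W sections later) as a vote over boolean channel states and checks two single-channel failures: one channel stuck low during a real high-level event, and one channel failed high (or forced high by a channel functional test) at normal level. The channel counts per scheme, the two scenarios and all helper names are assumptions made for this example.

```python
"""Coincidence (voting) logic for a high-water-level feedwater trip.

Added illustration; not part of Generic Letter 89-19 or its enclosures.
Channel counts per scheme, the two failure scenarios and all helper names
are assumptions made for this example.  A channel is a bool:
True = the channel indicates high level (a trip demand), False = normal.
"""
from typing import Callable, Dict, List, Tuple

Vote = Callable[[List[bool]], bool]


def m_out_of_n(m: int) -> Vote:
    """Build a voter that trips when at least m supplied channels demand a trip."""
    def vote(channels: List[bool]) -> bool:
        return sum(channels) >= m
    return vote


def one_out_of_two_taken_twice(channels: List[bool]) -> bool:
    """Four channels in two pairs (A1, A2) and (B1, B2): a trip needs one
    demand from pair A AND one demand from pair B."""
    a1, a2, b1, b2 = channels
    return (a1 or a2) and (b1 or b2)


# Logic schemes named in the letter -> (voter, number of channels it uses).
SCHEMES: Dict[str, Tuple[Vote, int]] = {
    "1-out-of-1": (m_out_of_n(1), 1),
    "1-out-of-2": (m_out_of_n(1), 2),
    "2-out-of-2": (m_out_of_n(2), 2),
    "2-out-of-3": (m_out_of_n(2), 3),
    "2-out-of-4": (m_out_of_n(2), 4),
    "1-out-of-2 taken twice": (one_out_of_two_taken_twice, 4),
}


def single_failure_survey(name: str) -> Dict[str, bool]:
    """Check a scheme against the two single-channel failures that matter.

    stuck low  : a real high-level event is present but one channel fails to
                 detect it.  The trip must still occur whichever channel failed.
    failed high: level is normal but one channel reads high (a failed channel,
                 or one forced high by a functional test).  No trip should occur.
    """
    vote, n = SCHEMES[name]
    trips_with_one_stuck_low = all(
        vote([i != failed for i in range(n)]) for failed in range(n)
    )
    no_spurious_trip = all(
        not vote([i == failed for i in range(n)]) for failed in range(n)
    )
    return {
        "trips_with_one_stuck_low": trips_with_one_stuck_low,
        "no_spurious_trip_with_one_failed_high": no_spurious_trip,
    }


def tolerates_single_failure(name: str) -> bool:
    """True when the scheme neither loses the trip nor trips spuriously for
    any single channel failure (the single-failure criterion)."""
    return all(single_failure_survey(name).values())


def trips_during_channel_test(name: str, bypass_under_test: bool) -> bool:
    """Channel 0 is forced high by a channel functional test at normal level.
    With a test bypass the channel under test is held to 'no demand' inside
    the logic; without one, a 1-out-of-N scheme trips the feedwater pumps."""
    vote, n = SCHEMES[name]
    channels = [i == 0 for i in range(n)]
    if bypass_under_test:
        channels[0] = False
    return vote(channels)


if __name__ == "__main__":
    print(f"{'scheme':24} {'trip w/ 1 stuck low':>20} {'no spurious trip':>17}")
    for scheme in SCHEMES:
        r = single_failure_survey(scheme)
        print(f"{scheme:24} {str(r['trips_with_one_stuck_low']):>20} "
              f"{str(r['no_spurious_trip_with_one_failed_high']):>17}")
```

Run stand-alone, the table shows that only 2-out-of-3, 2-out-of-4 and 1-out-of-2 taken twice pass both checks: 1-out-of-1 and 2-out-of-2 lose the trip when one channel sticks low, while 1-out-of-1 and 1-out-of-2 trip spuriously when one channel is failed or forced high, which is the at-power testing problem the bypass requirement addresses.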
 
(2) Westinghouse-Designed PWR Plants

(a) It is recommended that all Westinghouse plant designs provide automatic steam generator overfill protection to mitigate MFW overfeed events. The design for the overfill protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a reactor high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in the feedwater pump trip, are considered acceptable failure modes.

(b) It is recommended that plant procedures and technical specifications for all Westinghouse plants include provisions to periodically verify the operability of the MFW overfill protection and ensure that the automatic overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate LCOs. These technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protective actions. Plants that have previously approved technical specifications for surveillance intervals for overfill protection are considered acceptable.

Designs for Overfill Protection

Several different designs for overfill-protection are already provided in most operating plants. The following discussion identifies the different groups of plant designs and provides guidance for acceptable designs.

Group I: Plants that have an overfill-protection system initiated on a steam generator high-water-level signal based on a 2-out-of-4 initiating logic which is safety grade, or a 2-out-of-3 initiating logic which is safety grade but uses one out of the three channels for both control and protection. The system isolates MFW by closing the MFW isolation valves and tripping the MFW pumps.

The staff concludes that the design is acceptable, provided that (1) the overfill protection system is sufficiently separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems, and (2) the plant procedures and technical specifications include requirements to periodically verify operability of this system.

Group II: Plants with a safety-grade or a commercial-grade overfill protection system initiated on a steam generator high-water-level signal based on either a 1-out-of-1, 1-out-of-2, or 2-out-of-2 initiating logic. The system isolates MFW by closing the MFW control valves.


The staff finds that only one early plant (i.e., Haddam Neck) falls into this group; therefore, a risk assessment was not conducted. Considering the successful operating history of the plant regarding overfill transients (i.e., no overfill events have been reported), this design may be found acceptable, provided that (1) justification for the adequacy of the design on a plant-specific basis is included and (2) plant procedures and technical specifications are modified to include requirements to periodically verify operability of this system. As part of the justification, it is requested that the licensee include verification that the overfill-protection system is separate from the feedwater-control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater-control system, but would still cause a feedwater pump trip, are considered acceptable failure modes.

Group III: Plants without automatic overfill protection.

It is recommended that the licensee have a design to prevent steam generator overfill and justify the adequacy of the design. The justification should include verification that the overfill-protection system is separated from the feedwater-control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater-control system, but would still result in a feedwater pump trip, are considered acceptable failure modes. The staff's review identified two plants, i.e., Yankee Rowe and San Onofre 1, that fall into this category. If either of these plants wish to justify not including overfill protection, part of the requested justification should demonstrate that the risk reduction in implementing an automatic overfill protection system is significantly less than the staff's generic estimates of risk reduction. In determining the risk reduction, specific factors such as low plant power and population density should be considered. Other applicable factors that are plant unique should also be addressed.

(3) Babcock and Wilcox-Designed PWR Plants*

(a) It is recommended that all Babcock and Wilcox plant designs have automatic steam generator overfill protection to mitigate MFW overfeed events.

* On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. This event occurred as a result of loss of power to the integrated control system (ICS). Subsequently, the B&W Owners Group initiated a study to reassess all B&W plant designs including, but not limited to, the ICS and support systems such as power supplies and maintenance. As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated, and the results were factored into the A-47 requirements. However, other recommended actions for design modifications, maintenance, and any changes to operating procedures (if any) developed for the utilities by the B&W Owners Group are being resolved separately.


===Enclosures:===
-6 -The design for the overfill-protection system should be sufficientlyseparate from the MFW control system to ensure that the MFW pump will tripon a steam generator high-water-level signal (or other equivalent signals)when required, even if a loss of power, a loss of ventilation, or a firein the control portion of the main feedwater control system should occur.Common failure modes that could disable overfill protection and thefeedwater-control system, but would still result in a feedwater pump trip,are considered acceptable failure modes.It is recommended that plants that are similar to the reference plantdesign (i.e., Oconee Units 1, 2, and 3) have a steam generator high-water-level feedwater-isolation system that satisfies the single-failure criterion.An acceptable design would be to provide automatic MFW isolation by either(1) providing an additional system that terminates MFW flow by closing anisolation valve in the line to each steam generator (this system is to beindependent from the existing overfill protection which trips the mainfeedwater pumps on steam generator high-water level); (2) modifying theexisting overfill-protection system to preclude undetected failures in thetrip system and facilitate online testing; or (3) upgrading the existingoverfill-protection system to a 2-out-of-4 TFr equivalent) high-water-leveltrip system that satisfies the single-failure criterion.(b) It is recommended that plant procedures and technical specifications forall B&W plants include provisions to periodically verify the operabilityof overfill protection and ensure the automatic main feedwater overfillprotection is operable during reactor power operation. The instrumentatioreshould be demonstrated to be operable by the performance of a channelcheck, channel functional testing, and channel calibration, includingsetpoint verification. Technical specifications should include appropriateLCOs. 
These technical specifications should be commensurate with therequirements of existing technical specifications for channels thatinitiated protective actions.(c) It is recommended that ploivt designs with no automatic protection to preventsteam generator dryout upgrade their design and the appropriate technicalspecifications and provide an automatic protection system to prevent steamgenerator dryout on loss of power to the control system. Automaticinitiation of auxiliary feedwater on steam generator low-water level isconsidered an acceptable design. Other corrective actions identified inSection 4.3(4) of NUREG-1218 could also be taken to avoid a steam generatordryout scenario on loss of power to the control system. The staff believesthat only three B&W plants, i.e., Oconee 1, 2, and 3, do not have automaticauxiliary feedwater initiation on steam generator low water level).Designs for Overfill ProtectionSeveral different designs for overfill protection are already provided on mostoperating plants. The following discussion identifies the different groups ofplant designs and provides guidelines for acceptable designs.
1. Enclosure 1, List of References2. Enclosure 2, Control System Designand Procedural Modification forResolution of USI A-473. Enclosure 3, List of RecentlyIssued NRC Generic Letters Enclosure 1REFERENCELIST OF SIGNIFICANTINFORMATION RELATED TORESOLUTION OF USI A-471. NUREG-12172. NUREG-1218"Evaluation of Safety Impilcations of ControlSystems in LWR Nuclear Power Plants" -TechnicalFindings Related to USI A-47."Regulatory Analysis for Resolutionof USI A-47."3. NUREG/CR-42854. MUREG/CR-43865. NUREG/CR-4387"Effects of Control System Failures onTransients, Accidents and Core-Melt Frequenciesat a Westinghouse PWR.""Effects of Control System Failures onTransients, Accidents and Core-Melt Frequenciesat a Babcock and Wilcox Pressurized WaterReactor.""Effects of Control System Failures onTransients, Accidents and Core-Melt Frequenciesat a General Electric Boiling Water Reactor."6. NUREG/CR-39587. NUREG/CR-43268. NUREG/CR-40479. NUREG/CR-426210. NUREG/CR-426511. Letter ReportORNL/NRC/LTR-86/19"Effects of Control System Failures onTransients, Accidents and Core-Melt Frequenciesat a Combustion Engineering Pressurized WaterReactor.""Effects of Control System Failures on Transients andAccidents at a 3 Loop Westinghouse. PressurizedWater Reactor." Vol. 1 and 2."An Assessment of the Safety Implications of Controlat the Oconee 1 Nuclear Plant-Final Report.""Effects of Control System Failures on Transients ardAccidents At A General Electric Boiling Water Reactor.*Vol. 1 and 2."An Assessment of the Safety Implications of Controldt the Calvert Cliffs -1 Nuclear Plant" Vol. 1 and 2."Generic Extensions to Plant Specific Findings of theSafety Implications of Control Systems Program."


Enclosure 2CONTROL SYSTEM DESIGN AND PROCEDURAL MODIFICATIONFOR RESOLUTION OF USI A-47As part of the resolution of USI A-47, NSafety Implications of Control Systems,"the staff Investigated control system failures that have occurred, or arepostulated to occur, in nuclear power plants. The staff concluded that planttransients resulting from control system failures can be mitigated by theoperator, provided that the control system failures do not also compromiseoperation of the minimum number of protection system channels required to tripthe reactor and initiate safety systems. A number of plant-specific designshave been identified, however, that should provide additional protection fromtransients leading to reactor vessel or steam generator overfill or reactorcore overheating.Reactor vessel or steam generator overfill can affect the safety of the plantin several ways. The more severe scenarios could potentially lead to a steam-line break and a steam generator tube rupture. The basis for this concern isthe following: (1) the increased dead weight and potential seismic loads placedorn the main steamline and its supports should the main steamline be flooded;(2) the loads placed on the main steamlines as a result of the potential forrapid collapse of steam voids resulting in water hammer; (3) the potential forsecondary safety valves sticking open following discharge of water or two-phaseflow; (4) the potential inoperability of the main steamline isolation valves(MSIVs), main turbine stop or bypass valves, feedwater turbine valves, or at-mospheric dump valves from the effects of water or two-phase flow; and (5) thepotential for rupture of weakened tubes in the once-through steam generator onB&W nuclear steam supply system (NSSS) plants due to tensile loads caused bythe rapid thermal shrinkage of the tubes relative to the generator shell.These concerns have not been addressed in a number of plant designs, becauseoverfill transients normally have not been analyzed.To 
minimize some of the consequences of overfill, early plant designs providedcommercial-grade protection for tripping the turbine or relied on operatoraction to control water level manually in the event the normal-water-level con-trol system failed. Later designs, including the most recent designs, provideoverfill protection which automatically stops mian feedwater flow on vesselhigh-water-level signals. These designs provide various degrees of coincidentlogic and redundancy to initiate feedwater isolation and to ensure that asingle failure would not inhibit isolation. A large number of plants providesafety-grade designs for this protection.On the basis of the technical studies conducted by the staff and its contractors,the staff recommends that certain actions should be taken by some plants toenhance plant safety. These actions are described in the material that follows,and include design and procedural modifications to ensure that (1) all plantsprovide overfill protection, (2) all plants provide plant procedures and
-7 -Group I: Plants that provide a safety-grade overfill-protection system initi-ated-on a steam generator high-water-level signal based on either a 2-out-of-3or a 2-out-of-4 (or equivalent) initiating logic. The system isolates mainfeedwater (MFW) by (1) closing at least one MFW isolation valve in the MFW lineto each steam generator and (2) tripping the MFW pumps.The staff concludes that this design is acceptable, provided that (1) theoverfill protection system is sufficiently separated from the feedwater controlsystem so that it is not powered from the same power source, not located in thesame cabinet, and not routed so that a fire is likely to affect both systems(common-mode failures that could disable overfill protection and the feedwatercontrol system, but still result in a feedwater pump trip are consideredacceptable failure modes) and (2) the plant procedures and technical specifica-tions include requirements to periodically verify operability of this system.GroupI: Plants that have a commercial-grade overfill-protection system ini-tMate-don a steam generator high-water level based on coincident logic thatminimizes inadvertent initiation. The system isolates MFW by tripping theFEW pumps.This design may be found acceptable, provided that (1) the overfill-protectionsystem is sufficiently separate from the feedwater control system so that it isnot powered from the same power source, not located in the same cabinet, andnot routed so that a fire is likely to affect both systems and (2) the designmodifications are implemented per the guidelines identified in the secondparagraph of item (3)(a) above and that the plant procedures and technicalspecifications include requirements to periodically verify operability of thissystem. 
The technical specifications should be commensurate with existingplant technical specification requirements for channels that initiate protec-tion actions.It is also recommended that plant designs that provide a separate 1-out-of-i or al-out-of-2 trip logic to close the feedwater isolation valves for additionaloverfill protection provide bypass capabilities to prevent feedwater tripsduring channel functional testing when at power or during hot-standby opera-tion.(4) Combustion Engineering-Designed PWR Plants(a) It is recommended that all Combustion Engineering plants provide automatic,steam generator overfill protection to mitigate main feedwater (MFW) over-feed events. The design for the overfill-protection system should besufficiently separate from the MFW control system to ensure that the MFWpump will trip on a steam generator high-water-level signal when required,even if a loss of power, a loss of ventilation, or a fire in the controlportion of the MFW control system should occur. Common failure modes thatcould disable overfill protection and the feedwater control system, butwould still result in a feedwater pump trip, are considered acceptablefailure modes.
-2 -technical specifications for periodic surveillance of the overfill protection,(3) certain Babcock and Wilcox plants provide an acceptable design to preventsteam generator dryout on a loss of power to the control system, and (4) certainCombustion Engineering plants reassess their emergency procedures and operatortraining to ensure safe shutdown during any postulated small break loss ofcoolant accident. With regard to the recommendations that specify modificationto plant procedures and Technical Specifications, the intent is that theappropriate plant procedures be modified in the short-term to provide periodicverification and testing of the overfill protection system. As part of futureupgrades to Technical Specifications, licensees should consider includingappropriate limiting conditions of operation and surveillance requirements infuture Technical Specification improvements.(1) GE Boiling-Water-Reactor Plants(a) It is recormrended that all GE boiling-water-reactor (BWR) plant designsprovide automatic reactor vessel overfill protection to mitigate mainfeedwater (MFW) overfeed events. The design for the overfill-protectionsystem should be sufficiently separate from the MFW control system toensure that the VFW pump will trip on a reactor high-water-level signalwhen required, even if a loss of power, a loss of ventilation, or a firein the control portion of the MFW control system should occur. 
Common-mode failures that could disable overfill protection and the feedwatercontrol system, but would still result in a feedwater pump trip, areconsidered acceptable failure modes.It is recommended that plant designs with no automatic reactor vesseloverfill protection be upgraded by providing a commercial-grade (or better)MFW isolation system actuated from at least a 1-out-of-1 reactor vesselhigh-water-level system, or justify the design on some defined basis.In additionu it is recommended that all plants reassess their operatingprocedures and operator training and modify then, if necessary to ensurethat the operators can mitigate reactor vessel overfill events that mayoccur via the condensate booster pumps during reduced pressure operationof the system.(b) it is recommended that plant procedures and technical specifications forall BWR plants with main feedwater overfill protection include provisionsto verify periodically the operability of overfill protection and ensurethat automatic overfill protection to mitigate main feedwater overfeedevents is operable during power operation. The instrumentation should bedemonstrated to be operable by the performance of a channel check, channelfunctional testing, and channel calibration, including setpoint verification.The technical specifications should include appropriate limiting conditionsfor operation (LCOs). These technical specifications should be comensuratewith the requirements of existing plant technical specifications for channelsthat initiate protective actions. Previously approved technical specifica-tions for surveillance intervals and limiting conditions for operation(LCOs) for overfill protection are considered acceptabl Designs for Overfill ProtectionSeveral different designs for overfill protection have already been incorporatedinto a large number of operating plants. 
The following discussion Identifiesthe different groups of plant designs and provides guidance for acceptable designs.Group I: Plants that have a safety-grade or a commercial-grade overfill protec-tohn system initiated on a reactor vessel high-water-level signal based on a2-out-of-3 or a 1-out-of-2 taken twice (or equivalent) initiating logic. Thesystem isolates I4FW flow by tripping the feedwater pumps.The staff concludes that this design is acceptable, provided that (1) theoverfill protection system is separate from the control portion of the MFWcontrol system so that it is not powered from the same power source, notlocated in the same cabinet, and not routed so that a fire is likely to affectboth systems and (2) the plant procedures and technical specifications includerequirements to periodically verify operability of this system. Licensees ofplants that already have these design features that have been previouslyapproved by the staff should state this in their response.Group II: Plants that have safety-grade or commercial-grade overfill-protectionsystems initiated on a reactor vessel high-water-level signal based on a 1-out-of-i, 1-out-of-2, or a 2-out-of-2 initiating logic. The system isolates MFWflow by tripping the feedwater pumps.The staff concludes that these designs are acceptable provided conditions (1)arnd (2) stated for Group I are met. Licensees of plants that already havethese design features that have been previously approved by the staff shouldstate this irn their response. Plant designs with a 1-out-of-1 or a 1-out-of-2trip logic for overfill protection should provide bypass capabilities toprevent feedwater trips during channel functional testing when at poweroperation.Group III: Plants without automatic overfill protection.It is recommended that the licensee have a design to prevent reactor vesseloverfill and justify the adequacy of the design. 
The justification shouldinclude verification that the overfill protection system is separated from thefeedwater control system so that it is not powered from the same power source,not located in the same cabinet, and not routed so that a fire is likely toaffect both systems. Common-mode failures that could disable overfill pro-tection and the feedwater control system, but would still result in a feedwaterpump trip, are considered acceptable failure modes. The staff review identifiedthree plants; i.e., Big Rock, LaCrosse (permanently shutdown), and Oyster Creek;that fall into this group. If any of these plants wish to justify riot includingoverfill protection, part of the requested justification should demonstratethat the risk reduction in implementing an automatic overfill protection systemis significantly less that, the staff's generic estimates of risk reduction. Indetermining the risk reduction, specific factors such as low plant power andpopulation density should be considered. Other applicable factors that areplant unique should also be addresse (2) Westinghouse-Designed PWR Plants(a) It is recommended that all Westinghouse plant designs provide automaticsteam generator overfill protection to mitigate MFW overfeed events. Thedesign for the overfill protection system should be sufficiently separatefrom the MFW control system to ensure that the MFW pump will trip on areactor high-water-level signal when required, even if a loss of power, aloss of ventilation, or a fire in the control portion of the MFW controlsystem should occur. 
Common-mode failures that could disable overfillprotection and the feedwater control system, but would still result in thefeedwater pump trip, are considered acceptable failure modes.(b) It is recommended that plant procedures and technical specifications forall Westinghouse plants include provisions to periodically verify theoperability of the MFW overfill protection and ensure that the automaticoverfill protection is operable during reactor power operation. Theinstrumentation should be demonstrated to be operable by the performanceof a channel check, channel functional testing, and channel calibration,including setpoint verification. The technical specifications shouldinclude appropriate LCOs. These technical specifications should beconurmensurate with existing plant technical specification requirements forchannels that initidte protective actions. Plants that have previouslyapproved technical specifications fur surveillance intervals for overfillprotection are considered acceptable.Designs for Overfill ProtectionSeveral different designs for overfill-protection are already provided in mostoperating plants. The following discussion identifies the different groups ofplant designs and provides guidance for acceptable designs.Crcup I: PUnts that hdve an overfill-protection system initiated or a steamgenerator high-water-level signal based on a 2-out-of-4 initiating logic whichis safety grade, or a 2-out-of-3 initiating logic which is safety grade but usesone out of the three channels for both control and protection. 
The systemisolates MFW by closing the MFW isolation valves and tripping the MFW pumps.The staff concludes that the design is acceptable, provided that (1) theoverfill protection system is sufficiently separate from the control portion ofthe MFW control system so that it is not powered from the same power source,not located in the same cabinet, and not routed so that a fire is likely toaffect both systems, and (2) the plant procedures and technical specificationsinclude requirements to periodically verify operability of this system.Group II: Plants with a safety-grade or a conmnercial-grade overfill protectionsystem initiated on a steam generator high-water-level signal based on either al-out-of-l, l-out-of-2, or 2-out-of-2 initiating logic. The system isolates MFFWby closing the MFW control valve The staff finds that only one early plant (i.e., Haddam Neck) falls into thisgroup; therefore, a risk assessment was not conducted. Considering thesuccessful operating history of the plant regarding overfill transients (i.e.,no overfill events have been reported), this design may be found acceptable,provided that (1) justification for the adequacy of the design on a plant-specific basis is included and (2) plant procedures and technical specifica-tions are modified to include requirements to periodically verify operabilityof this system. As part of the justification, it is requested that the licenseeinclude verification that the overfill-protection system is separate from thefeedwater-control system so that it is not powered from the same power source,not located in the same cabinet, and not routed so that a fire is likely toaffect both systems. 
Comnon-mode failures that could disable overfill protec-tion and the feedwater-control system, but would still cause a feedwater pumptrip, are considered acceptable failure irodes.Group III: Plants without automatic overfill protection.It is recommended that the licensee have a design to prevent steam generatoroverfill and justify the adequacy of the design. The justification shouldinclude verification that the overfill-protection system is separated from thefeedwater-control system so that it is not powered from the same power source,not located in the safice cabinet, and not routed so that a fire is likely toaffect both systems. Comion-mode failures that could disable overfill pro-tection and the feedwater-control system, but would still result in a feedwaterpump trip, are considered acceptable failure modes. The staff's reviewidentified two plants; i.e., Yankee Rowe and Sari Onofre 1; that fall into thiscategory. If either of these plants wish to justify not including overfillprotection, part of the requested justification should demonstrate that therisk reduction in implementing an automatic overfill protection system issignificantly less than the staff's generic estimates of risk reduction. Indetermining the risk reduction, specific factors such as low plant power andpopulation density should be considered. Other applicable factors that areplant unique should also be addressed.(3) Babcock and Wilcox-Designed PWR Plants*(a) It is recommended that all Babcock and Wilcox plant designs have auto-matic steam generator overfill protection to mitigate MFW overfeed events.On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Gen-erating Station, Unit 1. This event occurred as a result of loss of power tothe integrated control system (ICS). Subsequently, the B&W Owners Group initi-ated a study to reassess all B&W plant designs including, but not limited to,the ICS and support systems such as power supplies and maintenance. 
As part ofthe USI A-47 review, failure scenarios resulting from a loss of power to controlsystems were evaluated; and the results were factored into the A-47 requirements.however, other recommended actions for design modifications, maintenance,and any changes to operating procedures (if any) developed for theutilities by the B&W owners group is being resolved separatel The design for the overfill-protection system should be sufficientlyseparate from the MFW control system to ensure that the MFW pump will tripon a steam generator high-water-level signal (or other equivalent signals)when required, even if a loss of power, a loss of ventilation, or a firein the control portion of the main feedwater control system should occur.Common failure modes that could disable overfill protection and thefeedwater-control system, but would still result in a feedwater pump trip,are considered acceptable failure modes.It is recommended that plants that are similar to the reference plantdesign (i.e., Oconee Units 1, 2, and 3) have a steam generator high-water-level feedwater-isolation system that satisfies the single-failure criterion.An acceptable design would be to provide automatic MFW isolation by either(1) providing an additional system that terminates MFW flow by closing anisolation valve in the line to each steam generator (this system is to beindependent from the existing overfill protection which trips the mainfeedwater pumps on steam generator high-water level); (2) modifying theexisting overfill-protection system to preclude undetected failures in thetrip system and facilitate online testing; or (3) upgrading the existingoverfill-protection system to a 2-out-of-4 TFr equivalent) high-water-leveltrip system that satisfies the single-failure criterion.(b) It is recommended that plant procedures and technical specifications forall B&W plants include provisions to periodically verify the operabilityof overfill protection and ensure the automatic main feedwater 
overfillprotection is operable during reactor power operation. The instrumentatioreshould be demonstrated to be operable by the performance of a channelcheck, channel functional testing, and channel calibration, includingsetpoint verification. Technical specifications should include appropriateLCOs. These technical specifications should be commensurate with therequirements of existing technical specifications for channels thatinitiated protective actions.(c) It is recommended that ploivt designs with no automatic protection to preventsteam generator dryout upgrade their design and the appropriate technicalspecifications and provide an automatic protection system to prevent steamgenerator dryout on loss of power to the control system. Automaticinitiation of auxiliary feedwater on steam generator low-water level isconsidered an acceptable design. Other corrective actions identified inSection 4.3(4) of NUREG-1218 could also be taken to avoid a steam generatordryout scenario on loss of power to the control system. The staff believesthat only three B&W plants, i.e., Oconee 1, 2, and 3, do not have automaticauxiliary feedwater initiation on steam generator low water level).Designs for Overfill ProtectionSeveral different designs for overfill protection are already provided on mostoperating plants. The following discussion identifies the different groups ofplant designs and provides guidelines for acceptable design Group I: Plants that provide a safety-grade overfill-protection system initi-ated-on a steam generator high-water-level signal based on either a 2-out-of-3or a 2-out-of-4 (or equivalent) initiating logic. 
The system isolates mainfeedwater (MFW) by (1) closing at least one MFW isolation valve in the MFW lineto each steam generator and (2) tripping the MFW pumps.The staff concludes that this design is acceptable, provided that (1) theoverfill protection system is sufficiently separated from the feedwater controlsystem so that it is not powered from the same power source, not located in thesame cabinet, and not routed so that a fire is likely to affect both systems(common-mode failures that could disable overfill protection and the feedwatercontrol system, but still result in a feedwater pump trip are consideredacceptable failure modes) and (2) the plant procedures and technical specifica-tions include requirements to periodically verify operability of this system.GroupI: Plants that have a commercial-grade overfill-protection system ini-tMate-don a steam generator high-water level based on coincident logic thatminimizes inadvertent initiation. The system isolates MFW by tripping theFEW pumps.This design may be found acceptable, provided that (1) the overfill-protectionsystem is sufficiently separate from the feedwater control system so that it isnot powered from the same power source, not located in the same cabinet, andnot routed so that a fire is likely to affect both systems and (2) the designmodifications are implemented per the guidelines identified in the secondparagraph of item (3)(a) above and that the plant procedures and technicalspecifications include requirements to periodically verify operability of thissystem. 
The technical specifications should be commensurate with existingplant technical specification requirements for channels that initiate protec-tion actions.It is also recommended that plant designs that provide a separate 1-out-of-i or al-out-of-2 trip logic to close the feedwater isolation valves for additionaloverfill protection provide bypass capabilities to prevent feedwater tripsduring channel functional testing when at power or during hot-standby opera-tion.(4) Combustion Engineering-Designed PWR Plants(a) It is recommended that all Combustion Engineering plants provide automatic,steam generator overfill protection to mitigate main feedwater (MFW) over-feed events. The design for the overfill-protection system should besufficiently separate from the MFW control system to ensure that the MFWpump will trip on a steam generator high-water-level signal when required,even if a loss of power, a loss of ventilation, or a fire in the controlportion of the MFW control system should occur. Common failure modes thatcould disable overfill protection and the feedwater control system, butwould still result in a feedwater pump trip, are considered acceptablefailure mode (b) It is recommended that plant procedures and technical specifications forall Combustion Engineering plants include provisions to verify periodicallythe operability of overfill protection and ensure that automatic FWWoverfill protection is operable during reactor power operation. Theinstrumentation should be demonstrated to be operable by the performanceof a channel check, channel functional testing, and channel calibration,including setpoint verification, and by identifying the LCOs. 
(b) It is recommended that plant procedures and technical specifications for all Combustion Engineering plants include provisions to verify periodically the operability of overfill protection and ensure that automatic MFW overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification, and by identifying the LCOs. These technical specifications should be commensurate with existing plant technical specifications requirements for channels that initiate protection actions.

(c) It is recommended that all utilities that have plants designed with high-pressure-injection pump-discharge pressures less than or equal to 1275 psi reassess their emergency procedures and operator training programs and modify them, as needed, to ensure that the operators can handle the full spectrum of possible small-break loss-of-coolant accident (SBLOCA) scenarios. This may include the need to depressurize the primary system via the atmospheric dump valves or the turbine bypass valves and cool down the plant during some SBLOCA. The reassessment should ensure that a single failure would not negate the operability of the valves needed to achieve safe shutdown.

The procedure should clearly describe any actions the operator is required to perform in the event a loss of instrument air or electric power prevents remote operation of the valves. The use of the pressurizer PORVs to depressurize the plant during an SBLOCA, if needed, and the means to ensure that the RT NDT (reference temperature, nil ductility transition) limits are not compromised should also be clearly described. Seven plants have been identified that have high pressure injection pump discharge pressures less than or equal to 1275 psi that may require manual pressure-relief capabilities using the valves to achieve safe shutdown. They are: Calvert Cliffs 1 and 2, Fort Calhoun, Millstone 2, Palisades, and St. Lucie 1 and 2.

Designs for Overfill Protection

CE-designed plants do not provide automatic steam generator overfill protection that terminates MFW flow. Therefore, it is recommended that licensees and applicants for CE plants provide a separate and independent safety-grade or commercial-grade steam generator overfill-protection system that will serve as backup to the existing feedwater runback control system. Existing water-level sensors may be used in a 2-out-of-4 initiating logic to isolate MFW flow on a steam generator high-water-level signal. The proposed design should ensure that the overfill protection system is separate from the feedwater-control system so that it is not powered from the same power source, is not located in the same cabinet, and is not routed so that a fire is likely to affect both systems (common-mode failures described above are considered acceptable), and the plant procedures and technical specifications should include requirements to periodically verify operability of the system. The information that is requested to be addressed in the plant procedures and the technical specifications is provided in item (4)(b) above.


===Enclosures:===
LIST OF RECENTLY ISSUED GENERIC LETTERS

{| class="wikitable"
! Generic Letter No. !! Subject !! Date of Issuance !! Issued To
|-
| 89-19 || REQUEST FOR ACTION RELATED TO RESOLUTION OF UNRESOLVED SAFETY ISSUE A-47 "SAFETY IMPLICATION OF CONTROL SYSTEMS IN LWR NUCLEAR POWER PLANTS" PURSUANT TO 10 CFR 50.54(f) || 09/20/89 || ALL LICENSEES OF OPERATING REACTORS, APPLICANTS FOR OPERATING LICENSES AND HOLDERS OF CONSTRUCTION PERMITS FOR LIGHT WATER REACTOR NUCLEAR POWER PLANTS
|-
| 89-18 || RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17, "SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS" (ACCESSION NUMBER IS 8909070029) || 09/06/89 || ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER PLANTS
|-
| 89-17 || PLANNED ADMINISTRATIVE CHANGES TO THE NRC OPERATOR LICENSING WRITTEN EXAMINATION PROCESS - GENERIC LETTER 89-17 || 09/06/89 || ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR PWRS AND BWRS AND ALL LICENSED OPERATORS
|-
| 89-16 || INSTALLATION OF A HARDENED WETWELL VENT (GENERIC LETTER 89-16) || 09/01/89 || ALL GE PLANTS
|-
| 88-20 SUPPLEMENT 1 || GENERIC LETTER 88-20 SUPPLEMENT NO. 1 (INITIATION OF THE INDIVIDUAL PLANT EXAMINATION FOR SEVERE VULNERABILITIES 10 CFR 50.54(f)) || 08/29/89 || ALL LICENSEES HOLDING OPERATING LICENSES AND CONSTRUCTION PERMITS FOR NUCLEAR POWER REACTOR FACILITIES
|-
| 89-15 || EMERGENCY RESPONSE DATA SYSTEM GENERIC LETTER NO. 89-15 (CORRECT ACCESSION NUMBER IS 8908220423) || 08/21/89 || ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER PLANTS
|-
| 89-07 SUPPLEMENT 1 || SUPPLEMENT 1 TO GENERIC LETTER 89-07, "POWER REACTOR SAFEGUARDS CONTINGENCY PLANNING FOR SURFACE VEHICLE BOMBS" || 08/21/89 || ALL LICENSEES OF OPERATING PLANTS, APPLICANTS FOR OPERATING LICENSES, AND HOLDERS OF CONSTRUCTION PERMITS
|}
}}
This request is covered by Office of Management and Budget Clearance Number 3150-0011 which expires December 31, 1989. The estimated average burden hours is 240 person hours per licensee response, including assessment of the new recommendations, searching data sources, gathering and analyzing the data, and the required reports. These estimated average burden hours pertain only to these identified response-related matters and do not include the time for actual implementation of the requested actions. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Record and Reports Management Branch, Division of Information Support Services, Office of Information Resources Management, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555; and to the Paperwork Reduction Project (3150-0011), Office of Management and Budget, Washington, D.C. 20503.

If you have any questions on this matter, please contact your project manager.

Sincerely,

ORIGINAL SIGNED BY JAMES PARTLOW

James G. Partlow
Associate Director for Projects
Office of Nuclear Reactor Regulation

Enclosures:
1. Enclosure 1, List of References
2. Enclosure 2, Control System Design and Procedural Modification for Resolution of USI A-47
3. Enclosure 3, List of Recently Issued NRC Generic Letters

Distribution:
Central Files
NRC PDR
J. Partlow
S. Newberry
D. Matthews
K. Jabbour
C inger

NAME: JPARTLO    DATE: 9/ /89
OFFICIAL RECORD COPY
Document Name: GENERIC LETTER USI A47
}}


{{GL-Nav}}

Revision as of 17:47, 6 April 2018

NRC Generic Letter 1989-019: Request for Action Related to Resolution of Unresolved Safety Issue A-47 Safety Implication of Control Systems in LWR Nuclear Power Plants Pursuant to 10 CFR 50.54(f)
ML031200742
Person / Time
Site: Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Three Mile Island, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Vermont Yankee, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, 05000000, Zimmer, Fort Saint Vrain, Washington Public Power Supply System, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant, Clinch River
Issue date: 09/20/1989
From: Partlow J G
Office of Nuclear Reactor Regulation
To:
References
USA A-47 GL-89-019, NUDOCS 8909200223
Download: ML031200742 (14)


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

September 20, 1989

TO: ALL LICENSEES OF OPERATING REACTORS, APPLICANTS FOR OPERATING LICENSES AND HOLDERS OF CONSTRUCTION PERMITS FOR LIGHT WATER REACTOR NUCLEAR POWER PLANTS

SUBJECT: REQUEST FOR ACTION RELATED TO RESOLUTION OF UNRESOLVED SAFETY ISSUE A-47 "SAFETY IMPLICATION OF CONTROL SYSTEMS IN LWR NUCLEAR POWER PLANTS" PURSUANT TO 10 CFR 50.54(f) - GENERIC LETTER 89-19

As a result of the technical resolution of USI A-47, "Safety Implications of Control Systems in LWR Nuclear Power Plants," the NRC has concluded that protection should be provided for certain control system failures and that selected emergency procedures should be modified to assure that plant transients resulting from control system failures do not compromise public safety.

The NRC has provided to all utility and reactor vendor executives copies of NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants" and NUREG-1218, "Regulatory Analysis for Resolution of USI A-47." These reports are identified as items 1 and 2 in Enclosure 1. These reports summarize the results of the analyses conducted for USI A-47. During the A-47 review a number of different designs for reactor vessel and steam generator overfill protection were evaluated. Plant specific features such as power supply interdependence, sharing of sensors between control and trip logic, operator training, and designs for indication and alarms available to the operator were considered in developing risk estimates associated with failures of the feedwater trip system. The results of NRC's studies of the A-47 issue, including the analysis for other events evaluated, such as overheat and overcool events, are provided for information. It is expected that each licensee and applicant will review the information for applicability to its facility.
The results of the analyses and the technical bases for the NRC conclusions are documented in the references listed in Enclosure 1.

The staff has concluded that all PWR plants should provide automatic steam generator overfill protection, all BWR plants should provide automatic reactor vessel overfill protection, and that plant procedures and technical specifications for all plants should include provisions to verify periodically the operability of the overfill protection and to assure that automatic overfill protection is available to mitigate main feedwater overfeed events during reactor power operation. Also, the system design and setpoints should be selected with the objective of minimizing inadvertent trips of the main feedwater system during plant startup, normal operation, and protection system surveillance. The Technical Specifications recommendations are consistent with the criteria and the risk considerations of the Commission Interim Policy Statement on Technical Specification Improvement. In addition, the staff recommends that all BWR recipients reassess and modify, if needed, their operating procedures and operator training to assure that the operators can mitigate reactor vessel overfill events that may occur via the condensate booster pumps during reduced system pressure operation. Enclosure 2 (Sections 1 through 4, a and b) describes the requested action for the different NSSS designs. Enclosure 2 outlines a number of designs that satisfy the objectives for overfill protection and provides guidance for an acceptable design. The staff believes that a significant number of plants already provide satisfactory designs for overfill protection; many plants also have technical specifications dealing with overfill protection system surveillance which were previously approved by the staff.

The staff also concluded that certain Babcock and Wilcox plants should provide either automatic initiation of auxiliary feedwater on low steam generator level or another acceptable design to prevent steam generator dryout on a loss of power to the control system. Most B&W plants have already incorporated automatic initiation circuits for this purpose. Enclosure 2, Section 3c, identifies the plants that have not, and describes the requested action.

The staff also concluded that certain Combustion Engineering plants should reassess their emergency procedures and operator training to assure safe shutdown of the plants during any postulated small break loss of coolant accident. Enclosure 2, Section 4c, identifies these plants and describes the requested action.

On the basis of the technical studies the staff requests that the recommendations in Enclosure 2 be implemented by all LWR plants to enhance safety. These recommendations result from the staff interpretation of General Design Criteria 13, 20, and 33, identified in 10 CFR 50, Appendix A.

The implementation schedule for actions on which commitments are made by licensees or applicants in response to this letter should be prior to start-up after the first refueling outage, beginning nine (9) months following receipt of the letter.

In order to determine whether any license or construction permit for facilities covered by this request should be modified, suspended or revoked, we require, pursuant to Section 182 of the Atomic Energy Act and 10 CFR 50.54(f), that you provide the NRC, within 180 days of the date of this letter, a statement as to whether you will implement the recommendations in Enclosure 2 and, if so, that you provide a schedule for implementation of the items in Enclosure 2 and the basis for the schedule. If you do not plan to implement these recommendations, provide appropriate justification. This information shall be submitted to the NRC, signed under oath and affirmation. The licensee should retain supporting documentation consistent with the records retention program for their facility.

With regard to the recommendations in Enclosure 2 that specify modification to plant procedures and Technical Specifications, the intent is that the appropriate plant procedures be modified in the short-term to provide periodic verification and testing of the overfill protection system. As part of future upgrades to Technical Specifications, licensees should consider including appropriate limiting conditions of operation and surveillance requirements in future Technical Specification improvements.

This request is covered by Office of Management and Budget Clearance Number 3150-0011 which expires December 31, 1989. The estimated average burden hours is 240 person hours per licensee response, including assessment of the new recommendations, searching data sources, gathering and analyzing the data, and the required reports. These estimated average burden hours pertain only to these identified response-related matters and do not include the time for actual implementation of the requested actions. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Record and Reports Management Branch, Division of Information Support Services, Office of Information Resources Management, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555; and to the Paperwork Reduction Project (3150-0011), Office of Management and Budget, Washington, D.C. 20503.

If you have any questions on this matter, please contact your project manager.

Sincerely,

James G. Partlow
Associate Director for Projects
Office of Nuclear Reactor Regulation

Enclosures:
1. Enclosure 1, List of References
2. Enclosure 2, Control System Design and Procedural Modification for Resolution of USI A-47
3. Enclosure 3, List of Recently Issued NRC Generic Letters

Enclosure 1

REFERENCE LIST OF SIGNIFICANT INFORMATION RELATED TO RESOLUTION OF USI A-47

1. NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants" - Technical Findings Related to USI A-47.
2. NUREG-1218, "Regulatory Analysis for Resolution of USI A-47."
3. NUREG/CR-4285, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Westinghouse PWR."
4. NUREG/CR-4386, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor."
5. NUREG/CR-4387, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a General Electric Boiling Water Reactor."
6. NUREG/CR-3958, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor."
7. NUREG/CR-4326, "Effects of Control System Failures on Transients and Accidents at a 3 Loop Westinghouse Pressurized Water Reactor." Vol. 1 and 2.
8. NUREG/CR-4047, "An Assessment of the Safety Implications of Control at the Oconee 1 Nuclear Plant - Final Report."
9. NUREG/CR-4262, "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor." Vol. 1 and 2.
10. NUREG/CR-4265, "An Assessment of the Safety Implications of Control at the Calvert Cliffs-1 Nuclear Plant." Vol. 1 and 2.
11. Letter Report ORNL/NRC/LTR-86/19, "Generic Extensions to Plant Specific Findings of the Safety Implications of Control Systems Program."

Enclosure 2

CONTROL SYSTEM DESIGN AND PROCEDURAL MODIFICATION FOR RESOLUTION OF USI A-47

As part of the resolution of USI A-47, "Safety Implications of Control Systems," the staff investigated control system failures that have occurred, or are postulated to occur, in nuclear power plants. The staff concluded that plant transients resulting from control system failures can be mitigated by the operator, provided that the control system failures do not also compromise operation of the minimum number of protection system channels required to trip the reactor and initiate safety systems. A number of plant-specific designs have been identified, however, that should provide additional protection from transients leading to reactor vessel or steam generator overfill or reactor core overheating.

Reactor vessel or steam generator overfill can affect the safety of the plant in several ways. The more severe scenarios could potentially lead to a steamline break and a steam generator tube rupture. The basis for this concern is the following: (1) the increased dead weight and potential seismic loads placed on the main steamline and its supports should the main steamline be flooded; (2) the loads placed on the main steamlines as a result of the potential for rapid collapse of steam voids resulting in water hammer; (3) the potential for secondary safety valves sticking open following discharge of water or two-phase flow; (4) the potential inoperability of the main steamline isolation valves (MSIVs), main turbine stop or bypass valves, feedwater turbine valves, or atmospheric dump valves from the effects of water or two-phase flow; and (5) the potential for rupture of weakened tubes in the once-through steam generator on B&W nuclear steam supply system (NSSS) plants due to tensile loads caused by the rapid thermal shrinkage of the tubes relative to the generator shell. These concerns have not been addressed in a number of plant designs, because overfill transients normally have not been analyzed.

To minimize some of the consequences of overfill, early plant designs provided commercial-grade protection for tripping the turbine or relied on operator action to control water level manually in the event the normal-water-level control system failed. Later designs, including the most recent designs, provide overfill protection which automatically stops main feedwater flow on vessel high-water-level signals. These designs provide various degrees of coincident logic and redundancy to initiate feedwater isolation and to ensure that a single failure would not inhibit isolation. A large number of plants provide safety-grade designs for this protection.

On the basis of the technical studies conducted by the staff and its contractors, the staff recommends that certain actions should be taken by some plants to enhance plant safety. These actions are described in the material that follows, and include design and procedural modifications to ensure that (1) all plants provide overfill protection, (2) all plants provide plant procedures and technical specifications for periodic surveillance of the overfill protection, (3) certain Babcock and Wilcox plants provide an acceptable design to prevent steam generator dryout on a loss of power to the control system, and (4) certain Combustion Engineering plants reassess their emergency procedures and operator training to ensure safe shutdown during any postulated small break loss of coolant accident. With regard to the recommendations that specify modification to plant procedures and Technical Specifications, the intent is that the appropriate plant procedures be modified in the short-term to provide periodic verification and testing of the overfill protection system. As part of future upgrades to Technical Specifications, licensees should consider including appropriate limiting conditions of operation and surveillance requirements in future Technical Specification improvements.

(1) GE Boiling-Water-Reactor Plants

(a) It is recommended that all GE boiling-water-reactor (BWR) plant designs provide automatic reactor vessel overfill protection to mitigate main feedwater (MFW) overfeed events. The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a reactor high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

It is recommended that plant designs with no automatic reactor vessel overfill protection be upgraded by providing a commercial-grade (or better) MFW isolation system actuated from at least a 1-out-of-1 reactor vessel high-water-level system, or justify the design on some defined basis. In addition, it is recommended that all plants reassess their operating procedures and operator training and modify them, if necessary, to ensure that the operators can mitigate reactor vessel overfill events that may occur via the condensate booster pumps during reduced pressure operation of the system.

(b) It is recommended that plant procedures and technical specifications for all BWR plants with main feedwater overfill protection include provisions to verify periodically the operability of overfill protection and ensure that automatic overfill protection to mitigate main feedwater overfeed events is operable during power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate limiting conditions for operation (LCOs). These technical specifications should be commensurate with the requirements of existing plant technical specifications for channels that initiate protective actions. Previously approved technical specifications for surveillance intervals and limiting conditions for operation (LCOs) for overfill protection are considered acceptable.

Designs for Overfill Protection

Several different designs for overfill protection have already been incorporated into a large number of operating plants. The following discussion identifies the different groups of plant designs and provides guidance for acceptable designs.

Group I: Plants that have a safety-grade or a commercial-grade overfill protection system initiated on a reactor vessel high-water-level signal based on a 2-out-of-3 or a 1-out-of-2 taken twice (or equivalent) initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

The staff concludes that this design is acceptable, provided that (1) the overfill protection system is separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems and (2) the plant procedures and technical specifications include requirements to periodically verify operability of this system. Licensees of plants that already have these design features that have been previously approved by the staff should state this in their response.

Group II: Plants that have safety-grade or commercial-grade overfill-protection systems initiated on a reactor vessel high-water-level signal based on a 1-out-of-1, 1-out-of-2, or a 2-out-of-2 initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

The staff concludes that these designs are acceptable provided conditions (1) and (2) stated for Group I are met. Licensees of plants that already have these design features that have been previously approved by the staff should state this in their response. Plant designs with a 1-out-of-1 or a 1-out-of-2 trip logic for overfill protection should provide bypass capabilities to prevent feedwater trips during channel functional testing when at power operation.

Group III: Plants without automatic overfill protection.

It is recommended that the licensee have a design to prevent reactor vessel overfill and justify the adequacy of the design. The justification should include verification that the overfill protection system is separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes. The staff review identified three plants, i.e., Big Rock, LaCrosse (permanently shutdown), and Oyster Creek, that fall into this group. If any of these plants wish to justify not including overfill protection, part of the requested justification should demonstrate that the risk reduction in implementing an automatic overfill protection system is significantly less than the staff's generic estimates of risk reduction. In determining the risk reduction, specific factors such as low plant power and population density should be considered. Other applicable factors that are plant unique should also be addressed.

(2) Westinghouse-Designed PWR Plants

(a) It is recommended that all Westinghouse plant designs provide automatic steam generator overfill protection to mitigate MFW overfeed events. The design for the overfill protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a reactor high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in the feedwater pump trip, are considered acceptable failure modes.

(b) It is recommended that plant procedures and technical specifications for all Westinghouse plants include provisions to periodically verify the operability of the MFW overfill protection and ensure that the automatic overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate LCOs. These technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protective actions. Plants that have previously approved technical specifications for surveillance intervals for overfill protection are considered acceptable.

Designs for Overfill Protection

Several different designs for overfill-protection are already provided in most operating plants. The following discussion identifies the different groups of plant designs and provides guidance for acceptable designs.

Group I: Plants that have an overfill-protection system initiated on a steam generator high-water-level signal based on a 2-out-of-4 initiating logic which is safety grade, or a 2-out-of-3 initiating logic which is safety grade but uses one out of the three channels for both control and protection. The system isolates MFW by closing the MFW isolation valves and tripping the MFW pumps.

The staff concludes that the design is acceptable, provided that (1) the overfill protection system is sufficiently separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems, and (2) the plant procedures and technical specifications include requirements to periodically verify operability of this system.

Group II: Plants with a safety-grade or a commercial-grade overfill protection system initiated on a steam generator high-water-level signal based on either a 1-out-of-1, 1-out-of-2, or 2-out-of-2 initiating logic. The system isolates MFW by closing the MFW control valves.

-5 -The staff finds that only one early plant (i.e., Haddam Neck) falls into thisgroup; therefore, a risk assessment was not conducted. Considering thesuccessful operating history of the plant regarding overfill transients (i.e.,no overfill events have been reported), this design may be found acceptable,provided that (1) justification for the adequacy of the design on a plant-specific basis is included and (2) plant procedures and technical specifica-tions are modified to include requirements to periodically verify operabilityof this system. As part of the justification, it is requested that the licenseeinclude verification that the overfill-protection system is separate from thefeedwater-control system so that it is not powered from the same power source,not located in the same cabinet, and not routed so that a fire is likely toaffect both systems. Comnon-mode failures that could disable overfill protec-tion and the feedwater-control system, but would still cause a feedwater pumptrip, are considered acceptable failure irodes.Group III: Plants without automatic overfill protection.It is recommended that the licensee have a design to prevent steam generatoroverfill and justify the adequacy of the design. The justification shouldinclude verification that the overfill-protection system is separated from thefeedwater-control system so that it is not powered from the same power source,not located in the safice cabinet, and not routed so that a fire is likely toaffect both systems. Comion-mode failures that could disable overfill pro-tection and the feedwater-control system, but would still result in a feedwaterpump trip, are considered acceptable failure modes. The staff's reviewidentified two plants; i.e., Yankee Rowe and Sari Onofre 1; that fall into thiscategory. 
If either of these plants wishes to justify not including overfill protection, part of the requested justification should demonstrate that the risk reduction in implementing an automatic overfill protection system is significantly less than the staff's generic estimates of risk reduction. In determining the risk reduction, specific factors such as low plant power and population density should be considered. Other applicable factors that are plant unique should also be addressed.

(3) Babcock and Wilcox-Designed PWR Plants

(a) It is recommended that all Babcock and Wilcox plant designs have automatic steam generator overfill protection to mitigate MFW overfeed events.

On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. This event occurred as a result of loss of power to the integrated control system (ICS). Subsequently, the B&W Owners Group initiated a study to reassess all B&W plant designs including, but not limited to, the ICS and support systems such as power supplies and maintenance. As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated, and the results were factored into the A-47 requirements. However, other recommended actions for design modifications, maintenance, and any changes to operating procedures (if any) developed for the utilities by the B&W Owners Group are being resolved separately.

The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a steam generator high-water-level signal (or other equivalent signals) when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the main feedwater control system should occur. Common failure modes that could disable overfill protection and the feedwater-control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

It is recommended that plants that are similar to the reference plant design (i.e., Oconee Units 1, 2, and 3) have a steam generator high-water-level feedwater-isolation system that satisfies the single-failure criterion. An acceptable design would be to provide automatic MFW isolation by either (1) providing an additional system that terminates MFW flow by closing an isolation valve in the line to each steam generator (this system is to be independent from the existing overfill protection which trips the main feedwater pumps on steam generator high-water level); (2) modifying the existing overfill-protection system to preclude undetected failures in the trip system and facilitate online testing; or (3) upgrading the existing overfill-protection system to a 2-out-of-4 (or equivalent) high-water-level trip system that satisfies the single-failure criterion.

(b) It is recommended that plant procedures and technical specifications for all B&W plants include provisions to periodically verify the operability of overfill protection and ensure the automatic main feedwater overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. Technical specifications should include appropriate LCOs.
These technical specifications should be commensurate with the requirements of existing technical specifications for channels that initiate protective actions.

(c) It is recommended that plant designs with no automatic protection to prevent steam generator dryout upgrade their design and the appropriate technical specifications and provide an automatic protection system to prevent steam generator dryout on loss of power to the control system. Automatic initiation of auxiliary feedwater on steam generator low-water level is considered an acceptable design. Other corrective actions identified in Section 4.3(4) of NUREG-1218 could also be taken to avoid a steam generator dryout scenario on loss of power to the control system. The staff believes that only three B&W plants, i.e., Oconee 1, 2, and 3, do not have automatic auxiliary feedwater initiation on steam generator low water level.

Designs for Overfill Protection

Several different designs for overfill protection are already provided on most operating plants. The following discussion identifies the different groups of plant designs and provides guidelines for acceptable designs.

Group I: Plants that provide a safety-grade overfill-protection system initiated on a steam generator high-water-level signal based on either a 2-out-of-3 or a 2-out-of-4 (or equivalent) initiating logic. The system isolates main feedwater (MFW) by (1) closing at least one MFW isolation valve in the MFW line to each steam generator and (2) tripping the MFW pumps.

The staff concludes that this design is acceptable, provided that (1) the overfill protection system is sufficiently separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems (common-mode failures that could disable overfill protection and the feedwater control system, but still result in a feedwater pump trip, are considered acceptable failure modes) and (2) the plant procedures and technical specifications include requirements to periodically verify operability of this system.

Group II: Plants that have a commercial-grade overfill-protection system initiated on a steam generator high-water level based on coincident logic that minimizes inadvertent initiation. The system isolates MFW by tripping the MFW pumps.

This design may be found acceptable, provided that (1) the overfill-protection system is sufficiently separate from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems and (2) the design modifications are implemented per the guidelines identified in the second paragraph of item (3)(a) above and that the plant procedures and technical specifications include requirements to periodically verify operability of this system.
The technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protection actions.

It is also recommended that plant designs that provide a separate 1-out-of-1 or a 1-out-of-2 trip logic to close the feedwater isolation valves for additional overfill protection provide bypass capabilities to prevent feedwater trips during channel functional testing when at power or during hot-standby operation.

(4) Combustion Engineering-Designed PWR Plants

(a) It is recommended that all Combustion Engineering plants provide automatic steam generator overfill protection to mitigate main feedwater (MFW) overfeed events. The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a steam generator high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common failure modes that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.
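The grouping of designs above (2-out-of-4 and 2-out-of-3 versus 1-out-of-1, 1-out-of-2 and 2-out-of-2) and the bypass recommendation for channel functional testing both come down to how an m-out-of-n initiating logic behaves when one channel fails or is under test. The following Python model is an added illustration, not part of the letter or of any licensee's design; the channel states, the symmetric-channel assumption and the test scenario are constructed for the example.

```python
"""Added example (not from the letter): m-out-of-n coincidence logic for a
steam generator high-water-level trip, checked for the two properties the
letter uses to group designs. Channel states are constructed here."""

OK = "ok"                          # channel reads the process correctly
FAILED_TRIP = "failed_trip"        # stuck asserting a trip demand (spurious)
FAILED_NO_TRIP = "failed_no_trip"  # stuck untripped: cannot see the event
BYPASSED = "bypassed"              # removed from the vote for channel testing


def channel_demand(state, level_high):
    """True if a channel in `state` asserts a trip demand for this process state."""
    if state == OK:
        return level_high
    if state == FAILED_TRIP:
        return True
    return False  # failed-no-trip and bypassed channels never vote


def voter(m, states, level_high):
    """m-out-of-n coincidence: trip when at least m channels demand it."""
    return sum(channel_demand(s, level_high) for s in states) >= m


def single_failure_review(m, n, test_bypass=False):
    """Evaluate an m-out-of-n logic for the cases the letter discusses.

    Channels are assumed symmetric, so perturbing channel 0 covers every
    single failure. A channel under functional test is driven to the tripped
    state unless a bypass removes it from the vote (test_bypass=True)."""
    healthy = [OK] * (n - 1)
    under_test = BYPASSED if test_bypass else FAILED_TRIP
    return {
        # single-failure criterion: real overfill with one dead channel
        "trips_with_one_failed_channel":
            voter(m, [FAILED_NO_TRIP] + healthy, level_high=True),
        # inadvertent initiation: one channel failed tripped at power
        "spurious_trip_on_one_failed_channel":
            voter(m, [FAILED_TRIP] + healthy, level_high=False),
        # channel functional test at power or hot standby
        "spurious_trip_during_channel_test":
            voter(m, [under_test] + healthy, level_high=False),
        "protected_during_channel_test":
            voter(m, [under_test] + healthy, level_high=True),
    }


if __name__ == "__main__":
    for m, n in [(2, 4), (2, 3), (1, 1), (1, 2), (2, 2)]:
        print(f"{m}-out-of-{n}:", single_failure_review(m, n))
    print("1-out-of-2 with test bypass:", single_failure_review(1, 2, True))
```

Running it shows why the letter treats 2-out-of-4 as acceptable as-is (it both survives a dead channel and ignores a single spurious one) while a 1-out-of-2 logic needs a test bypass to avoid tripping feedwater during surveillance.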

(b) It is recommended that plant procedures and technical specifications for all Combustion Engineering plants include provisions to verify periodically the operability of overfill protection and ensure that automatic MFW overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification, and by identifying the LCOs. These technical specifications should be commensurate with existing plant technical specifications requirements for channels that initiate protection actions.

(c) It is recommended that all utilities that have plants designed with high-pressure-injection pump-discharge pressures less than or equal to 1275 psi reassess their emergency procedures and operator training programs and modify them, as needed, to ensure that the operators can handle the full spectrum of possible small-break loss-of-coolant accident (SBLOCA) scenarios. This may include the need to depressurize the primary system via the atmospheric dump valves or the turbine bypass valves and cool down the plant during some SBLOCAs. The reassessment should ensure that a single failure would not negate the operability of the valves needed to achieve safe shutdown.

The procedure should clearly describe any actions the operator is required to perform in the event a loss of instrument air or electric power prevents remote operation of the valves. The use of the pressurizer PORVs to depressurize the plant during an SBLOCA, if needed, and the means to ensure that the RTNDT (reference temperature, nil ductility transition) limits are not compromised should also be clearly described. Seven plants have been identified that have high pressure injection pump discharge pressures less than or equal to 1275 psi that may require manual pressure-relief capabilities using the valves to achieve safe shutdown.
They are: Calvert Cliffs 1 and 2, Fort Calhoun, Millstone 2, Palisades, and St. Lucie 1 and 2.

Designs for Overfill Protection

CE-designed plants do not provide automatic steam generator overfill protection that terminates MFW flow. Therefore, it is recommended that licensees and applicants for CE plants provide a separate and independent safety-grade or commercial-grade steam generator overfill-protection system that will serve as backup to the existing feedwater runback control system. Existing water-level sensors may be used in a 2-out-of-4 initiating logic to isolate MFW flow on a steam generator high-water-level signal. The proposed design should ensure that the overfill protection system is separate from the feedwater-control system so that it is not powered from the same power source, is not located in the same cabinet, and is not routed so that a fire is likely to affect both systems (common-mode failures described above are considered acceptable) and the plant procedures and technical specifications should include requirements to periodically verify operability of the system. The information that is requested to be addressed in the plant procedures and the technical specifications is provided in item (4)(b) above.

LIST OF RECENTLY ISSUED GENERIC LETTERS

Generic Letter No. | Subject | Date of Issuance | Issued To

89-19 | REQUEST FOR ACTION RELATED TO RESOLUTION OF UNRESOLVED SAFETY ISSUE A-47 "SAFETY IMPLICATION OF CONTROL SYSTEMS IN LWR NUCLEAR POWER PLANTS" PURSUANT TO 10 CFR 50.54(f) | 09/20/89 | ALL LICENSEES OF OPERATING REACTORS, APPLICANTS FOR OPERATING LICENSES AND HOLDERS OF CONSTRUCTION PERMITS FOR LIGHT WATER REACTOR NUCLEAR POWER PLANTS

89-18 | RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17, "SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS" | 09/06/89 (ACCESSION NUMBER IS 8909070029) | ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER PLANTS

89-17 | PLANNED ADMINISTRATIVE CHANGES TO THE NRC OPERATOR LICENSING WRITTEN EXAMINATION PROCESS - GENERIC LETTER 89-17 | 09/06/89 | ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR PWRS AND BWRS AND ALL LICENSED OPERATORS

89-16 | INSTALLATION OF A HARDENED WETWELL VENT (GENERIC LETTER 89-16) | 09/01/89 | ALL GE PLANTS

88-20 SUPPLEMENT 1 | GENERIC LETTER 88-20 SUPPLEMENT NO. 1 (INITIATION OF THE INDIVIDUAL PLANT EXAMINATION FOR SEVERE VULNERABILITIES 10 CFR 50.54(f)) | 08/29/89 | ALL LICENSEES HOLDING OPERATING LICENSES AND CONSTRUCTION PERMITS FOR NUCLEAR POWER REACTOR FACILITIES

89-15 | EMERGENCY RESPONSE DATA SYSTEM GENERIC LETTER NO. 89-15 | 08/21/89 (CORRECT ACCESSION NUMBER IS 8908220423) | ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER PLANTS

89-07 SUPPLEMENT 1 | SUPPLEMENT 1 TO GENERIC LETTER 89-07, "POWER REACTOR SAFEGUARDS CONTINGENCY PLANNING FOR SURFACE VEHICLE BOMBS" | 08/21/89 | ALL LICENSEES OF OPERATING PLANTS, APPLICANTS FOR OPERATING LICENSES, AND HOLDERS OF CONSTRUCTION PERMITS

Generic Letter 89-19, September 20, 1989

This request is covered by Office of Management and Budget Clearance Number 3150-0011 which expires December 31, 1989. The estimated average burden hours is 240 person hours per licensee response, including assessment of the new recommendations, searching data sources, gathering and analyzing the data, and the required reports. These estimated average burden hours pertain only to these identified response-related matters and do not include the time for actual implementation of the requested actions. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Records and Reports Management Branch, Division of Information Support Services, Office of Information Resources Management, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555; and to the Paperwork Reduction Project (3150-0011), Office of Management and Budget, Washington, D.C. 20503.

If you have any questions on this matter, please contact your project manager.

Sincerely,

ORIGINAL SIGNED BY JAMES PARTLOW

James G. Partlow
Associate Director for Projects
Office of Nuclear Reactor Regulation

Enclosures:
1. Enclosure 1, List of References
2. Enclosure 2, Control System Design and Procedural Modification for Resolution of USI A-47
3. Enclosure 3, List of Recently Issued NRC Generic Letters

Distribution: Central Files, S. Newberry, NRC PDR, D. Matthews, J. Partlow, K. Jabbour, C inger

NAME: JPARTLOW   DATE: 9/ /89   OFFICIAL RECORD COPY
Document Name: GENERIC LETTER USI A47
