NRC Generic Letter 1989-19: Difference between revisions

~1

4 UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON. D. C. 20555 September 20, 1989 FOR OPERATING

TO: ALL LICENSEES OF OPERATING REACTORS, APPLICANTS FOR LIGHT WATER

LICENSES AND HOLDERS OF CONSTRUCTION PERMITS

REACTOR NUCLEAR POWER PLANTS

UNRESOLVED SAFETY

SUBJECT: REQUEST FOR ACTION RELATED TO RESOLUTION OF

ISSUE A-47 8SAFETY IMPLICATION OF CONTROL 50.54(f)SYSTEMS IN LWR

- GENERIC

NUCLEAR POWER PLANTSN PURSUANT TO 10 CFR

LETTER 89-19 USI A-47, Safety Implications of As a result of the technical resolution of the NRC has concluded that Control Systems in LWR Nuclear Power Plants," system failures and that protection should be provided for certain control to assure that plant transients selected emergency procedures should be modified compromise public safety.

resulting from control system failures do not vendor executives copies of The NRC has provided to all utility and reactor of Control Systems in LWR Nuclear NUREG-1217, "Evaluation of Safety Implications for Resolution of USI A-47."

Power Plants" and NUREG-1218, Regulatory Analysis 2 in Enclosure 1. These reports These reports are identified as items 1 and for USI A-47. During the A-47 summarize the results of the analyses conducted vessel and steam generator review a number of different designs for reactor specific features such as: power overfill protection were evaluated. Plant control and trip logic, supply interdependence, sharing of sensors between and alarms available to the operator training, and designs for indication estimates associated with failures operator were considered in developing risk of NRC's studies of the A-47 issue of the feedwater trip system. The results such as overheat and including the analysis for other events evaluated, lt is expected that each overcool events, are provided for information. for applicability to its licensee and applicant will review the information the technical bases for the NRC

facility. The results of the analyses and listed in Enclosure 1.

conclusions are documented in the references should provide automatic steam The staff has concluded that all PWR plants should provide automatic reactor generator overfill protection, all BWR plants and technical specifica- vessel overfill protection, and that plant procedures to verify periodically the tions for all plants should include provisions to assure that automatic overfill operability of the overfill protection andfeedwater overfeed events during protection is available to mitigate main and setpoints should be reactor power operation. Also, the system design trips of the main feed- selected with the objective of minimizing inadvertent operation, and protection system water system during plant startup, normal are consistent with recommendations surveillance. The Technical Specifications the Commission Interim Policy the criteria and the risk considerations of In addition, the staff Statement on Technical Specification Improvement. and modify, if needed, their recommends that all BWR recipients reassess to assure that the operators can operating procedures and operator training may occur via the condensate mitigate rqg=__vessel overfill events that

6

(1 8909200223 Z u-,

,. C,

2 September 20, 1989 Generic Letter 89-19 Enclosure 2 (Sections 1 booster pumps during reduced system pressure operation.for the different NSSS designs.

through 4, a and b) describes the requested action the objectives for overfill Enclosure 2 outlines a number of designs that satisfy design. The staff believes protection and provides guidance for an acceptable satisfactory designs for that a significant number of plants already provide specifications dealing overfill protection; many plants also have technicalwere previously approved by with overfill protection system surveillance which the staff.

Wilcox plants should provide The staff also concluded that certain Babcock and on low steam generator level either automatic initiation of auxiliary feedwater dryout on a loss of or another acceptable design to prevent steam generatoralready incorporated auto- power to the control system. Most B&W plants have 2, Section 3c, identifies matic initiation circuits for this purpose. Enclosure action.

the plants that have not, and describes the requested Engineering plants should The staff also concluded that certain Combustion training to assure safe shut- reassess their emergency procedures and operatorbreak loss of coolant accident.

down of the plants during any postulated small and describes the requested Enclosure 2, Section 4c, identifies these plants action.

that the recommen- On the basis of the technical studies the staff requests plants to enhance safety.

dations in Enclosure 2 be implemented by all LWR of General Design These recommendations result from the staff interpretation A.

Criteria 13, 20, and 33, identified in 1OCFR50, Appendix commitments are made by The implementation schedule for actions on which should be prior to start-up licensees or applicants in response to this letter(9) months following receipt after the first refueling outage, beginning nine of the letter.

permit for facilities In order to determine whether any license or construction or revoked, we require, covered by this request should be modified, suspended and 10 CFR 50.54(f), that you pursuant to Section 182 of the Atomic Energy Act letter, a statement as to provide the NRC, within 180 days of the date of thisEnclosure 2 and, if so, that whether you will implement the recommendations in in Enclosure 2 and the items you provide a schedule for implementation of theimplement these recommendations, basis for the schedule. If you do not plan to shall be submitted to the provide appropriate justification. This information should retain, supporting NRC, signed under oath and affirmation. The licenseeprogram for their facility.

documentation consistent with the records retention

2 that specify modification to With regard to the recommendations in Enclosure the intent is that the appropriate plant procedures and Technical Specifications, provide periodic verification plant procedures be modified in the short-term to As part of future upgrades to and testing of thevoverfill protection system. including appropriate Technical Specifications, licensees should considerrequirements in future limiting conditions of operation and surveillance Technical Specification improvements.

3 September 20, 1989 Generic Letter 89-19 This request is covered by Office of Managemeht and Budget Clearance Number

3150-0011 which expires December 31, 1989. The estimated average burden the hours is 240 person hours per licensee response, including assessment of data, new recommendations, searching data sources, gathering and analyzing the only and the required reports. These estimated average burden hours pertain for to these identified response-related matters and do not include the time this actual implementation of the requested actions. Send comments regardingincluding burden estimate or any other aspect of this collection of information, suggestions for reducing this burden, to the Record and Reports Management Branch, Division of Information Support Services, Office of InformationD.C.

Resources Management, U.S. Nuclear Regulatory Commission Washington,

20555; and to the Paperwork Reduction Project (3150-00115, Office of Manage- ment and Budget, Washington, D.C. 20503.

If you have any questions on this matter, please contact your project manager.

Sincerely, Jambs G. Partlow Ass ciate Director for Projects Office of Nuclear Reactor Regulation Enclosures:

1. Enclosure 1, List of References

2. Enclosure 2, Control System Design and Procedural Modification for Resolution of USI A-47

3. Enclosure 3, List of Recently Issued NRC Generic Letters

Enclosure 1 REFERENCE

LIST OF SIGNIFICANT

INFORMATION RELATED TO

RESOLUTION OF USI A-47

1. NUREG-1217 "Evaluation of Safety Impilcations of Control Systems in LWR Nuclear Power Plants" - Technical Findings Related to USI A-47.

2. NUREG-1218 "Regulatory Analysis for Resolution of USI A-47."

3. NUREG/CR-4285 "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Westinghouse PWR."

4. MUREG/CR-4386 "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor."

5. NUREG/CR-4387 "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a General Electric Boiling Water Reactor."

6. NUREG/CR-3958 "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor."

7. NUREG/CR-4326 "Effects of Control System Failures on Transients and Accidents at a 3 Loop Westinghouse. Pressurized Water Reactor." Vol. 1 and 2.

8. NUREG/CR-4047 "An Assessment of the Safety Implications of Control at the Oconee 1 Nuclear Plant-Final Report."

9. NUREG/CR-4262 "Effects of Control System Failures on Transients ard Accidents At A General Electric Boiling Water Reactor.*

Vol. 1 and 2.

10. NUREG/CR-4265 "An Assessment of the Safety Implications of Control dt the Calvert Cliffs - 1 Nuclear Plant" Vol. 1 and 2.

11. Letter Report "Generic Extensions to Plant Specific Findings of the ORNL/NRC/ Safety Implications of Control Systems Program."

LTR-86/19

Enclosure 2 CONTROL SYSTEM DESIGN AND PROCEDURAL MODIFICATION

FOR RESOLUTION OF USI A-47 As part of the resolution of USI A-47, NSafety Implications of Control are Systems,"

the staff Investigated control system failures that have occurred, or plant postulated to occur, in nuclear power plants. The staff concluded that transients resulting from control system failures can be mitigated by the operator, provided that the control system failures do not also compromise trip operation of the minimum number of protection system channels requireddesigns to the reactor and initiate safety systems. A number of plant-specific have been identified, however, that should provide additional protection from transients leading to reactor vessel or steam generator overfill or reactor core overheating.

Reactor vessel or steam generator overfill can affect the safety of tothea plant steam- in several ways. The more severe scenarios could potentially lead concern is line break and a steam generator tube rupture. The basis for this the following: (1) the increased dead weight and potential seismic flooded; loads placed orn the main steamline and its supports should the main steamlinepotential be

(2) the loads placed on the main steamlines as a result of the potentialforfor the rapid collapse of steam voids resulting in water hammer; (3)

secondary safety valves sticking open following discharge of water or valves two-phase flow; (4)the potential inoperability of the main steamline isolation (MSIVs), main turbine stop or bypass valves, feedwater turbine valves, or at- mospheric dump valves from the effects of water or two-phase flow; and (5) the potential for rupture of weakened tubes in the once-through steam generator on B&W nuclear steam supply system (NSSS) plants due to tensile loads caused by the rapid thermal shrinkage of the tubes relative to the generator shell.

These concerns have not been addressed in a number of plant designs, because overfill transients normally have not been analyzed.

To minimize some of the consequences of overfill, early plant designs provided commercial-grade protection for tripping the turbine or relied on operator action to control water level manually in the event the normal-water-level con- trol system failed. Later designs, including the most recent designs, provide overfill protection which automatically stops mian feedwater flow on coincident vessel high-water-level signals. These designs provide various degrees of logic and redundancy to initiate feedwater isolation and to ensure thatprovide a single failure would not inhibit isolation. A large number of plants safety-grade designs for this protection.

On the basis of the technical studies conducted by the staff and its contractors, to the staff recommends that certain actions should be taken by some plants that follows, enhance plant safety. These actions are described in the material all plants and include design and procedural modifications to ensure that (1)

provide overfill protection, (2) all plants provide plant procedures and

- 2- protection, technical specifications for periodic surveillance of the overfill provide an acceptable design to prevent

(3) certain Babcock and Wilcox plants (4) certain to the control system, and steam generator dryout on a loss of power operator emergency procedures and Combustion Engineering plants reassess their break loss of training to ensure safe shutdown during any postulated small that specify modification coolant accident. With regard to the recommendations that the to plant procedures and Technical Specifications, the intent is periodic appropriate plant procedures be modified in the short-term to provide protection system. As part of future verification and testing of the overfill should consider including upgrades to Technical Specifications, licensees in appropriate limiting conditions of operation and surveillance requirements future Technical Specification improvements.

(1) GE Boiling-Water-Reactor Plants designs (a) It is recormrended that all GE boiling-water-reactor (BWR) plant main provide automatic reactor vessel overfill protection to mitigate feedwater (MFW) overfeed events. The design for the overfill-protection to system should be sufficiently separate from the MFW control system trip on a reactor high-water-level signal ensure that the VFW pump will a fire when required, even if a loss of power, a loss of ventilation, orCommon- in the control portion of the MFW control system should occur.

mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

It is recommended that plant designs with no automatic reactor vessel better)

overfill protection be upgraded by providing a commercial-grade (or reactor vessel MFW isolation system actuated from at least a 1-out-of-1defined basis.

high-water-level system, or justify the design on some In additionu it is recommended that all plants reassess their operating ensure procedures and operator training and modify then, if necessary tothat may that the operators can mitigate reactor vessel overfill events occur via the condensate booster pumps during reduced pressure operation of the system.

for (b) it is recommended that plant procedures and technical specifications provisions all BWR plants with main feedwater overfill protection include ensure to verify periodically the operability of overfill protection and overfeed that automatic overfill protection to mitigate main feedwater be events is operable during power operation. The instrumentation should channel demonstrated to be operable by the performance of a channel check, functional testing, and channel calibration, including setpoint verification. conditions The technical specifications should include appropriate limiting comensurate for operation (LCOs). These technical specifications should be for channels with the requirements of existing plant technical specifications specifica- that initiate protective actions. Previously approved technical tions for surveillance intervals and limiting conditions for operation (LCOs) for overfill protection are considered acceptable.

- 3 -

Designs for Overfill Protection have already been incorporated Several different designs for overfill protection discussion Identifies into a large number of operating plants. The following guidance for acceptable designs.

the different groups of plant designs and provides overfill protec- Group I: Plants that have a safety-grade or a commercial-grade signal based on a tohn system initiated on a reactor vessel high-water-level initiating logic. The

2-out-of-3 or a 1-out-of-2 taken twice (or equivalent) pumps.

system isolates I4FW flow by tripping the feedwater provided that (1) the The staff concludes that this design is acceptable, portion of the MFW

control overfill protection system is separate from the power source, not same control system so that it is not powered from the that a fire is likely to affect located in the same cabinet, and not routed so specifications include both systems and (2) the plant procedures and technical of this system. Licensees of requirements to periodically verify operability have been previously plants that already have these design features that response.

approved by the staff should state this in their overfill-protection Group II: Plants that have safety-grade or commercial-grade signal based on a 1-out- systems initiated on a reactor vessel high-water-levelThe system isolates MFW

of-i, 1-out-of-2, or a 2-out-of-2 initiating logic.

flow by tripping the feedwater pumps.

provided conditions (1)

The staff concludes that these designs are acceptable plants that already have arnd (2) stated for Group I are met. Licensees of these design features that have been previously approved by the staff should a 1-out-of-1 or a 1-out-of-2 state this irn their response. Plant designs with bypass capabilities to trip logic for overfill protection should provide testing when at power prevent feedwater trips during channel functional operation.

Group III: Plants without automatic overfill protection.

to prevent reactor vessel It is recommended that the licensee have a design The justification should overfill and justify the adequacy of the design. system is separated from the include verification that the overfill protection from the same power source, feedwater control system so that it is not powered that a fire is likely to not located in the same cabinet, and not routed so could disable overfill pro- affect both systems. Common-mode failures that still result in a feedwater tection and the feedwater control system, but would The staff review identified pump trip, are considered acceptable failure modes. shutdown), and Oyster Creek;

three plants; i.e., Big Rock, LaCrosse (permanentlywish to justify riot including that fall into this group. If any of these plants should demonstrate overfill protection, part of the requested justification overfill protection system that the risk reduction in implementing an automatic of risk reduction. In is significantly less that, the staff's generic estimates such as low plant power and determining the risk reduction, specific factors applicable factors that are population density should be considered. Other plant unique should also be addressed.

- 4-

(2) Westinghouse-Designed PWR Plants It is recommended that all Westinghouse plant designsoverfeed provide automatic (a) events. The steam generator overfill protection to mitigate MFW sufficiently separate design for the overfill protection system shouldMFWbe pump will trip on a from the MFW control system to ensure that the of power, a reactor high-water-level signal when required, even if ofa loss the MFW control loss of ventilation, or a fire in the control portion overfill system should occur. Common-mode failures that could disable protection and the feedwater control system, but would still result in the feedwater pump trip, are considered acceptable failure modes.

specifications for (b) It is recommended that plant procedures and technical verify the all Westinghouse plants include provisions to periodically that the automatic operability of the MFW overfill protection and ensure operation. The power overfill protection is operable during reactoroperable instrumentation should be demonstrated to be by the performance channel calibration, of a channel check, channel functional testing, and specifications should including setpoint verification. The technical should be include appropriate LCOs. These technical specifications requirements for conurmensurate with existing plant technical specification have previously channels that initidte protective actions. Plants that intervals for overfill approved technical specifications fur surveillance protection are considered acceptable.

Designs for Overfill Protection provided in most Several different designs for overfill-protection are already the different groups of operating plants. The following discussion identifies plant designs and provides guidance for acceptable designs.

a steam Crcup I: PUnts that hdve an overfill-protection system initiated or generator high-water-level signal based on alogic 2-out-of-4 initiating logic which is safety grade, or a 2-out-of-3 initiating which is safety grade but uses one out of the three channels for both control and protection. The system the MFW pumps.

isolates MFW by closing the MFW isolation valves and tripping that (1) the The staff concludes that the design is acceptable, providedfrom the control portion of overfill protection system is sufficiently separate the same power source, the MFW control system so that it is not powered from that a fire is likely to not located in the same cabinet, and not routed so and technical specifications affect both systems, and (2) the plant procedures this system.

include requirements to periodically verify operability of overfill protection Group II: Plants with a safety-grade or a conmnercial-grade signal based on either a system initiated on a steam generator high-water-level The system isolates MFFW

l-out-of-l, l-out-of-2, or 2-out-of-2 initiating logic.

by closing the MFW control valves.

- 5- The staff finds that only one early plant (i.e., Haddam Neck) falls into this group; therefore, a risk assessment was not conducted. Considering the overfill transients (i.e.,

successful operating history of the plant regarding design may be found acceptable, no overfill events have been reported), this of the design on a plant- provided that (1) justification for the adequacy and technical specifica- specific basis is included and (2) plant procedures to periodically verify operability tions are modified to include requirements it is requested that the licensee of this system. As part of the justification, system is separate from the include verification that the overfill-protection from the same power source, feedwater-control system so that it is not powered not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Comnon-mode failures that could disable overfill protec- tion and the feedwater-control system, but would still cause a feedwater pump trip, are considered acceptable failure irodes.

Group III: Plants without automatic overfill protection.

It is recommended that the licensee have adesign.design to prevent steam generator overfill and justify the adequacy of the The justification should include verification that the overfill-protection system is separated from the feedwater-control system so that it is not powered from the same power source, not located in the safice cabinet, and not routed so that a fire is likely to affect both systems. Comion-mode failures but that could disable overfill pro- tection and the feedwater-control system, would still result in a feedwater pump trip, are considered acceptable failure modes. The staff's review identified two plants; i.e., Yankee Rowe and Sari Onofre 1; that fall into this category. If either of these plants wish to justify not including overfill protection, part of the requested justification should demonstrate that the system is risk reduction in implementing an automatic overfill protection reduction. In significantly less than the staff's generic estimates of risk such as low plant power and determining the risk reduction, specific factors Other applicable factors that are population density should be considered.

plant unique should also be addressed.

(3) Babcock and Wilcox-Designed PWR Plants*

(a) It is recommended that all Babcock and Wilcox plant designs have auto- matic steam generator overfill protection to mitigate MFW overfeed events.

On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Gen- erating Station, Unit 1. This event occurred as a result of loss of power to the integrated control system (ICS). Subsequently, the B&W Owners Group initi- ated a study to reassess all B&W plant designs including, but not limited to, the ICS and support systems such as power suppliesfrom and maintenance. As part of the USI A-47 review, failure scenarios resulting a loss of power to control systems were evaluated; and the results were factored into the A-47 requirements.

modifications, maintenance, however, other recommended actions for design developed for the (if any)

and any changes to operating procedures resolved separately.

utilities by the B&W owners group is being

- 6 -

The design for the overfill-protection system should be sufficiently trip separate from the MFW control system to ensure that the MFW pump will signals)

on a steam generator high-water-level signal (or other equivalent when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the main feedwater control system should occur.

Common failure modes that could disable overfill protection and the feedwater-control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

It is recommended that plants that are similar to the reference high-water- plant design (i.e., Oconee Units 1, 2, and 3) have a steam generator level feedwater-isolation system that satisfies the single-failureby criterion. either An acceptable design would be to provide automatic MFW isolationclosing an

(1) providing an additional system that terminates MFW flow by to each steam generator (this system is to be isolation valve in the line independent from the existing overfill protection which trips the main feedwater pumps on steam generator high-water level); (2) modifying the existing overfill-protection system to preclude undetected failures in the trip system and facilitate online testing; or (3) upgrading the existing overfill-protection system to a 2-out-of-4 TFr equivalent) high-water-level trip system that satisfies the single-failure criterion.

for (b) It is recommended that plant procedures and technical specifications all B&W plants include provisions to periodically verify the operability overfill of overfill protection and ensure the automatic main feedwater The instrumentatiore protection is operable during reactor power operation.

should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including appropriate setpoint verification. Technical specifications should include with the LCOs. These technical specifications should be commensurate that requirements of existing technical specifications for channels initiated protective actions.

(c) It is recommended that ploivt designs with no automatic protection to prevent steam generator dryout upgrade their design and the appropriate technical specifications and provide an automatic protection system to prevent steam generator dryout on loss of power to the control system. Automatic initiation of auxiliary feedwater on steam generator low-water level isin considered an acceptable design. Other corrective actions identified Section 4.3(4) of NUREG-1218 could also be taken to avoid a steam generator dryout scenario on loss of power to the control system. The staff believes that only three B&W plants, i.e., Oconee 1, 2, and 3, do not level). have automatic auxiliary feedwater initiation on steam generator low water Designs for Overfill Protection on most Several different designs for overfill protection are already providedgroups of operating plants. The following discussion identifies the different plant designs and provides guidelines for acceptable designs.

- 7 -

system initi- Group I: Plants that provide a safety-grade overfill-protection a 2-out-of-3 ated-on a steam generator high-water-level signal based on either isolates main or a 2-out-of-4 (or equivalent) initiating logic. The system in the MFW line feedwater (MFW) by (1) closing at least one MFW isolation valve to each steam generator and (2) tripping the MFW pumps.

(1) the The staff concludes that this design is acceptable, provided that feedwater control overfill protection system is sufficiently separated from the not located in the system so that it is not powered from the same power source, both systems same cabinet, and not routed so that a fire is likely to affect the feedwater and (common-mode failures that could disable overfill protection considered control system, but still result in a feedwater pump trip are specifica- acceptable failure modes) and (2) the plant procedures and technical of this system.

tions include requirements to periodically verify operability system ini- GroupI: Plants that have a commercial-grade overfill-protectionlogic that tMate-don a steam generator high-water level based on coincident tripping the minimizes inadvertent initiation. The system isolates MFW by FEW pumps.

This design may be found acceptable, provided that (1) the overfill-protection system is sufficiently separate from the feedwater control samesystem so that it is in the cabinet, and not powered from the same power source, not located and (2) the design not routed so that a fire is likely to affect both systems identified in the second modifications are implemented per the guidelines and technical paragraph of item (3)(a) above and that the plant procedures of this specifications include requirements to periodically verify operability existing system. The technical specifications should be commensurate with protec- plant technical specification requirements for channels that initiate tion actions.

1-out-of-i or a It is also recommended that plant designs that provide a separate for additional l-out-of-2 trip logic to close the feedwater isolation valves feedwater trips overfill protection provide bypass capabilities to prevent opera- during channel functional testing when at power or during hot-standby tion.

(4) Combustion Engineering-Designed PWR Plants provide automatic, (a) It is recommended that all Combustion Engineering plants (MFW) over- steam generator overfill protection to mitigate main feedwater system should be feed events. The design for the overfill-protection the MFW

sufficiently separate from the MFW control system to ensure that signal when required, pump will trip on a steam generator high-water-level control even if a loss of power, a loss of ventilation, or a fire in themodes that portion of the MFW control system should occur. Common failure system, but could disable overfill protection and the feedwater control acceptable would still result in a feedwater pump trip, are considered failure modes.

-8 -

for (b) It is recommended that plant procedures and technical specifications all Combustion Engineering plants include provisions to verify periodically the operability of overfill protection and ensure that automatic The FWW

overfill protection is operable during reactor power operation.

instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification, and by identifying the LCOs. These technical specifications should be commensurate with existing plant technical specifications requirements for channels that initiate protection actions.

high- (c) It is recommended that all utilities that have plants designed with1275 psi pressure-injection pump-discharge pressures less than or equal to reassess their emergency procedures and operator training programs and modify them, as needed, to ensure that the operators can handle the scenarios.full spectrum of possible small-break loss-of-coolant accident (SBLOCA)

This may include the need to depressurize the primary system via the atmospheric dump valves or the turbine bypass valves and cool down the plant during sone SBLOCA. The reassessment should ensure that a single failure would not negate the operability of the valves needed to achieve safe shutdown.

The procedure should clearly describe any actions the operator is required to perform in the event a loss of instrument air, or electric power prevents remote operation of the valves. The use of the pressurizer PORVs to ensure depressurize the plant during an SBLOCA, if needed, and the means to that the R NDT (reference temperature, nil ductility transition) limits are not compromised should also be clearly described. Seven plants have been identified that have high pressure injection pump discharge pressures less than or equal to 1275 psi that may require manual pressure-relief capabilities using the valves to achieve safe shutdown. They are: Calvert 2.

Cliffs 1 and 2, Fort Calhour,, Millstoine 2, Palisades, and St. Lucie 1 and Designs for Overfill Prutection protec- CE-designed plants do not provide automatic steam generator overfill licensees and tion that terminates MFW flow. Therefore, it is recommended that safety-grade or applicants for CE plants provide a separate and independent as commercial-grade steam generator overfill-protection system that will serve backup to the existing feedwater runback, control system. Existing water-level on a sensors may be used in a 2-out-of-4 initiating logic to isolate MFW flow ensure steam generator high-water-level signal. The proposed design should that the overfill protection system is separate from the feedwater-control in system so that it is not powered from the same power source, is not located both the same cabinet, and is not routed so that a fire is likely to affect and systems (common-mode failures described above are considered acceptable)

the plant procedures and technical specifications should include requirements is to periodically verify operability of the system. The information that specifica- requested to be addressed in the plant procedures and the technical tions is provided in item (4)(b) above.

LIST OF RECENTLY ISSUED GENERIC LETTERS

Generic Date of Letter Uln. Subject Issuance Issued To

89-19 REQUEST FOR ACTION RELATED TO 09/20/89 ALL LICENSEES OF

RESOLUTION OF UNRESOLVED OPERATING REACTORS,

SAFETY ISSUE A-47 'SAFETY APPLICANTS FOR

IMPLICATION OF CONTROL OPERATING LICENSES

SYSTEMS IN LWR NUCLEAR AND HOLDERS OF

POWER PLANTS" PURSUANT TO CONSTRUCTION PERMITS

10 CFR 50.54(f) FOR LIGHT WATER

REACTOR NUCLEAR

POWER PLANTS

89-18 RESOLUTION OF UNRESOLVED 09/06/89 ALL HOLDERS OF

SAFETY ISSUE A-17, "SYSTEMS OPERATING LICENSES

INTERACTIONS IN NUCLEAR OR CONSTRUCTION

POWER PLANTS PERMITS FOR NUCLEAR

POWER PLANTS

ACCESSION NUMBER IS 8909070029

89-17 PLANNED ADMINISTRATIVE 09/06/89 ALL HOLDERS OF

CHANGES TO THE NRC OPERATOR OPERATING LICENSES

LICENSING WRITTEN EXAMINA- OR CONSTRUCTION

TION PROCESS - GENERIC PERMITS FOR PWRS

LETTER 89-17 AND BWRS AND ALL

LICENSED OPERATORS

89-16 INSTALLATION OF A HARDENED 09/01/89 ALL GE PLANTS

WETWELL VENT (GENERIC

LETTER 89-16)

GENERIC LETTER 88-20 08/29/89 ALL LICENSEES

88-20 HOLDING OPERATING

SUPPLEMENT 1 SUPPLEMENT NO. 1 (INITIATION OF THE INDIVIDUAL LICENSES AND

PLANT EXAMINATION FOR SEVERE CONSTRUCTION

VULNERABILITIES 10 CFR 50.54(f)) PERMITS FOR

NUCLEAR POWER

REACTOR FACILITIES

89-15 EMERGENCY RESPONSE DATA 08/21/89 ALL HOLDERS OF

SYSTEM GENERIC LETTER NO. OPERATING LICENSES

89-15 OR CONSTRUCTION

PERMITS FOR NUCLEAR

POWER PLANTS

CORRECT ACCESSION NUMBER IS 8908220423

89-07 SUPPLEMENT 1 TO GENERIC 08/21/89 ALL LICENSEES OF

LETTER 89-07, "POWER REACTOR OPERATING PLANTS,

SAFEGUARDS CONTINGENCY APPLICANTS FOR

PLANNING FOR SURFACE OPERATING LICENSES,

VEHICLE BOMBS" AND HOLDERS OF

CONSTRUCTION PERMITS

3 September 20, 1989 Generic Letter 89-19 This request is covered by Office of Management and Budget Clearance Number

3150-0011 which expires December 31, 1989. The estimated average burden hours is 240 person hours per licensee response, including assessment of the new recommendations, searching data sources, gathering and analyzing the data, and the required reports. These estimated average burden hours pertain only to these identified response-related matters and do not include the time for actual implementation of the requested actions. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Record and Reports Management Branch, Division of Information Support Services, Office of Information Resources Management, U.S. Nuclear Regulatory Commission Washington, D.C.

20555; and to the Paperwork Reduction Project (3150-00111, Office of Manage- ment and Budget, Washington, D.C. 20503.

If you have any questions on this matter, please contact your project manager.

Sincerely, ORIGINAL SIGNED BY JAMES PARTLOW

James G. Partlow Associate Director for Projects Office of Nuclear Reactor Regulation Enclosures:

1. Enclosure 1, List of References

2. Enclosure 2, Control System Design and Procedural Modification for Resolution of USI A-47

3. Enclosure 3, List of Recently Issued NRC Generic Letters Distribution:

Central Files S. Newberry NRC PDR D. Matthews J. Partlow K. Jabbour C inger NAME :JPARTLO .p :  :  :  :

DATE :9/ /89  :  :  :  :

OFFICIAL RECORD COPY

Document Name: GENERIC LETTER USI A47

Template:GL-Nav