ML20041C824

Summary Rept on Conduct of Crbr Key Sys Reviews.
ML20041C824
Person / Time
Site: Clinch River, 050537M
Issue date: 02/28/1982
From:
ENERGY, DEPT. OF
To:
Shared Package
ML20041C820 List:
References
NUDOCS 8203020588


Text

SUMMARY REPORT ON THE CONDUCT OF THE CLINCH RIVER BREEDER REACTOR PLANT (CRBRP) KEY SYSTEM REVIEWS

February 1982

8203020588 820219 PDR ADOCK 05000537 A PDR

TABLE OF CONTENTS

1.0 INTRODUCTION
1.1 Objectives
1.2 Reviews Conducted
2.0 SUMMARY AND CONCLUSIONS
3.0 DESCRIPTION OF THE REVIEW PROCESS
3.1 Project Steering Group
3.2 Topic Selection
3.3 Team Selection
3.4 Generic Review Process and Methodology
3.4.1 Scope and Schedule
3.4.2 Data Base
3.4.3 Event / Fault Trees
3.4.4 OMT Outlines / Checklists
3.4.5 Report Preparation and Release
3.5 Resolution of Review Team Recommendations
4.0 SCOPE OF REVIEWS
4.1 Decay Heat Removal
4.2 Spent Fuel Transport, Storage and Cooling
4.3 Na/NaK Leaks
4.4 Inert Gas Processing
4.5 Thermal Margin Beyond the Design Base
4.6 Containment Isolation
4.7 Radioactive Waste (Solid and Liquid)
4.8 Liquid Metal / Water Reaction
4.9 Control Room
4.9.1 Initial Control Room Design Process
4.9.2 Design Review Process
4.9.2.1 Planning Phase
4.9.2.2 Review Phase
4.9.2.2.1 Events Evaluated by the Review Team
4.9.2.2.2 Analysis of the Events - Task Analysis
4.9.2.2.3 Control Room Model
4.9.2.2.4 Walk-Throughs
4.9.2.2.5 Formulation of Final Recommendations
4.9.2.3 Assessment and Implementation Phase
4.9.3 Conclusions
4.10 Auxiliary Cooling Systems
4.11 Plant Operation During and After Seismic Events
4.11.1 Methodology
4.12 Class 1E and Non-1E Electrical Power Distribution and I&C
4.13 PHTS/IHTS Pump Level Control and Cover Gas Systems

LIST OF TABLES

3.4-1 Event Tree Preparation Guide
3.4-2 Checklist for Decay Heat Removal Event Tree Review

LIST OF FIGURES

3.4-1 Flow Chart of Review Process
3.4-2 Top Level Event Tree for EVST Cooling System
3.4-3 Generic Event Tree
4.9-1 Partial View of the Full Scale Model of the CRBRP Control Room Panel
4.9-2 Simulators Placing Colored Acetate Sheet on the Model to Represent System Configuration for the Event Analyzed
4.9-3 Operator Performing Steps Required by the Procedure for the Event Analyzed with the Evaluation Team Observing and Analyzing
4.9-4 Typical Operating Sequence Diagram

1.0 INTRODUCTION

The purpose of this report is to provide a summary description and overview of the Key System Reviews conducted on the integrated performance of selected Clinch River Breeder Reactor Plant (CRBRP) systems. The systems selected are required to function during normal and off-normal events without creating an undue risk to the health and safety of the public or the plant operating staff. Eleven of these reviews have been completed and two are currently ongoing. These reviews primarily focused on the safety aspects of the plant design. However, where appropriate, the plant design was reviewed considering the qualitative economic aspects associated with mitigating the consequences of and recovery from off-normal events.

It was realized that as a result of TMI-2, a number of formal changes and procedures would occur in the licensing process. It was also felt that the CRBRP Project design should not wait for these formal changes to occur without a thorough review. As a consequence, the Project management decided to select some subjects for review to assess the need, if any, for changes to any design features, guidelines, or assumptions used for CRBRP.

There was no intention to use these reviews to replace the normal Final Design Review process. The Project management team selected the reviews to be conducted, established the objectives, identified the team chairmen and composition by discipline, and established a senior management Project Steering Group that provided periodic interactive guidance to the review teams.

1.1 Objectives

The overall objectives of the review team efforts were generic in nature and are summarized by the following:

1. Evaluate the operation of all interfacing systems that are required to support the overall functional service, e.g. reactor decay heat removal. The interaction of safety and non-safety related systems, if any, was considered.
2. Evaluate the operations, maintenance and tests aspects of the systems.
3. Evaluate the system and/or component failures with respect to both safety and protection of plant investment considering the following:

o initiating failures
o multiple failures
o automatic or operator action to detect and recover from postulated failures
o man-machine interfaces
o identify potential paths for radioactivity release

4. Make recommendations to enhance the design and document the review team effort.

1.2 Reviews Conducted

The integrated systems selected for review were those which support the safe operation of the plant and which involve operator interaction. The following nine (9) areas were investigated beginning in 1979:

1. Decay Heat Removal
2. Spent Fuel Transport, Storage and Cooling
3. Inert Gas Processing
4. Radioactive Waste (Solid and Liquid)
5. Containment Isolation
6. Sodium/NaK Leaks in the Reactor Containment Building
7. Liquid Metal / Water Reaction
8. Thermal Margin Beyond the Design Base
9. Control Room

The above reviews were completed and documented in the January 1980 to September 1980 time frame. As a result of the successful completion of these reviews and recommendations for additional reviews, five (5) additional reviews were initiated in late 1980 and early 1981. The areas addressed are the following:

10. Sodium/NaK leaks in the Reactor Service Building
11. Auxiliary Cooling Systems
12. Plant Operation During and After Seismic Events
13. Class 1E and Non-1E Electrical Power Distribution and I&C
14. PHTS/IHTS Pump Level Control and Cover Gas Systems

Reviews 10 and 12 were completed and documented by October 1981. Reviews 11, 13, and 14 are currently in progress and are scheduled to be completed and documented in 1982.

Section 2.0 of the report provides the Summary and Conclusions of the overall effort of the Key System Reviews.

Section 3.0 provides a description of the review process emphasizing the topic selection, team compositions, methodology, and a list of the number of recommendations made by the reviews, and the mechanism for resolving the recommendations.

Section 4.0 provides a summary of the scope of effort for each of the reviews.

2.0 SUMMARY AND CONCLUSIONS

The overall results of the Key System Reviews reinforced the Project confidence that the CRBRP can be operated without undue risk to the health and safety of the public and operating staff.

The Key System Review process provided valuable support to the normal Project review and design assurance process. These reviews did not replace any quality assurance aspect of the Project design as described in Chapter 17 of the PSAR, but were additional supportive reviews conducted in a rigorous disciplined manner. The methodology permitted a systematic review of plant operation during normal and off-normal conditions considering the various plant systems required to perform in an integrated fashion to accomplish a specific function.

The Key Systems Reviews represented a significant effort in the evolution of the CRBRP design, which must be placed in context.

The major significance to Project licensing is the nature of the process itself, and its demonstration of the dedication of the Project staff to ensuring a good product. It is of particular note that many of the actions taken, particularly in the case of the control room, pre-date but are in general compliance with NRC direction to licensees in the post-TMI era.

These reviews do not alter the technical basis for licensing; namely, the design as presented in the Preliminary Safety Analysis Report. The incorporation of the Key System Review findings into this design is addressed in Section 3 of this Report.

3.0 DESCRIPTION OF REVIEW PROCESS

This section provides a summary description of the review process which includes the Project Steering Group, topic selection, review team composition, the basic methodology used to conduct the review, and the mechanism for resolution of the team recommendations.

3.1 Project Steering Group

A Project Steering Group was established which provided initial guidance on the conduct of the reviews, provided overall direction to the review teams, and conducted periodic reviews with the team members. The Project Steering Group consisted of senior technical and management personnel with diverse backgrounds and experience. The Project Steering Group included the following personnel at various times during the process:

o CRBRP Project Office Assistant Director for Engineering - Chairman
o Westinghouse Electric Corporation - LRM Systems Integration Manager
o CRBRP Project Office - Systems Branch Chief
o Burns and Roe - Assistant Project Manager
o Westinghouse Electric Corporation - Manager, Safety and Licensing
o Operation, Maintenance and Test Specialist - General Physics Corporation
o CRBRP Project Office - I & C Branch Chief
o Westinghouse Electric Corporation - LRM - Technical Director
o Westinghouse Electric Corporation - RM - Manager Plant Engineering

The use of the Project Steering Group provided the expertise and overview necessary to integrate the overall efforts of the individual task teams with respect to the overall performance of the plant systems on an integrated basis.

3.2 Topic selection

As a result of the maturity of the CRBRP systems design and the evolving TMI-2 lessons learned, the senior engineering management of the CRBRP Project Office, Westinghouse Lead Reactor Manufacturer and Burns and Roe made the decision to perform a comprehensive review of key functional areas of the plant considering: 1) operations important to the protection of the health and safety of the public and operating staff, 2) protection of the plant investment, and 3) lessons learned from TMI-2. As a result, the senior management selected the following functional categories:

1. Decay heat removal from fuel located within the reactor vessel.
2. Decay heat removal from spent fuel located within the plant areas external to the reactor vessel.
3. Potential release of radioactivity, whether it be liquid, gaseous or solid, to the plant environment or plant environs.
4. The initiating and functioning of the containment isolation system and the plant areas defined as the confinement system to mitigate the consequences of a radiation release.
5. The potential for radioactive and non-radioactive liquid metal (sodium or NaK) release into the Reactor Containment Building cells.
6. The potential for liquid metal / water reactions during operation and maintenance conditions.
7. Core Melt events beyond the design base.
8. Man-machine interfaces specifically related to the main control room.

The senior management team generated the charters of the task teams and identified the expertise required to conduct the reviews. The review topics initially selected were based upon the above criteria and are identified as reviews 1 through 9 in Section 1.2.

As these nine (9) task team reviews were being conducted and their recommendations generated, several of the teams concluded that reviews should be conducted in additional areas. These recommended reviews were related to the following functional areas:

10. The potential for radioactive and non-radioactive liquid metal (sodium and NaK) release into the Reactor Service Building cells.
11. Normal and off-normal environmental control of the plant in the air and inert gas filled cells.
12. Plant response during and after seismic events.
13. Electrical power distribution interrelationship as it supports the automatic and operator action required to control the plant during normal and off-normal power conditions.
14. Plant response due to normal and off-normal events in the Primary and Intermediate Heat Transport System cover gas systems.

Based upon these criteria, the reviews 10 through 14 identified in Section 1.2 were initiated.

3.3 Team composition

The engineering review teams were composed of individuals selected on the basis of being able to make a significant technical contribution to the review effort. The management of all the Project participants provided full support and the review team members were given limited additional responsibilities for the duration of the review.

The typical team consisted of individuals with the following expertise:

o Cognizant engineer responsible for the design of the system most closely associated with the category assigned.
o Two or three engineers responsible for interfacing systems.
o One engineer with light water reactor plant operating experience.
o One person representing the CRBRP Project Office.
o One experienced engineer with no direct responsibility for the plant systems involved in the review.
o Consultants, as necessary.

The composition of the Control Room review team was unique from the other reviews due to the complexity of the review and the bulk of material reviewed. There were approximately 23 engineering personnel involved in various phases of the review of the Control Room. Representation from all the Project participants was provided since the review was conducted on nearly all of the plant systems. The review team was comprised of personnel with the following expertise and experience:

o Systems engineers familiar with the overall operation of the plant.
o Designers experienced in instrumentation and control systems and Control Room layout.
o Personnel with light water and sodium breeder reactor plant operation, maintenance, and testing experience.
o Human factors engineering consultants from the University of Tennessee and Westinghouse Electric Research and Development Center.

3.4 Generic Review Process and Methodology

With the selection of the review topics and team composition, the review process was initiated. Figure 3.4-1 is a Flow Chart depicting the generic process used in the review. The tools utilized by the review teams described in this section are generic in nature. In some cases, unique methodology was used; however, the planning, interaction with the Project Steering Group, report release and resolution of recommendations were consistent for all reviews. The unique methodology was used for the Control Room, Class 1E and Non-1E Electrical Power Distribution and I & C, and the Plant Operation During and After Seismic Events. The methodology for these reviews is described in Section 4. The following provides a description of the flow diagram process.

3.4.1 Scope and schedule

Each of the review teams developed a detailed scope of work and schedule for completion. This detailed scope of work was developed at team meetings where a detailed understanding of each individual's responsibility was developed. In addition, a schedule consistent with the scope of work and methodology was developed. This scope and schedule was reviewed with the Project Steering Group and, if appropriate, modified to reflect the interaction.

3.4.2 Data Base

Once the scope and schedule were established, the team began gathering the design data base information that was to be used for the evaluation of the systems encompassing the reviews. This data base was assembled to ensure that the subsequent efforts reflected the approved design (baseline documents). To accomplish this, each team assembled and reviewed the relevant baseline documents and technical reports. The primary sources of information were: System Design Descriptions (which include Operations, Maintenance, and Test procedure outlines), Piping and Instrumentation Drawings, Logic Diagrams, General Arrangement Drawings, Equipment Specifications, Interface Control Documents, and the Preliminary Safety Analysis Report. These source documents with revision numbers were identified in each team report. If the teams required information that was not available in baselined form, design assumptions were made in conjunction with the responsible design organization to permit the review to proceed. These assumptions were identified, e.g. draft engineering change proposal in process, in the report for resolution by the cognizant design organization.

The data base was assembled into appropriate formats for easy use by the teams. These took the forms of matrices, equipment lists, instruments lists, etc.

3.4.3 Event / Fault Trees

With the data base assembled, the teams proceeded to develop the tools necessary to complete the assessment of the design. The fundamental approach used by most teams was to construct event / fault trees that represented the systems / components in the plant design that were necessary to perform the review topic function, e.g. decay heat removal.

The review teams used the event tree methodology in different ways. Some of the review teams used a specific event tree that modeled the discrete systems / components necessary to perform the function. Others used a generic event tree to assess the adequacy of the system design to safely perform a function for postulated failures.

Specific Event Tree - The specific event tree was constructed to represent the systems / components that are required to function to support the topic being reviewed. Figure 3.4-2 is a simplified event tree of the spent fuel Ex-Vessel cooling system which reflects the design that has three redundant cooling loops. The actual review was conducted on an event tree that had a substructure for each of the loops. This substructure had nodes that represented components and systems that were required to function for an individual loop to remove spent fuel decay heat, e.g. pumps, valves, component cooling, offsite and diesel electrical power, etc. The functions were modeled as nodes in the event tree and binary modeling was used to depict the success or failure states of the nodes in the event tree leading to the end result, e.g., adequate fuel cooling, reduced cooling, or loss of fuel cooling.

In some cases, it was considered necessary to conduct a detailed investigation of events leading to a particular failure of a system / component node in the event tree. In these cases, fault trees were constructed to systematically represent the specific failures or faults in the combination necessary to reach the failure state in the event tree.
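The specific event tree and its fault-tree substructure, sketched as an added example that is not part of the report: each loop is a binary node computed from component states, the eight success/failure paths through three loops are enumerated, and the minimal failure combinations for one loop are found by brute force. The gate logic in `loop_works` and the `required` threshold for adequate cooling are assumptions made for illustration, not CRBRP design values.

```python
from itertools import combinations, product

# Loop-level support functions named in the text as event tree nodes.
COMPONENTS = ("pump", "valves", "component_cooling",
              "offsite_power", "diesel_power")

END_ADEQUATE = "adequate fuel cooling"
END_REDUCED = "reduced cooling"
END_LOSS = "loss of fuel cooling"


def loop_works(failed):
    """Binary success/failure node for one cooling loop.

    `failed` is the set of failed components. Assumed gate logic:
    pump AND valves AND component cooling AND (offsite OR diesel power).
    """
    def up(name):
        return name not in failed

    return (up("pump") and up("valves") and up("component_cooling")
            and (up("offsite_power") or up("diesel_power")))


def minimal_cut_sets():
    """Fault tree view: smallest component-failure sets that fail a loop.

    Subsets are tried in order of size, so any failing set that contains
    an already recorded cut set is not minimal and is skipped.
    """
    found = []
    for size in range(1, len(COMPONENTS) + 1):
        for combo in combinations(COMPONENTS, size):
            candidate = frozenset(combo)
            if loop_works(candidate):
                continue
            if any(smaller <= candidate for smaller in found):
                continue
            found.append(candidate)
    return found


def end_state(loops_ok, required=2):
    """Map loop outcomes to an end result.

    `required` (loops needed for adequate cooling) is an assumed value.
    """
    working = sum(loops_ok)
    if working == 0:
        return END_LOSS
    if working < required:
        return END_REDUCED
    return END_ADEQUATE


def top_level_paths(required=2):
    """Enumerate every path through the three-loop top level event tree."""
    return {path: end_state(path, required)
            for path in product((True, False), repeat=3)}


def paths_per_end_state(required=2):
    """Count how many of the eight paths reach each end result."""
    counts = {END_ADEQUATE: 0, END_REDUCED: 0, END_LOSS: 0}
    for state in top_level_paths(required).values():
        counts[state] += 1
    return counts


if __name__ == "__main__":
    for cut in minimal_cut_sets():
        print("loop fails if all of", sorted(cut), "fail")
    for path, state in top_level_paths().items():
        marks = ["S" if ok else "F" for ok in path]
        print("loops 1-3:", " ".join(marks), "->", state)
```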

Generic Event Tree - This modified event tree methodology was utilized by several review teams that evaluated the operator / systems interactions and the system response involving each of a series of postulated events, e.g. a leak in an auxiliary water system in the liquid metal / water reaction review.

A generic event tree and event tree guide were used by the reviewers in developing the individual event trees for each system response to an initiating event. Figure 3.4-3 provides the generic event tree and Table 3.4-1 provides the event tree guide. The triangular nodes on Figure 3.4-3, e.g. A, B.1, etc., are correspondingly described in Table 3.4-1 as A, B.1, etc.

In developing the event tree, the following aspects (identified on the generic event tree) were considered, and checklists were generated to effect their inclusion in individual event tree descriptions.

o System Automatic Actions
  - Initiating Signals
  - Sensitivity to Improper Maintenance Actions
  - Potential for Improper Operator Override of Automatic Actions
o Information Provided to the Operator
  - Adequacy of the information
  - Potential for scenario to cause instrumentation to indicate incorrect parameter values
  - Relevancy of the information provided (i.e., proper priority of alarms and indications)
o Required Operator Actions
  - Timing Requirements for Actions
  - Potential Effects of Failure to Take Required Actions
  - Potential Effects of Improper Actions

The generic event tree contains more branches than may be necessary to analyze a particular system response. In these cases, the individual review teams terminated or combined branches on the event tree to reflect the system response.

Where necessary, fault trees were generated to conduct a detailed investigation of events leading to a particular failure.

Identification of events which result in unwanted consequences allowed the team members to identify potential "problem" areas and to generate recommendations.

The use of the event / fault trees formed the basis for the systematic and rigorous review of the system design.

3.4.4 OMT Procedure Outlines / Checklists

The review evaluation of the system response was completed with the review (where available) or construction of Operation, Maintenance and Test (OMT) procedure outlines and preparation of detailed checklists. The OMT procedure outlines were used to identify the automatic and/or operator action required to detect, isolate and recover from the postulated failures. The review concentrated on the adequacy of the information provided to the Control Room Operator (CRO). Checklists were utilized in conjunction with the event / fault trees and OMT procedure outline to maintain a rigorous systematic review process. An example of the checklist used by the Decay Heat Removal team in conjunction with their specific event tree is provided in Table 3.4-2. Other review teams used modified versions of the checklist that was tailored for their review purpose, but they maintained the information necessary for the CRO to detect, isolate and recover from postulated events.

The review team analyzed the response to the checklist items and determined if recommendations should be made to enhance the system design or operability.

3.4.5 Report Preparation and Release

The teams had periodic interaction, at approximately 4-6 week intervals, with the Project Steering Group. At the conclusion of the review process, each team prepared a draft of the final report that was submitted to the Project Steering Group for review. The report contained the following information:

o Description of the problem and recommendations for solution
o Description of methods used in the analysis
o Results
o References to documentation used in the review that included the baseline data and data generated in lieu of an established baseline
o OMT procedure outlines generated for the review

Approximately 2-4 weeks after the draft report was submitted, each team made oral presentations of the review to the Project Steering Group. The team members participated in both the presentation and discussion of the problems and recommendations.

The interchange with the Project Steering Group resulted, in some cases, in modifications, additions or deletions to the list of team recommendations. The task team final report was modified, as appropriate, to incorporate the interchange comments. The final task team report was formally transmitted to the CRBRP design organizations for the responsible design organization to resolve the team recommendations.

3.5 Resolution of Review Team Recommendations

The final report for each of the key system reviews was issued to the Project design organization for resolution of the task team recommendations. The resolution of the task team recommendations was assigned in the following manner:

1. The recommendation was assigned to the design organization responsible for system design which was related to the recommendation.
2. A commitment number and date for resolution was established in a computerized tracking system.
3. The resolution for all of the recommendations was required to be formally transmitted to the CRBRP Project Office.

The resolution of the recommendations is accomplished in several ways, namely:

1. Incorporate an engineering change into the baseline design documentation via established Project procedures.
2. Reject the recommendation with adequate technical justification subject to senior management approval.
3. Perform additional systems analyses to support current baseline design.
4. Incorporate information into unbaselined documentation, e.g. procedure outlines, via established Project procedures.
5. Modify the PSAR.

The recommendations from the various task teams can be categorized into several broad areas; namely,

1. Procedure related
2. Interface inconsistencies
3. PSAR inconsistencies with design
4. Man-machine interfaces
5. Design improvements
6. Analysis required
7. Economic factors
8. Miscellaneous

The majority of the task team recommendations were related to the procedures and man-machine interfaces.

[Figure 3.4-1 Flow Chart of Review Process. Box labels: Prepare Detailed Scope and Schedule of Effort; Interaction with Senior Management; Assemble Design Data Base; Option "A" - Specific Event Tree; Fault Trees (Optional); Option "B" - Generic Event Tree; Operating, Maintenance and Test Procedure Outlines; Checklist for Specific Event Tree - Option "A"; Checklist for Generic Event Tree - Option "B"; Analyze Design - Generate Recommendations; Periodic Interaction with Project Steering Group; Prepare Draft Report; Presentation to Project Steering Group; Incorporate Comments; Project Office or Design Organization Issue Report; Design Organizations Resolve Recommendations.]

[Figure 3.4-2 Top Level Event Tree for EVST Cooling System. Nodes: Loop 1, Loop 2, Loop 3. Branch labels: S1, S2, S3, F1, F2, F3, LOC. Legend: S - success, F - failure, C - cooling, LOC - loss of cooling.]


TABLE 3.4-1 EVENT TREE PREPARATION GUIDE

Node    Description

A.      Initiating Event - Describe.
        Examples:
        o Radiation leakage outside containment
        o Loss of coolant - primary, secondary, emergency
        o Pipe break
        o Valve malfunction
        o Pump failure
        o Sodium-water accident
        o Heat exchanger leak

B.1     Detected - How
        o Sensor type & parameter sensed
        o Location of sensor
        o Indication
        o Location - local or control room
        o Alarm -
        o Audible - Shutoff - automatic or manual
        o Visible - Continuous or intermittent
        Position indication?

B.2     Automatic Action
        Describe signal to initiate (e.g. energize relay)

B.3     Automatic action occurs.
        o Describe effects on systems and plant.

B.4     Automatic action is detected.
        o Describe method of detection.

B.5     Can operator override Automatic Action?
        o Yes or No
        o State reason why operator might override automatic action, how it can be effected and what the subsequent effects of his action will be.

B.6     Automatic Action not detected.
        o State reason why it cannot or might not be detected, e.g., instrumentation failure due to event or random failure.

B.7     Can operator override automatic action?
        o Yes or No
        o If different than B.5 describe.

B.8     Automatic action does not occur.
        o State reason why it cannot or might not occur, e.g., improper maintenance or test action such as failure to reopen valves.

B.9     No automatic action is detected.
        o Describe method of detection. (Is it sufficient?)

B.10    Automatic initiation of redundant action of system if available.
        o Repeat analysis for this automatic action starting with B.2.

B.11    Manual action is required.

B.12    Proper manual action.
        o Describe action to be taken, controls and indication available, and subsequent effects of action taken. (Include consideration of time frame for action to occur).

B.13    Improper manual action.
        o Describe possible improper action,
          e.g. - no action
               - delayed action
               - opens wrong valve
               - etc.
          and provide possible bases for these actions.
        o Describe subsequent effect of action taken and indication thereof.

B.14    No automatic action, not detected.

B.15    No instrumentation available for detection of no automatic action.
        o Describe effects (Should instrumentation be provided; why?)

B.16    Instrumentation for detection of no auto action malfunctions. (Does not indicate or indicates inappropriately due to initiating event or random failures.)
        o Describe effects of possible operator action (if different from B.15) based on inappropriate indication (i.e. auto action did not occur, instrumentation indicates it did) or no indication.

B.17    Manual action is required (no auto equipment provided). Instrumentation designed to detect the event functions.

B.18    Manual action is required (no auto equipment provided). Instrumentation designed to detect the event does not function; event is detected through other instrumentation.
        o Describe the other indications which enable the operator to detect the events.

B.19    Operator takes proper manual action based on B.17 or B.18.
        o Describe the action to be taken, controls and indication available, and subsequent effects of action taken (Include consideration of time frame for action to occur).

B.20    Operator takes improper action based on B.17 or B.18.
        o Describe possible improper actions,
          e.g. - no action
               - delayed action
               - opens wrong valve
               - etc.
          and provide possible bases for these actions.

C.1     Not detected.

C.2     State whether design instrumentation is sufficient to detect the initiating event.

C.3     Sufficient instrumentation - wrong values (e.g., due to event).
        o Describe effects.

l TABLE 3.4-2 CHECKLIST FOR DECAY HEAT REMOVAL EVENT TREE REVIEW Plant Status: (Event in progress) Normal and Abnormal DHR Event Tree: Node PHTS Flow Yes No Comments

1. Is adequate instrumentation available?
2. Are appropriate alarms provided?
3. Is redundant information available in case primary instrumentation fails?
4. Is information on the MCP?

If not, where is it located?

Is it accessible to the operrtor?

5. Does the title of the alarm /

instrumentation properly identify the parameter?

6. Does the instrument and el-ectronic circuitry function throughout the event's environment?
7. Is the range of indication sufficient to cover the condition?
8. Is the instrument calibrated in the range of concern?
9. Are too many alarms provided?
10. Is the instrument channel classified 1E where necessary?

11. Does the operator have complete control over the necessary parameters?
12. Are the controls readily accessible to the operator?
13. Does the MCP show the operator the results of his actions?
14. Are the electrical and/or mechanical components properly qualified (1E, Env. Qual)?
15. Must the operator take immediate action to mitigate the event?
16. Can the operator override key automatic actions?
17. Do potential operator actions further degrade the system capability?
18. Must a roving operator be used? If so, does the environment permit use of a roving operator?
19. Can an interfacing system cause a common mode type failure in the primary system?
20. Do transients from the interfacing systems cause failure of the primary control systems?
21. Are adequate interlocks provided for interfacing systems that affect the primary system?


22. Are interfacing systems properly indicated to the operator?
23. Can interfacing system failure cause loss of primary system instrumentation?
24. Does restoration of a power supply (e.g. off-site power) adversely affect the operating DHR systems (i.e., do fail-closed valves spring open)?
25. Do potential operator actions degrade other system capabilities?
26. Does the operator have indication when the system is out of service for maintenance or surveillance?
27. Can improper maintenance degrade the system capability?
28. Must the entire system be out of service to maintain redundant components?
29. Do designed-in maintenance provisions degrade the system operation if improperly utilized?
30. Are abnormal clean-up requirements imposed by the system response?


4.0 SCOPE OF REVIEWS

The following provides a description of the scope of effort of the Key System Review. The sections pertaining to the Control Room, Class 1E and non-1E Electrical Power Distribution and I&C, and Plant Operation during and after seismic events include a description of the methodology used in the review. This is provided since there are methods associated with the review process that are unique to the process identified in Section 3.4.

4.1 Decay Heat Removal

The decay heat removal systems provide the path for reactor heat removal during normal and off-normal operating conditions, and consist of the Main Heat Transport Systems (MHTS), Steam Generator System (SGS), Main Condenser and Feedwater System, Steam Generator Auxiliary Heat Removal System (SGAHRS), and Direct Heat Removal Service (DHRS). In addition, the interfacing systems, e.g. Building Electrical Power, Control Room, Reactor Heat Transport Instrumentation and Control System, Heating, Ventilating, and Air Conditioning Systems, etc., were included in the review process as they support decay heat removal.

The review of the decay heat removal systems focused on the adequacy of safety features and verification of design operability. An examination of automatic system actions, operator initiated actions, and control room instrumentation for monitoring plant systems was considered to be of major importance. Since the decay heat removal systems operate primarily in automatic modes, the review investigated the respective systems to determine whether or not the operator would be able to diagnose, from available control room instrumentation, the plant status at any time during various decay heat removal scenarios, and whether the proper action could be taken. Tools used in the investigation were overall decay heat removal event/fault trees, instrument lists, and checklists. The specific and generic event tree methodology described in Section 3.4 was used in the review process. The plant systems and corresponding CRBRP Preliminary Safety Analysis Report (PSAR) chapter that provides a description of the systems are the following:

o Heat Transport and Connected Systems - Chapter 5
o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9
o Steam and Power Conversion System - Chapter 10

4.2 Spent Fuel Transport, Storage and Cooling

The systems reviewed were those that support the decay heat removal of spent fuel that is located external to the reactor vessel. The spent fuel can be located within the plant in the Ex-Vessel Storage Tank (EVST), the Ex-Vessel Transfer Machine (EVTM) or the Fuel Handling Cell (FHC). The spent fuel shipping cask was not reviewed.

The review of the cooling systems associated with the EVST concentrated on verifying the operability of the design to ensure the adequacy of the operation, maintenance and testing of the associated primary and interface systems (to the ultimate heat sink) to maintain adequate cooling of the spent fuel. The investigation focused on the adequacy of the mechanical systems and the associated instrumentation and control to prevent radiation exposures to the plant workers and the public. The team investigations considered automatic action, operator actions and the adequacy of the instrumentation to permit the operator to detect and mitigate the consequences of failures in the system.

The tools utilized in the investigation were event trees, operating base procedure outlines, instrumentation lists and checklists. The specific event tree methodology described in Section 3.4 was used in the review process.

The plant systems and corresponding CRBRP PSAR chapter that provides a description of the systems are the following:

o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9

4.3 Na/NaK Leaks

The systems reviewed were those used to detect, locate, and isolate leaks in CRBRP sodium and NaK systems. Sodium and NaK systems are located in the Reactor Containment Building (RCB), the Reactor Service Building (RSB), and in the Steam Generator Building (SGB). The reviews for the RCB and RSB were conducted in two different time frames. The RCB and RSB reviews were completed and documented in August 1980 and October 1981, respectively. The generic recommendations from these two reviews are to be resolved for the leak detection systems in the SGB.

In order to verify the capability of the CRBRP design to detect, isolate, and secure leaks in CRBRP sodium and NaK systems (i.e. Reactor Enclosure System, Primary Heat Transport System, Intermediate Heat Transport System, Auxiliary Liquid Metal System, and the Impurity Monitoring and Analysis System), comprehensive reviews of these respective sodium/NaK systems were conducted with emphasis both on interfacing systems dedicated to sodium/NaK leak detection and the sodium/NaK system design features that facilitate mitigation and isolation of potential sodium/NaK leakage.

Foremost in these system reviews was an assessment of the adequacy of information made available to the Control Room Operator (CRO) whereby he could diagnose the source of leakage, the magnitude of the leakage, and the impact of the leakage on the leaking and interfacing plant systems. In addition, control room information was identified and evaluated for providing the CRO with the required data to either verify that automatic actions had satisfactorily occurred to isolate the source of sodium/NaK leakage or to initiate proper operator actions to isolate the sodium/NaK leakage.

In addressing actions required to secure sodium/NaK leakage and return the plant to an operational status, this task force investigated methods for removing sodium/NaK spill volumes ranging from tens to thousands of gallons. Recovery from sodium/NaK spills included a review of present state-of-the-art techniques with special emphasis on the feasibility and practicality of these techniques for cleanup of large multi-thousand gallon radioactive sodium spills.

To determine the capability of the CRBRP design to detect sodium/NaK leakage and provide the CRO with accurate leak detection information, four key tools were utilized, namely an overall sodium/NaK leak detection event tree, detailed instrumentation lists, detailed operating base descriptions, and maintenance and test procedures. The specific event tree methodology described in Section 3.4 was used in the review process.


The plant systems and corresponding CRBRP PSAR chapter that provides a description of the systems are the following:

o Heat Transport and Connected Systems - Chapter 5
o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9
o Radioactive Waste Management - Chapter 11
o Radiation Protection - Chapter 12

4.4 Inert Gas Processing

The Inert Gas Processing System Key System Review focused mainly on the ability of CRBRP systems to prevent significant gaseous radiation releases, both offsite and onsite. This effort involved not only the Inert Gas Processing System itself, but also extensively involved the building ventilation systems, the Fuel Failure Monitoring System, and Radiation Monitoring.

Systems which contain radioactive cover gas and/or require cover gas control were also studied; these systems included the Reactor, the Primary Heat Transport System, and the Reactor Refueling System.

In addition to the gaseous radiation release aspects, the proper functioning of the Inert Gas Processing System in response to a variety of initiating events was also verified. Emphasis was placed on those parts of the system potentially containing radioactivity. The methodology used was specific event trees and fault trees described in Section 3.4.

The plant systems and corresponding CRBRP PSAR chapter that provides a description of the systems are the following:

o Heat Transport and Connected Systems - Chapter 5
o Engineered Safety Features - Chapter 6
o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9
o Radioactive Waste Management - Chapter 11
o Radiation Protection - Chapter 12

4.5 Thermal Margin Beyond the Design Base

The TMBDB review effort consisted of two categories of tasks: 1) analysis tasks, and 2) the operability review task. The analysis tasks supported the operability review task by providing detailed data to aid in assessing the consequences of various operating sequences other than the base case TMBDB. Deviations from the base case caused by operator inaction and/or different physical behavior of the plant during TMBDB were investigated. The overriding question throughout was, "What are the consequences if things do not behave the way we thought they would?"

Operator actions were assessed for initiation of TMBDB features, information available to the operator, and consequences of incorrect actions or failure of instruments (especially with respect to engineered safety features). The specific event tree methodology described in Section 3.4 was used to perform the operability review.

The CRBRP design includes features to mitigate the consequences of a hypothetical core disruptive accident (HCDA). The features that provide long term mitigation of the thermodynamic and chemical reaction effects of an HCDA are said to provide Thermal Margin Beyond Design Base, hence the term TMBDB features. The features are described in Volume 2 of CRBRP-3, "Hypothetical Core Disruptive Accident Considerations in CRBRP".


4.6 Containment Isolation

This review team performed an integrated review of the existing containment isolation system design and operability to evaluate potential leak paths from the Reactor Containment Building (RCB) to the environment, taking into account a broad range of events.

Included in the review was a study of the containment isolation instrumentation and the design, operation, maintenance and testing of the systems penetrating the Reactor Containment Building.

The team reviewed the signals and circuitry used to provide actuation signals to isolate containment. In addition, the systems and penetrations isolated and not isolated by the containment isolation system were examined. The adequacy of the initiation conditions and the adequacy of the extent of isolation were evaluated. For each penetration and its associated plant system, scenarios which might lead to radioactive material exiting containment via the penetration were reviewed.

The review team developed event trees for each penetration describing all credible events which could lead to radioactive materials exiting containment via that penetration. The event trees were then used as a guide to examine the scenarios as discussed above. The review team used the generic event tree methodology described in Section 3.4.

The plant systems and corresponding CRBRP PSAR chapter that provides a description of the systems are the following:

o Heat Transport and Connected Systems - Chapter 5
o Engineered Safety Features - Chapter 6
o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9
o Radioactive Waste Management - Chapter 11
o Radiation Protection - Chapter 12

4.7 Radioactive Waste (Liquid and Solid)

The review team performed a two part review of the radioactive waste system; namely, the liquid (Part I) and solid (Part II) processing systems.

PART I

The purpose of the review on liquid radioactive waste was to perform an integrated review of the existing Radioactive Waste System and the design and operability of the associated interfacing systems to evaluate the potential leak paths to the environment. An integrated review was conducted of the design and operability of the Radwaste System and Interfacing Systems.

In order to accomplish this objective a review of the appropriate system design, operating, maintenance, and test procedures was conducted. Where the design of the systems was not sufficiently developed to provide this information it was developed in outline form. Emphasis was placed on the following aspects of the plant design:

1. Adequacy of automatic features to terminate radioactive material leakage.
2. Adequacy of information displayed to the plant operators.
3. Ability of the plant operator to detect and respond to release of radioactive material if automatic action fails.
4. Effect of improper or no operator action in response to a radiation release.
5. Effect of maintenance and test on probability of radiation release.

Evaluations were developed of the potential for radiation release from the system boundary and to the environment. These evaluations were accomplished by first identifying a matrix of all possible release paths. Evaluation of release paths was developed by the use of fault trees which postulated equipment failures that could initiate the release of radioactive material. Each fault would initiate a series of events which could either terminate or lead to the release of radioactive material to the environment. The events were followed until all automatic action failed. Recommendations are made to ensure that the operator has means to identify and terminate the casualty. The review team used the generic event tree methodology described in Section 3.4.

PART II

The purpose of the task force on solid radioactive waste was to review the handling and disposal of the material subsequent to maintenance with regard to potential for radiation release within the plant and to the environment. Additionally, a review was made of the capability of the Radioactive Waste System to support plant recovery following a plant accident which involves a release of solid or liquid radioactive material within the plant.

To analyze the consequences of handling and disposal of solid radwaste subsequent to maintenance, it was first necessary to identify all solid radioactive waste material and the container to be used in handling and disposal. The type and quantity of radioactive material provides information on the potential for release of radiation and the ability to detect an accident. The initiating event for all potential radiation releases was assumed to be a release of the solid radwaste material from the container either during transporting or storing the radioactive material. Each event would initiate a series of events which would either terminate or lead to radioactive release to the environment. The initiating event and subsequent events were evaluated and recommendations made to ensure that the operator has means to identify and terminate the casualty.

To analyze the capability of the Radwaste System to support plant recovery following a plant accident, the initial step was to identify accidents which may involve release of solid or liquid radioactive material within the plant. The type and quantity of radioactive material was compared with the storage and processing capability of the Radwaste System. Recommendations were made where necessary to increase processing and/or storage capabilities. The review team used the generic methodology described in Section 3.4.

The plant systems and corresponding CRBRP PSAR chapter that provides a description of the systems are the following:

o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9
o Radioactive Waste Management - Chapter 11
o Radiation Protection - Chapter 12

4.8 Liquid Metal/Water Reaction

The team reviewed the systems that could provide potential pathways that might result in the interaction of radioactive liquid metals (Na or NaK) with plant service and process water systems. The analysis was divided into two major sections: those pathways which might occur inside the Containment and those which might occur outside the Containment.

This analysis concentrated on the water sources present in areas where a potential for interaction with liquid metal exists. The key systems involved in the potential water leakage paths for the Containment Building and the Reactor Service Building are:

o Normal & Emergency Chilled Water System
o Nuclear Island HVAC
o Non-Sodium Fire Protection
o Recirculating Gas Cooling System

In addition to the above, the Containment Building Liner Vent System was also included in the analysis.

Other water sources in the Reactor Service Building which were addressed:

o Containment Cleanup Subsystem
o Hot Water Heating Subsystem
o Emergency Plant Service Subsystem
o Demineralized Water Subsystem

The CRBRP design normally maintains three barriers (3 passive or 2 passive and 1 active) between water and radioactive liquid metal. In these analyses the first barrier is identified as the pipe wall of the water systems. The second barrier is the cell boundary (passive) for water systems not directly connected to sodium bearing cells, and isolation and drain valves (active) for water systems which are directly connected to sodium bearing cells. The third boundary is the pipe wall of the sodium system.

Only the first two boundaries were addressed in the analysis; the third boundary is addressed in Section 4.3 (Na/NaK Leaks).

For the analysis a leak was postulated in the first boundary and an analysis of the possibilities of breaching the secondary boundary was performed using the generic event tree methodology described in Section 3.4.

During the evaluation emphasis was directed at the following areas of concern:

a. Information available to the Control Room Operator.
b. Ability of Control Room Operator to detect and respond to leakage using available instrumentation.
c. Adequacy of automatic features provided to isolate leaking systems.
d. Effect of operator action on the possibility for liquid metal/water reaction.
e. Effect of system lineup, during and/or following maintenance and the possibility of breaching the secondary boundary under conditions when "Preferred/Reserve" power was available and when it was not available.

The analysis considered the effect of a leak in the water piping and the possibility of breaching the secondary boundary under conditions when "Preferred/Reserve" power was available and when it was not available.

Although the analysis of sodium leaks is addressed in Section 4.3, this analysis also considered the instrumentation and controls associated with such leaks. The effect of sodium leak detection systems and the ability of the operator to detect a liquid metal / water reaction was examined in the analysis.

The plant systems and corresponding CRBRP PSAR Chapter that provides a description of the systems are the following:

o Heat Transport and Connected Systems - Chapter 5
o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9
o Steam and Power Conversion Systems - Chapter 10
o Radiation Protection - Chapter 12
o General Plant Description - Chapter 1.2
o Radioactive Waste Management - Chapter 11
o Liner Vent System - Chapter 3

4.9 Control Room

Following the Three Mile Island occurrence, a review team was formed to conduct a thorough review of the CRBRP Control Room design. This review was initiated in October 1979 and completed and documented in June 1980. Approximately two (2) years after the initiation of the review, the NRC issued NUREG-0700, "Guidelines for Control Room Design Reviews" in September 1981.

It is concluded that the overall Control Room review is consistent with the guidance provided in NUREG-0700 even though the CRBRP review preceded the release of the document. The following provides a description of the initial Control Room design process, the overall design review process, and appropriate reference to NUREG-0700 for comparison.

4.9.1 Initial Control Room Design Process

The control room design process is an on-going activity which started in 1974. The initial design of the CRBRP Control Room utilized personnel experienced in human factors engineering and designers experienced with sodium and light water cooled nuclear plants.

Initial decisions were made with respect to which plant functions would be automatic and which would be the responsibility of the operator based on the dynamic response of the plant. Those functions which required immediate operation to perform a safety or complex operational task were identified as automatic actions.

Instrumentation was provided to permit operator verification of the automatic action. Manual control was provided as a backup to these automatic safety functions.

Critical steps in an operation, the last step in a series of successive operational steps, or confirmation of the safety of the plant by direct indication of I&C on the panel were assigned to the Control Room Operator (CRO). Other functions which were considered of lesser importance were assigned to a roving operator who maintains communications with the CRO.

These functions, i.e. automatic, manual from the Control Room, and manual external to the Control Room, provided the bases from which a later task function analysis was performed on the operator's ability to control and maintain the plant through a multitude of different events.

With the functions assigned, the Control Room size was estimated. An open U-shaped configuration with a modified K-frame main control panel cross-section was chosen. This configuration minimizes the operator interaction area with the panel and the acute angle observation of the instruments.

The indicators, annunciators, and controls provided the capability to operate the plant through all normal operational sequences and minimum operator time to evaluate system performance during off-normal or emergency conditions without continuously manned remote stations. Frequently used safety related instrumentation and controls were located on the Main Control Panel. Deviations from pre-determined conditions were annunciated and the status of automatic safety systems was provided with annunciators and/or indicators. This equipment was grouped by operational category to assure that indication of the plant condition and controls to correct the condition were in close proximity. Less frequently used equipment and certain electronic equipment for which access control was desired were located in the rear panel area.

The Main Control Panel was arranged with annunciators at the top. Indicators, controls, and switches were in functional groups on the vertical and sloping bench sections. The size and arrangement of equipment was based on enhancing the operator/plant man-machine interface considering the following:

1. Indications, annunciation, switches, and controls necessary to operate the plant without continuously manned remote stations were located on the Main Control Panel, or displayed on cathode ray tubes.
2. When warranted, graphic or mimic displays were provided.
3. Physical separation of redundant safety related instrumentation equipment was provided.
4. Physical, color, and geometric differentiation of displays and controls mounted on the board was provided.
5. Where practical, arrangement and design of displays and controls was specified to provide arrays which permit determination of proper alignment at a glance.
6. Modular design of switches, controls, and indicators was used.

A description of the Control Room is provided in Chapter 7 of the PSAR.

The following sections describe the review conducted on the initial Control Room design discussed above.


4.9.2 Design Review Process

The overall review process can be divided into the following three parts:

1 - A Planning Phase in which the objectives, scope and schedule of the review were identified, and personnel selection accomplished.

2 - A Review Phase in which extensive analyses of plant events were conducted.

3 - An Assessment and Implementation Phase in which the results of the review phase were formulated into a consistent set of recommendations and assigned to the Project design organizations for resolution.

This overall review process is consistent with the guidance provided in Section 1.4, "The Control Room Design Review Process," of NUREG-0700. The following sections provide the details associated with the Planning, Review, and Assessment and Implementation Phases of the review.

4.9.2.1 Planning Phase

The senior management initiated the planning phase by: 1) establishing the objectives, 2) selecting the review team chairman, and 3) establishing the criteria for selection of the review team members.

The objectives were to review the Control Room design and the operating procedure outlines to ensure that the systems designs, the integration of the systems, and the man-machine interfaces properly supported safe and expedient operation of the plant during both normal and abnormal conditions. Task analysis was to be performed followed by observing the operator conducting his various duties. Specific items included in the review were:

o Overall Control Room and individual panel designs and features, and their interface with the operator.

o System and overall plant operating procedure outlines.

o Administrative approaches for plant operations.

o Recommendations from other Key System Reviews.

o Recommendations made by NRC and other parties as a result of Three Mile Island.

o Computer utilization by the operators.


o Operator training requirements.

o Remote shutdown capabilities and safety system status indication in the Control Room.

The criteria for the selection of the review team members was the following:

o Engineers from the cognizant design organizations familiar with the design, operations, testing, and maintenance of the plant systems.

o Qualified operators on sodium cooled nuclear plants and/or licensed operators on light water cooled nuclear plants.

o Human factors engineers with experience in the nuclear and/or other industries.

o Engineers responsible for the design of the CRBRP Control Room.

o Engineers with nuclear systems experience.

o Engineers responsible for the preparation of the overall plant procedure outlines.

o Personnel with operator training experience.

To satisfy the criteria, personnel were selected from the CRBRP Project design organizations, University of Tennessee, Westinghouse Electric Corporation Research and Development Center, Energy Incorporated, General Physics Corporation, and MPR Associates, Incorporated. The Project Steering Group interacted with the team chairman in the selection of the review team members. Twenty-three (23) persons were assigned to the review team as their top priority task. As required, other personnel were used during the review process.

Plans, schedule and methodology were established and concurred with by the Project Steering Group prior to commencing the review phase. Periodic reports and demonstrations were made to the Project Steering Group during the review phase.

The team gathered the data base of procedures, human factors checklists, and drawings of the control room. The drawings were used to construct a full scale model of the Control Room.

To identify a method for conducting the evaluations, the review team consulted with individuals with extensive experience in the power plant, automotive, aerospace, and defense industries. Based on these consultations, the review team chose to: 1) analyze individual plant events, 2) identify the hardware and operator requirements for each, and 3) walk through the operator(s) responses to approximately two hundred (200) plant events on the full scale model of the Control Room.

Human factors considerations were emphasized in the planning phase. As described in Section 4.9.1, previous Control Room design efforts had attempted to optimize the man-machine interface. However, a major objective of the Control Room review was to re-evaluate this interface. Prior to the evaluation effort, a seminar was held, under the direction of three leading human factors personnel, to teach the review team disciplined methods for considering human factors. Based on this training and further assistance from human engineers, check lists were prepared to evaluate the man-machine interface. These check lists specified detailed criteria for human factors considerations, such as the following:

1. Nomenclature consistency
2. Controller, indicator, and annunciator locations and ease of operation
3. Coding of equipment (color, tactile, auditory, etc.)
4. Information flow rate for the planned staffing levels
5. Anthropometric considerations
6. Noise levels
7. Adequacy of information presented to the operator and feedback after taking actions from the Control Room

The detailed check lists were utilized during the event analyses and walk-throughs of the operator's actions. These checklists forced a comparison of the information required by the operator to perform his duties to the instrumentation and control provided in the design. By making human factors an integral part of the evaluation, the problems identified and recommendations formulated address many areas for improving the man-machine interface.

Based upon the previous discussion, it is concluded that the planning phase of the Control Room review is consistent with the guidance provided in Section 1.4.1 of NUREG-0700 which states:

"A formal planning phase is recommended. The control room design review is a major undertaking, and every effort should be made to ensure that the review meets the objectives of these guidelines, that the review results are usable, and that review documentation and reporting provide the necessary assurance that human factors engineering has been appropriately considered and applied in the control room design review process. Planning should also 4-16

take into account the data and information needs of related control room human factors efforts, se that a data base can be developed to meet common needs. Other features of the planning phase are to involve management in the overall control room design review process, to make sure that all objectives and tasks are fully understood, to develop a well defined work plan and schedule that takes operational constraints into account, and to ensure that the resources needed to complete the review on schedule will be available.

For these reasons, planning is treated in some detail, and specific recommendations are set forth concerning personnel, reference materials, and documentation. A preliminary report summarizing the formal planning phase should be prepared."

4.9.2.2 Review Phase

The Control Room review phase consisted of identifying, analyzing and walking through some 200 operational events in a full-size model of the CRBRP Control Room.

The following discussion describes in detail how the review was accomplished.

4.9.2.2.1 Events Evaluated By the Review Team

The events that were evaluated were carefully selected so as to umbrella all of the operations that are either expected to occur or might be postulated to occur over the life of CRBRP. The off-normal events include plant responses to single and multiple failures. The events were chosen from the following:

1. Design basis events and PSAR events: Twenty-five of these events were evaluated. Draft operating instructions were prepared by the review team for use during the walk-throughs.
2. Events for which operator response is governed by a general or emergency operating instruction. Eighteen of these events were evaluated and draft operating instructions were utilized during the walk-throughs.
3. Events for which an alarm annunciates in the Control Room: One hundred and sixty of these events were evaluated and draft plant alarm response procedure outlines were utilized during the walk-throughs.

Additionally, a combination event, with multiple failures, was evaluated to assess any improvement in operations with additional operators in the Main Control Room.

4.9.2.2.2 Analysis of the Events - (Task Analysis)

The members of the review team were divided into three sub-teams with each sub-team analyzing assigned events. These evaluations included the following: 1) an analysis of the dynamic response (i.e. power, flow, temperature, automatic functions, electrical & mechanical system status) of the plant, and 2) a determination of the indication (on both the hardwired indicators and the plant computer) and control available to the operator for determining the plant status and carrying out functions delineated in the operating outline procedures and defined by the analysis in (1) above. This determination was based on equipment requirements and specifications or on a documented set of assumptions in cases where the detailed design had not been completed. As described in Section 4.9.2.1, checklists were used to force the evaluation of the design and procedure outlines.

4.9.2.2.3 Control Room Model

A full-scale model of the Control Room that is in the viewing area of the operator was constructed with the Main Control Panel and the other front panels mocked up and located in accordance with the approved panel design and Control Room layout. The main panels (Main Control Panel and the electrical panel) were then covered with acetate and the instrumentation marked in red, yellow (representing white), and green for the various plant operating conditions. Figure 4.9-1 portrays a partial view of the full scale model of the Control Room.

4.9.2.2.4 Walk-Through

Following the task analysis, walk-throughs of the operator(s) responses to the events were conducted on the Control Room model.

Team members were assigned one of three roles for the walk-through of events:

1. Simulators: The simulators analyzed the events which were to be evaluated prior to the walk-throughs and then, during the walk-through evaluations, they simulated the control panel indicators by marking up the panel as they would appear to the operator. The control panels were marked up by the simulators to represent the changing plant conditions and the information flow into the Control Room during the event (Figure 4.9-2). This made the walk-through as realistic as possible.
2. Operators: The operators played the part of the Control Room operator(s) and carried out the steps of the procedure being evaluated (Figure 4.9-3). All operator movement, observations, communications and actuations were simulated.

3. Evaluators: The evaluation teams included a human factors engineer and a systems engineer (Figure 4.9-3). Their function was to fill out the Operating Sequence Diagrams (Figure 4.9-4) and the evaluation sheets for each procedure and event reviewed. The evaluation sheets identified any problems and recommendations associated with the Control Room design or procedure.

An operation sequence diagram was maintained for those events in which the operator had to take several actions, i.e. read an instrument, activate a switch, acknowledge an alarm, call-up a remote operator, etc. For each event evaluated, the use of the plant computer was considered as a means by which the man-machine interface could be improved. The human factor engineers maintained a continued surveillance over whether or not the operator tasks were too many and of such magnitude that he would encounter excessive stress.

A record was maintained during the walk-through of frequency of use of equipment. Evaluations were made to ensure most frequently used equipment was in a favored location. Some equipment used infrequently, or not at all, was recommended to be removed from the panel. A specific human factors checklist was made for CRBRP by the human factors personnel, and was used consistently throughout the evaluations.

Following the walk-through sessions, all the recommendations were compiled in draft form.

4.9.2.2.5 Formulation Of Final Recommendations

A large number of problems or concerns were identified from which recommendations were made. In some cases, these were of a broad nature and reflected the need for reconsideration of the initial design of the Main Control Room and Main Control Panel layout. Other problems and concerns related to specific details of the Control Room design or the procedure outlines. To check the consistency of all of the recommendations, small models of the overall Main Control Room and Main Control Panel were made assuming all recommendations were incorporated into the design. The recommendations were modified based on the small model to provide a coordinated and consistent set of final recommendations.

In addition to the review team recommendations, it is noted that the Project utilizes the experience gained from FFTF. A formal program has been underway for several years between FFTF and CRBRP in which problems which occur at FFTF are addressed by CRBRP cognizant design organizations and assessed as to the effect a similar problem would have on CRBRP. The CRBRP design is modified, if required.

Based upon the previous discussion, it is concluded that the review phase of the Control Room review is consistent with the guidance provided in Section 1.4.2 of NUREG-0700 which states:

"The review phase is directed to identifying and documenting human engineering discrepancies.* A system point of view is recommended so that the assessment of control room characteristics will be tied to their functional applications and operational interrelationships. It is important to note that the term system, as used here, included personnel as well as hardware; the design review addresses the total man-machine system configuration. Six processes are defined for the review phase:

1. A review of the operating experience, including examination of plant performance records and a survey of control room operators.
2. A review and analysis of system functions and control room operator tasks, to establish the instrumentation and equipment requirements and the performance criteria for the tasks operators are expected to accomplish.
3. An inventory of the control room to identify and describe the performance features of the existing instrumentation and equipment.
4. A survey of the control room in which the instrumentation, controls, other equipment, ambient conditions, and other features are checked against human engineering guidelines.
5. Verification of task performance capabilities, in which the instrument and equipment requirements derived from task analysis are compared to the items presently in the control room inventory.
6. Validation of the control room functions, in which the relationships and dependencies in operating crew activities and between the operators and plant processes are examined in the context of operational sequences."

"*The term "human engineering discrepancy" is used to denote a deviation from some benchmark such as a standard or convention of human engineering practice, an operator preference or need, or an instrument/equipment characteristic implicitly or explicitly required for an operator task."

4.9.2.3 Assessment and Implementation Phase

The assessment and implementation phase of the Control Room review process actually started near the end of the review phase.

Following the walk-throughs all of the recommendations were collected and grouped according to subject. An assessment team who had participated in the entire evaluation walk-through processes evaluated these groups of recommendations with respect to their overall impact on operations and design. When recommendations conflicted, decisions were made to optimize the problem solution. The overall effect of related recommendations was evaluated.

The recommendations were issued to the Project Steering Group.

After the interaction with the Project Steering Group and incorporation of their comments, the final recommendations were issued to the Project for resolution by the cognizant design organization.

For each recommendation, the appropriate cognizant design organization either accepts a recommendation if it is valid and incorporates the result into the design, or rejects the recommendation and provides adequate justification for the rejection subject to concurrence by Project senior management.

Regardless of whether or not a recommendation is accepted, its ultimate disposition is traced and recorded in Project documentation.

Based upon the previous discussion, it is concluded that the assessment and implementation phase of the Control Room Review is consistent with the guidance provided in Section 1.4.3 of NUREG-0700 which states:

"The processes of the review phase will identify and describe control room design features or absent features (human engineering discrepancies) that may adversely affect operator performance. In the assessment and implementation phase, those human engineering discrepancies should be assessed and the process of correcting them (implementation) initiated.

Assessment involves determining the safety significance of discrepancies and analyzing them to select design improvements. Discrepancies which have no particular safety significance should also be assessed and analyzed for correction, but on a lower priority basis. Cost/benefit or cost-effectiveness analyses should be a part of the assessment process. Assessment also involves establishing priorities and schedules for corrective action, determining the extent of corrections, and justifying any recommendations/decisions not to fully correct discrepancies.

The assessment process should ensure that the control room design review has been appropriately integrated with those other control room-related projects that are concerned with or may affect human factors. Corrective actions identified in this phase should be reviewed to ensure their consistency with the goals of related projects. (See Section 1.3.)

Once selected, corrective actions should be implemented promptly. Design improvements that can be executed without interfering with normal control room operation (e.g., changes in surface features such as labeling and location aids) should be initiated as soon as the assessment is completed.

Other improvements that involve changes to control room equipment or design or that require operator retraining should be scheduled for introduction on a schedule consistent with their significance to plant safety and with operational considerations."

4.9.3 Conclusion

The following conclusions can be reached regarding the CRBRP Control Room design process:

1. Human factors were incorporated into the CRBRP design during the initial phases (1975).
2. A thorough review of the Control Room design was held following TMI-2 (1979-1980).
3. Although the original design was functional, recommendations were made to improve the man-machine interface.
4. These recommendations are required to be evaluated by the cognizant design organizations and are incorporated into the CRBRP design, as necessary.
5. Although NUREG-0700 was issued subsequent to the Control Room Key Systems Review, the conduct of the Control Room Key System Review is consistent with the guidance provided in NUREG-0700.

Figure 4.9-4 TYPICAL OPERATING SEQUENCE DIAGRAM

[Diagram not reproduced. Header: Date 2-14-80; Event EOI 10-3; Rev. No. Draft 4; Page 1 of 1. Columns: Desk, CRT, Phone, Panels 1 & 2, 3, 4, 5, 6, 7, 8 & 9, Back Panel, Side Panel. Rows: procedure steps 1, 2, 2a through 2e, 3, and 3.1a through 3.1f. Key: line styles distinguish visual links from movement; O - Observe, A - Annunciator Ack., P - Phone Request, C - CRT Request, M - Manipulate.]

4.10 Auxiliary Cooling Systems

The team reviewed the system design to ensure that all safety related components and those selected non-safety related components (considered important for the operation of the plant) have been properly coordinated between the interfacing systems.

Detailed loss of cooling analyses were performed to ensure that the environmental qualification of the components was appropriately defined for safety related equipment. Redundancy of components and cooling equipment was factored into the review.

The initiating event of the loss of cooling analyses was an arbitrary loss of cooling to the cell without considering the probability of occurrence. This was chosen to determine the worst case condition for the cell and to examine its effects.

The plant systems and corresponding CRBRP PSAR Chapter that provides a description of the systems are the following:

o Heat Transport and Connected Systems - Chapter 5
o Engineered Safety Features - Chapter 6
o Instrumentation and Controls - Chapter 7
o Electric Power - Chapter 8
o Auxiliary Systems - Chapter 9

4.11 Plant Operation During and After Seismic Events

CRBRP structures, systems and components are classified into three seismic design categories in accordance with the importance of their function. These are Seismic Category I, II or III.

Seismic Category I structures, systems and components are those which are designed to perform their safety functions for Safe Shutdown Earthquake (SSE) vibratory ground motions.

Those Category I structures, systems and components necessary for continued operation without undue risk to the health and safety of the public are designed to remain functional under the effects of the Operating Base Earthquake (OBE).

Seismic Category II structures, systems and components are designed to remain functional under the effects of the OBE, and are not included in the Seismic Category I classification.

Seismic Category III structures, systems and components are those which are not included in either Seismic Category I or II. These systems, components and structures are designed in accordance with the design criteria of the Standard Building Code for Zone 2.

The team conducted an integrated review of Seismic Category I, II, and III Plant Equipment, Instrumentation and Control (I&C) and Electrical Items. The review team concentrated on determining the overall ability of the integrated plant systems to perform their functions necessary for continued plant operation during an OBE and to safely shut down the plant for seismic events up to and including an SSE. The review also identified what I&C are available to assess plant status following a seismic event and assessed the adequacy of the plant seismic recovery procedures to ensure proper operator response following a seismic event.

In addition, a review of "Seismic Category II and III Equipment as Hazards to Seismic Category I Equipment" was performed.

4.11.1 Methodology

To establish a data base for use during the evaluation, members of the review team compiled listings, summarizing Seismic Category I, II and III Plant Equipment, Instrumentation and Control (I&C) and Electrical. Instrument and equipment lists, Piping and Instrument Diagrams, and Interface Control Drawings were used to compile the data.

To ensure that all safety related equipment and I&C required for safe shutdown of the plant during an SSE has the proper system interfaces, a system level review of all Seismic Category I items was performed. These items were reviewed to determine if they were safety related and if any of the safety related items had Category II or III interfaces. This review highlighted those areas of potential problems that required further analysis.

Fault trees were developed as required to provide additional information on potential problem areas.

An event tree was developed for the review of plant and operator response during an SSE.

A similar process was used for determining the interfaces for Seismic Category II items. These interfaces were reviewed to determine what Category III items are likely to prevent the plant from continued operation during a seismic event equal to or less than an Operating Base Earthquake (OBE).

Again, an event tree path was developed for the review of plant and operator response during an OBE.

A. Category I

The team review of Category I components, electrical and I&C was based on the assumption that these items are designed to perform their safety function at an SSE level. The following approach was applied:

1. Review each system for safety function(s).
2. Identify and review primary interface requirements.
3. Perform preliminary analysis to determine if interface presents potential problem(s).
4. Develop fault tree, or flow chart if necessary to determine extent of problem(s).
5. Input findings to plant response analysis.
6. Develop overall plant event tree, prepare Operating Base Procedure Outlines (OBOs) and determine consequences.

The following OBOs were developed to assess the effects of an SSE on plant operation.

Event: Assumption

o Seismic Event of SSE Magnitude: No failures
o Seismic Event of SSE Magnitude: Seismic Category II and III active components except electrical systems fail
o Seismic Event of SSE Magnitude: Loss of Offsite Power; both diesels start; Category II and III active items fail
o Seismic Event of SSE Magnitude: Loss of Offsite Power; Diesel A starts, Diesel B fails to start; Category II and III active items fail
o Seismic Event of SSE Magnitude: Loss of Offsite Power; Diesel B starts, Diesel A fails to start; Category II and III active items fail
o Seismic Event of SSE Magnitude: Loss of Offsite Power; both diesels fail to start; Category II and III active items fail
o Seismic Event of SSE Magnitude: Containment seismic instrumentation system Category II & III items fail

B. Category II and III

The team review of Category II components, electrical and Instrumentation and Control was based on the assumption that these items are designed to survive an OBE event and remain capable of functioning.

The team review of Category III components, electrical and I&C was based on the assumption that these items may or may not continue to function for any seismic disturbance.

Upon completion of the review of Category II and III components, electrical and I&C, an event tree for an OBE was developed, OBOs prepared, and consequences determined.

The following OBOs were developed to assess the effects of an OBE on plant operation.

Event: Assumption

o Seismic Event of OBE Magnitude: Loss of Offsite Power; both diesels start; Category III active items fail
o Seismic Event of OBE Magnitude: Loss of Offsite Power; Diesel A starts, Diesel B fails; Category III active items fail
o Seismic Event of OBE Magnitude: Loss of Offsite Power; Diesel B starts, Diesel A fails; Category III active items fail
o Seismic Event of OBE Magnitude: Seismic Category III active components fail

Then, plant operating procedures for seismic events were reviewed and conclusions and recommendations were developed.

C. Seismic Category II and III Hazards

This review was conducted to assess if failure of Seismic Category II and III items can affect the performance of Seismic Category I items due to missile generation.

The following definitions were used during this review process.

The Seismic Category I item was called the target and the Seismic Category II or III item was called the hazard. The zone of influence was that volume of space through which the hazard could fall when propelled by the energy from the earthquake. Examples of targets and hazards analyzed during the review are the following: Piping, supports, snubbers and valves, electrical cabinets, boxes, conduits and cable trays, normal lighting and emergency lighting fixtures, instruments and instrument tubing, heating and ventilation ducting, and architectural structures such as walkways, grating, ladders and railings.

Each cell was examined using a CRBRP plant scale model (1/2 inch equals a foot) to determine the potential of the targets being impacted by hazards. Drawings were used where cells had not been incorporated in the CRBRP model. Recommendations were made if the zone of influence and energy capability of the hazard had the potential of jeopardizing the function of the Seismic Category I target.

4.12 Class 1E and Non-1E Electrical Power Distribution and I&C

The purpose of the in-process review is to perform an integral review of the Class 1E and Non-1E buses supplying power to all safety and non-safety related instrumentation and control systems which could affect the ability to achieve shutdown and remove decay heat using existing procedures or new procedures to be developed. Emphasis is being placed on operator indications in the Control Room for normal and abnormal operation of the electrical power distribution and any impact on plant operation.

The review is in process and is scheduled to be completed in 1982.

The review effort has been structured considering the guidance provided in the NRC IE Bulletin No. 79-27, "Loss of non-class-1E Instrumentation and Control Power System Bus During Operation", dated November 30, 1979.

The following is the scope of effort for the review:

1) Identify the instrument and control system loads connected to the buses and evaluate the effects of loss of power to these loads including the ability to achieve shutdown and safely remove decay heat. The loads will consist of the individual sensors, signal conditioners, indicators, or other elements that make up an instrument or control loop.

2) Identify the cross-connection of power supplies, particularly in the 1E area; i.e., sensor and indicator on one loop supplied from different power divisions.

3) Identify alternate indications and/or control circuits which may be powered from other 1E or non-1E instrumentation and control buses.

4) Generate Operating Base Procedures to be used by the operator upon loss of power to each 1E and non-1E bus supplying power to safety and non-safety related instrument and control systems.

To establish a data base for evaluation, the review team expanded on and studied the Project Instrument Index. The principal tool is a special printout of the Instrument Index which sorts for each element in an instrument or control loop:

1. Location.
2. Safety class code.
3. Electric power source bus.
4. Source bus power division.
5. Load voltage/frequency.
6. Equipment failed position.
7. Alternate or back-up indication to main control panel.
8. Equipment restart mode.

Supporting the Instrument Index is the Power Distribution System Fault Tree which is being used to identify all loads affected by the failure of a power bus at any level.

Analysis of the Instrument Index and the Power System Fault Tree is being used to demonstrate that the electrical distribution is adequately implemented to prevent the loss of a power bus from causing failure of independent or redundant systems and affecting the ability to achieve shutdown and safely remove decay heat. A computer program has been generated to provide the I&C response with the failure of the electrical supply system on a bus-by-bus basis.

The review covers all systems of CRBRP associated with plant operation.
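
The bus-by-bus evaluation described in this section can be sketched as follows. This is an added example, not the Project's computer program: the bus names, instrument tags, loop names, and the rule that a bus with two feeders is lost only when both feeders are lost are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Element:
    """One Instrument Index row (a subset of the sort fields listed above)."""
    tag: str
    loop: str
    location: str
    safety_class: str          # "1E" or "non-1E"
    bus: str                   # electric power source bus
    division: str              # source bus power division
    failed_position: str       # equipment state on loss of power
    alternate: Optional[str]   # tag of alternate/back-up indication, if any


# Constructed distribution system: each bus maps to the buses that can feed it.
# A bus with no feeders is a source.
FEEDS = {
    "4KV-A": [], "4KV-B": [],
    "480V-A": ["4KV-A"], "480V-B": ["4KV-B"],
    "120V-INST-1": ["480V-A"], "120V-INST-2": ["480V-B"],
    "120V-NON1E": ["480V-A", "480V-B"],   # assumed transfer between two feeders
}

# Constructed index rows. PHTS-FLOW-1 has its sensor and indicator on different
# divisions, the cross-connection named in scope item 2.
INDEX = [
    Element("FT-101", "PHTS-FLOW-1", "Cell", "1E", "120V-INST-1", "1", "fails low", "FI-201"),
    Element("FI-101", "PHTS-FLOW-1", "Main Control Panel", "1E", "120V-INST-2", "2", "fails low", "FI-201"),
    Element("FT-201", "PHTS-FLOW-2", "Cell", "1E", "120V-INST-2", "2", "fails low", "FI-101"),
    Element("FI-201", "PHTS-FLOW-2", "Main Control Panel", "1E", "120V-INST-2", "2", "fails low", "FI-101"),
    Element("LT-301", "PUMP-LEVEL", "Cell", "non-1E", "120V-NON1E", "N", "fails as-is", None),
    Element("LI-301", "PUMP-LEVEL", "Main Control Panel", "non-1E", "120V-NON1E", "N", "fails as-is", None),
]


def lost_buses(feeds, failed_bus):
    """Propagate a bus failure downward: a fed bus is lost when all feeders are lost."""
    lost = {failed_bus}
    changed = True
    while changed:
        changed = False
        for bus, sources in feeds.items():
            if bus not in lost and sources and all(s in lost for s in sources):
                lost.add(bus)
                changed = True
    return lost


def cross_division_loops(index):
    """Loops whose elements are supplied from more than one power division."""
    divisions = defaultdict(set)
    for e in index:
        divisions[e.loop].add(e.division)
    return {loop: sorted(d) for loop, d in divisions.items() if len(d) > 1}


def bus_failure_response(index, feeds, failed_bus):
    """I&C response to one bus failure: lost elements and surviving alternates per loop."""
    lost = lost_buses(feeds, failed_bus)
    by_tag = {e.tag: e for e in index}
    loops = defaultdict(list)
    for e in index:
        loops[e.loop].append(e)
    # A loop is degraded when any of its elements has lost power.
    degraded = {name for name, elems in loops.items() if any(e.bus in lost for e in elems)}
    report = {}
    for name in sorted(degraded):
        elems = loops[name]
        # An alternate indication counts only if its whole loop is still powered.
        alternates = sorted({e.alternate for e in elems
                             if e.alternate in by_tag
                             and by_tag[e.alternate].loop not in degraded})
        report[name] = {
            "lost": {e.tag: e.failed_position for e in elems if e.bus in lost},
            "alternates": alternates,
        }
    return report


def single_failure_findings(index, feeds):
    """(bus, loop) pairs where one bus failure leaves a loop with no alternate."""
    findings = []
    for bus in sorted(feeds):
        for loop, entry in bus_failure_response(index, feeds, bus).items():
            if not entry["alternates"]:
                findings.append((bus, loop))
    return findings


if __name__ == "__main__":
    print("Cross-division loops:", cross_division_loops(INDEX))
    for bus, loop in single_failure_findings(INDEX, FEEDS):
        print(f"Loss of {bus}: {loop} has no surviving alternate indication")
```

In the constructed data, loss of 4KV-B removes both flow loops at once because the cross-connected indicator FI-101 shares a division with its intended back-up.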

4.13 PHTS/IHTS Pump Level Control and Cover Gas Systems

This review is being conducted to verify the operability of the Primary and Intermediate Heat Transport System (PHTS/IHTS) Pump Level Control and Cover Gas System during normal and abnormal operating modes. An integrated review of the following systems is being conducted to ensure that the pumps will support decay heat removal during all normal and abnormal operating conditions.

o Primary Heat Transport System - PSAR Chapter 5
o Intermediate Heat Transport System - PSAR Chapter 5
o Reactor Heat Transport Inst. & Control System - PSAR Chapter 7
o Piping Equip. Elec. Heating & Control System - PSAR Chapter 9
o Inert Gas Receiving & Processing System - PSAR Chapter 9

This review is employing the fault tree and specific event tree methodology described in Section 3.4. Using the current baseline design, event trees and operating base outlines will be generated for the pump and cover gas systems to determine conditions which result in potential failures that could lead to an operational loss of one or more of the primary or intermediate heat transport pumps.

The final report for this review is scheduled to be issued in 1982.
