ML20137W427

Forwards Revised Instrumentation & Control Sys Branch Minutes from 851120-21 Meeting,Consolidating Responses to Requests for Addl Info 420.05 to 420.81.Tabulation of FSAR Changes & Revised Project Documents Included
ML20137W427
Person / Time
Site: Seabrook
Issue date: 02/14/1986
From: Devincentis J
PUBLIC SERVICE CO. OF NEW HAMPSHIRE
To: Noonan V
Office of Nuclear Reactor Regulation
References
RTR-NUREG-0737, RTR-NUREG-737 SBN-945, NUDOCS 8602200139


Text


SEABROOK STATION
Engineering Office

Public Service of New Hampshire
New Hampshire Yankee Division

February 14, 1986
SBN-945
T.F. B7.1.2

United States Nuclear Regulatory Commission
Washington, DC 20555

Attention: Mr. Vincent S. Noonan, Project Director
PWR Project Directorate No. 5

References:

(a) Construction Permits CPPR-135 and CPPR-136, Docket Nos. 50-443 and 50-444

(b) PSNH Letter (SBN-431), "Open Item Response (SRP 7.3.2, 7.4.2, 7.5.2, 7.7.2)," J. DeVincentis to G. W. Knighton, dated January 25, 1983

(c) PSNH Letter (SBN-471), "Open Item Responses (SRP 7.3.2, 7.4.2, 7.5.2, 7.7.2; Instrumentation and Control Systems Branch)," dated February 17, 1983

(d) PSNH Letter (SBN-489), "Open Item Response (SRP 7.4.2.1, RAI 420.48; Instrumentation and Control Systems Branch)," dated March 10, 1983

Subject:

Meeting Notes, Instrumentation and Control Systems Branch

Dear Sir:

We have enclosed revised ICSB meeting minutes that consolidate our responses to RAIs 420.05 to 420.81. This enclosure includes revisions to RAIs 420.8, .10, .12, .15, .23, .45, .47, .48, .54, .54, .68, .73, .76, and .81 that were discussed at the ICSB meeting held November 20 and 21, 1985. It also includes updated status of the remaining outstanding and confirmatory issues. This status includes the tabulation of the FSAR changes and revised project documents that provide formal documentation of the commitments made in our RAI responses. Copies of the project documents listed will be available in our Bethesda licensing office for Staff review and information.

We will provide an additional response to RAI 420.23 by February 28, 1986.

Very truly yours,

John DeVincentis, Director
Engineering and Licensing

8602200139 860214 PDR ADOCK 05000443 A PDR

Enclosures

cc: Atomic Safety and Licensing Board Service List

P.O. Box 300, Seabrook, NH 03874, Telephone (603) 474-9521

William S. Jordan, III, Diane Curran, Harmon, Weiss & Jordan, 20001 S. Street, N.W., Suite 430, Washington, D.C. 20009

Donald E. Chick, Town Manager, Town of Exeter, 10 Front Street, Exeter, NH 03833

Brentwood Board of Selectmen, RFD Dalton Road, Brentwood, NH 03833

Robert G. Perlis, Office of the Executive Legal Director, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Richard E. Sullivan, Mayor, City Hall, Newburyport, MA 01950

Robert A. Backus, Esquire, 116 Lowell Street, P.O. Box 516, Manchester, NH 03105

Calvin A. Canney, City Manager, City Hall, 126 Daniel Street, Portsmouth, NH 03801

Philip Ahrens, Esquire, Assistant Attorney General, Augusta, ME 04333

Dana Bisbee, Esquire, Assistant Attorney General, Office of the Attorney General, 208 State House Annex, Concord, NH 03301

Mr. John B. Tanzer, Designated Representative of the Town of Hampton, 5 Morningside Drive, Hampton, NH 03842

Anne Verge, Chairperson, Board of Selectmen, Town Hall, South Hampton, NH 03827

Roberta C. Pevear, Designated Representative of the Town of Hampton Falls, Drinkwater Road, Hampton Falls, NH 03844

Patrick J. McKeon, Selectmen's Office, 10 Central Road, Rye, NH 03870

Mrs. Sandra Gavutis, Designated Representative of the Town of Kensington, RFD 1, East Kingston, NH 03827

Carole F. Kagan, Esquire, Atomic Safety and Licensing Board Panel, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Jo Ann Shotwell, Esquire, Assistant Attorney General, Environmental Protection Bureau, Department of the Attorney General, One Ashburton Place, 19th Floor, Boston, MA 02108

Mr. Angi Machiros, Chairman of the Board of Selectmen, Town of Newbury, Newbury, MA 01950

Senator Gordon J. Humphrey, U.S. Senate, Washington, DC 20510 (ATTN: Tom Burack)

Town Manager's Office, Town Hall - Friend Street, Amesbury, MA 01913

Senator Gordon J. Humphrey, 1 Pillsbury Street, Concord, NH 03301 (ATTN: Herb Boynton)

Diana P. Randall, 70 Collins Street, Seabrook, NH 03874

H. Joseph Flynn, Office of General Counsel, Federal Emergency Management Agency, 500 C Street, SW, Washington, DC 20472

420.5 (7.1) As called for in Section 7.1 of the Standard Review Plan, provide information as to how your design conforms with the following TMI Action Plan Items as described in NUREG-0737:

(a) II.D.3 - Relief and safety valve position indication,

(b) II.E.1.2 - Auxiliary feedwater system automatic initiation flow indication,

(c) II.E.4.2 - Containment isolation dependability (positions 4, 5 and 7),

(d) II.F.1 - Accident monitoring instrumentation (positions 4, 5 and 6),

(e) II.F.3 - Instrumentation for monitoring accident conditions (Regulatory Guide 1.97, Revision 2),

(f) II.K.3 - Final recommendations

.9 - PID controller

.12 - Anticipatory reactor trip.

RESPONSE (3/23, 1/83): (a) II.D.3 The single acoustic device to monitor all safety valves is not redundant but is safety grade. Limit switches for each PORV are not redundant but position indication is safety grade. Position indication system is seismically and environmentally qualified. There will be control room alarm for acoustical device and for either PORV not closed. There is backup temperature indication downstream of each safety valve and one temperature indication for both PORVs. All are alarmed in the control room. The FSAR will be revised.

(b) II.E.1.2 Auxiliary feedwater system automatic initiation is safety grade. Flow indication meets Item 2a and b of II.E.1.2-5, NUREG-0737.

(c) & (d) II.E.4.2 and II.F.1 will be handled by containment systems branch.

(e) II.F.3 will be covered by Regulatory Guide 1.97, Response 420.51.

(f) II.K.3.9 and .12, provided response in letter SBN-212, dated 2/12/82. Reviewed by staff and found acceptable.

ADDITIONAL RESPONSE (5/12): (a) NUREG-0737, Item II.D.3. Clarification was made that the final design of the safety and relief valve position indication is not complete. The project documents and the FSAR will be revised. The block valves, position indication and their manual controls will be Class 1E.

(b) NUREG-0737, Item II.E.1.2, will be addressed in the overall discussions of the emergency feedwater system.

FSAR Figure 7.2-1, Sh. 15 and Page 7.3-23, will be corrected to indicate that both A & B trains actuate the turbine driven emergency feedwater pump.

ADDITIONAL RESPONSE (9/14, 1/83): (a) FSAR 5.2.2.8 will be revised to provide the information on relief and safety valve position required by NUREG-0737 II.D.3. A handout of the draft FSAR revision is included in the meeting minutes.

(b) The information required by NUREG 0737 II.E.1.2 is provided in the following FSAR sections that are keyed to the 0737 positions and clarifications:

Part I

Position

(1) 6.8.1 h, 6.8.5

(2) 6.8.1 a, 7.3.2.2

(3) 6.8.4, 7.3.2.2

(4) 8.3

(5) 6.8.1 h

(6) 8.3

(7) 6.8.1 h

Clarification

The automatic initiation signals and circuits are safety grade and comply with the salient paragraphs of IEEE 279-1971 listed in action Item II.E.1.2 of NUREG-0737.

Part II

Position

(1) 6.8.5

(2) 6.8.5, Table 7.5-1

Clarification

(1) Not applicable

(2) (a) 6.8.5, Table 7.5-1

(b) (i) 6.8.5, 7.5.3.3 (a)

(ii) 6.8.5, 7.5.3.3 (g)

(iii) 7.5.3.3 (j), (k)

(iv) 17.2.2.2, Appendix 311

(v) 7.5.3.3 (a)

This instrumentation will be covered in the Control Room design review and the operator training program.

Note that 6.8 is being revised to include this and other information on EFW changes; a copy of the draft revision is attached as part of the response to RAI 420.36. FSAR Figure 7.2-1, Sh. 15, and p. 7.3-23 will be revised to show that both A & B trains actuate the turbine driven pump. A copy of the FSAR markups is attached.

HANDOUT (9/14, 11/82): Revised FSAR 5.2.2.8 for RAI 420.5 (a).

5.2.2.8 Process Instrumentation

Instrumentation is provided in the control room to give the open/closed status of the pressurizer safety and Power Operated Relief (PORV) Valves. Each PORV is monitored by limit switches that operate red and green indicating lights on the main control board. The safety valves are monitored by an acoustic monitor that senses the acoustic emissions associated with flow in the discharge line that is common to the three safety valves.

All instrumentation will be environmentally and seismically qualified, will be powered from a vital instrument bus, and will actuate VAS alarms. The indication will not be redundant; therefore, backup indication and alarms are provided by temperature indication on the discharge of each safety valve and the common discharge from the PORVs and by primary relief tank temperature, pressure, and level.

The primary and backup instrumentation will be integrated into the emergency procedures and operator training. The human factors analysis will be performed as part of the control room design review.

STATUS (2/86): (a) PORV and safety valve position indication. Closed per SER 7.5.2.6.

(b) Flow indication. Closed per SER 7.3.1.7.2.

Automatic initiation and flow control - FSAR 6.8, FSAR Page 7.3-23 and FSAR Figure 7.2-1, Sh. 15 were revised in Amendment 48.

Drawings:

M-506497
M-506555
M-507056
M-503585
M-503586
M-504152
M-504155
F-510107
M-310844, SH-B3V a through d
M-310844, SH-B3Z a through d
M-310844, SH-E3E/1a through 1c
M-310844, SH-E3F/1a through 1c

(SERs 6.8, 7.3.1.7.1, 7.3.1.7.2, 7.3.2.11, and 7.5.2.6)

(c) and (d) Will be reviewed by Containment Systems Branch.

(e) See RAI 420.49.

(f) Closed.

420.6 (7.1) Provide an overview of the plant electrical distribution system, with emphasis on vital buses and separation divisions, as background for addressing various Chapter 7 concerns.

RESPONSE (3/23): Discussed at meeting; no further response required.

STATUS (5/12): Closed.

420.7 (7.1) Describe features of the Seabrook environment control system which insure that instrumentation sensing and sampling lines for systems important to safety are protected from freezing during extremely cold weather. Discuss the use of environmental monitoring and alarm systems to prevent loss of, or damage to, systems important to safety upon failure of the environmental control system.

Discuss electrical independence of the environmental control system circuits.

RESPONSE (3/23): Written response reviewed by the NRC and attached to meeting notes. We reviewed the freeze protection for the refueling water storage tank (RWST) after the meeting. It was determined that the instruments and sensing lines are in the building that encloses the RWST and is maintained above 32°F by the heated RWST.

Additional freeze protection is not required. RAI 440.104 is related. This item is under review by the staff.

ADDITIONAL RESPONSE (5/12, 7/15): Fluid systems are protected from freezing by being 1) located in an area with a heating system; 2) located in an enclosure with a heated tank; or 3) provided with heat tracing.

The majority of the safety-related piping is located in areas that are provided with heating systems. Low ambient temperature is alarmed in the control room. The alarms are not safety grade.

The alarm is electrically independent of the heating system. The areas are accessed periodically as part of the operator's inspections. The operator will be instructed to notice abnormal ambient temperatures that could result from failure of the heating system.

The tank farm enclosure is maintained above the freezing temperature by the heat lost from the heated RWST. Low ambient, RWST, and spray additive tank temperatures are alarmed in the control room to warn of abnormal conditions in the tank farm enclosure.

Safety-related piping that is not in heated areas or that requires the maintenance of temperatures higher than the design ambient temperatures is provided with dual heat tracing circuits and low temperature alarms.

The alarm and heat tracing circuits are electrically independent; therefore, failure of the heating circuit will not result in loss of the low temperature alarm. Loss of power to the low temperature alarm and heat tracing circuits will be alarmed in the control room.

HANDOUT (3/23): To ensure that instruments, including sensing and sampling lines, are protected from freezing during cold weather, electrical heat tracing is provided. Heat tracing on safety-related piping is protected by redundant, nonsafety-related, heat tracing. On the boron injection line only, the primary heat tracing circuit is train A associated. The backup heat tracing circuit is train B associated. This backup circuit is normally de-energized. On the remaining lines, the redundant heat tracing circuit is energized from the same train as the primary circuit.

Integrity of each circuit is continuously monitored. Low and high temperature alarms are available at the heat tracing system control cabinet. Additionally, failures as detailed below are indicated at the heat tracing control cabinets that are located in the general vicinity of the systems being heat traced:

a) Loss of voltage,

b) Ground fault trip for each heating element circuit,

c) Overload trip of branch circuit breakers.

Trouble alarms are provided in the main control room.

STATUS (9/14): Closed.

420.8 (7.1) Provide and describe the following for NSSS and BOP safety-related setpoints:

(a) Provide a reference for the methodology used. Discuss any differences between the referenced methodology and the methodology used for Seabrook,

(b) Verify that environmental error allowances are based on the highest value determined in qualification testing,

(c) Document the environmental error allowance that is used for each reactor trip and engineered safeguards setpoint,

(d) Identify any time limits on environmental qualification of instruments used for trip, post-accident monitoring or engineered safety features actuation. Where instruments are qualified for only a limited time, specify the time and basis for the limited time.

RESPONSE (3/23): Seabrook uses the same methodology as W used for DC Cook, North Anna and Summer; there are no differences. DC Cook and North Anna were submitted and approved. This is applicable for both NSSS and BOP safety-related setpoints.

WCAP 8587 and 8687 describe the determination of environmental error allowances.

ADDITIONAL RESPONSE (9/14): The use of the Westinghouse statistical methodology was accepted by the NRC for Virgil C. Summer (NUREG 0717 Supplement No. 4).

The determination of the Seabrook setpoints will be consistent with the method used for Summer.

ADDITIONAL RESPONSE (2/86): The following provides the additional information requested by SER 7.3.2.13.

1. The calculations performed for the Seabrook plant utilize the methodology that is fully approved by the NRC staff. The areas of disagreement noted in NUREG-0717, Supplement 4 have been resolved, with the Seabrook calculations reflecting this resolution. Recent plants utilizing the fully approved approach are: Callaway, Wolf Creek, Millstone Unit 3, and Byron. The methodology utilized for Seabrook is identical to these recently approved plants.
2. Where instrumentation is required to operate in a harsh environment in order to perform a required safety function, environmental error allowances are included in the setpoint determination. Environmental error allowances used in the development of the protection system, engineered safety features actuation system, and BOP safety-related setpoints envelope or equal the data obtained from qualification testing.
3. The qualification and accuracy for reactor trip and ESF functions is based on exposure up to five minutes. In all cases where qualified equipment is necessary to provide protection function actuation, that actuation is calculated to take place in less than five minutes.
4. The only protection function which has a theoretical trip setpoint within 3% of the measurement span limits is steam generator water level - low-low. This is due to the conservative value used for the environmental allowance. EA reflects a combined uncertainty for both elevated temperature and radiation exposure. The transient event this function is used for does not result in any significant radiation exposure. It is therefore expected that the actual trip setpoint would occur before reaching 3% or less of the measurement span.

420.9 (7.1.2.5) There is an inconsistency between the discussions in FSAR Section 1.8 and FSAR Section 7.1.2.5 pertaining to the compliance with Regulatory Guide 1.22. FSAR Section 1.8 states that the main reactor coolant pump breakers are not tested at full power. FSAR Section 7.1.2.5 does not include these breakers in the list of equipment which cannot be tested at full power. Please provide a discussion as to whether the operation of the reactor coolant pump breakers is required for plant safety. If not, then please justify. Also, please correct the inconsistency described above and, as a minimum, provide a discussion per the recommendations of Regulatory Position D.4 of Regulatory Guide 1.22.

RESPONSE (3/23): Revised 1.8 provided to staff and attached to meeting notes; reactor does not trip on opening of reactor coolant pump breakers.

STATUS (9/14): Closed.

420.10 (1.8, 7.1.2.6, 7.5) Using detailed plant design drawings (schematics), discuss the Seabrook design pertaining to bypassed and inoperable status indication. As a minimum, provide information to describe:

1. Compliance with the recommendations of Regulatory Guide 1.47,
2. The design philosophy used in the selection of equipment/systems to be monitored,
3. How the design of the bypass and inoperable status indication systems comply with Positions B1 through B6 of ICSB Branch Technical Position No. 21, and
4. The list of system automatic and manual bypasses within the BOP and NSSS scope of supply as it pertains to the recommendations of Regulatory Guide 1.47.

The design philosophy should describe, as a minimum, the criteria to be employed in the display of inter-relationships and dependencies on equipment/systems and should insure that bypassing or deliberately induced inoperability of any auxiliary or support system will automatically indicate all safety systems affected.

RESPONSE (3/23): Handout given to staff. Overview of systems covered and description of operation given including automatic and manual modes, and interaction between systems. Handout as amended during meeting will be attached to the meeting minutes.

System description of computer and video alarm system (VAS) presented during meeting and will be followed up by written description to staff as response to RAI 420.49. A meeting will be held with the staff in Washington at a later date to review all aspects of plant computer operation.

Staff presented concern that some guarantee must be considered as to percent of time computer will be operating and that plant will not continue to operate for any length of time, without appropriate corrective action, when and if computer should be out of service. A possible solution would be to refer operating and repair times to safety review committee although it is agreed that the computer is not a safety-related system. Staff asked for additional information concerning level of validation and verification of software.

HANDOUT (3/23, 1/83, 2/86):

1. Systems are designed to meet the recommendations of Regulatory Guide 1.47.

2. Design philosophy is discussed in FSAR Section 7.1.2.6. The selection of equipment is given in Item 4.

3. System design meets the recommendation of ICSB-21 as follows:

B1 - Refer to FSAR Section 7.1.2.6(a).

B2 - System design meets the requirements. Refer to logic diagrams listed in FSAR Section 7.1.2.6(f).

B3 - Erroneous bypassed/inoperable alarm indications could be provided by any of the following:

- dirty relay contacts

- dirty limit switch contacts.

B4 - The bypass indication system does not perform functions essential to safety. (Refer to FSAR Section 7.1.2.6)

- A system design is supplemented by administrative procedures. The operator will not rely solely on the indication system.

B5 - The indication system does not perform any safety-related functions and has no effect on plant safety systems. The indication system is located at the MCB separately for each train on system level basis.

B6 - All bypass indicators and plant video annunciator systems are capable of being tested during normal system operation.

4. The list of equipment which provides input to bypass/inoperable alarms, and indication, is provided below:

A1 - Service Water System (SW)

Service | Equipment | Logic Diagram | Schematic
Service Water Pumps | SW-P-41A/41B | M-503968 | M-301107 Sh. AC3,AR3
 | -41C/41D | M-503969 | M-301107 Sh. AC4,AR4
Cooling Tower Pumps | SW-P-110A | M-503966 | M-301107 Sh. AU2
 | -110B | M-503967 | M-301107 Sh. AU6
Cooling Tower Fans | SW-FN-51A | M-503951 | M-301107 Sh. AV4
 | -51B | M-503452 | M-301107 Sh. AW4
Cooling Tower/Service Water Bypass/Inop. | | M-503973 | M-310951 EH9/EHO

Note: There are separate lights for the service water pump and the cooling tower subsystems.

A2 - Primary Component Cooling Water System (CC)

Service | Equipment | Logic Diagram | Schematic
Primary Cooling Water Pumps | CC-P-11A | M-503270 | M-310895 Sh. A58/A78
 | 11B/11C/11D | | A59,A79
PCCW Bypass Inop. | | M-503277 | M-310951 EH9/EHO

A3 - Containment Building Spray (CSB)

Service | Equipment | Logic Diagram | Schematic
Containment Spray Pumps | CBS-P-9A/9B | M-503257 | M-310900 Sh. A61,A81
Containment Sump Iso. Vlv. | CBS-V8/V14 | M-503252 | M-310900 Sh. B84,D40
Cont. Spray Add. Iso. Vlv. | CBS-V39/V44 | M-503259 | M-310900 Sh. Ab
Cont. Spray Nozzle Iso. Vlv. | CBS-V13/V19 | M-503259 | M-310900 Sh. Ab
Primary Comp. Cooling Water to Containment HX | CC-V131/V260 | M-503259 | M-310895 Sh. 4a
Primary Comp. Cooling Water | | M-503259 |

A4 - Residual Heat Removal (RH)

Service | Equipment | Logic Diagram | Schematic
RH Cold Leg Inj. Iso. Vlv. | RH-V14/26 | M-503768/503769 | M-310887 Sh. B57,B65
RH Hot Leg Inj. Iso. Vlv. | RH-V32/70 | M-503768/503769 | M-310887 Sh. B58,D90
Chg. Pump Suc. Iso. Vlv. | RH-V35 | M-503768/503763 | M-310887 Sh. B59,B66
SI Pump Suc. Iso. Vlv. | RH-36 | M-503768/503763 | M-310887
Cont. Sump Iso. Vlv. | CBS-V8/V14 | M-503252 | M-310900 Sh. B84,D40
Prim. Comp. Cooling Water to HX | CC-V133/V258 | M-503768 | M-310895 Sh. 4A
Residual Ht. Removal Pumps | RH-P-8A/8B | M-503761 | M-310877 Sh. A57,A77

A5 - Safety Injection System (SI)

Service | Equipment | Logic Diagram | Schematic
SI Pumps | SI-P-6A/6B | M-503900 | M-310890 Sh. A56/A76
Cont. Sump Iso. Valve | CBS-V8/V14 | M-503918 |
SI Cold Leg Iso. Valve | SI-V114 | M-503909 | M-310890 Sh. B49
SI-P-6A/6B to Hot Legs Isolation Valve | SI-V102/V77 | M-503909 |
SI-P-6A/6B to RWST Isolation Valve | SI-V89/V90/V93 | M-503911, 503901 | M-310890 Sh. B41/B42/B43
SI-Pump Cross Connect | SI-V111/V112 | M-503912 | M-310890 Sh. B47/B48
Prim. Comp. Cooling Wtr. | | M-503918 | M-310895 Sh. EH9/3 EA

A6 - Chemical and Volume Control System (CS)

Service | Equipment | Logic Diagram | Schematic
Charging Pump | CS-P-2A/2B | M-503372,M-503330 | M-310891 Sh. A62,A82
Prim. Comp. Cooling Wtr. | | M-503372 |

A7 - Feedwater (FW)

Service | Equipment | Logic Diagram | Schematic
Emer. Feedwater Pump | FW-P-37B | M-503586 | M-310844 Sh. A80
Emer. FW Pump 37A/37B | FW-V71/73 | M-503599 | M-310844 Sh. 4
Discharge and Bypass Vlvs. | FW-V65/67 | M-503599 | M-310844 Sh. 4
Recirculation Valves | FW-V210 | M-503599 | M-310844 Sh. 4
 | FW-V211 | M-503599 | M-310844 Sh. 4
Emergency FW-P-37A | MS-V127 | M-503585 | M-310841 Sh. E87/13
Steam Inlet Valves | MS-V128 | M-503584 | M-310841 Sh. E88/13
EFW Flow Control Valves | FW-V4214A | M-504152 | M-310844 Sh. B3V
 | FW-V4214B | M-504152 | M-310844 Sh. B3Z
 | FW-V4224A | M-504152 | M-310844 Sh. B3W
 | FW-V4224B | M-504152 | M-310844 Sh. B4A
 | FW-V4234A | M-504152 | M-310844 Sh. B3K
 | FW-V4234B | M-504152 | M-310844 Sh. B4B
 | FW-V4244A | M-504152 | M-310844 Sh. B3Y
 | FW-V4244B | M-504152 | M-310844 Sh. B4C

A8 - Diesel Generator

Service | Logic Diagram | Schematic
DG Control Power Lost | M-503491 | M-310102
DG Breaker Control Power Lost | M-503495 | M-310102
EPS Control Power Lost | M-503495 | FP-31416
Protection Relays not Reset | M-503491 | M-310102
DG - Barring Devices Engaged | M-503491 | M-310102
Starting Air Pressure Lo-Lo | M-503491 | M-310102
Control Switch Pull to Lock | M-503491 | M-310102
Selector Switch Maintenance | M-503491 | M-310102

B - Interrelationship Between Auxiliary Systems and Safety Systems

Auxiliary systems such as service water system (SW), primary component cooling water system (CC), and diesel generator system (DG) are dependent on the operation of other auxiliary systems or are required for the operation of other auxiliary or safety systems.

The VAS will automatically indicate the dependent auxiliary and safety systems that are made inoperable by an inoperable auxiliary system. Initiation of the Emergency Power Inoperable indication will automatically initiate all the indicators for the same train on the bypass and inoperable status panel. Initiation of an indicator on the bypass and inoperable status panel is performed manually, automatically for the diesel generator, and will automatically initiate indication of dependent auxiliary and safety systems on the bypass and inoperable status panel.

Reference logic drawings:

M-503277 - M-503973
M-503259 - M-503768
M-503918 - M-503372

C - VAS Logic

The logic used for implementing the VAS alarms will be shown on separate logic by computer drawings.

ADDITIONAL RESPONSE (5/12): The handout will be revised to indicate that alarms and indicators are provided. The indication on the bypass and inoperable status panel is on the system level for each train. All automatic initiation is through the VAS. Indication on the status panel is manually initiated in response to the VAS alarm or when the system is bypassed or made inoperable with devices not monitored by the VAS. The VAS and the status panel have logic that will automatically indicate all systems made inoperable when a support system is inoperable.

Typographical errors on A7 and A8 will be corrected.

This item remains open pending the review of the VAS.

After the meeting, a note to clarify the service water indicators was added to A1 of the 3/23 handout. A8 was deleted as the Diesel Generator status monitoring lights and alarms are not considered part of the bypass and inoperable status monitoring system, since the events monitored occur less than once per year. FSAR 7.1.2.6, copy attached, will be revised.

ADDITIONAL RESPONSE (7/15): Item A8, diesel generator, will be returned to the list as data for other diesels indicate that they may require maintenance outages more than once per year.

The functions that are listed all initiate a VAS common alarm which indicates that a train is inoperable, TRN EMERG POWER INOPERABLE.

Diesel generator status is indicated on the diesel generator status light panel on Section HF of the MCB, not on the bypass and inoperable status light panel on Section CF of the MCB. These status monitoring lights along with specific and common VAS alarms provide continuous status of the diesel generators.

We will add the bypass/inoperable status monitoring system pushbuttons to the computer inputs that initiate the VAS bypass/inoperable alarms. This will ensure that the same information on system status is available at the monitoring system or through the VAS. A summary of the current status of the VAS bypass/inoperable alarms will be available on demand to ensure that the operator is aware of the status of redundant systems when a system is bypassed/made inoperable. A system level VAS alarm will be initiated if the redundant trains are bypassed/made inoperable.

ADDITIONAL RESPONSE (9/14): The 3/23 handout, Part B, is revised to include the Diesel Generator in the discussion of the interrelationship of the auxiliary systems. Logic diagrams will be changed.

STATUS (2/86): FSAR 7.1.2.6 revised, Amendment 56. (SER 7.5.2.1)

420.11 (7.1) Summarize the status of those instrumentation and control items discussed in the Safety Evaluation Report (and supplements) issued for the construction permit which required resolution during the operating license review.

RESPONSE (3/23): There are no unresolved items relating to Chapter 7 of the SAR identified in the construction permit SER (Supplements 1 to 4).

STATUS (5/12): Closed.

420.12 (7.1.2.2) Various instrumentation and control system circuits in the plant (including the reactor protection system, engineered safety features actuation system, instrument power supply distribution system) rely on certain devices to provide electrical isolation capability in order to maintain the independence between redundant safety circuits and between safety circuits and non-safety circuits.

1. Identify the type of isolation devices which are used as boundaries to isolate non-safety grade circuits from the safety grade circuits or to isolate redundant safety grade circuits.


2. Describe the acceptance criteria and tests performed for each isolation device which is identified in response to Part 1 above. This information should address results of analyses or tests performed to demonstrate proper isolation and should assure that the design does not compromise the required protective system function.

RESPONSE (3/23): 1. BOP uses the same type E 7300 system, with the same qualifications, as is used by NSSS (NSSS equipment for Seabrook is identical to that for SNUPPS).

2. Radiation data management system will require submittal of further documentation of isolation devices used.
3. Power supply distribution isolation is covered under RAI 430.40A.

ADDITIONAL RESPONSE (9/14): The current status of the RDMS isolators was discussed. Further discussion is deferred pending overall resolution of train separation criteria.

STATUS (9/14): Open pending documentation of testing to be performed to show that the isolator will perform the required isolation function. The maximum credible fault voltage and current should be justified.

ADDITIONAL RESPONSE (11/82, 1/83, 2/86): The design of the RDMS supplied by the General Atomic Company is consistent with the criteria for physical independence of electrical systems established in "Attachment C" of AEC letter dated December 14, 1973 (see FSAR Appendix 8A) and in Regulatory Guide 1.75, Revision 2. In addition, the independence of Class 1E equipment and circuits follows IEEE Standard 384-1981, Section 7 regarding specific electrical isolation criteria.

All Class 1E equipment is supplied with power from the appropriate Class IE power source train.

Communications within the RDMS System between the various microcomputer based monitors takes place via redundant semiduplex lines, transmitting and receiving low level digitally coded signals. All of these monitors are provided with semiconductor-based optical isolators that isolate all communication lines from the internal circuitry of the monitors.

Further, all Class lE monitors are provided with state-of-the-art fault isolation devices. Each communication line is provided with overcurrent and overvoltage protection. Overcurrent protection is provided by incorporating a low current fuse in each line just before it enters the optical isolator circuitry which is part of each monitor. The overvoltage protection is provided by the use of a Transzorb device between the two communication lines and from each communication line to ground (see Figures 1, 2, and 3).

The Transzorbs are semiconductor-based devices incorporating a zener diode and Silicon Controlled Rectifier (SCR) units. When the i..put voltage exceeds 28 volts, the zener diode will conduct all voltage above 28 volts, charging the capacitor. When the capacitor voltage reaches 2 volts (SCR trigger voltage) the SCR conducts and shorts the fault voltage to ground or between the lines, whichever is the case. If the power in the fault voltage is of a significant nature, it will cause the fuse to blow, which will result in complete circuit isolation.

The qualification plan for the fuse/Transzorb combination used as an isolation device consists of the following two steps:

1) A Maximum Credible Fault Voltage test has been performed (copy of Test Report 0357-9018, dated 6/15/81, is attached) to prove that the components, when exposed to the maximum credible voltage, will protect the RM-80 such that the safety-related functions will not be affected.

The following is a summary of the test procedure and results which confirm that the isolator performs the required isolation function.

The testing was accomplished by applying fault voltages of +140 volts dc, -140 volts dc and 140 volts ac at communication port A (and subsequently port B) of a radiation monitor. These fault voltages envelop the maximum credible fault voltages, surge or continuous, at Seabrook. Fault voltages are limited by routing low level signal cables in raceways separate from all other cables (FSAR 8.3.1.4.c) and by the low fault potential of the power sources that feed instrumentation connected to low level cables (inverters are limited to 120 ± 1.2 V ac, transformers to 120 ± 12 V ac, battery chargers on equalize charge to 137 ± 0.5 V dc). Fault voltages were applied between each conductor and ground as well as between conductors. A communications error rate test was performed.

This test verifies that the Class 1E portions of the RM 80 were not damaged by the fault voltages. In each case, port B continued to function properly, thereby proving proper operation of the radiation monitor and that the isolator protects the 1E functions from faults on the non-1E circuits.

Port B was similarly tested. Port A continued to function properly, indicating proper operation of the monitor before and after the test and isolation from the faulted input.

Proper operation during application of the fault voltages will be addressed with 420.16.

2) A study to prove that the Transzorb and fuse have no age-related failures over the 40-year life of the plant.

The results of the study are:

a. The Transzorb is a solid-state device with an activation energy of 1 eV. On a periodic basis, the manufacturer sample tests units to 150-200°C for 50 hours. By extrapolation on an Arrhenius curve using the activation energy and the test temperature and test time, the life of the device is several orders of magnitude greater than 40 years at normal operating conditions (40°C). Therefore, the Transzorb has no significant age-related failures.
b. A fuse is nothing more than a piece of wire which has no age-related failures which would cause it not to blow upon high current through it. There are no insulation materials in the device which would degrade with age.

ADDITIONAL RESPONSE (1/83, 2/86): Qualified isolation devices that meet the requirements of IEEE-279 are provided at the interface between protection and control systems. Faults in the control systems will not prevent the protection system from performing its safety function.

Non-1E cables and circuits in seismic and nonseismic areas are associated with one Class 1E train, are never routed in raceways containing Class 1E or associated cables of another train or channel and are physically separated the same as the Class 1E circuit with which they are associated. (See RAI 430.149.) The Seabrook design complies with requirements of FSAR Appendix 8A, IEEE 384-1974 and Regulatory Guide 1.75, Rev. 2.

Electrical interaction (crosstalk) between the Class 1E and non-1E cables in the same routing group is minimized by the use of shielded cables, grounding, separation by voltage level and dedicated raceways for circuits that are noise sensitive (nuclear instrumentation) or are noise sources (control rod drives). (See FSAR 8.3.1.4 and RAI 430.149.) (SER 7.3.2.15)

ADDITIONAL RESPONSE (2/86): During the November 20-21, 1985 ICSB meeting, we were informed that the use of fuses as isolators was unacceptable to the ICSB. The reason given was that fuses are replaceable with fuses of a larger size and, therefore, may not provide the desired protection. To address the interchangeability question, we performed a fault test with the fuses jumpered with 14 AWG wire.

The purpose of this test was to determine if the RM 80 could perform its safety function with only the transzorbs limiting the fault. This test showed that the fuses are required. The GA test submitted previously showed that the 0.5 amp fuse, in conjunction with the transzorb, provides the required isolation between the Class 1E and associated circuits of the RM 80s. Since the main objection to the fuse is interchangeability, we are taking the following steps:

a. The fuse boards will be replaced with new boards that do not contain fuse clips. It will be a one-for-one replacement for the existing boards and will be installed in the same barriered compartment within the RM 80s.
b. Special fuse assemblies will be purchased where the fuses are soldered to fuse clips. The new fuse clip assemblies will be screwed to the fuse boards. These fuse clip assemblies will have a unique part number. (See also attached sketch, "Seabrook Fuse Assembly.")
c. This change will have no impact on the seismic and environmental qualification of this Class 1E equipment.
d. This will be the only fuse assembly of this type on-site. There is no other fuse of this type used in the RDMS or any other system at Seabrook.
e. The RDMS documentation package will be revised to include the new fuse assembly and fuse board part numbers.
f. The RDMS manuals will be revised for the new fuse assembly and fuse board.
g. The fuse assembly and fuse board will be noted on the maintenance history cards which are reviewed prior to servicing or repair of the Class 1E RM 80s.
h. The spare parts data base will have a reference to the special requirement for these fuses.
i. All work on these Class 1E devices is covered by the Quality Assurance program.

These steps will prevent the 0.5 amp fuse from being replaced with anything but the correct size fuse.

Typical wiring for the Class 1E circuits is shown on Cable Schematics M-310956, Shs. EIS/la through ic. Typical wiring for the "A" associated communication loop is shown on Cable Schematics M-310956, Shs. L2a through L2c.

Prior to startup after the first refueling outage, we will install qualified (i.e., nonfuse) isolation devices. The qualification documentation will be submitted to the NRC for review prior to installation. (SERs 7.5.2.2 and 7.3.2.15)

420.13 (7.1.2.2, 7.5.3.3, 7.7.2.1) The discussion in Section 7.1.2.2 states that Westinghouse tests on the Series 7300 PCS system covered in WCAP-8892 are considered applicable to Seabrook. As a result of these tests, Westinghouse has stated that the isolator output cables will be allowed to be routed with cables carrying voltages not exceeding 580 volts ac or 250 volts dc. The discussion of isolation devices in Section 7.5.3.3 of the FSAR, however, considered the maximum credible fault accidents of 118 volts ac or 140 volts dc only. Also, the statement in Section 7.7.2.1 implies that the isolation devices were tested with 118 volts ac and 140 volts dc only. In order to clarify the apparent inconsistency, provide the following:

(a) Specify the type of isolation devices used for Seabrook process instrumentation system. If they are not the same as the Series 7300 PCS tested by Westinghouse, specify the fault voltages for which they are rated and provide the supporting test results.

(b) Provide information requested in (a) above for the isolation devices of the nuclear instrumentation system. As implied in WCAP-8892, the tests on Series 7300 PCS did not include the nuclear instrumentation system.

(c) Describe what steps are taken to insure that the maximum credible fault voltages which could be postulated in Seabrook, as a result of BOP cable routing design, will not exceed those for which the isolation devices are qualified.

RESPONSE (3/23): The isolation devices used are as described in 420.12. Isolation device design is identical and has been qualified the same as for SNUPPS. The routing of cables leaving the cabinets is consistent with the interface criteria in WCAP 8892A.

STATUS (5/12): Closed.

420.14 (7.1.2.2) The FSAR information provided describing the separation criteria for instrument cabinets and the main control board is insufficient. Please discuss the separation criteria as it pertains to the design criteria of IEEE Standard 384-1977, Sections 5.6 and 5.7. Detailed drawings should be used to aid in verifying compliance with the separation criteria.

RESPONSE (3/23): Handout submitted to staff. Overview of main control board was presented using drawings and pictures. FSAR Sections 7.1.2.2 and 1.8 will be revised to be applicable to both balance of plant and NSSS control panels. The design criteria of IEEE Standard 384-1977, Sections 5.6 and 5.7 for the main control board and instrument cabinets have been met.

STATUS (9/14): Closed.

HANDOUT (3/23):

1. Instrument Cabinets

Section 5.7 of IEEE-384-1977 is met by having independent cabinets for redundant Class 1E instruments; examples of this separation may be found on instrument cabinets MM-CP-152A and MM-CP-152B, both located in the main control room, control building Elevation 75'-0".

2. Main Control Board (MCB)

Sections 5.6.1 through 5.6.6 of IEEE-384-1977 are met as follows, and as described in UE&C Specification 9763-006-170-1, Revision 5:

(a) Section 5.6.1 - The main control board, seismically qualified by analysis and testing per UE&C Specifications 9763-006-170-1, Revision 5, and 9763-SD-170-1, Revision 0, is located in the main control room of the Seabrook station control building (Elevation 75'-0") which is a Seismic Category I structure.

(b) Sections 5.6.2 through 5.6.6 - MCB Zone "B" (front contains the low pressure safety injection; rear contains miscellaneous systems like steam generator blowdown, heat removal, spent fuel) will be used to describe compliance with above referenced sections of IEEE-384-1977. UE&C drawings 9763-F-510102 Revision 6, 9763-F-510115 Revision 4 and 9763-F-510116 Revision 4 could be used to ascertain the compliance with the standard.

b.1 Internal Separation (5.6.2) - The front section of Zone B is divided into Class 1E train "A" (and its associated non-Class 1E circuits train "AA") on the left-hand side, separated from the Class 1E train "B" (and its associated non-Class 1E circuits train "BA") by a full size top-to-bottom steel barrier. However, due to process requirements there are instruments of the opposite train, "B", on the train "A" side; they are separated by a steel enclosure fully surrounding the instrument or open at the rear after a depth 6" deeper than the instrument itself.

The rear section of Zone B is all Class 1E train "A" or its associated non-Class 1E circuit train "AA". Again, as in the front section due to process requirements, there are instruments of the opposite train which are separated by a steel enclosure in the same fashion as in the front section.

Refer to next Item, b.2, for wiring separation.

b.2 Internal Wiring Identification (5.6.3) - All wiring within each section is identified by different jacket colors, as follows:

Class 1E train "A" - red
Class 1E train "B" - white
Non-Class 1E train "AA" - black with red stripe
Non-Class 1E train "BA" - black with white stripe

Each wire/cable insulation is qualified to be flame retardant per either IPCEA-S-19-81 (NEMA WC3) paragraph 6.13.2 or UL-44 Section 85 or IEEE Standard-383 Section 2.5. In addition, all wiring within each section is run in covered wireways formed from solid or punched sheet steel. Minimum wire bundles were allowed where it was physically impossible to install wireways or where it would have been hazardous to the operator/maintenance personnel.

Class 1E and Non-Class 1E wiring of the same train are run in the same wireway. The wireways were further identified with red "A" or white "B" to depict the train assignment of the wire being run within the particular wireway.

b.3 Common Terminations (5.6.4) - No common terminations were allowed in the MCB.

b.4 Non-Class 1E Wiring (5.6.5) - Class 1E and Non-Class 1E associated circuits wiring of the same train are run together in the same metallic wireway but are separated by specific identifying jacket colors as described above (b.2).

b.5 Cable Entrance (5.6.6) - Field cables to be terminated on the MCB terminal blocks are routed in train assigned raceways through the cable spreading room which is located directly under the main control room (refer to UE&C Drawing 9763-F-500091, Revision 6). The raceways run all the way up to the floor slots of the same assigned train located in the floor right underneath the MCB. (The floor slots location and train assignment are shown on UE&C Drawings 9763-F-500100 Revision 6, 9763-F-101347 Revision 5 and 9763-F-310432 Revision 8).

420.15 (7.1) Identify all plant safety-related systems, or portions thereof, for which the design is incomplete at this time.

RESPONSE (3/23): The design of all safety-related systems has been completed. The design details associated with procurement and installation are ongoing in accordance with the project schedule.

STATUS (5/12): Closed (design modifications are being covered under the other RAIs).

420.16 (7.1) Identify where microprocessors, multiplexers, or computer systems are used in or interface with safety-related systems.

RESPONSE (3/23): NSSS does not use microprocessors, multiplexers or computers in or to interface with safety-related systems (multiplexers are used for information transmission).

The radiation data management system uses microprocessors and computers. Detailed descriptions on how the system works will be submitted later.

ADDITIONAL RESPONSE (5/12): The RDMS is functionally identical to the systems installed at Byron-Braidwood, St. Lucie 2, Waterford 3, SNUPPS and Comanche Peak.

NRC will review handout presented, copy attached. More information is needed on the 1E microprocessor software and design features.

The Class 1E monitors are identified in FSAR Tables 12.3-13, 12.3-14 and 12.3-15. They are described in Section 12.3.4.

ADDITIONAL RESPONSE (9/14): Software design control and testing was discussed. The controls will be documented. Information on the testing will be provided.

ADDITIONAL RESPONSE (11/82): A description of the Radiation Data Management System (RDMS) and its major functional components has been previously submitted to the NRC.

Verification of monitor software performance is accomplished via functional testing of the performance as demonstrated in the vendors' acceptance test procedure (a typical test procedure is UE&C Foreign Print #72797). In addition, verification of the monitor response to radiation sources is accomplished via an acceptance test and transfer calibration procedure (UE&C Foreign Print #72761).

Documentation and tracking of software versions for the RM-80 microcomputer is accomplished via a multi-step method which is detailed below:

Software Documentation Procedure

1. System Requirements and Design Basis - The System Data Base Document and Block Diagram reflect the customer's specification requirements. These drawings define the functional software task. Changes to these drawings are controlled via engineering change orders.
2. RM-80 Software Design Basis - The Software Design Task is defined by the Software Design Basis Document. It is developed by an iterative process that includes coding, checkout, reviews, and debugging. It is the design specification for the software. Changes to this document are controlled by Engineering Change Orders (ECO).
3. Testing of RM-80 Software - After the design related debugging, reviewing and testing steps are finished, a generic software test is performed according to an approved test procedure. Changes to the test procedure are ECO controlled.
4. Final Design Review - A Final Design Review is held. Minutes of this design review and all other reviews are maintained in the corresponding software design file.
5. Software Release - A RM-80 Software Checklist is completed to insure all the proper steps have been followed.
6. Software Documentation - The software is controlled by the GA software librarian who assures conformance to the documentation control specified in the GA Quality Assurance Manual.

STATUS (2/86): A meeting was held at the GA Technology offices on December 13 and 14, 1983 to provide the information requested by the NRC. (SER 7.5.2.2)

420.17 (7.1, 7.2, 7.3, 1.8) The FSAR information which discusses conformance to Regulatory Guide 1.118 and IEEE-338 is insufficient. Further discussion is required. As a minimum, provide the following information:

1. Confirm that the Technical Specifications will provide detailed requirements for the operator which insure that blocking of a selected protection function actuator circuit is returned to normal operation after testing.
2. Discuss response time testing of BOP and NSSS protection systems using the design criteria described in Position C.12 of Regulatory Guide 1.118 and Section 6.3.4 of IEEE 338. Confirm that the response time testing will be provided in the Technical Specifications.
3. The FSAR states that, "Temporary jumper wires, temporary test instrumentation, the removal of fuses and other equipment not hard-wired into the protection system will be used where applicable". Identify where procedures require such operation. Provide further discussion to describe how the Seabrook test procedures for the protection systems conform to Regulatory Guide 1.118 (Revision 1) Position C.14 guidelines. Identify and justify any exceptions.

4. Confirm that the Technical Specifications will include the RPS and ESFAS response times for reactor trip functions.
5. Confirm that the Technical Specifications will include response time testing of all protection system components, from the sensor to operation of the final actuation device.
6. Provide an example and description of a typical response time test.

RESPONSE (3/23): Handout was distributed and found acceptable with changes discussed during meeting. The revised handout is included in the meeting minutes.

STATUS (2/86):

1. Conformance to Regulatory Guide 1.118, Revision 2 was addressed in FSAR 1.8 Amendment 45 and 49.
2. Use of temporary modifications for surveillance testing will be addressed during the site audit. (SER 7.3.2.14)

ADDITIONAL RESPONSE (11/82): The comparison to Regulatory Guide 1.118 has been changed back to Revision 1, see the 3/23 Handout, to be consistent with the commitment to IEEE 338-1975 made in the PSAR.

ADDITIONAL RESPONSE (1/83): The 1E electric power and safety system design and testing will also conform to the guidance of Regulatory Guide 1.118 (Rev. 2, 6/78) and the requirements of IEEE 338-1977. Attached is a revised FSAR 1.8 that discusses Regulatory Guide 1.118 (Rev. 1, 11/77 and Rev. 2, 6/78).

HANDOUT (3/23):

1. Technical Specification Tables 3.3-1 reactor trip system, 3.3-3 engineered safety features actuation, and 3.3-5 reactor trip/ESF actuation system interlocks, provide the operator with the minimum operable channel criteria and the appropriate action statement.

2. BOP and NSSS protection system time response tests will be conducted in accordance with Regulatory Guide 1.118 Revision 1, IEEE-338-1975, ISA dS67-06, and draft Regulatory Guide Task IC 121-5, January, 1982, with the following exceptions and positions:

(a) Task IC 121-5 Regulatory Position C1 states that the term "nuclear safety-related instrument channels in nuclear power plants" should be understood to mean instrument channels in protection systems.

(b) Response time testing will be performed only on those channels having a limiting response time established and credited in the safety analysis.

(c) The revised discussion of Regulatory Guide 1.118 in FSAR Section 1.8 (copy attached).

Response time testing is specified in Tables 3.3-2 and 3.3-4.

3. It is not anticipated that any Seabrook test procedures performed on protection systems will require the use of temporary jumpers, lifted wires or pulled fuses. All procedures will, in fact, utilize the hard-wired test points within the system and therefore comply with Regulatory Guide 1.118 Revision 1, Position C14.

If during plant operation, conditions or test requirements show that deviation from this guide is the only practical method of obtaining the desired test results, then all affected testing will be performed and documented under the control of a special test procedure. We will inform ICSB, prior to licensing, of any temporary modifications identified during preparation of the surveillance procedures.

4. Response times are specified in Tables 3.3-2 and 3.3-4.
5. Compliance with Regulatory Guide 1.118, Revision 1, IEEE-338-1975, and ISA dS67-06 ensures that the complete channel is tested with the exception noted on Table 3.3-2 of Seabrook Technical Specifications.
6. Response time tests have not yet been prepared. Test methods to be employed are outlined below:

Pressure Sensors - The process variable will be substituted by a hydraulic ramp, the ramp rate to be selected based on the transient for which the sensor is required to respond. In the event that the sensor is required to respond to more than one transient, the ramp rates will be selected to represent the fastest and slowest transients.

Temperature Sensors - Will be tested in place using the loop current step response (LCSR) method. See NUREG-0809.

Impulse Lines - Tests will be conducted during the startup testing phase to establish the relationship between response time and impulse line flow; subsequent tests will be limited to flow testing.

Electronic Channel - The signal conditioning and logic section of the instrument channel will be tested by inputting a step change at the input of the process racks, and measuring the time required until the final device in the channel actuates.

420.18 (7.1.2.11) It is stated in FSAR Section 7.1.2.11 that, "A periodic verification test program for sensors within the Westinghouse scope for determining any deterioration of installed sensor's response time, is being sought". NUREG-0809, "Review of Resistance Temperature Detector Time Response Characteristics", and draft Standard ISA-dS67.06, "Response Time Testing of Nuclear Safety-Related Instrument Channels in Nuclear Power Plants", are documents which propose acceptable methods for response time testing nuclear safety-related instrument channels. Please provide further discussion on this matter to unequivocally indicate the test methods to be used for Seabrook.

RESPONSE (3/23): See our Response to 420.17 for a discussion of the proposed response time testing program. The referenced portion of 7.1.2.11 will be deleted (see attached copy).

STATUS (9/14): Closed.

420.19 (7.1.1.1) FSAR Section 7.1.1 does not provide sufficient information to distinguish between those systems designed and built by the nuclear steam system supplier and those designed or built by others. Please provide more detailed information.

RESPONSE (3/23): Draft revision of FSAR 7.1.1 provided to staff and found acceptable and is attached to the meeting notes.

STATUS (9/14): Closed.

420.20 (7.1.2.7) Section 7.1.2.7 of the FSAR discusses conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972. The information provided addresses only Westinghouse provided equipment and associated topical reports. Provide a conformance discussion that addresses the BOP portions of the plant safety systems and auxiliary systems required for support of safety systems.

RESPONSE (3/23): FSAR has been revised to cover single failure criteria for BOP and NSSS and is attached to the meeting minutes.

ADDITIONAL RESPONSE (5/12): The change to FSAR 7.1.2.7 was reworded. Copy is attached.

STATUS (9/14): Closed.

420.21 (7.2.1.1) The information in Section 7.2.1.1.b.6, "Reactor Trip on Turbine Trip", is insufficient. Please provide further design bases discussion on this subject per BTP ICSB 26 requirements. As a minimum you should:

1. Using detailed drawings, describe the routing and separation for this trip circuitry from the sensor in the turbine building to the final actuation in the reactor trip system (RTS).
2. Discuss how the routing within the nonseismic category I turbine building is such that the effects of credible faults or failures in this area on these circuits will not challenge the reactor trip system and thus degrade the RTS performance. This should include a discussion of isolation devices.
3. Describe the power supply arrangement for the reactor trip on turbine trip circuitry.
4. Provide discussion on your proposal to use permissive P-9 (50% power).
5. Discuss the testing planned for the reactor trip on turbine trip circuitry.

Identify any other sensors or circuits used to provide input signals to the protection system or perform a function required for safety which are located or routed through nonseismically qualified structures. This should include sensors or circuits providing input for reactor trip, emergency safeguards equipment such as auxiliary feedwater system and safety-grade interlocks.

Verification should be provided to show that such sensors and circuits meet IEEE-279 and are seismically and environmentally qualified. Identify the testing or analyses performed which insures that failures of nonseismic structures, mountings, etc. will not cause failures which could interfere with the operation of any other portion of the protection system.

RESPONSE (3/23): Add to the SNUPPS response to "Reactor Trip on Turbine Trip" that circuits and sensors used in a nonseismic structure are Class 1E and are run in separate conduits meeting Regulatory Guide 1.75 with the exception of seismic qualification. Hydraulic pressure and limit switches on the turbine stop valves are two examples. The response will be attached to the meeting minutes.

Permissive P-9 has an adjustable setpoint between 10 - 50%.

Reactor trip on turbine trip circuitry is testable at power.

The turbine impulse chamber pressure transmitters are Class 1E and routed as Class 1E, with the seismic exception.

There are no other safety-grade sensors routed through nonseismic areas. The only safety-related outputs in nonseismic areas are signals to close the feedwater control valves, close the condenser dump valves and trip the turbine generator. These circuits are designed as described above.

ADDITIONAL RESPONSE (5/12): The handout was discussed and revised. Each turbine stop valve is monitored by two independent switches.

STATUS (7/15): Closed. ICSB will follow PSB review of separation per Regulatory Guide 1.75.

HANDOUT (3/23, 9/14, 2/83): Revised SNUPPS Submittal

Evaluations indicate that the functional performance of the protection system would not be degraded by credible electrical faults such as opens and shorts in the circuits associated with reactor trip or the generation of the P-7 interlock. The contacts of redundant sensors on the steam stop valves and the trip fluid pressure system are connected through the grounded side of the ac supply circuits in the solid state protection system. A ground fault would therefore produce no fault current. Loss of signal caused by open circuits would produce either a partial or a full reactor trip. Faults on the first stage turbine pressure circuits would result in upscale, conservative, output for open circuits and a sustained current, limited by circuit resistance, for short circuits. Multiple failures imposed on these redundant circuits could potentially disable the P-13 interlock. In this event, the nuclear instrumentation power range signals would provide the P-7 safety interlock. Refer to Functional Diagram, Sh. 4 of Figure 7.2-1.

SSPS input circuits and sensors in nonseismic structures are Class 1E and are routed in conduit to maintain train separation and to prevent the application of fault voltages greater than the maximum credible fault voltages (see 420.29). The electrical and physical independence of the connecting cabling conforms to Regulatory Guide 1.75.

STATUS (9/14): Closed.

420.22 (7.2.1.1) FSAR Section 7.2.1.1.b.8 states that, "The manual trip consists of two switches with two outputs on each switch. One output is used to actuate the train A reactor trip breaker, the other output actuates the train B reactor trip breaker." Please describe how this design satisfies the single failure criterion and separation requirements for redundant trains.

RESPONSE (3/23): Manual trip design is identical to SNUPPS, Watts Bar, Byron-Braidwood. Drawing was reviewed and found acceptable.

STATUS (5/12): Closed.

420.23 (7.2) Describe how the effects of high temperatures in reference legs of steam generator and pressurizer water level measuring instruments subsequent to high energy breaks are evaluated and compensated for in determining setpoints. Identify and describe any modifications planned or taken in response to IEB 79-21. Also, describe the level measurement errors due to environmental temperature effects on other level instruments using reference legs.

RESPONSE (3/23): The steam generator level transmitter reference legs will be insulated to prevent excessive heating under accident conditions. Setpoints will include errors for high energy line breaks with the insulation.

For the pressurizer level, we will review SNUPPS report and determine applicability to Seabrook.

REVISED RESPONSE (5/12): SNUPPS did not insulate reference legs in containment. We are evaluating their approach for application to Seabrook and will advise the NRC on our final corrective action.

STATUS (2/86):

1. SBN-513, May 31, 1983, submitted level measurement error based on analysis that takes credit for safety injection actuation on high containment pressure (Hi-1) and manual action.
2. SBN-916, December 31, 1985, provided a technical description of the HESITET code requested at the November 1985 ICSB meeting. In a phone conversation, January 29, 1986, the NRC indicated that the reference leg heatup analysis methodology is acceptable.
3. In a phone conversation, January 29, 1986, the NRC requested information on the alarms used to alert the operator to small line breaks inside containment and the manual actions in response to the alarms. The analysis will be redone assuming a 15-minute response time to be consistent with the boron dilution event. A revised response will be submitted by February 28, 1986. (SER 7.3.2.8)

420.24 (7.2, 7.3, 7.4, 7.6) State whether all of the systems discussed in Sections 7.2, 7.3, 7.4 and 7.6 of the FSAR conform to the recommendations of Regulatory Guide 1.62 concerning manual initiation. Identify any exceptions and discuss how they do not conform to the recommendations. Provide justification for nonconformance areas.

RESPONSE: Systems discussed in Sections 7.2, 7.3, 7.4 and 7.6 of the FSAR 3/23 conform to the recommendations of Regulatory Cuide 1.62 concerning manual initiation. There are no exceptions taken.

STATUS: Closed.

5/12 420.25 The information provided in Section 7.2.2.2.c.10.(b) on testing (7.2.2.2) of th, power range channels of the nuclear instrumentation system, covers only the testing of the high neutron flux trips. Testing of the high neutron flux rate trips is not included. Provide a description of how the flux rate circuitry is tested periodically to verify its performance capability.

1

1

, RESPONSE: The power range nuclear instrumentation system and all associated

3/23 bistables including the rate trips are testable at power.

STATUS (5/12): Closed.

420.26 (7.2) (7.3) Identify where instrument sensors or transmitters supplying information to more than one protection channel are located in a common instrument line or connected to a common instrument tap.

The intent of this item is to verify that a single failure in a common instrument line or tap (such as break or blockage) cannot defeat required protection system redundancy.

RESPONSE (3/23, 2/86): NSSS design is identical to SNUPPS. There are no shared taps for redundant BOP safety instruments.

STATUS (5/12): Closed.

420.27 (7.3) If safety equipment does not remain in its emergency mode upon reset of an engineered safeguards actuation signal, system modification, design change or other corrective action should be planned to assure that protective action of the affected equipment is not compromised once the associated actuation signal is reset.

This issue is addressed by I&E Bulletin 80-06. Please provide a discussion addressing the concerns of the above bulletin. This discussion should assure that you have reviewed the Seabrook design per each of the I&E Bulletin 80-06 concerns. Results of your review should be given.

RESPONSE (3/23): We have reviewed the electrical schematics for engineered safety feature (ESF) reset controls. In the Seabrook design, all systems serving safety-related functions remain in the emergency mode upon removal of the actuating signal and/or manual resetting of ESF actuation signals. The required testing (per 80-06) will be performed as part of the start-up test program described in Chapter 14.

STATUS (5/12): Closed.

420.28 (7.3.1.1) The description of the emergency safety feature systems which is provided in the FSAR Section 7.3.1.1 is incomplete in that it does not provide all of the information which is requested in Section 7.3.1 of the standard format for those safety-related systems, interfaces and components which are supplied by the applicant and mate with the systems which are within the Westinghouse scope of supply. Provide all of the descriptive and design basis information which is requested in the standard format for these systems. In addition, provide the results of an analysis, as is requested in Section 7.3.2 of the standard format, which demonstrates how the requirements of the general design criteria and IEEE Standard 279-1971 are satisfied and the extent to which the recommendations of the applicable Regulatory Guide are satisfied. Identify and justify any exceptions.

RESPONSE (3/23): Tables supplied in response to 420.32 and the additional information to be supplied when answering 420.29 will satisfy the requirements of this question.

ADDITIONAL RESPONSE (5/12): See 420.29.

STATUS (7/15): Closed.

420.29 (7.3.2.1) Confirm that the FMEA referenced in FSAR Section 7.3.2.1: (1) is applicable to all engineered safety features equipment within the BOP and NSSS scope of supply, and (2) is applicable to design changes subsequent to the design analyzed in the referenced WCAP.

RESPONSE (3/23): Discussion of this item was deferred to the next meeting.

ADDITIONAL RESPONSE (5/12, 2/83): The Seabrook design complies with the interface criteria in (28629) Appendix B of WCAP 8584, Revision 1. The FMEA in WCAP 8584 is applicable to all BOP and NSSS safety features equipment at Seabrook including design changes made to the systems analyzed in WCAP 8584.

Separation by potential Item 3, is met by routing low level or control cables in raceways that are separate from each other and from all other cables (FSAR 83.1.4.c). Fault voltages are limited by the low fault potential of the power sources that feed the cables that are routed in the raceways (inverters are 120 ± 1.2 V ac, transformers 120 ± 12 V ac, battery chargers on equalize charge 137 ± 0.5 V dc). This ensures that the maximum credible fault voltages that could be applied to the SSPS are within the fault voltage envelope for which the SSPS is qualified to withstand without loss of function.

STATUS (7/15): Closed.

420.30 (7.3) Section 7.3.2.2 of the FSAR indicates that conformance to Regulatory Guide 1.22 is discussed in Section 7.1.2.8. However, Section 7.1.2.8 addresses Regulatory Guide 1.63. Correct this discrepancy.

RESPONSE (3/23): The reference to Section 7.1.2.8 will be changed in Amendment 45 to Section 7.1.2.5 where Regulatory Guide 1.22 is addressed.

STATUS (9/14): Closed.

420.31 (7.3.2.2) Using detailed drawings, discuss the automatic and manual operation of the containment spray system including control of the chemical additive system. Discuss how testing of the containment spray system conforms to the recommendations of Regulatory Guide 1.22 and the requirements of BTP ICSB 22. Include in your discussion the tests to be performed for the final actuation devices.

RESPONSE (3/23): Draft of response submitted to staff. Overview of containment spray system was presented using drawings. System description and operation were reviewed. Staff questioned redundancy of temperature system. Tank temperature is monitored by a temperature indicating switch that actuates a VAS alarm and by an independent temperature indicating controller that controls auxiliary steam to the tank. Fluid systems are totally separable into trains "A" and "B". The electrical systems are also completely separable into trains "A" and "B" as per the piping systems. Provisions are available for on-line testing of CBS system as described in FSAR 7.3.2.2.

The assignment of components to slave relays for on-line testing is indicated in the ESF table in the response to 420.32.

ADDITIONAL RESPONSE (5/12): The response was clarified to specify that the spray additive tank is the tank being discussed.

This item is considered closed.

STATUS (5/12): Closed.

420.32 (7.3) Please provide a table(s) listing the components actuated by the engineered safety features actuation system. As a minimum, the table should include:

1. Action required,

2. Component description,

3. Identification number,
4. Actuation signal and channel.

RESPONSE (3/23): Tables supplied at the meeting are attached.

STATUS (5/12): Closed.

420.33 (7.3.2.2) Section 7.3.2.2.o.12 discusses testing during shutdown. Describe provisions for insuring that the "isolation valves" discussed here are returned to their normal operating positions after test.

RESPONSE (3/23): Administrative controls to ensure that equipment and systems are restored to normal after testing will be addressed in equipment control procedures that follow the guidance of ANS 18.7, 1976.

The system inoperative status monitoring panel will be manually actuated when a system is made inoperative.

STATUS (5/12): Closed.

420.34 (7.3) Portions of paragraph 7.3.1.2.f, appear not to apply to ESFAS response times. In particular, the discussion on reactor trip breakers, latching mechanisms, etc., should be replaced by a discussion of ESF equipment time responses. The applicant should provide a revised discussion for ESFAS (a) defining specific beginning and end points for which the quoted times apply, and (b) relating these times to the total delay for all equipment and to the accident analysis requirements.

RESPONSE (3/23): FSAR 7.3.1.2.f will be revised as indicated on the attached markup.

STATUS (9/14): Closed.

420.35 (7.2 & 7.4) Using detailed drawings, describe the ventilation systems used to support engineered safety features areas including areas containing systems required for safety shutdown. Discuss the design bases for these systems including redundancy, testability, etc.

RESPONSE (3/23): Overview given at meeting on HVAC system for control room.

Equipment for system is redundant and safety grade. The HVAC instrumentation and control required for safety-related equipment is Class 1E and trains "A" and "B" oriented. Radiation detectors for intake air are redundant and safety related. Other systems in the control building are redundant and safety related.

Control of safety-related HVAC systems are operated from the control room and those systems required for remote safe shutdown also have local control. The control room outside air intake lines are shared between Units 1 and 2. Each unit has its own controls and isolation valves.

STATUS (5/12): Closed.

420.36 (7.3.2.3) Using detailed system schematics, describe how the Seabrook auxiliary feedwater system meets the requirements of NUREG-0737, TMI Action Plan Item II.E.1.2 (See question 420.01). Be sure to include the following information in the discussion:

a) the effects of all switch positions on system operation.

b) the effects of single power supply failures including the effect of a power supply failure on auxiliary feedwater control after automatic initiation circuits have been reset in a post-accident sequence.

c) any bypasses within the system including the means by which it is insured that the bypasses are removed.

d) initiation and annunciation of any interlocks or automatic isolations that could degrade system capability.

e) the safety classification and design criteria for any air systems required by the auxiliary feedwater system. This should include the design bases for the capacity of air reservoirs required for system operation.

f) design features provided to terminate auxiliary feedwater flow to a steam generator affected by either a steam line or feed line break.

g) system features associated with shutdown from outside the control room.

RESPONSE (3/23): Overview of emergency feedwater system was presented to staff using drawings for description of system operation.

Emergency feedwater system was discussed with staff and it is considered an open item. Significant concerns identified:

a) Lack of safety-grade air system.

b) Single failure in pneumatic control valve.

c) Loss of one train of power while operating from remote safe shutdown panel.

d) On-off control of the EFW control valves.

ADDITIONAL RESPONSE (9/14): The concerns expressed in this RAI and in the letter, dated April 22, 1982 (Items A - K), were discussed in meetings with ICSB, ASB, RSB, YAEC, PSNH, and UE&C on June 23 and 24 and July 14 and 15, 1982. Our letter SBN-300, dated July 27, 1982, provided response to your April 22 letter. Our letter SBN-321, dated September 7, 1982, described the changes that are being made to the emergency feedwater system. A draft copy of the revision to FSAR Section 6.8 reflecting these changes is attached.

ADDITIONAL RESPONSE (1/83): A revised FSAR, p 6.8-5, is attached that clarifies the train assignment of the normal flow control valve.

STATUS (2/86): See RAI 420.0'a (b). (SERs 7.3.2.11 and 7.3.1.7.1)

420.37 (7.3) Using detailed system schematics, describe the sequence for periodic testing of the:

a) main steam line isolation valves
b) main feedwater control valves
c) main feedwater isolation valves
d) auxiliary feedwater system
e) steam generator relief valves
f) pressurizer PORV

The discussion should include features used to insure the availability of the safety function during test and measures taken to insure that equipment cannot be left in a bypassed condition after test completion.

RESPONSE (3/23): Periodic testing was discussed using detailed drawings.

Significant discussion items are:

a) To be presented at next meeting.

b) Standard Westinghouse testing system used.

c) When testing main feedwater control and main feedwater isolation valves using train "A", the system for train "B" remains completely operable.

d) During testing of emergency feedwater pumps the discharge valve is closed and recirculation valve opened. The system inoperable indication is in accordance with Regulatory Guide 1.47.

During testing, the capability exists to test the entire ESFAS as including actuation of the EFW pump.

e) Discussed with no comments.

f) Discussed with no comments.

ADDITIONAL RESPONSE (9/14): The MSIV logic has been redesigned so that periodic testing can be performed during normal power operation as a series of overlapping tests. Since the MSIVs cannot be fully closed at power, the actuation logic is blocked by a signal from the solid state protection system (SSPS) test cabinet when the test relay is energized. Operation of the slave relay and the test switch actuates the isolation logic. Proper operation of the logic is indicated at the logic gate that has been blocked.

After the SSPS is returned to normal, the MSIV is exercised by a partial stroke closure at a reduced speed. The exercise signal overlaps the actuation test to verify the operability of the complete logic.

The restoration of the flow restrictor after the exercise test is monitored.

STATUS (2/86): Drawings F-503667, F-503668, M-310841, Sh. EIS/7a through 7j, and Sh. EIT/7a through 7f. (SER 7.3.2.5)

420.38 (7.4.1) The information supplied in FSAR Section 7.4.1 does not adequately describe the systems required for safe shutdown as required by Section 7.4.1 of the standard format. Therefore, provide all the descriptive and design basis information which is requested by Section 7.4.1 of the standard format. Also, provide the results of an analysis, as requested by Section 7.4.2 of the standard format, which demonstrates how the requirements of the general design criteria and IEEE Std. 279-1971 are satisfied and the extent to which the recommendations of the applicable regulatory guides are satisfied. Identify and justify any exceptions.

RESPONSE (3/23): Staff to review handouts presented at this meeting and come back with any further questions. Update list for 420.39 and submit with minutes. YAEC given written position on safe shutdown, to be forwarded formally. Rewritten FSAR 7.4 is attached.

ADDITIONAL RESPONSE (5/12): The analog instruments associated with the remote shutdown panel are Non-1E and are independent of the control room instruments.

The controls at the remote shutdown locations have the same qualification as the controls at the main control board.

REVISED RESPONSE (9/14, 1/83): The design of the controls at the remote shutdown locations have undergone considerable revision to comply with the requirements of Appendix R and to be consistent with the changes required for safety grade cold shutdown from the control room.

Since the same safety grade equipment will be used for remote shutdown without a fire, all the associated controls at the remote shutdown locations are safety grade and meet the applicable requirements of IEEE 279-1971, 323-1974, and 344-1975.

The instrumentation at the remote locations (with the exception of the wide range nuclear instrumentation) are separate loops that are completely independent of the instrument loops that provide indication in the control room. Since the remote shutdown locations are not required to have the controls and indication necessary to control the plant during accidents, the instrumentation at the remote shutdown locations do not meet all the requirements for safety grade equipment. We have determined that the electronics and indicators at the remote shutdown panels (CP-108 A & B) and the field wiring do meet the requirements of IEEE 344-1975. The transmitters and indicators are mechanically similar to transmitters and indicators that are qualified to 344-1975. We are obtaining the necessary documentation to certify that the transmitters and indicators will be operable following a seismic event. We will be able to certify that the instruments at the remote shutdown panels will be available following all postulated natural phenomena and, therefore, will meet the design basis of the remote shutdown equipment. This documentation will be available for audit prior to fuel loading.

The design for the safety grade wide-range nuclear instrumentation has the electronics mounted such that they would not be affected by a fire in the control room cable spreading room. The indication that will be provided at the remote shutdown location will be safety grade. We are reviewing a conflict between our Appendix R response (de-energization of the SSPS) and the ICSB guidance to meet Appendix K (do not disable ESF actuation prior to cooldown). We will provide our position on this item.

The draft revision to FSAR 7.4 submitted with the March 23, 1982, meeting minutes is being revised to reflect the latest design of the remote shutdown equipment and will address the positions in your April 21, 1982 letter, item-by-item.

ADDITIONAL RESPONSE (1/83): A revised FSAR Section 7.4 is attached.

ADDITIONAL RESPONSE (2/83): Our compliance with the ICSB positions on remote shutdown capability is documented as indicated below:

Letter dated April 21, 1982

Position                            Compliance Documentation

1) hot shutdown                     7.4.2, 7.4.6, 7.4.7
   manual actions                   1.4.2, 7.4.6
   no temporary modifications       7.4.6 (revised)
2) cold shutdown                    7.4.6, 7.4.7
3) disable ESFAS                    modified by later position

ICSB Guidance for the Interpretation of GDC-19 Concerning Requirements for Remote Shutdown Stations

1) hot shutdown                     7.4.2, 7.4.6, 7.4.7
   service conditions               7.4.1, 7.4.5, 7.4.7
   seismic qualification            7.4.6
2) redundant instrumentation        7.4.6, 7.4.6, 7.4.7
3) manual actions                   7.4.2, 7.4.6
   no temporary modifications       7.4.6 (revised)
4) cold shutdown capability         7.4.2, 7.4.5, 7.4.6
5) loss of off-site power           7.4.5d
6) ESFAS                            7.4.5b
   no change of state               7.4.4
7) access to keys                   7.4.4
8) Appendix R                       7.4.7

STATUS (2/86): FSAR 7.4 was revised Amendment 49, 52, 53 and 56. Additional information was submitted in SBN-917, dated December 31, 1985, that addresses SER 7.4.2.4.

420.39 The information supplied for remote shutdown from outside the control room is insufficient. Therefore, provide further discussion to describe the capability of achieving hot or cold shutdown from outside the control room. As a minimum, provide the following information:

a. Provide a table listing the controls and display instrumentation required for hot and cold shutdown from outside the control room. Identify the safety classification and train assignments for the safety-related equipment.

b. Design basis for selection of instrumentation and control equipment on the hot shutdown panel.
c. Location of transfer switches and remote control station (include layout drawings, etc.).
d. Design criteria for the remote control station equipment including transfer switches.
e. Description of distinct control features to both restrict and to assure access, when necessary, to the displays and controls located outside the control room.
f. Discuss the testing to be performed during plant operation to verify the capability of maintaining the plant in a safe shutdown condition from outside the control room.
g. Description of isolation, separation and transfer/override provisions. This should include the design basis for preventing electrical interaction between the control room and remote shutdown equipment.
h. Description of any communication systems required to coordinate operator actions, including redundancy and separation.

i. Description of control room annunciation of remote control or overridden status of devices under local control.

j. Means for ensuring that cold shutdown can be accomplished.

k. Explain the footnote in FSAR Section 7.4.1.4 which states that, "Instrumentation and controls for these systems may require some modification in order that their functions may be performed from outside the control room". Discuss the modifications required on the instrumentation and controls of the pressurizer pressure control including opening control for pressurizer relief valves, heaters and spray and the nuclear instrumentation that are necessary to shutdown the plant from outside the control room. Also discuss the means of defeating the safety injection signal trip circuit and closing the accumulator isolation valves when achieving cold shutdown.

RESPONSE (3/23): See 420.38.

ADDITIONAL RESPONSE (5/12): We will investigate the absence of pressurizer level indication in the table that was provided in response to Item a.

Response to Item g should refer to 7.4.1.1 and 7.4.1.3.a.5 vice 7.4.11.

See 420.36.

HANDOUT (3/23, 5/12, 1/83): a) Table is attached.

b) See response to Item 440.13 (attached).

c) Selector switches are at the same location as the controls.

d) Controls are the same safety classification as the controls in the control room. Instrumentation is not safety-related.

e) The controls are located in areas that are controlled by the security system. The selector switches are key-locked.

f) Verification of the capability of maintaining the plant in a safe shutdown condition from outside control room will be in accordance with commitment in Chapter 14, Table 14.2-5, Item 33. Reactor coolant pumps will not be tripped for this test. Verification of natural circulation will be in accordance with commitment in Chapter 14, Table 14.2-5, Item 22.

g) Isolation is discussed in revised FSARs 7.4.3, 7.4.4, and 7.4.5.f (see RAI 120.38).

h) See response to 430.67 (attached).

i) Any switch that is in the local position is alarmed by the VAS.

j) See Items a and b.

k) The footnote has been deleted. See rewritten 7.4 submitted in 420.38.

ADDITIONAL RESPONSE (9/14, 1/83): a) A revised table will be attached to the meeting minutes.

b) Item-by-item compliance with RSB BTP 5-1 will be documented in our response to RAI 440.133.

d) See 420.38 for the design of instrumentation.

e) The remote shutdown locations are the vital switchgear rooms on elevation 21' 6", two levels directly below the control room on elevation 75. Access is through the stairwell on the south side of the control building or through stairwells in the turbine building.

Access to all levels of the control building is controlled by the station security system. The operators' key cards will allow access to all levels of the control building.

Administratively controlled keys are also available to assure access should the security system be inoperable.

i) VAS will be reviewed under 420.49.

STATUS (2/86): See RAI 420.38. (SER 7.4.2.4)

ADDITIONAL RESPONSE (1/83): a) A revised remote shutdown equipment table is attached.

420.40 Concerning safe shutdown from outside the control room, discuss the likelihood that the auxiliary feedwater system will be automatically initiated on low-low steam generator level following a manual reactor trip and describe the capability of resetting the initiating logic from outside the control room. Describe the method of controlling auxiliary feedwater from outside the control room.

RESPONSE (3/23): Even though the emergency feedwater system may be automatically initiated as the main control room is evacuated, the emergency feedwater system can be controlled from the remote safe shutdown panel without resetting the actuation logic. Additional information required by staff is furnished in the response to 420.38 and 420.39.

STATUS (9/14): Closed.

420.41 (7.4.2) Subsection 7.4.2 states that, "The results of the analysis which determined the applicability to the Nuclear Steam Supply System safe shutdown systems of the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1". This statement does not address the balance of plant (BOP) safe shutdown systems. Also, sufficient information giving results of the analysis performed for safe shutdown systems cannot be found from Table 7.1-1. Therefore, provide the results and a detailed discussion of how the BOP and NSSS systems required for safe shutdown meet GDCs 13, 19, 34, 35, and 38; IEEE Standard 279 requirements; Regulatory Guides 1.22, 1.47, 1.53, 1.68, and 1.75.

Be sure that you include a discussion of how the remote shutdown station complies with the above design criteria.

RESPONSE (3/23): Closely related to Items 38 and 39. Staff will review to see if more response is required.

ADDITIONAL RESPONSE (9/14): Table 7.1-1 will be revised to include the GDCs, Standards, and Regulatory Guides listed as being applicable to Section 7.4. A draft revision of Table 7.1-1 is attached.

STATUS (2/86): See RAI 420.38.

420.42 (7.4.2) FSAR Section 7.4.2 states that, "It is shown by these analyses, that safety is not adversely affected by these incidents, with the associated assumptions being that the instrumentation and controls indicated in Subsections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown". Please provide a discussion pertaining to the phrase "associated assumptions". Your discussion should address loss of off-site power associated with plant load rejection or turbine trip.

RESPONSE (3/23): Covered in the response to 420.38.

ADDITIONAL RESPONSE (9/14): The phrase "associated assumptions" will be deleted. Loss of off-site power will be addressed in the revised 7.4 (see 420.38).

STATUS (2/86): See RAI 420.38. (SER 7.4.2.4)

420.43 (7.4.2) Please discuss how a single failure within the station service water system and/or the primary component cooling water system affects safe shutdown.

RESPONSE (3/23): Each of the independent and redundant flow trains of the station service water system and the primary component cooling water system is capable of performing their safety functions necessary to effect a safe shutdown assuming a single failure. See Sections 9.2.1, 9.2.2 and 9.2.5 for further details.

STATUS (5/12): Closed.

420.44 (9.2.5.5) Using detailed electrical schematics and logic diagrams, discuss the tower actuation (TA) signal which is generated to isolate the normal service water system and initiate the cooling tower system. Be sure to include in your discussion the possibilities of inadvertent switchover (loss of off-site power, etc.) and the affects this would have.

RESPONSE (3/23): The tower actuation circuit is being revised. The revised drawings will be submitted for review.

ADDITIONAL RESPONSE (9/14): The TA actuation logic is being revised to correct deficiencies in the logic and to provide the design features described in 420.73.

Latch relays are now used that require a signal to actuate and another signal to reset. Loss of off-site power or loss of power to the TA circuit will not cause inadvertent actuation. The redundant cooling tower train will provide the service water function if one cooling tower train does not actuate. FSAR 9.2.5.5 will be revised, marked-up copy is attached.

STATUS (2/86): FSAR 9.2.5.5 was revised, Amendment 48. Drawings M-503962, M-301107 Sh E87/4a through 4g. (SER 7.6.7.8)

ADDITIONAL RESPONSE (1/83): The TA circuit is operable without off-site power since it is fed from the emergency power supplies.

420.45 (7.4.2) FSAR Section 7.4.2 states that, "Loss of plant air systems will not inhibit ability to reach safe shutdown from outside the control room". Using detailed drawings, please provide further discussion on this matter. Clearly indicate any function required to reach safe shutdown from outside the control room which is dependent on air and the means by which the air is provided.

RESPONSE (3/23): Instrument air system is redundant, piping is safety grade and seismically supported but appropriate safety-grade compressor has not been located. Critical to define how long system can operate from accumulator tanks. Staff questioned atmospheric relief valve as to safety classification - valve itself is safety grade but control system is not. This item is still open.

REVISED RESPONSE (9/14, 2/86): Instrument air is no longer required for safe shutdown as the emergency feedwater control valves no longer have pneumatic operators, the atmospheric dump valves are provided with backup gas supplies, and the RHR system can be operated without the use of instrument air.

STATUS (2/86): See RAI 420.47.

420.46 (7.4) Describe the procedures to borate the primary coolant from outside the control room when the main control room is inaccessible. How much time is there to do this?

RESPONSE (3/23): Handout given to NRC. Staff questioned if MOV's and controls mentioned are safety grade. Items are safety grade. If problem exists during review, it will be covered under overall discussion of shutdown. "Adequate time" mentioned in response is minimum of four hours.

STATUS (9/14): This issue was discussed at the June 23 and 24, 1982, meeting, and is closed.

HANDOUT (3/23): Boration of the primary coolant will require an alignment of the suction of charging pumps from the refueling water storage tank (RWST) to the boric acid storage tank (BAST). This will be required once the plant starts its cooldown. The gravity feed from the BAST to the suction of the charging pumps contains manual isolation valves located in the primary auxiliary building. The RWST suction valves contain motor-operated valves (MOV) that can be controlled from the motor control center in the Switchgear Rooms. If need be, the MOV's can be operated locally. There is adequate time for an operator to follow the procedure since the plant is in a safe hot shutdown condition.

420.47 (7.4) Using detailed drawings (schematics, P&IDs), describe the automatic and manual operation and control of the atmospheric relief valves. Describe how the design complies with the requirements of IEEE-279 (i.e., testability, single failure, redundancy, indication of operability, direct valve position, indication in control room, etc.).

RESPONSE (3/23): Operation of these valves from a remote location is not considered a safety-related function; therefore, they are not designed to meet IEEE-279. Overview of operation given at meeting. Item still under review by staff and considered open.

REVISED RESPONSE (9/14, 1/83, 2/86): The operators for the atmospheric dump valves are being provided with safety-related controls and backup gas supplies that are seismically and environmentally qualified. Safety grade manual controls will be provided and will override the non-1E automatic controls.

STATUS (2/86): FSARs 7.3.2.3 and 9.3.1.1 were revised Amendment 56. Draft FSAR 10.3.2.4 is attached and will be issued in the next amendment. Drawings M-506585, M-503670, and M-310841, Sheet E2T/10a through 10e (ECA 03809116c copies provided). (SER 7.4.2.2)

420.48 (1.4.2) (7.3) Using detailed electrical schematics and piping diagrams, please discuss the automatic and manual operation and control of the station service water system and the component cooling water system. Be sure to discuss interlocks, automatic switchover, testability, single failure, channel independence, indication of operability, isolation functions, etc.

RESPONSE (3/23): Reviewed system design and operation from drawings and schematics. Staff will review isolation of nonseismic portion of service water system during earthquake without another accident.

ADDITIONAL RESPONSE (5/12): Low service water pump discharge pressure (could be the result of tunnel blockage due to an earthquake) will result in tower actuation (TA). The TA signal will isolate the nonseismic portion of the SW system.

ADDITIONAL RESPONSE (9/14): An analysis was performed that shows that a complete failure of the nonseismic SW piping will reduce SW pump discharge pressure below the tower actuation setpoint. The nonseismic SW piping is isolated on tower actuation, safety injection and loss of off-site power (see revised 9.2.5.5 in response to 420.44).

ADDITIONAL l RESPONSE: As was discussed in the 9/14 meeting, we have performed an analysis 11/82 that shows that a complete failure of the non-safety service water ]

2/83 piping will result in a tower actuation (TA) that will isolate the 2/86 non-safety piping and restore flow to the sa aty users.

Subsequent analyses have determined that any failure greater than an 8-inch nominal opening will result in a TA. It was also pointed out that the non-safety piping is isolated by a safety injection signal or a loss of off-site power. Since the isolation is performed automatically for large breaks and for the critical condition II, III and IV events, the remaining concern relates to the effect of reduced flow to the safety users for failures of the non-safety piping that do not cause a TA.

We have analyzed the effect of the largest non-safety piping failure (8-inch) that does not result in a TA under the worst case conditions of maximum sea water temperature (65°F), lowest tide and normal power operation heat loads with one diesel generator under full load test. This will result in a reduced service water flow to the CC heat exchanger of 5150 gpm (11,500 gpm normal) and 1500 gpm to the diesel (1800 gpm normal). The effects of the reduced flow are discussed below.

Component Cooling

Reduced service water flow to the CC heat exchanger will result in an increase in the CC outlet temperature from the normal 85°F to a steady-state value of about 95°F. This is lower than the 120°F design requirement of the safety-related equipment or the 130°F 4-hour limit for the reactor coolant pumps.

The containment temperature will increase slightly. (It was determined that the maximum containment temperature after 10 minutes without any cooling is 128°F.) Safety-related equipment inside the containment will not be affected as all such equipment is qualified for high energy line break environments.

The above analysis was performed for a 20" break in the non-safety piping; therefore, there is a larger change in flow than is indicated for the diesel generator with an 8-inch break.

Diesel Generator

The normal flow requirement for the diesel generator is based on an inlet temperature of 90°F. The reduced flow of 1500 gpm at 65°F meets the cooling requirements without affecting the operation of the diesel generator.

From the above discussion it can be seen that failure of the nonseismic piping does not prevent the accomplishment of the safety functions and is automatically isolated for critical conditions II, III, and IV events.

Low service water pressure and high component cooling water temperature alarms alert the operator to abnormalities that would result from failure of the non-safety service water piping. The non-safety piping would be isolated manually to stop flooding of the non-safety turbine building.

STATUS (2/86): Response has been revised to incorporate comments from November 21-22, 1985 ICSB meeting. (SER 7.4.2.1)

420.49 (7.5) The information supplied in FSAR Section 7.5 concentrates on the post accident monitoring instrumentation and does not provide sufficient information to describe safety related display instrumentation needed for all operating conditions. Therefore, please expand the FSAR to provide as a minimum additional information on the following:

1. ESF Systems Monitoring
2. ESF Support Systems Monitoring
3. Reactor Protective System Monitoring
4. Rod Position Indication System
5. Plant Process Display Instrumentation
6. Control Boards and Annunciators
7. Bypass and Inoperable Status Indication
8. Control Room Habitability Instrumentation
9. Residual Heat Removal Instrumentation

Please use drawings as necessary during your discussion.

RESPONSE (3/23): All except Item 6 will be covered in response to Regulatory Guide 1.97. Summary of VAS and annunciator system will be provided.

ADDITIONAL RESPONSE (5/12): Letter SBN-268, dated 5/4/82, forwarded additional information on the main plant computer system and the VAS.

The annunciators are standard lightboxes that respond to digital inputs. Power is supplied from inverters and the dc system.

Audible alarms and controls are shared with the VAS.

The alarm sequence is:

Condition        Operator Action   Visual       Alarm Audible   Ringback Audible
1. Normal        -                 Off          Off             Off
2. Off Normal    -                 Fast Flash   On              Off
3. Off Normal    Silence           Fast Flash   Off             Off
4. Off Normal    Acknowledge       Steady       Off             Off
5. Normal        -                 Slow Flash   Off             On (momentary)
6. Normal        Reset             Off          Off             Off

The annunciator alarms are a subset of the VAS alarms and were selected to provide essential alarms if the VAS is inoperable.

The alarm points are shown on Drawings 9763-C-509109 through 509114. Some VAS inputs are obtained from relays in the annunciator that duplicate the input to the annunciator. Failure of the VAS will not affect the annunciator.

FSAR 7.5 will be revised in our response to Regulatory Guide 1.97, Revision 2.

STATUS (7/15): SBN-268 was discussed on 6/21/82 by NRC/PSNH/YAEC. Information was requested on software QA and security; control of alarm priority (criteria and method for assigning priorities); management functions; and the use as a Regulatory Guide 1.47 monitor (see RAI 420.10).

ADDITIONAL RESPONSE (9/14):

VAS Software QA and Security

1. The testing of the video alarm system (VAS) is being conducted as part of the startup test program in two phases. Phase 1 will be run after installation of the computer equipment at the plant site and will validate the functional operation of the VAS system. Tests will be run using projected worst case conditions derived from simulator data.

Phase 2 will verify operation of individual computer inputs as plant systems are checked out.

2. Changes to the software after the phase 1 testing has been completed will be controlled by procedure. This procedure, under control of the Station Plant Manager, will ensure that changes to the tested software are authorized and adequately tested before they are implemented. The change control procedure will require operator authorization to make the change, documentation of the change, retest of the affected system, and integration into the procedures and operator training as applicable.
3. The following operator change functions are under keylock and administrative procedure control:

delete/restore a point from alarming
delete/restore a group of points from alarming
delete/restore a point from scan
modify a point's alarm limits
modify a point's engineering value

4. Procedures will be available for review three months prior to fuel loading.

VAS Alarm Priority

The Operations Group is in the process of reviewing the VAS alarms for priority, alarm message, point identification and destination. Their comments will be incorporated in the project documents. The following priority guidelines are being used:

Priority One - Immediate operator response required to:

A. Prevent plant shutdown.

B. Minimize the consequences of a shutdown.

Priority Two - Occurrence of alarm indicates a degradation of a major plant system that could result in plant shutdown, power reduction, or reduced availability of a safety system.

Priority Three - Occurrence of alarm indicates degradation of a system component, or the alarm is an informational item describing a change of state.

STATUS (9/14): The VAS software response will be reviewed by the NRC and discussed during a conference call to be scheduled later. FSAR 7.5, 7.2.2.2 (13) and (20) are being revised to provide the additional information requested.

ADDITIONAL VAS RESPONSE (11/82): A telephone conversation was held on 9/27 with representatives of the NRC (R. Stevens, J. Joyce, J. Rosenthal), PSNH (C. Cellneau, D. Johnson), and YAEC (W. Fadden, R. Marie). The additional response, dated 9/14, was discussed in detail. Significant items of discussion were:

1. The VAS software was produced prior to implementation of formalized quality control procedures for production of software. The VAS software requirements (functional description) were reviewed extensively by PSNH operations and YAEC (a summary of the development of the VAS software up to the installation of the computer at Seabrook is attached).

Computer startup and preparations for Phase I and II testing are in progress.

2. The software change control procedure will be implemented prior to the start of the Phase II testing.
3. All procedures associated with software change control or testing will have an independent review performed.
4. Limited alarm suppression is employed, mainly associated with the status of specific equipment or suppression of redundant alarms (see CBS logic diagrams M-503257 and M-503260).
5. The NRC expressed concern that system unreliability be identified and appropriate corrective action taken.

RESPONSE (11/82, 1/83): The Seabrook computer will be maintained by the Computer Engineering Department that has expended considerable money and effort to establish the in-house resources required to provide prompt repair of the computer. As the computer provides many aids to the operating staff, its performance is highly visible to station management. Any evidence of unacceptable availability of the VAS function will be promptly identified and reviewed by the Station Operation Review Committee. The availability goal of the VAS function is 99%.

6. The main computer and the CPU at the remote locations are provided with full capability backups that will automatically assume all functions on failure of the operating computer or CPU. Only data that changes state and returns to its original state during the less than 5 second transfer time will be lost.
7. Redundant I/O equipment is not available. Critical parameters are monitored by different IRTUs so that critical data will not be lost.
8. CRT functions can be manually transferred without loss of data to other CRTs on the MCB.

FSAR:

Attached are draft copies of revised FSAR Sections 7.2.2.2.c(13) and 7.5 that provide the additional information requested.

ADDITIONAL RESPONSE (1/83): The Seabrook Post-Accident Monitoring Instrumentation complies with the guidance of Regulatory Guide 1.97 (Rev. 1, 8/77) with the exceptions discussed in FSAR 1.8. A revised FSAR 1.8 is attached.

STATUS (2/86): FSAR 1.8 and 7.5 were revised, Amendment 56, to address compliance with Regulatory Guide 1.97 (Revision 3, May 1983). FSAR 7.2.2.2.c(13) was revised, Amendments 48 and 56. (SER 7.5.2.1, 7.5.2.3, 7.5.2.4)

420.50 (7.5) If reactor controls and vital instruments derive power from common electrical distribution systems, the failure of such electrical distribution systems may result in an event requiring operator action concurrent with failure of important instrumentation upon which these operator actions should be based. IE Bulletin 79-27 addresses several concerns related to the above subject. You are requested to provide information and a discussion based on each IE Bulletin 79-27 concern. Also, you are to:

1. Confirm that all a.c. and d.c. instrument buses that could affect the ability to achieve a cold shutdown condition were reviewed. Identify these buses.
2. Confirm that all instrumentation and controls required by emergency shutdown procedures were considered in the review. Identify these instruments and controls at the system level of detail.

3. Confirm that clear, simple, unambiguous annunciation of loss of power is provided in the control room for each bus addressed in item 1 above. Identify any exceptions.
4. Confirm that the effect of loss of power to each load on each bus identified in item 1 above, including ability to reach cold shutdown, was considered in the review.
5. Confirm that the re-review of IE Circular No. 79-02 which is required by Action Item 3 of Bulletin 79-27 was extended to include both Class 1E and Non-Class 1E inverter supplied instrument or control buses. Identify these buses or confirm that they are included in the listing required by Item 1 above.

RESPONSE (3/23, 9/14): Refer to the attached response to IE Bulletin 79-27 and two attached responses to IE Circular 79-02.

1. All 1E and non-1E ac and dc instrument buses were reviewed. Refer to the listing of buses reviewed in the attached response to Bulletin 79-27.
2. Redundant instrumentation and controls required for safe shutdown are available at the control room and the remote shutdown location. Loss of an entire power train will not prevent the ability to accomplish cold shutdown with the control and indication powered by the other train.

3. Annunciation of loss of power is provided in the main control room through Seabrook video alarm system. The wording of all alarms is subject to review by the station operating staff to insure clarity.
4. See Item 2.
5. Refer to the two attached responses to Circular 79-02. The buses are listed in the response to Bulletin 79-27.

ADDITIONAL RESPONSE (5/12): Item 1 was revised. We will clarify the reviews performed for Items 2 and 4. All required instrumentation and controls will be identified.

Our emergency procedures will contain the items requested by I&E Bulletin 79-27 Items 2.a, 2.b and 2.c.

We will provide additional information on our inverters as requested by I&E Circular 79-02 (time-delay, modifications).

ADDITIONAL RESPONSE (7/15): Item 1 was revised. The NRC clarified the additional information requested in Items 2 and 4. A handout on inverters was reviewed and is included in the meeting minutes.

HANDOUT (7/15): Time Delay Circuits on Inverters

1. Class 1E 7.5 kVA inverters (I-1A, -1B, -1C, -1D, -1E and -1F).

There are no time delays on the voltage sensing circuits on the Class 1E inverters. High dc voltage at the output of the rectifier section will result in tripping the ac input only. Power will continue to be supplied from the 125 V dc battery.

2. Non-Class 1E 60 kVA inverters (I-2A and I-2B).

There are no time delays on the voltage sensing circuits on these inverters. High or low dc voltage at the rectifier section output and high or low ac voltage at the inverter section output will trip the inverter off and force an automatic transfer to the backup ac supply through the solid state transfer switch.

3. Non-Class 1E 25 kVA inverter (I-4).

There are no time delays on the voltage sensing circuits on this inverter. High or low dc voltage at the inverter section input will trip the inverter input breaker and force an automatic transfer to the backup ac supply through the solid state transfer switch.

No modifications to the 1E and non-1E inverters were found necessary as a result of the re-review of IE Circular 79-02.

STATUS (9/14): Closed.


420.51 (7.5) Table 7.1-1 indicates that conformance to R.G. 1.97 is discussed in Section 7.5.3.2. However, Section 7.5.3.2 is a section of definitions only. We find partial discussion on conformance in Section 7.5.3.1. Correct Table 7.1-1. Also, FSAR Section 1.8 states that Regulatory Guide 1.97, Revision 2, is presently being reviewed and the extent of compliance will be addressed at a later date. Discuss the plans and schedule for complying with R.G. 1.97, Revision 2.

RESPONSE (3/23): Applicant is working on response to Regulatory Guide 1.97, Revision 2. Schedule will be supplied at a later date.

STATUS (2/86): See RAI 420.49.

420.52 (7.6.2) Provide a discussion (using detailed drawings) on the residual heat removal (RHR) system as it pertains to Branch Technical Position ICSB 3 and RSB 5-1 requirements. Specifically address the following as a minimum:

1. Testing of the RHR isolation valves as required by branch position E of BTP RSB 5-1.
2. Capability of operating the RHR from the control room with either on-site or only off-site power available as required by Position A.3 of BTP RSB 5-1. This should include a discussion of how the RHR system can perform its function assuming a single failure.
3. Describe any operator action required outside the control room after a single failure has occurred and justify.

In addition, identify all other points of interface between the Reactor Coolant System (RCS) and other systems whose design pressure is less than that of the RCS. For each such interface, discuss the degree of conformance to the requirements of Branch Technical Position ICSB No. 3. Also, discuss how the associated interlock circuitry conforms to the requirements of IEEE Standard 279. The discussion should include illustrations from applicable drawings.

RESPONSE (3/23): The RHR isolation valves can be tested while on RHR by operating only one RHR pump, removing power from one valve associated with the operating pump, simulating high pressure in the isolation channel for the valve that has power removed and verifying that the associated valve in the nonoperating loop closes. The system is restored, the sequence repeated for the other isolation channel, cooling shifted to the other loop and the test sequence repeated.

NRC will review reply to RAI 440.23 and 440.24 that address power sources.

There is no other system interfacing with the reactor coolant system (RCS) whose design pressure is less than that of the RCS.

ADDITIONAL RESPONSE (11/82, 1/83): We will add alarms that will actuate if either suction valve for an operating RHR pump is not fully open or if the flow through the RHR pump is below the minimum required for pump protection.

If the suction valves close due to a power failure in the logic circuit (circuit is designed to fail to the isolation condition to ensure protection of the low pressure piping), the valves can be reopened at the remote shutdown location. This operation can be performed expeditiously, less than 10 minutes, since selection of local control with the key-locked selector switch will isolate the automatic controls, interlocks and remote controls. Local control switches are provided. Temporary circuit modifications are not required. Selection of local control is alarmed in the control room. The opposite train valve will provide automatic isolation on high pressure if a valve is opened using local control.

FSAR 5.4.7.2 discusses the effects of temporary loss of RHR flow if the RCS is intact and filled such that the SGs are still available for decay heat removal.

An analysis of the time available to restore shutdown cooling when the RCS is vented was performed using the following assumptions.

1. Decay heat load was calculated per ANS 5.1 with a 20% margin based on 102% rated thermal power.
2. Forty eight hour delay from shutdown for cooldown and lowering of vessel level.
3. Vessel level at center of nozzles.
4. Only water in vessel was considered.
5. Initial temperature of 140°F, maximum for mode six.
6. No losses to ambient.

More than 12 minutes is available before the bulk coolant reaches saturation temperature. If bulk boiling does occur it will take a total of more than 50 minutes to uncover the core. This time can be extended by adding coolant to the RCS with the operable charging pump.

STATUS (2/86): FSAR 5.4.7.2 was revised, Amendment 53. The response was discussed at the November 21-22, 1985 ICSB meeting and found acceptable. (SER 7.6.7.7) Drawings M-503747, M-503748, M-503761, M-506635, and M-506650.

420.53 (7.6.4) FSAR Section 7.6.4, Accumulator Motor-Operated Valves, states that, "During plant operation, these valves are normally open, and the motor control center supplying power to the operators is de-energized". Describe how power is removed and how the system complies to Positions B.2, B.3 and B.4 of BTP ICSB 18 (PSB). Also, identify any other such areas of design and state your conformance to the positions of BTP ICSB 18.

RESPONSE (3/23): Covered in response to 420.59.

STATUS (5/12): Closed.

420.54 (7.3.1.1) (7.6.5) FSAR Section 7.3.1.1 states that, "The transfer from the injection to the recirculation phase is initiated automatically and completed manually by operator action from the main control board".

Describe automatic and manual design features permitting switchover from injection to recirculation mode for emergency core cooling including protection logic, component bypasses and overrides, parameters monitored and controlled and test capabilities. Discuss design features which insure that a single failure will neither cause premature switchover nor prevent switchover when required. Discuss the reset of Safety Injection actuation prior to automatic switchover from injection to recirculation and the potential for defeat of the automatic switchover function. Confirm whether the low-low level refueling water storage tank alarms which determine the time at which the containment spray is switched to recirculation mode are safety grade.

RESPONSE (3/23): Will be discussed later.

RESPONSE (2/86): The step-by-step automatic and manual switchover operations are described in detail in FSAR Section 6.3.2.8 and Table 6.3-7. The ECCS/Containment Spray Recirculation Signal is generated for each train by a combination of the safety injection signal and low-low level in the RWST. The level signal uses 2 out of 4 logic to prevent premature switchover and to ensure switchover is accomplished. Each ESF train uses completely redundant equipment for recirculation to ensure that the safety functions are accomplished. The operator is provided with safety grade indicators for RWST and containment sump level, and manual controls for all the valves required for recirculation so that recirculation can be accomplished without any automatic action.

Non-safety grade but independent low-low level alarms are available from the VAS and the annunciator to alert the operator of the need for recirculation.

The safety injection signal sets latching relay K740 that requires separate action to reset after the safety injection signal has been reset. This ensures automatic recirculation on low-low level in the RWST even if the safety injection signal is reset before the low-low level is reached. Lights will be provided on MCB AP and BF to indicate when K740 is latched to ensure that it is reset after periodic testing. Their operation is verified as part of the quarterly logic testing.
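The latch-and-vote behaviour described in this response, as an added Python model that is not part of the original minutes or the plant's logic drawings. It checks the single-failure claim for the 2 out of 4 level vote and shows why the K740 latch keeps a safety injection reset from defeating the switchover; the class and function names, and the rule that K740 cannot be reset while SI is still present, are assumptions.

```python
"""Model of the ECCS/containment spray recirculation actuation described above.

Added illustration only. The latch-reset interlock and all names are
modelling assumptions, not taken from the plant logic drawings.
"""
from dataclasses import dataclass

CHANNELS = 4        # four RWST level channels (from the response)
VOTES_NEEDED = 2    # 2-out-of-4 coincidence (from the response)


def two_out_of_four(bistables):
    """True when at least two of the four low-low level bistables are tripped."""
    if len(bistables) != CHANNELS:
        raise ValueError("expected exactly four bistable states")
    return sum(bool(b) for b in bistables) >= VOTES_NEEDED


@dataclass
class RecirculationTrain:
    """One ESF train: SI signal, latching relay K740, recirculation output."""
    si_active: bool = False
    k740_latched: bool = False

    def safety_injection(self):
        self.si_active = True
        self.k740_latched = True      # SI sets the latching relay

    def reset_safety_injection(self):
        self.si_active = False        # K740 stays latched on purpose

    def reset_k740(self):
        """Separate operator action. Assumption: refused while SI is present."""
        if self.si_active:
            return False
        self.k740_latched = False
        return True

    def recirculation_signal(self, bistables):
        """Latched SI memory AND 2-out-of-4 RWST low-low level."""
        return self.k740_latched and two_out_of_four(bistables)

    def unlatched_signal(self, bistables):
        """Hypothetical design without K740, for contrast only."""
        return self.si_active and two_out_of_four(bistables)


def single_failure_votes(level_is_low_low):
    """Fail each channel in turn, stuck tripped and stuck untripped, while the
    other three read the true level. Returns the vote for every case."""
    votes = []
    for failed in range(CHANNELS):
        for stuck_state in (True, False):
            bistables = [level_is_low_low] * CHANNELS
            bistables[failed] = stuck_state
            votes.append(two_out_of_four(bistables))
    return votes


def si_reset_before_low_low():
    """SI actuates, the operator resets SI, then the RWST reaches low-low level.
    Returns (latched design output, unlatched design output)."""
    train = RecirculationTrain()
    train.safety_injection()
    train.reset_safety_injection()
    low_low = [True, True, True, True]
    return train.recirculation_signal(low_low), train.unlatched_signal(low_low)


def latch_left_set_after_test():
    """In this model, a test actuation latches K740; if it is not reset, a later
    low-low vote alone produces the signal. Returns (before reset, after reset)."""
    train = RecirculationTrain()
    train.safety_injection()          # test actuation
    train.reset_safety_injection()
    two_tripped = [True, True, False, False]
    forgotten = train.recirculation_signal(two_tripped)
    train.reset_k740()
    after_reset = train.recirculation_signal(two_tripped)
    return forgotten, after_reset


if __name__ == "__main__":
    print("single failure, level normal :", single_failure_votes(False))
    print("single failure, level low-low:", single_failure_votes(True))
    print("SI reset before low-low      :", si_reset_before_low_low())
    print("latch left set after test    :", latch_left_set_after_test())
```

The second scenario is the one the latch indicating lights address: in the model, a latch left set after testing is invisible in the output until two level bistables trip.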

ADDITIONAL RESPONSE (7/15): The independence of the non-safety grade RWST low-low level alarms was discussed. Details will be provided later. Level setpoints are provided in Figure 6.3-6 (Amendment 45).

ADDITIONAL RESPONSE (9/14): The four transmitters that provide the low-low level recirculation signal will provide an annunciator alarm when any two of the four low-low level bistables have tripped. A wide range level transmitter will provide an analog input to the station computer. The station computer will generate a VAS low-low level alarm at the same setpoint as the annunciator alarm.

STATUS (2/86): Drawings M-503258, M-310900 Sh. E87/8d shows the indicating light. FSAR Figure 7.6-3 will not be revised since it only shows functional logic and is not intended to show the detail on the UE&C logic drawings. (SER 7.6.7.6)

420.55 (5.2.5.8) (7.6) FSAR Section 5.2.5.8 states that calibration and functional testing of the leakage detection systems will be performed prior to initial plant startup. Please provide justification since Position C.8 of Regulatory Guide 1.45 states that, "leakage detection systems should be equipped with provisions to readily permit testing for operability and calibration during plant operation".

RESPONSE (3/23): The electronics can be tested with plant at power. There are readouts that can be checked during plant operation. Radiation sensors can be tested at power because they have check source in them. Level sensors will be channel calibrated in accordance with Technical Specifications.

STATUS (5/12): Closed.

420.56 (7.6) As shown on Drawing 9763-M-310882 SH-B54a, two circuit breakers in series are employed in the power and control circuits for the residual heat removal inlet isolation valves. Tripping of either breaker will remove power from the position indicating lights and valve position indication will be lost. Discuss how this arrangement complies with Branch Technical Position ICSB No. 3 which calls for suitable valve position indication to the control room.

RESPONSE (3/23): Handout submitted to staff. Valve position indicator lights will be powered from different source so that true valve position will always be indicated when power is removed from valve motor by racking out breaker. This applies to RHR interface valves.

STATUS (2/86): Drawings M-310882 Sh. B54a and Sh. EH0/16a. (SER 7.6.7.5)

HANDOUT (3/23): Two circuit breakers in series are employed in the circuits of motor-operated valves inside containment. This is part of the containment penetration protection provided in response to Regulatory Guide 1.63. Refer to FSAR Section 8.3.1.1.c.7a.

Valve position indication is provided on both RCS-RHR interface valves which are in series. As with any circuit, when power is removed because of a fault, indication will also be lost.

We believe that our revised design meets the intent of ICSB 3 position B4.

In addition to the normal valve position indication lights, the valve full closed position is also monitored by the station computer to alarm whenever the valve is not fully closed and the reactor coolant system is above the pressure rating of the RHR system.

420.57 (7.6) Section 7.6.2.1 indicates that the interlock circuits of the residual heat removal isolation valves, RC-V22 and RC-V87, have a transmitter that is diverse from the transmitter associated with valves RC-V23 and RC-V88. Discuss the method(s) used to achieve this diversity.

RESPONSE (3/23): Different manufacturers for pressure transmitters are used to achieve the diversity.

STATUS (5/12): Closed.

420.58 (7.6) Discuss conformance of the accumulator motor-operated valves to the recommendations of Branch Technical Positions ICSB No. 4.

RESPONSE (3/23): Handout submitted to staff. Change response to indicate valve position is monitored through video alarm system (VAS). Details of VAS will be in the response to 420.49.

Staff will review adequacy of alarm.

STATUS (9/14): Closed.

HANDOUT (3/23): The design of the accumulator motor-operated valves conforms to the recommendations of ICSB No. 4. Refer to FSAR Section 7.6.4 for a response to Branch Technical Positions B1 and B2.

Branch Technical Position B3:

Valve position is monitored and alarmed by the video alarm system.

Branch Technical Position B4:

The automatic safety injection signal bypasses all main control board switch functions which may have closed the SI accumulator valve.

The safety injection signal will not automatically return power to the de-energized motor control center.

420.59 (7.6) Section 7.6.r. of the FSAR lists the motor-operated valves which will be protected from spurious actuation by removal of motor and control power by de-energizing their motor control centers (MCC 522 and MCC 622). The FSAR also states that control of the breakers supplying power to these MCCs is provided in the main control room. Provide the following information:

(a) The control of the MCC breaker from the Main Control Board for a typical Safety Injection System accumulator isolation valve is not shown on schematic diagram 9763-M-310890 Sh. B35a. Identify the drawing where this is shown.

(b) The residual heat removal inlet isolation valves are not included in the list of valves protected against spurious operation. State whether protection against spurious action of these isolation valves is planned and if so, provide information on how it is accomplished. If not, then justify.

RESPONSE (3/23, 1/83):

(a) Refer to FSAR Section 8.3.1. Alarm is provided in the control room when the breaker is closed.

(b) Reply given in response to RAI 440.23 and will be reviewed by the staff.

ADDITIONAL RESPONSE (5/12): We will explain the operation of valves 35, 36, 89, 90 and 93 and the effects of failure of valve 93 or its position switches.

ADDITIONAL RESPONSE (11/82): A telephone conversation was held on 11/10/82 with representatives of the NRC (R. Stevens), PSNH (R. LaRhette), and YAEC (W. Fadden) to discuss the operation and testing of the interlocks associated with ECCS recirculation. Significant items of discussion were:

1. The pump recirculation line isolation valves (SI-V89, 90, 93) are provided to prevent RWST contamination and subsequent release to the environment. The valves are arranged so that the line will be isolated assuming any single failure. Failure to isolate will not affect the performance of the ECCS for cooling the core.
2. The RHR recirculation valves (RH-V35 and 36) are provided so that either RHR pump can supply both safety injection and both centrifugal charging pumps. No single failure of the SI pump recirculation valves (SI-V89, 90, 93) or the associated interlocks will prevent the operation of either RHR recirculation valve.
3. These valves and the associated interlocks will be periodically tested. The test schedule and procedures will be available for review three months before fuel loading.

ADDITIONAL RESPONSE (1/83, 2/86): All motor-operated valves that have power removed to prevent spurious operation are provided with redundant valve position indication (VPI). The redundant VPI uses a different power supply so that it is operable when the power is removed from the valve motor. A draft copy of a revision to FSAR 7.6.9 is attached.

STATUS (2/86): FSAR 6.3.2.2 was revised, Amendment 53. Drawings M-310882, Sh. B54a through B54e and Sh. EH0/16a through 16d. (SER 7.6.7.3)

420.60 (7.6) The following apparent errors have been noted in the schematic diagrams.

(a) Drawing M-310980, Sh. B35d, Rev. 0

Contacts 5-SC on LOCAL REMOTE SWITCH SS-2403 appear incorrectly developed. An X indicating contacts closed should appear under the REMOTE column for contact 5 to allow remote closing of the accumulator valves.

(b) Drawing 9763-M-310900, Sh. B52a, Rev. 1 Motor starter 42 open coil is mislabeled 42/C instead of 42/0.

RESPONSE (3/23): We agree with your observation of drawing errors on the two schematic sheets mentioned and this will be corrected in the next revision of these drawings.

STATUS (5/12): Closed.

420.61 (7.6.6) FSAR Section 7.6.6 discusses interlocks for RCS pressure control during low temperature operation. Using detailed schematics, discuss how this interlock system complies with Positions B.2, B.3, B.4 and B.7 of BTP RSB 5-2. Be sure to discuss the degree of redundancy in the logic for the low temperature interlock for the RCS pressure control. Also, include a discussion on block valve control.

RESPONSE (3/23): Reply for the low temperature operation of the RCS pressure control will be under RAI 440.11.

The block valves and manual controls are Class 1E, train oriented, with controls being on the main control board.

REVISED RESPONSE (5/12): Design of the cold overpressure interlocks will be changed to make them single failure proof.

ADDITIONAL RESPONSE (9/14): The single failure problem with the cold overpressure interlocks was related to the use of one auctioneer card in each circuit to arm the other circuit and actuate the same circuit. Redundant auctioneer cards will be added to each circuit so that the arming and actuating signals will be independent; therefore, no single failure will prevent operation of both relief valves. FSAR Figure 7.6-4 will be revised.

STATUS (2/86): FSAR 5.2.2.11 revised, Amendment 53 and 56. FSAR 7.6.6 revised, Amendment 49. FSAR Figure 7.6-4 revised, Amendment 49. Drawing FP-70001 Sh. 38. (SER 7.6.7.2)

420.62 (7.7) If control systems are exposed to the environment resulting from the rupture of reactor coolant lines, steam lines or feedwater lines, the control systems may malfunction in a manner which would cause consequences to be more severe than assumed in safety analyses. I&E Information Notice 79-22 discusses certain non-safety grade or control equipment, which if subjected to the adverse environment of a high energy line break, could impact the safety analyses and the adequacy of the protection functions performed by the safety grade systems.

The staff is concerned that a similar potential may exist at light water facilities now under construction. You are, therefore, requested to perform a review per the I&E Information Notice 79-22 concern to determine what, if any, design changes or operator actions would be necessary to assure that high energy line breaks will not cause control system failures to complicate the event beyond the FSAR analysis. Provide the results of your review including all identified problems and the manner in which you have resolved them.

The specific "scenarios" discussed in the above referenced Information Notice are to be considered as examples of the kinds of interactions which might occur. Your review should include those scenarios, where applicable, but should not necessarily be limited to them.

RESPONSE (3/23): We will identify key control systems that affect plant safety and analyze for effects of high energy line break. Review will be completed and formal response to I&E Information Notice 79-22 submitted.

STATUS (420.62 & .63, 2/86): NRC to document review (SER 7.7.2.2, 7.7.2.3).

RESPONSE (1/83): Since questions 420.62 and 63 deal with the same control systems and require similar analysis, we have combined the answers.

The evaluation required to answer Question 420.62 and 63 consists of postulating failures which affect the major control systems and determining what the resulting event will be. The following are events which were considered:

a. Loss of any/or combination of instruments (due to a high energy line break),
b. Loss of power to all systems powered by a single power supply,
c. Break of an instrument sensing line providing input to multiple sensors or failure of a common sensor providing input to multiple control systems.

The analysis was conducted for the following five major control systems:

1. Rod control
2. Steam dump
3. Pressurizer pressure
4. Pressurizer level
5. Feedwater

For this analysis, all operational modes were considered.

Loss of Any Single Instrument

Table 1, Sensor Failure Analysis, is a sensor by sensor evaluation of all sensors which provide input to a control loop of the above systems and could be affected by a High Energy Line Break (HELB).

This table does not include equipment which is located in areas that are not affected by a HELB, nor does it include Class 1E equipment which is qualified to operate in its harsh environment.

The table provides the particular sensor by Tag number, sensor function, failure both high and low, effect of the failure, and bounding event. In addition, the failure of multiple sensors due to a HELB was analyzed.

Our analysis of the effects of each single and multiple sensor failure associated with each postulated HELB indicates that the resulting events are bounded by the FSAR analysis.

Loss of Common Power Supplies

The five major control systems are powered either from a protection set, control group, or Balance of Plant (BOP) Process Control System. The four (4) protection cabinets and the Control Groups 1 and 3 are powered from redundant 120 volt vital instrument buses. Control Groups 2 and 4 are powered from a common 120 volt vital instrument bus. The two BOP Process Control Systems are powered from a common 120 volt bus.

The following table provides the control cabinet and inverter power supply by tag number:

Tag # | UPS #
CP1 | UPS 1-1-1A
CP2 | UPS 1-1-1B
CP3 | UPS 1-1-1C
CP4 | UPS 1-1-1D
CP5 | UPS 1-1-1A
CP6 | UPS 1-1-1E
CP7 | UPS 1-1-1C
CP8 | UPS 1-1-1E
CP153 | UPS 1-4
CP175 | UPS 1-4

Table 2 considers loss of power to protection sets and control groups. The table indicates the system, signal affected, itemized effect, and bounding event for each protective set and control group. It should be noted that Control Groups 2 and 4 are analyzed separately in this table. This was done to account for the fact that they are powered from separate feeders. It can be seen from reviewing the table that the effect would be the same if Control Groups 2 and 4 were lost at the same time.

Table 3 considers loss of power to BOP process control equipment fed from a common power supply. This table also indicates the system, signal affected, itemized effects, and bounding event.

Loss of Common Sensors

There are no common impulse lines or hydraulic headers that provide signals to two or more control systems at Seabrook Station. The following sensors provide input to multiple control systems:

Tag # | Signal | Input To
MS PT507 | Steam Header Pressure | Steam Dump, Feedpump Speed Control
MS PT505 | Turbine Impulse Pressure | Steam Dump, Feedwater Control
Power Range Neutron Detectors | Power Range Flux | Rod Control, Tavg

We have considered the failure both high and low of these sensors and determined that the results are bounded by the FSAR Analysis.

A table will be provided to document the effects.

Summary

Our review of the five major control systems clearly shows that the loss of any single sensor or power supply will result in events that are bounded by the FSAR analyses. In addition, we have considered multiple failures of sensor or power supplies and have determined that in all cases the resulting event will be bounded by the FSAR analysis.

TABLE 1 SENSOR FAILURE ANALYSIS

SENSOR TAG NO.: FW-FT-4065
FUNCTION: Controls minimum Feed Pump Recirc. Valve 4065 and provides signal for flow indication on MB and computer alarm.
FAILURE LO
EFFECT: Computer alarm and flow indication indicate low flow for one feed pump. Minimum Feed Pump Recirc. Valve goes full open.
BOUNDING EVENT: No event if both pumps running. If above 30% power and only one pump running, SG level will decrease, bounding event loss of normal feedwater. See FSAR Section 15.2.7.
FAILURE HI
EFFECT: Flow indicator on MCB indicates high flow for one feed pump. Minimum Feed Pump Recirc. Valve goes full closed. This will have no effect if actual pump flow is above minimum flow requirements. If the actual flow is below minimum flow requirement, a low flow alarm will alert the operator.
BOUNDING EVENT: No event. (If at high flow, pump continues to operate, if at low flow, pump is tripped; the remaining pump or the startup feed pump would be sufficient to provide required flow.)

SENSOR TAG NO.: FW-FT-4064
Same as for FT 4064 (FT-4064 is used in conjunction with pump 32A and FT-4065 is used in conjunction with pump 32B.)

SENSOR TAG NO.: FW-PSL-4310, -4311, -4312
FUNCTION: Switches provide NPSH pump trip signal to Feed Pump 32A.
FAILURE LO/HI
EFFECT: The failure of any one switch has no effect since they form a 2-out-of-3 logic.
BOUNDING EVENT: No event.

SENSOR TAG NO.: FW-PSL-4320, -4321, -4322
FUNCTION: These switches perform the same function for Pump 32B as PSL 4310, 4311 and 4312 perform for Pump 32A.
BOUNDING EVENT: No event.

SENSOR TAG NO.: FW-PT-508
FUNCTION: Feedwater header pressure provides input to process controller for feed pump speed control.
FAILURE LO
EFFECT: Feed pump speed increases if pump is in auto. Flow control valves close to maintain SG level if in auto.
BOUNDING EVENT: No event if pump is in manual. No event if pump and flow control valves in auto. If flow control valves are in manual, SG level will increase. Bounding event is excessive feedwater flow. See FSAR Section 15.1.2.
FAILURE HI
EFFECT: Feed pump speed decreases if in auto.
BOUNDING EVENT: No event if pump in manual, if in auto, there would be a decrease in SG level. Bounding event loss of normal feedwater. See FSAR Section 15.2.7.

SENSOR TAG NO.: MS-PT-507
FUNCTION: Steam generator header pressure provides input to feed pump speed control.
FAILURE LO
EFFECT: Feed pump speed decreases if in auto.
BOUNDING EVENT: No event if in manual. If in auto, SG level decreases over time. Bounding event loss of normal feedwater. See FSAR Section 15.2.7.
FAILURE HI
EFFECT: Feed pump speed increases if in auto.
BOUNDING EVENT: No event if in manual. If pump and level control valves are in auto, valve will throttle down. There is no event. If pumps in auto and valves in manual, SG level will increase over time. Bounding event is excessive feedwater flow. See FSAR 15.1.2.

SENSOR TAG NO.: NI-NE-41P, 42P, 43P, 44P
FUNCTION: Power range flux auto rod control.
FAILURE LO
EFFECT: No control action. Controlled from high auctioneer circuit.
BOUNDING EVENT: No event.
FAILURE HI
EFFECT: If in auto rods drive in, reactor power will decrease, resulting in temperature pressure decrease.
BOUNDING EVENT: Inadvertent opening of a pressurizer safety or relief valve. See FSAR Section 15.6.1

TABLE 2 LOSS OF POWER TO CONTROL GROUP 1 (CP-5)

CONTROL SYSTEM AFFECTED: Steam Dump to Cond
SIGNAL AFFECTED: Trip Open Cond Dump. Auto Modulation of Cond Dump Valves MS-PV 3009, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 and 20
ITEMIZED EFFECT: No control action. Steam dump to condenser blocked. Atmospheric dump valves and steam generator safety valves still available.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Neutron Flux
ITEMIZED EFFECT: No control action.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: FW Control
SIGNAL AFFECTED: Auto control of FW-FCV 510
ITEMIZED EFFECT: FW-FCV 510 closes causing loss of FW to SG 1.
BOUNDING EVENT: Loss of normal feedwater. See FSAR 15.2.7.
SIGNAL AFFECTED: Steam Flow Reference from Loop 1 to Pump Speed Control
ITEMIZED EFFECT: Feedpump speed may decrease. During power operation this would cause a plant trip on low SG level.

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: Low-Level Cutoff for Pressurizer Heaters and Letdown Isolation
ITEMIZED EFFECT: No control action, auto functions blocked.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: Heater Control, Pressurizer Spray Valves RC-PCV 455 A&B and PORV RC-PCV-456A
ITEMIZED EFFECT: Variable heater and spray off. RCS cold overpressurization loss of auto control for RC-PCV-456A. During power operation plant will trip on low SG level. During all other modes of operation, plant will trip on high or low pressurizer pressure.
BOUNDING EVENT: For loss of power to CP-5 during power operation, the bounding event is loss of normal feedwater, FSAR Section 15.2.7. During all other modes of operation, the bounding event will be either inadvertent opening of pressurizer safety or relief valve, see FSAR Section 15.6.1, or RCS overpressure, see FSAR Section 15.2.2.

TABLE 2 LOSS OF POWER TO CONTROL GROUP 2 (CP-6)

CONTROL SYSTEM AFFECTED: Steam Dump to Cond
SIGNAL AFFECTED: Turbine Pressure Loss of Load Interlock
ITEMIZED EFFECT: Steam dump to cond blocked. Atmospheric dump and steam generator safety valves still available.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Turbine impulse pressure (PT 505), Neutron Flux
ITEMIZED EFFECT: Auto/manual rod withdrawal blocked. Remote dispatching defeated.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: FW Control
SIGNAL AFFECTED: Auto control of FW-FCV 520
ITEMIZED EFFECT: FW-FCV 520 closes causing loss of FW in SG 2.
BOUNDING EVENT: Loss of normal feedwater. See FSAR Section 15.2.7.
SIGNAL AFFECTED: Steam Flow Reference from Loop 2 to Feedpump Speed Controller
ITEMIZED EFFECT: Feedpump speed may decrease. During power operation, this would cause a plant trip on low SG level.

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: Auto control of Pressurizer Heaters, Letdown isolation and charging pump speed.
ITEMIZED EFFECT: Pressurizer Heaters off, Letdown isolated, charging pump speed decreases. During normal operation plant trips on low SG level. During other modes of operation plant trips on low pressurizer pressure.
BOUNDING EVENT: For loss of power to CP-6 during power operation, the bounding event will be loss of feedwater, FSAR Section 15.2.7. During all other modes of operation, bounding event will be inadvertent opening of pressurizer safety or relief valve, see FSAR Section 15.6.1 or RCS overpressure FSAR Section 5.2.2.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: RC-PCV-456B High pressure signal
ITEMIZED EFFECT: No control action. PORV remains closed.
BOUNDING EVENT: No event.

TABLE 2 LOSS OF POWER TO CONTROL GROUP 3 (CP-7)

CONTROL SYSTEM AFFECTED: Steam Dump to Cond
SIGNAL AFFECTED: None
ITEMIZED EFFECT: -
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Neutron Flux
ITEMIZED EFFECT: No control action.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: FW Control
SIGNAL AFFECTED: Auto control of FW-FCV-530
ITEMIZED EFFECT: FW-FCV 530 closes causing loss of FW in SG 3.
BOUNDING EVENT: Loss of normal feedwater, see FSAR Section 15.2.7.
SIGNAL AFFECTED: Steam flow Reference from Loop 3 to Feedpump Controller
ITEMIZED EFFECT: Feed pump speed may decrease. During power operation this will cause a plant trip on low SG level.

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: Flow control Valve CS-FCV-121
ITEMIZED EFFECT: Loss of normal charging flow and loss of seal injection. Thermal barrier cooling is available. During normal operation, plant will trip on low SG level. During all other modes of operation, plant will trip on low pressurizer pressure.
BOUNDING EVENT: During normal operation bounding event will be loss of feedwater, FSAR 15.2.7. During all other modes of operation, bounding event will be inadvertent opening of pressurizer safety or relief valve, see FSAR Section 15.6.1.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: Prz. Pressure Interlock to RC-PCV 456A and PORV Block Valve RC-V122 Control
ITEMIZED EFFECT: PORV Block Valve RC-V122 opens. PORV RC-PCV-456A remains closed.
BOUNDING EVENT: No event.

TABLE 2 LOSS OF POWER TO CONTROL GROUP 4 (CP-8)

CONTROL SYSTEM AFFECTED: Steam Dump to Cond
SIGNAL AFFECTED: Steam Header Pressure MS-PT-507, T Auctioneered, T Referenced
ITEMIZED EFFECT: Steam dump to cond. blocked. Atmospheric dump and steam generator safety valves still available.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Stop Turbine Loading, defeat remote dispatching, Rod speed demand and direction control
ITEMIZED EFFECT: No control action.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: FW Control, FW Pump Speed Control
SIGNAL AFFECTED: Feedpump Speed Controller Signal, Steam Generator Header pressure, Feedwater Manifold Pressure
ITEMIZED EFFECT: FW pump in auto mode, pump speed decreases. During power operation this will cause a plant trip on low SG level.
BOUNDING EVENT: Loss of normal feedwater. See FSAR Section 15.2.7.

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: Auctioneered T Avg.
ITEMIZED EFFECT: Charging flow control valve CS-FCV-121 goes closed. Charging pump speed decreases. During power operation plant will trip on low SG level. During all other modes of operation plant will trip on low pressurizer pressure.
BOUNDING EVENT: During power operation, bounding event is loss of feedwater. During all other modes of operation, bounding event is inadvertent opening of a pressurizer safety or relief valve, see FSAR Section 15.6.1.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: Interlock to open PORV RC-PCV-456B, Open Signal to PORV Block Valve RC-V124
ITEMIZED EFFECT: PORV Block valve RC-V124 opens. PORV RC-PCV-456B remains closed.
BOUNDING EVENT: No event.

TABLE 2 LOSS OF POWER TO PROTECTION SET I (CP-1)

CONTROL SYSTEM AFFECTED: Steam Dump
SIGNAL AFFECTED: None
ITEMIZED EFFECT: No effect.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Power Range Flux, Turbine Pressure (MS-PT-505), TAVG (TE 411A&B)
ITEMIZED EFFECT: Rods drive in, power decreases, auto rod withdrawal blocked, turbine loading and remote dispatching stopped. This will cause a plant trip on low pressurizer pressure.
BOUNDING EVENT: Inadvertent opening of a pressurizer safety or relief valve. See FSAR Section 15.6.1

CONTROL SYSTEM AFFECTED: FW Control
SIGNAL AFFECTED: S. G. Level (FW-LT-551 & 554)
ITEMIZED EFFECT: If signal used for control, Feedwater Control Valve FW-FCV 510 will go full open. During power operation, plant will trip on high SG level.
BOUNDING EVENT: Excessive feedwater flow. See FSAR Section 15.1.2

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: Prz. Level RC-LT-459
ITEMIZED EFFECT: If affected signal used for control, charging pump speed increases, charging flow control valve CS-FCV-121 goes full open, letdown isolated and heaters blocked.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: Pressure (PT 455)
ITEMIZED EFFECT: If channel is selected for control the backup heaters will come on and spray will be blocked. During power operation plant will trip on low SG level. During all other modes of operation plant will trip either on high pressurizer pressure or level.

BOUNDING EVENT (Pressurizer Level and Pressurizer Pressure): During power operation bounding event is excessive feedwater flow. During all other modes of operation, bounding event will be either RCS overpressure, see FSAR Section 5.2.2 or increase in reactor coolant inventory, see FSAR Section 15.5.2.

TABLE 2 LOSS OF POWER TO PROTECTION SET II (CP-2)

CONTROL SYSTEM AFFECTED: Steam Dump
SIGNAL AFFECTED: Turbine Impulse Pressure (PT 506)
ITEMIZED EFFECT: Steam dump demanded but blocked.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Power range Flux, TAVG
ITEMIZED EFFECT: No control action.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: FW Control
SIGNAL AFFECTED: S. G. Level (FW-LT-552 & 553)
ITEMIZED EFFECT: If signal used for control, FW Control Valve FW-FCV520 will go full open. During power operation, plant will trip on high SG level.
BOUNDING EVENT: Excessive feedwater flow, see FSAR Section 15.1.2.

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: Prz. Level (RC-LT-460)
ITEMIZED EFFECT: If affected signal used for control, letdown is isolated, heaters blocked. During power operation, plant will trip on high SG level. During all other modes of operation, plant will trip on high pressurizer level.
BOUNDING EVENT: During power operation, bounding event will be excessive feedwater flow, see FSAR Section 15.1.2. During all other modes of operation, the bounding event will be increase in reactor coolant inventory, see FSAR Section 15.5.2.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: Prz. Pressure (RC-PT-456)
ITEMIZED EFFECT: No control action. PORV, RC-PCV-456B, blocked.
BOUNDING EVENT: No event.

TABLE 2 LOSS OF POWER TO PROTECTION SET III (CP-3)

CONTROL SYSTEM AFFECTED: Steam Dump
SIGNAL AFFECTED: None
ITEMIZED EFFECT: No effect.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Power Range
ITEMIZED EFFECT: No control action.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: FW Control
SIGNAL AFFECTED: None
ITEMIZED EFFECT: No effect.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: Prz. Level (RC-LT-461)
ITEMIZED EFFECT: If affected signal used for control, charging pump speed increases, charging flow control valve CS-FCV-121 goes full open, letdown isolated and heaters blocked.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: Prz. Pressure (RC-PT-457)
ITEMIZED EFFECT: If channel is selected for control the backup heaters will come on and spray will be blocked. The plant will trip on either high pressurizer level or pressure.

BOUNDING EVENT (Pressurizer Level and Pressurizer Pressure): Bounding event will be either increase in reactor coolant inventory, see FSAR Section 15.5.2, or RCS overpressure, see FSAR Section 5.2.2.

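TABLE 2 LOSS OF POWER TO PROTECTION SET IV (CP-4)

CONTROL SYSTEM AFFECTED: Steam Dump
SIGNAL AFFECTED: None
ITEMIZED EFFECT: No effect.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Rod Control
SIGNAL AFFECTED: Power Range Flux
ITEMIZED EFFECT: No control action.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: FW Control
SIGNAL AFFECTED: None
ITEMIZED EFFECT: No effect.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Pressurizer Level
SIGNAL AFFECTED: None
ITEMIZED EFFECT: No effect.
BOUNDING EVENT: No event.

CONTROL SYSTEM AFFECTED: Pressurizer Pressure
SIGNAL AFFECTED: Pressurizer Pressure (RC-PT-558)
ITEMIZED EFFECT: If affected signal used for control, PORV RC-PCV 456 A & B blocked.
BOUNDING EVENT: No event.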

TABLE 3 LOSS OF POWER TO PROCESS CONTROL GROUP (CP-153, 175)

Power Supply UPS-1-4
SENSOR: FW-FT-4064, FW-FT-4065
FUNCTION: Control of minimum Feed Pump Recirc. Valves 4064 and 4065
EFFECT: Feed Pump Recirc. Valves go full open.
BOUNDING EVENT: If the feed pumps are operating above 30 percent capacity, SG level will decrease over time causing plant trip. Bounding event will be loss of normal feedwater, see FSAR Section 15.2.7.

Power Supply PP 122A
SENSOR: FW-PSL-4310, 11, 12
FUNCTION: Switches provide NPSH trip of Feed Pump
EFFECT: NPSH pump trip blocked.
BOUNDING EVENT: No event.

Power Supply PP 122B
SENSOR: FW-PSL-4320, 21, 22
FUNCTION: Switches provide NPSH trip of Feed Pump
EFFECT: NPSH pump trip blocked.
BOUNDING EVENT: No event.

420.63 (7.7) If two or more control systems receive power or sensor information from common power sources or common sensors (including common headers or impulse lines), failures of these power sources or sensors or rupture/plugging of a common header or impulse line could result in transients or accidents more severe than considered in plant safety analyses. A number of concerns have been expressed regarding the adequacy of safety systems in mitigation of the kinds of control system failures that could actually occur at nuclear plants, as opposed to those analyzed in FSAR Chapter 15 safety analyses. Although the Chapter 15 analyses are based on conservative assumptions regarding failures of single control systems, systematic reviews have not been reported to demonstrate that multiple control system failures beyond the Chapter 15 analyses could not occur because of single events.

Among the types of events that could initiate such multiple failures, the most significant are, in our judgment, those resulting from failure or malfunction of power supplies or sensors common to two or more control systems.

To provide assurance that the design basis event analyses adequately bound multiple control system failures, you are requested to provide the following information:

(1) Identify those control systems whose failure or malfunction could seriously impact plant safety.

(2) Indicate which, if any, of the control systems identified in (1) receive power from common power sources. The power sources considered should include all power sources whose failure or malfunction could lead to failure or malfunction of more than one control system and should extend to the effects of cascading power losses due to the failure of higher level distribution panels and load centers.

(3) Indicate which, if any, of the control systems identified in Item 1 receive input signals from common sensors. The sensors considered should include, but should not necessarily be limited to, common hydraulic headers or impulse lines feeding pressure, temperature, level or other signals to two or more control systems.

(4) Provide justification that any simultaneous malfunctions of the control systems identified in (2) and (3) resulting from failures or malfunctions of the applicable common power source or sensor are bounded by the analyses in Chapter 15 and would not require action or response beyond the capability of operators or safety systems.

RESPONSE (3/23): We will submit formal response similar to that submitted on other Westinghouse plants.

STATUS (9/14): See 420.62.

420.64 (7.7.1) FSAR Section 7.7.1 discusses steam generator water level control. Discuss, using detailed drawings, the operation of this control system. Include information on what consequences (i.e., overfilling the steam generator and causing water flow into the steam piping, etc.) might result from a steam generator level control channel failure. Be sure to discuss the high-high steam generator level logic used for main feedwater isolation.

RESPONSE (3/23): High-high steam generator level trip will be changed to two out of four logic.

ADDITIONAL RESPONSE (5/12): S/G level is not programmed as a function of power level. 420.67 from the draft memo dated 3/22/82 is now 420.70.

STATUS (2/86): FSAR 7.2.2.3.e was revised, Amendment 54. FSAR Figure 7.2-1 Sh. 7 was revised, Amendment 53. FSAR Table 7.3-2 was revised, Amendment 54. (SER 7.3.2.7)

420.65 (7.2) (7.3) Recent review of a plant (Waterford) revealed a situation where heaters are to be used to control temperature and humidity within insulated cabinets housing electrical transmitters that provide input signals to the reactor protection system. These cabinet heaters were found to be unqualified and a concern was raised since possible failure of the heaters could potentially degrade the transmitters, etc.

Please address the above design as it pertains to Seabrook. If cabinet heaters are used, then describe as a minimum the design criteria used for the heaters.

RESPONSE (3/23): Class 1E electronic transmitters are not mounted in an insulated cabinet with heaters for temperature and humidity control. The subject design, therefore, does not pertain to Seabrook.

STATUS (5/12): Closed.

Note: The NRC memo dated March 22, 1982, on the SSPS slave relay contacts is now 420.81.

420.66 (7.2) It is not clear from the drawings provided and the description of the turbine trip circuits and mechanisms that the equipment used to trip the turbine following a reactor trip meets the criteria applicable to equipment performing a safety function.

It is the staff position that the circuits and equipment used to trip the turbine following a reactor trip should meet the criteria applicable to a safety function with the exception of the fact that the circuits may be routed through nonseismic qualified structures and the turbine itself is not seismically qualified.

Please provide further discussion on how the Seabrook design meets the staff position.

RESPONSE (5/12): We will comply with the attached Westinghouse Interface Criteria for Implementation of Turbine Trip on Reactor Trip. We are discussing the design changes required with General Electric Co., the turbine supplier.

ADDITIONAL RESPONSE (9/14, 1/83): We will provide redundant, safety-grade circuits and solenoids powered from the 1E inverters, that are energized to trip the turbine. These circuits meet the requirements of IEEE 279-1971 except that the portion in nonseismic areas is not Seismic Category 1. (See RAI 420.21 and 420.29).

ADDITIONAL RESPONSE (2/86): As shown on FSAR Figure 7.2-1, Sh. 16, redundant P-4 (reactor trip breakers open) signals are input to the two turbine trip circuits. One circuit energizes the mechanical trip solenoid, the other de-energizes the electrical trip solenoids to depressurize the Emergency Trip System and close the turbine valves. We have marked up FSAR Figure 7.2-1, Sh. 16, to show the cross-trip circuits provided so that both trip circuits will be activated if either train of reactor trip breakers is opened. FSAR Figure 7.2-1, Sh. 16, will be revised in a future amendment.

Details of the Trip System are provided in the following documents:

M-301961, Shs. E91/4a, E91/4b, FE4/1A, and FE4/1K
M-310966, Shs. EH0/15a and 15b
Foreign Prints 22823, Shs. 1*, 4, 5, 23617, 22133, GEK 46487A, GEK46488, 20003, and 20005

* Modified by ECA 99109678

The Westinghouse NSSS and General Electric turbine generator at Seabrook are essentially similar to the design at Millstone 3 and Vogtle that have recently been reviewed and accepted by the NRC (see Figure 7.2-1, Sh. 16, in the Millstone 3 and Vogtle FSARs).

Considering the diverse, redundant, and highly reliable design of the General Electric Trip System, the difficulty associated with modifying the Trip System and the recent NRC acceptance of similar designs, we will not be modifying the turbine trip circuit as we had indicated in our prior response.

420.67 (7.2) The Reactor Coolant System hot and cold leg resistance temperature detectors (RTD) used for reactor protection are located in reactor coolant bypass loops. A bypass loop from upstream of the steam generator to downstream of the steam generator is used for the hot leg resistance temperature detector and a bypass loop from downstream of the reactor coolant pump to upstream of the pumps is used for the cold leg resistance temperature detector. The magnitude of the flow affects the overall time response of the temperature signals provided for reactor protection.

It is the staff's position that the magnitude of the RTD bypass loop flow be verified to be within required limits at each refueling period and that this requirement be included into the plant technical specifications. Please provide discussion on how the Seabrook design complies with the staff's position. If there are any exceptions please describe and provide justification.

RESPONSE (5/12): Westinghouse letter SNP-4340, attached, evaluates the potential for reduced flow in the RTD Bypass System due to corrosion product deposition. Based on their analysis, we do not consider flow reduction due to crud to be a problem.

We will verify the bypass flow rates during the preoperational testing program. The low flow alarm in the combined return line will be set at a value to indicate unacceptable flow degradation in either the cold or hot leg bypass manifolds.

This response is the same as was made to Catawba.

This item is open pending NRC review.

STATUS (7/15): The NRC reiterated the position that the bypass flow be reverified each refueling. Technical Specification revision is required.

ADDITIONAL RESPONSE (9/14): Preoperational verification of bypass flow will be by test procedure that follows the guidance of NAH/NCH "U-2.1.9, Resistance Temperature Detector Bypass Loop Flow Verification."

Surveillance procedures that verify the bypass loop flow will be available 90 days before fuel loading. The surveillance procedure will be performed every refueling. Any required Technical Specification will be generated as part of procedures outlined in NUREG 0452, Revision 4.

STATUS (9/14): Closed.

420.68 (7.2) Operation of either of two manual reactor trip switches de-energizes the reactor trip breaker undervoltage coils and, at the same time, energizes the breaker shunt coils for the breakers associated with both protection logic trains.

It is the staff's position that the plant technical specifications include a requirement to periodically, independently verify the operability of the undervoltage and shunt trip functions. Please describe how the Seabrook design complies with our position. If there are any exceptions please identify with sufficient justification.

RESPONSE (5/12): We defer response pending generic resolution of this item by Westinghouse and the NRC (Ref. NS-EPR-2588, dated 4/29/82).

ADDITIONAL RESPONSE (1/83): A Westinghouse - NRC meeting to discuss this item is scheduled for January 26. We support the Westinghouse position on the proposed testing. We will implement any changes that are agreed upon in the generic Westinghouse - NRC discussions.

ADDITIONAL RESPONSE (2/86): The shunt trip has been upgraded to Class 1E and automated so that it is energized by the SSPS in addition to the manual trip switch. The Westinghouse design change permits independent verification of the shunt trip and undervoltage trip actuation by the SSPS or the manual trip switch.

STATUS (2/86): FSAR Figure 7.2-1 Sh. 2 was revised, Amendment 56. FSAR 7.2 was revised, Amendment 55. Drawing M-310944 Sh. HD3a. (SER 7.2.2.2)

420.69 (7.2) Several safety system channels make use of lead, lag or rate signal compensation to provide signal time responses consistent with assumptions in the Chapter 15 analyses. The time constants for these signal compensations are adjustable setpoints within the analog portion of the safety system. The staff position is that the time constant setpoint be incorporated into the plant technical specifications. Please provide a discussion on this matter.

RESPONSE (5/12): The time constants are in Tables 2.2-1 and 2.2-2 of the Technical Specification. Attached is a revised Table 2.2-2 with editorial corrections and inclusion of the time constants that clarify Item 4.E.

STATUS (9/14): Closed.

420.70 (7.2) (7.3) The present Seabrook design shows that three steam generator level channels are to be used in a two-out-of-three logic for isolation of feedwater on high steam generator level and that one of the three level channels is used for control. This design for actuation of feedwater isolation does not meet Paragraph 4.7 of IEEE-279 on "Control and Protection System Interaction". For example, the failure of the level channel used for control in the low direction could defeat the redundancy requirements (i.e., a single failure of one of the remaining channels defeats the two-out-of-three requirements). Therefore it is the staff's position that the system be modified (i.e., addition of a fourth protection channel) to meet the redundancy requirements or provide an analysis justifying that isolation of feedwater on high-high steam generator level is not required for safety. Please provide a discussion based on the above staff requirements.

RESPONSE (5/12): This was addressed in the March 23-25 meetings as Item 420.67. Commitment was made to change the S/G high level trip to 2 out of 4 (see 420.64).
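The control and protection interaction raised in 420.70, worked through as an added example that is not part of the original minutes or of any Seabrook design document. The setpoint, the level values and all function names are assumptions chosen for illustration; the check is the one the question describes: the control channel fails low, then any one remaining channel also fails.

```python
"""Voting-logic check for high-high steam generator level isolation.

Added illustration only. All numeric values are constructed and do not
come from the FSAR or the Technical Specifications.
"""

HIGH_HIGH_SETPOINT = 80.0   # percent level, assumed trip setpoint
FAILED_LOW_READING = 0.0    # a channel failed low reads bottom of scale
OVERFILL_LEVEL = 95.0       # assumed actual level during the overfill


def channel_readings(actual_level, n_channels, failed_low):
    """Return what each level channel reports.

    Channels listed in failed_low report bottom of scale no matter what
    the actual level is; healthy channels report the actual level.
    """
    return [
        FAILED_LOW_READING if ch in failed_low else actual_level
        for ch in range(n_channels)
    ]


def isolation_actuates(actual_level, n_channels, votes_required, failed_low):
    """True if enough channels see high-high level to isolate feedwater."""
    readings = channel_readings(actual_level, n_channels, failed_low)
    votes = sum(1 for r in readings if r >= HIGH_HIGH_SETPOINT)
    return votes >= votes_required


def check_interaction(n_channels, votes_required, control_channel=0):
    """Apply the scenario described in 420.70.

    1. The channel also used for control fails low. The level controller
       sees a false low level and overfeeds, so the actual level rises,
       and that same channel can no longer vote for isolation.
    2. One additional single failure (fail low) is then assumed in each
       of the remaining protection channels in turn.

    Returns (passes, detail) where detail maps the additionally failed
    channel to whether isolation still actuated.
    """
    detail = {}
    for extra in range(n_channels):
        if extra == control_channel:
            continue
        failed = {control_channel, extra}
        detail[extra] = isolation_actuates(
            OVERFILL_LEVEL, n_channels, votes_required, failed
        )
    return all(detail.values()), detail


if __name__ == "__main__":
    for n in (3, 4):
        passes, detail = check_interaction(n_channels=n, votes_required=2)
        verdict = "tolerates" if passes else "does NOT tolerate"
        print(f"2-out-of-{n} {verdict} control-channel failure "
              f"plus one more failure: {detail}")
```

With three channels only one healthy channel is left after the two failures, so a two-vote requirement cannot be met; with four channels two healthy channels remain and isolation still actuates.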

STATUS (2/86): See 420.64. (SER 7.3.2.7)

420.71 (7.2) FSAR Figure 7.2-1, Sh. 2 shows a reactor trip initiated by a General Warning Alarm from the Solid State Protection System. The information presented in the FSAR does not sufficiently describe this trip signal. Therefore, please provide additional information to describe and justify this reactor trip.

RESPONSE (5/12): The Seabrook SSPS is functionally similar to that discussed at Catawba. FSAR Section 7.2.2.2 will be revised per attached markup as was done at Catawba.

STATUS (9/14): Closed.

420.72 (7.3) Using detailed drawings (schematics, P&ID's), describe the automatic and manual operation and control of the main steam and feedwater isolation valves. Describe as a minimum how the design complies with the requirements of IEEE-279 (i.e., single failure, redundancy, indication of operability, direct valve position indication in the control room, automatic actuation, etc.).

RESPONSE (5/12): (a) Discussions on circuit modifications to the MSIV controls continue. Response is deferred pending resolution (see 420.37a).

(b) The MFWIV's were discussed with 420.37.

STATUS: Closed (items called out above were discussed with those of 9/14 420.37).

420.73 (7.3) (7.4) Instrumentation for process measurements used for safety functions such as reactor trip or emergency core cooling typically are provided with the following:

a) An indicator in the control room to provide the operator information on the process variable being monitored which can also be used for periodic surveillance checks of the instrument transmitter.

b) An alarm to indicate to the operator that a specific safety function has been actuated.

c) Indicator lights or other means to inform the operator which specific instrument channel has actuated the safety function.

d) Rod positions, pump flows, or valve positions to verify that the actuated safety equipment has taken the action required for the safety function.

e) Design features to allow test of the instrument channel and actuated equipment without interfering with normal plant operations.

During recent reviews, it has been found that one or more of the features above was not provided for certain instrumentation used to initiate safety functions. Examples include instrumentation used to isolate essential service water to the air compressors, instrumentation used to isolate the nonsafety-related portion of the component cooling water system, and instrumentation used to isolate the spray additive tank on low-low level.

The staff position is that instrumentation provided to perform safety functions such as isolating nonseismic portions of systems, closing valves when tank levels reach low level setpoints, and similar functions should be provided with alarms and indicators commensurate with the importance of the safety function and should be testable without interfering with normal plant operations. The applicants should provide the staff with a list of all instrument channels which perform a safety function where one or more of the features listed in a through e of the concern above are not currently provided. For each of these instrument channels, the applicants should indicate which of the features a through e are not currently provided. The staff position on these instrument channels is further that the applicants should:

a) Provide an alarm to indicate that the safety function has been actuated if such an alarm is not in the current design.

b) If not in the current design, provide means to inform the operator which specific channel has actuated the safety function.

c) If not in the current design, provide indication that the actuated safety equipment has taken the action required for the safety function.

d) If not in the current design, provide the capability for testing each safety function without interfering with normal plant operations and without lifting instrument leads or using jury rigs. The capability for testing should include the transmitter where indicators are not provided to perform operability checks of the transmitters.

The staff will provide requirements in the plant technical specifications for testing these safety functions. Please provide discussion on how the Seabrook design meets the above stated staff position. If there are any exceptions please describe and provide justification.

RESPONSE (5/12): A preliminary list was provided. We are evaluating the missing features and will respond at the next meeting.

STATUS (9/14): Our review continues. A complete report will be submitted at a later date.

ADDITIONAL RESPONSE (11/82, 1/83): Safety function instrumentation at Seabrook can be divided into two general classifications: actuation instrumentation and control instrumentation.

Actuation instrumentation performs functions that are considered protective functions (i.e., reactor trip and engineered safety features actuation) or are necessary to provide essential auxiliary functions (cooling tower actuation, isolation of the non-safety component cooling water piping). This instrumentation is designed to meet the requirements of IEEE 279 and typically has the following features:

a) Dedicated indicator in the Control Room.

b) Alarm on actuation of a specific safety function.

c) Indicator lights on the MCB, VAS alarm, channel indication at the instrument cabinets to alert the operator to a channel in the trip condition and to identify the specific channel; this indication is not applicable to functions that only have one sensing instrument.

d) Indication to monitor the performance of the actuated equipment.

e) Capability to perform the surveillance tests specified in the Technical Specifications (see Section 7.2.2.2(c)). These tests can be performed without interfering with normal plant operation or the use of jury rigs or lifted leads. The design conforms with the guidance of Regulatory Guide 1.22 and 1.118.

Control instrumentation performs functions associated with the control of auxiliary supporting features in response to changes in a measured variable (start of cooling fans to maintain environmental conditions, operation of valves to meet minimum flow conditions for a pump). These control functions only affect the operation of one of the redundant safety trains, the other train is available to perform the safety function if one train fails.

This instrumentation is not designed to meet the requirements of IEEE 279 and typically has the following features:

f) Control Room or local indication to monitor the controlled variable.

g) Independent alarm in the Control Room if the controlled variable exceeds the expected control band.

h) Capability to perform periodic calibration and functional tests. These tests can be performed without interfering with normal plant operation or the use of jury rigs or lifted leads.

We have reviewed the safety function instrumentation at Seabrook to verify the availability of the typical features discussed previously. Table 420.73-1 lists all the instrumentation that does not have all of the applicable features listed; the missing feature is specified with corrective action planned to provide the feature or justification why the feature is not required.

TABLE 420.73-1 Safety Function Instrumentation Design Features

1) Safety Function - Cooling tower actuation signal (TA).

Missing Features - c) No alarm if one pressure channel has tripped.

Remarks - c) An alarm will be provided if any pressure channel is tripped, the specific channel will be indicated at the instrument cabinet.

STATUS (2/86): See 420.44.

2) Safety Function - Isolation of non-safety component cooling water piping on low level in the head tank.

Missing Features - c) No alarm if only one level channel has tripped.

e) The containment isolation valves (CC-V57, 121, 122, 168, 175, 176, 256, 257) are not tested during power operation.

Remarks - c) An alarm will be provided if any level channel is tripped, the specific channel will be indicated at the instrument cabinet.

e) The actuation of these valves would cause a loss of cooling to the reactor coolant pumps, the actuation signal is blocked and continuity testing will be performed as discussed in FSAR 7.3.2.2.e.

STATUS (2/86): Drawings M-503278 and M-506195.

TABLE 420.73-1 (continued)

Safety Function Instrumentation Design Features

3) Safety Function - RWST lo-lo level recirculation actuation.

Missing Features - a) Indication from level transmitters (CBS-LT-930, 931, 932, 933) is not available.

c) Two out of four channels tripped is alarmed.

Remarks - a) Narrow-range transmitters are normally over-ranged so indicators would not be useful for routine surveillance. Increased surveillance will be employed to ensure operability of the level transmitters. Accident monitoring is provided by CBS-LI-2380 and 2383 and Technical Specification monitoring by CBS-LI-2381.

c) Alarm is considered adequate since there are channel tripped indicators at the instrument cabinet and the function will not actuate unless there is a coincident safety injection signal.

4) Safety Function - Emergency feedwater high flow isolation.

Missing Features - a) Indication is not provided for the backup instrumentation (i.e., B Train instruments for S/G A&C, A Train instruments for S/G B&D).

Remarks - a) Provisions are available for periodic channel calibration without interfering with normal plant operations. This includes checking the full span of the instrumentation.

Only the transmitter zero can be checked during the periodic channel checks as EFW flow to the steam generators is not established during the nonrefueling surveillances. The zero for the backup instrumentation can be checked at the instrument cabinets.

5) Safety Function - RHR pump low flow recirculation valve control.

Missing Features - g) An independent low flow alarm is not available.

Remarks - g) An independent low flow alarm will be provided.

STATUS (2/86): See 420.52.

6) Safety Function - High temperature start of cooling fans for the emergency feedwater pump house, service water pump house and cooling tower switchgear area.

Missing Features - f) Local indication is not provided.

Remarks - f) Local temperature indication will be provided.

STATUS (2/86): Drawings M-506431, M-506841, and M-506844.

ADDITIONAL RESPONSE (1/83): Based on discussions with the NRC we have reviewed our position on testing of the tower actuation signal. The Seabrook design permits testing of all actuated equipment in judiciously selected load groups.

STATUS (2/86): FSAR 7.3.2.3 revised, Amendment 56. (SER 7.3.2.4)

420.74 (7.3) On November 7, 1979, Westinghouse notified the Commission of a potential undetectable failure which could exist in the engineered safeguards P-4 interlocks. Test procedures were developed to detect failures which might occur. The procedures require the use of voltage measurements at the terminal blocks of the reactor trip breaker cabinets.

In order to minimize the possibility of accidental shorting or grounding of safety system circuits during testing, suitable test jacks should be provided to facilitate testing of the P-4 interlocks. Provide a discussion on how the above issue will be resolved for Seabrook.

RESPONSE (5/12): In SBN-120, dated May 15, 1980, we committed to the tests described in NS-TMA-2204.

ADDITIONAL RESPONSE (7/15): We will provide suitable circuits for testing the P-4 interlock. Details will be provided later.

ADDITIONAL RESPONSE (9/14): Test switches and meters will be permanently installed to perform the tests outlined in SBN-120.

STATUS (2/86): Closed. Drawings M-310944 SH-HD3e and M-310949 SH-FB6f (ECA 03/113132A copies provided). (SER 7.3.2.3)

420.75 (7.3) (9.3.4) (6.3) On May 21, 1981, Westinghouse notified the Commission of a potentially adverse control and protection system interaction whereby a single random failure in the Volume Control Tank level control system could lead to a loss of redundancy in the high head safety injection system for certain Westinghouse plants. Please determine whether this generic problem exists on Seabrook and, if so, how the problem is to be resolved.

RESPONSE (5/12): The generic problem is applicable to Seabrook. We are evaluating Westinghouse recommendations for procedural changes.

ADDITIONAL RESPONSE (9/14): In SBN-164, dated June 18, 1981, we committed to reviewing the plant procedures to ensure that the operators would be properly alerted and would take appropriate action. The procedures will be available for review 3 months prior to fuel loading. An analysis performed by Westinghouse (see NAH-1935, dated April 23, 1982, copy attached) indicates that there is in excess of ten minutes from the VCT low level alarm until the VCT is empty.

STATUS (9/14): Open pending NRC review. (SER 7.3.2.2)

ADDITIONAL RESPONSE (1/83): The alarms listed on Table 1 of NS-TMA-2451, dated May 21, 1981, and attachment of NAH-1935, dated April 23, 1982, are provided by the Video Alarm System.

420.76 (7.4) Discuss the likelihood that emergency core cooling will be automatically initiated following a manual reactor trip initiated during a temporary evacuation of the control room. For example, is it possible for the reactor coolant system to be cooled to the point that the pressurizer empties during the time interval between manual reactor trip and the time an operator can take control of auxiliary feedwater outside the control room? Analyses and operating experience from plants similar to Seabrook should be presented during the discussion. Based upon the likelihood of emergency core cooling actuation following a manual reactor trip, should the capability for resetting the equipment be provided outside the control room?

RESPONSE (9/14, 11/82, 2/86): Westinghouse has analyzed the transient resulting from evacuation of the control room using the following assumptions:

1. The reactor, turbine, MSIVs, and RCPs were tripped, in this order, prior to leaving the control room; no other operator action was taken.
2. The trip was from various power levels from 0 to 100% power with no decay heat (50% power was the most limiting).
3. EFW temperature was 40°F.
4. Both EFW pumps operate at the time of reactor trip and provide 1440 GPM.

The analysis shows that low main steam pressure safety injection will not occur until more than 568 seconds after the reactor trip. This will provide sufficient time for the operator to throttle EFW flow to stop the cooldown. It should be noted that Assumptions 2 and 4 are extremely conservative. A more detailed analysis using realistic decay heat loads expected during a power ascension and delay in actuation of EFW (actuation on the initial shrink after a trip is not expected) will show considerably more time is available to throttle EFW.

If safety injection is actuated, the operator has the capability of terminating flow by stopping the charging and RHR pumps from CP 108 A & B and by tripping the SI pumps at the switchgear. The charging and RHR pumps can be restarted from outside the control room without temporary modifications if necessary. Automatic start of the SI pumps is not defeated by local trip of the breaker.

STATUS (9/14): Open pending NRC review with RAI 420.38. (SER 7.4.2.4)

420.77 (7.4) (5.4.10.3) The FSAR states that the pressurizer auxiliary spray valve is used during cooldown when the reactor coolant pumps are not operating and FSAR Section 7.4 lists the auxiliary spray as a system required for safe shutdown. FSAR Figure 9.3-13 shows this system as a single path with a single diaphragm operated valve. A single failure could conceivably:

1) Prevent the use of auxiliary spray for cooldown,
2) Cause inadvertent actuation, or
3) Prevent isolation of the system.

Using detailed fluid and schematic drawings, please provide further discussion describing the operation of the auxiliary spray system.

RESPONSE (9/14): The safety grade power operated relief valves will be used to depressurize the RCS during safe shutdown; therefore, the auxiliary spray valves have been deleted from FSAR 7.4. See the draft revision provided for RAI 420.38.

STATUS (2/86): Closed. FSAR 7.4 was revised, Amendment 48. (SER 7.4.2.5)

420.78 (7.4) Provide a discussion on the termination of possible inadvertent boron dilution. Will automatic equipment be used for termination?

RESPONSE (5/12): The revised criteria for the boron dilution accident promulgated by NUREG-0800 are under review.

ADDITIONAL RESPONSE (9/14): We will meet the operator response times specified in NUREG 0800 following receipt of a flux increase alarm from the safety grade wide range neutron monitor.

STATUS (2/86): Closed. (SER 7.6.7.1)

420.79 (7.7.1.2) Describe the design features used in the rod control system which:

1) Limit reactivity insertion rates resulting from single failures within the system.
2) Limit incorrect sequencing or positioning of control rods.

The discussion should cover the assumptions for determining the maximum control rod withdrawal speed used in the analyses of reactivity insertion transients.

RESPONSE (5/12): Section 7.7.1.2.2 of the FSAR will be revised per attached markup to describe features that limit reactivity insertions, maximum rod speeds and incorrect sequencing resulting from single failures within the system. This evaluation is identical to that made for the SNUPPS review. The SNUPPS and Seabrook rod control systems are functionally identical.

STATUS (9/14): Closed.

420.80 The FSAR (Section 5.2.2.8) information describing direct position indication of relief and safety valves is insufficient to allow the staff to complete its review. Therefore, please provide additional information on how the Seabrook design complies with each specific requirement of NUREG-0737, TMI Item II.D.3.

RESPONSE (5/12): The FSAR will be revised when the details of the valve position indication system are known (see 420.05 response).

STATUS (2/86): See 420.05(a).

420.81 During the Seabrook drawing review it was discovered that safeguards actuation circuits have parallel relay contacts to handle specific load requirements. The slave relays used for the output of the solid state protection system (SSPS) have apparently been qualified by Westinghouse for use in circuits drawing a maximum current of 4.4 amps. It is our understanding that the Seabrook 5 kV and 15 kV systems expose the SSPS slave relay contacts to a magnitude of 5.2 amps upon safeguards actuation. The applicant has decided to use parallel contacts to carry the current, relying on simultaneous closure (and opening) of the safeguards contacts upon protection signal actuation.

This design concept is unacceptable to the staff. We have concluded that paralleling contacts may not solve the concern with the current ratings of the Westinghouse slave relay contacts since closure (or opening) of the SSPS slave relay contacts at the exact same time cannot be assured. One set of contacts will, in most instances, function before its redundant counterpart thus allowing the full 5.2 amps to that set of contacts. Also, it appears that the present test methods do not allow for checking operation of each individual set of contacts when paralleled. It is the staff's position that the relays used in the protection system should be qualified for the maximum expected current.

The applicant is requested to modify the Seabrook design to comply with the above staff position.

RESPONSE (5/12): We will perform an independent test to verify the contact current carrying capabilities of the SSPS slave relays. The test will be performed on single contacts controlling actual switchgear components.

Upon completion of the tests, the NRC will be notified on the disposition of the issue regarding the use of these relays.

The NRC expressed concern that the testing meet similar requirements as were utilized during the W testing. Departures should be justified.

ADDITIONAL RESPONSE (1/83, 2/83, 2/86): An independent test was performed to verify the contact current carrying capabilities of the SSPS slave relay. Three relays were removed from the Seabrook SSPS cabinet for use in the test. They will be replaced with new relays. The test was performed using a single set of contacts controlling the close coil and lockout coil from the Gould Model 5HK 350 5 kV breaker used in the Seabrook design. This load is the maximum load that any of the SSPS slave relay contacts energize; approximately 5.5 amps at the test voltage. Test voltage was 137.5 ± 0.5 volts dc based on the maximum voltage expected on the plant's 125 V dc distribution system including instrument error. Each relay was cycled 1000 times; twice the number of operations expected during the lifetime of the plant. A cycle consisted of energizing the load by closing the SSPS slave relay contact. After 70 to 80 milliseconds (average closing time for Model 5HK 350 breaker), an auxiliary relay interrupted the current flow. The auxiliary relay simulated the function of the breaker auxiliary "b" contact which interrupts the closing circuit once the breaker has closed. Two sketches, showing the test setup, are attached.

Each of the three relays tested passed the 1000 operation test, successfully energizing the closing and lockout coils.

Furthermore, measurements of contact resistance made before, during and after the test showed that there was less than a 5% increase from the pre-test contact resistance values. This small change in resistance represents only 0.0006% of the total test circuit resistance.

Inspection of the relay contacts upon completion of the test revealed no visible contact wear.

The small increase in contact resistance, the lack of any visible contact wear, and the test results which show that the relay performs its safety function before, during and after the test verified the ability of the SSPS slave relay to perform its design function using a single set of contacts.

The parallel contact design will be retained since either contact will provide the safety function.

A test report will be available by 2/1/83.

STATUS (2/86): Closed. (SER 7.3.2.6)

420.47

SB 1 & 2 FSAR, Amendment 53, August 1984

All components except the flow restrictors and portions of the 30" lines are located outside of the containment.

10.3.2.2 Flow Restrictor

The primary function of the flow restrictor is to limit the flow from a steam generator in the event the main steam pipe ruptures downstream of the restrictor (see Section 5.4). Also, the flow restrictors are the primary elements for the steam flow input signal to the feedwater control system.

10.3.2.3 Penetrations

Because of the high temperatures involved, and the restraint imposed by the containment, a separate penetration is provided for each main steam line. The penetrations are manufactured in accordance with the ASME Code, Section III, Class 2 and MC requirements. For a complete description of penetrations see Subsection 3.8.2.

10.3.2.4 Atmospheric Relief Valve

A power-operated atmospheric relief valve (ARV) is provided in the 30-inch line from each steam generator. These valves provide for controlled removal of reactor decay heat during reactor cooldown, plant startup, and after a turbine trip, when the condenser and/or the turbine bypass system are not available.

The atmospheric relief valves are located adjacent to the main steam safety valves described in Subsection 10.3.2.6. The safety valves will operate without plant operator action for an indefinite period, and will maintain the main steam pressure between 1185 psig and 1255 psig during the hot standby condition. When available, the atmospheric relief valves can be used to reduce main steam pressure for both hot and cold shutdown conditions.

Each ARV automatically regulates its respective steam generator outlet header pressure to approximately 1135 psia. The valves are capable of automatic operation over the steam pressure range of 1300 psia to 125 psia, when the residual heat removal (RHR) system is put into operation. Manual operation of the valves' controllers will allow atmospheric relief down to atmospheric pressure. The capacity of each valve is 400,000 lbs/hr at 1135 psia inlet pressure, for a total combined capacity of 10% of the maximum steam flow.

The maximum capacity of each valve does not exceed 970,000 lbs/hr. at 1200 psia inlet pressure, to limit heat release if a valve inadvertently opens.

Operation of the ARV can be either automatic pressure control or manual position control from the main control board. The valve can also be operated from the remote shutdown panel and locally.

420.47

10.3 Insert 1

After a seismic event the valves can be manually controlled from the control room or the remote shutdown panel. The backup high pressure gas supply is discussed in Section 9.3.1.1.

420.57

SB 1 & 2 FSAR, Amendment 56, November 1985

b. SI-V93 (Safety injection pumps discharge to refueling water storage tank) is protected against spurious actuation by providing a non-reversing contactor in series with the normal reversing contactor. Control of this extra contactor is provided through a separate switch on the MCB. Position indication is from the normal valve control circuit (see Drawing 9763-M-503901).

SI-V93 cannot be opened until the RH recirculation valves, RH-V35 (Train A) and RH-V36 (Train B) are both closed, the control switch for SI-V93 has been placed in "open", and then the key locked selector switch has been placed in "open".

7.6.

c. Other safety-related motor operated valves have power removed for reasons other than to prevent a single failure from preventing a safety function (BTP EICSB 18). These valves are provided with control room position indication that is independent of the motor operator power supply. Position indication is available when power is removed from the motor operator.

locations described, a HELB signal is automatically generated which closes the following valves:

a) The steam generator blowdown containment isolation valves.

b) The auxiliary steam isolation valves.

c) The letdown line containment isolation valves.

Refer to Subsections 9.3.4.5, 10.4.8.6a, and 10.4.11.5 for further details.

7.6.11 Shutdown Monitor

The shutdown monitor measures the countrate from a neutron counting instrument. It performs a statistical time average of the neutron countrate and displays this average in the source range (from 0.1 counts per second (cps) to 10^4 cps). It also provides an alarm output to indicate a decrease in reactor shutdown margin when the neutron countrate increases by an amount equal to the preset alarm ratio. The shutdown monitor alarm setpoint is continuously recalculated and automatically reduced as the reactor is shut down and the neutron flux is reduced. When the neutron countrate achieves a steady value and then eventually increases, the alarm setpoint remains at its lowest value unless it is manually reset. An alarm will occur when the time averaged neutron countrate increases due to a reactivity addition to a value equal to the preset alarm setpoint. The response time for the alarm depends on the initial countrate and the rate of change of neutron flux.

The preset alarm ratio is chosen to ensure an early alarm will occur during an inadvertent boron dilution event. Analysis of inadvertent boron dilution events is discussed in Section 15.4.6.
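The setpoint behaviour described in 7.6.11 (recalculated downward as flux falls, held at its lowest value, alarm when the averaged countrate reaches it) can be sketched as follows. This is an added example, not the instrument's actual algorithm or any project code: the moving-average window, the alarm ratio of 2.0, the effect of a manual reset, and the sample countrates are all constructed assumptions.

```python
from collections import deque


class ShutdownMonitor:
    """Ratcheting alarm on a time-averaged source-range countrate."""

    def __init__(self, alarm_ratio=2.0, window=4):
        self.alarm_ratio = alarm_ratio        # preset alarm ratio (assumed value)
        self.samples = deque(maxlen=window)   # simple moving average (assumed form)
        self.setpoint = None                  # cps; undefined before the first sample

    def average(self):
        """Time-averaged countrate over the current window, in cps."""
        return sum(self.samples) / len(self.samples)

    def update(self, countrate_cps):
        """Take one countrate sample and return True if the alarm is active."""
        self.samples.append(countrate_cps)
        candidate = self.alarm_ratio * self.average()
        # The setpoint only ever moves down: it follows the falling flux
        # during shutdown and then stays at its lowest value.
        if self.setpoint is None or candidate < self.setpoint:
            self.setpoint = candidate
        return self.average() >= self.setpoint

    def reset_setpoint(self):
        """Manual reset, assumed here to re-base on the current average."""
        self.setpoint = self.alarm_ratio * self.average()


def first_alarm_index(countrates, alarm_ratio=2.0, window=4):
    """Index of the first sample at which the alarm is active, or None."""
    monitor = ShutdownMonitor(alarm_ratio, window)
    for i, cps in enumerate(countrates):
        if monitor.update(cps):
            return i
    return None


# Constructed data: flux decays after shutdown, settles at 100 cps,
# then rises as a dilution adds reactivity.
SHUTDOWN_THEN_DILUTION = [800, 400, 200, 100, 100, 100, 100, 100,
                          120, 160, 240, 400, 700]

if __name__ == "__main__":
    monitor = ShutdownMonitor()
    for i, cps in enumerate(SHUTDOWN_THEN_DILUTION):
        alarm = monitor.update(cps)
        print(f"{i:2d}  cps={cps:4d}  avg={monitor.average():7.1f}  "
              f"setpoint={monitor.setpoint:7.1f}  alarm={alarm}")
```

A slower rise from the same steady countrate reaches the held setpoint later, which is the dependence of response time on the rate of change of flux that the section describes.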

[Figure 7.2-1, Sheet 16: Functional Diagrams, Seabrook Station Units 1 & 2, Final Safety Analysis Report, Public Service Company of New Hampshire, drawing 9763-C-600056.]