ML20247F349

Requests Addl Info Re Application for Certification of Advanced BWR Design. Questions Cover QA, Instrumentation & Controls, Electromagnetic Compatibility Qualification & Design & Performance Info. Response Requested by 890711
ML20247F349
Person / Time
Site: 05000605
Issue date: 05/16/1989
From: Scaletti D
Office of Nuclear Reactor Regulation
To: Marriot P
GENERAL ELECTRIC CO.
References
NUDOCS 8905300058


Text


May 16, 1989

Docket No. STN 50-605

Mr. Patrick W. Marriott, Manager
Licensing & Consulting Services
GE Nuclear Energy
General Electric Company
175 Curtner Avenue
San Jose, California 95125

Dear Mr. Marriott:

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION REGARDING THE GENERAL ELECTRIC COMPANY APPLICATION FOR CERTIFICATION OF THE ABWR DESIGN

In our review of your application for certification of your Advanced Boiling Water Reactor (ABWR) Design, we have identified a need for additional information. Our request for additional information, contained in the enclosure, addresses the areas of Standard Review Plan Chapters 7, 8 and 17.

Additional questions related to the Instrumentation and Control Systems' portion of the ABWR review will be developed during the course of their review of Amendment 6 to the ABWR Standard Safety Analysis Report. These Questions will be provided to you in the near future.

In order for us to maintain the ABWR review schedule, we request that you provide your responses to this request by July 11, 1989. If you have any concerns regarding this request please call me on (301) 492-1104.

Sincerely,

/s/

Dino C. Scaletti, Project Manager
Standardization and Non-Power Reactor Project Directorate
Division of Reactor Projects - III, IV, V and Special Projects
Office of Nuclear Reactor Regulation

Enclosure: As stated

cc: See next page

DISTRIBUTION:

Docket File, JStewart, ACRS (10), NRC PDR, JSpraul, EHylton, PDSNP Reading, JLazevnick, DScaletti, EJordan, CMiller, BGrimes, GThomas, OGC

(RAI CHAPTERS 7, 8, 17)


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

May 16, 1989

Docket No. STN 50-605

Mr. Patrick W. Marriott, Manager
Licensing & Consulting Services
GE Nuclear Energy
General Electric Company
175 Curtner Avenue
San Jose, California 95125

Dear Mr. Marriott:

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION REGARDING THE GENERAL ELECTRIC COMPANY APPLICATION FOR CERTIFICATION OF THE ABWR DESIGN

In our review of your application for certification of your Advanced Boiling Water Reactor (ABWR) Design, we have identified a need for additional information. Our request for additional information, contained in the enclosure, addresses the areas of Standard Review Plan Chapters 7, 8 and 17.

Additional questions related to the Instrumentation and Control Systems' portion of the ABWR review will be developed during the course of their review of Amendment 6 to the ABWR Standard Safety Analysis Report. These Questions will be provided to you in the near future.

In order for us to maintain the ABWR review schedule, we request that you provide your responses to this request by July 11, 1989. If you have any concerns regarding this request please call me on (301) 492-1104.

Sincerely,

Dino C. Scaletti, Project Manager
Standardization and Non-Power Reactor Project Directorate
Division of Reactor Projects - III, IV, V and Special Projects
Office of Nuclear Reactor Regulation

Enclosure: As stated

cc: See next page

Mr. P. W. Marriott
Docket No. STN 50-605

cc:

Mr. Robert Mitchell
General Electric Company
175 Curtner Avenue
San Jose, California 95114

Mr. L. Gifford, Program Manager
Regulatory Programs
GE Nuclear Energy
12300 Twinbrook Parkway
Suite 315
Rockville, Maryland 20852

Director, Criteria & Standards Division
Office of Radiation Programs
U. S. Environmental Protection Agency
401 M Street, S.W.
Washington, D.C. 20460

Mr. Daniel F. Giessing
Division of Nuclear Regulation and Safety
Office of Converter Reactor Deployment, NE-12
Office of Nuclear Energy
Washington, D.C. 20545

REQUEST FOR ADDITIONAL INFORMATION - QUALITY ASSURANCE

260.1 General Electric's commitment to QA-related Regulatory Guides (RGs) is given in Table 17.0-1. In accordance with Chapter 17 of the Standard Review Plan (NUREG-0800), a commitment to RGs 1.8, 1.26, and 1.29 should also be made. This can be done by referencing another section of the Safety Analysis Report.

260.2 Clarify why Table 17.0-1 shows RG 1.94 as not applicable to the ABWR scope while similar RGs for installation, inspection, and testing (RGs 1.30 and 1.116) are shown as being applicable.

260.3 Revision 3 of RG 1.28 states, "Applicants and licensees may commit to follow either the ANSI/ASME N45.2-series standards or the ANSI/ASME NQA-1-1983 standard, but not a combination of the two." Table 17.0-1 indicated GE's commitment to the N45.2-series standards, but the third paragraph of SSAR Section 17.0 states that the terms and definitions of NQA-1 apply and SSAR section 17.1 refers throughout to NQA-1. Clarify whether GE is committed to the N45.2-series standards referenced in RG 1.28 (as clarified in Reference 1), to the NQA-1 standard, or to both.

INSTRUMENTATION & CONTROL

1.0 GENERAL

The applicant has committed in Section 7.1 to a design that will employ microprocessor-based safety systems, multiplexed sensor interfaces, fiber optic data links, and other features implemented by technologies more advanced than for previous BWR designs reviewed by the staff.

Since the applicant has not referenced the design of these more advanced features to designs previously reviewed and approved by the staff (for advanced designs, this is not unexpected), we require that the applicant interpret the Standard Review Plan from the perspective of current acceptance criteria for advanced technologies, rather than relying solely on acceptance criteria appropriate for analog/hardwired designs. The design basis for these advanced features must be clearly established in the SAR.

Specifically, 10CFR50 Appendix A, General Design Criterion 1, requires that systems and components important to safety be designed, fabricated and tested to quality standards commensurate with the importance of the safety functions to be performed; this Criterion also requires that the applicant identify and evaluate applicability, adequacy, and sufficiency of generally recognized codes and standards.

In particular, Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants" endorses ANSI/IEEE-ANS 7-4.3.2-1982 as a method acceptable to the staff for designing software, verifying software, implementing software, and validating computer systems used in safety-related systems of nuclear power plants.

Additionally, IEEE Std 603, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations" has been recognized as having value for more advanced designs. IEEE-603 has not been addressed by the applicant's submittal, and no equivalent criteria have been presented to justify the absence. Though RG 1.152 has been listed as applicable in Table 1.8-20 there is no discussion in Chapter 7 of the implementation. Neither is there evidence in the submittal that current IEEE and other computer/electronics industry standards related to advanced technology have been considered in the design.

The staff's position for this evaluation is that the proposed use of computer-based safety systems requires that additional emphasis be given to design topics that were not as significant for earlier generation analog designs reviewed by the staff, or topics that must be addressed differently for an advanced computer-based system. These topics involve systems, hardware, and software aspects of an advanced design. Some specific areas of interest to the staff are: software design, development, and verification & validation (V&V); failure modes and effects; reliability/availability; demonstration of improved design margins and transient response; design basis for electromagnetic compatibility and surge withstand capability of the systems/equipment; design basis for "mild" environmental qualification of semiconductor and fiber optic technologies being used; and man/machine interface requirements applicable to a computer-based system.

The staff requires that the applicant clarify the design approach being taken in these areas. For example, what criteria and standards beyond those listed in Chapter 7 were considered, rejected, or partially/completely incorporated in the design? What were the design goals (e.g., reliability goals)? What design tradeoffs were considered and addressed? What plant interface requirements/constraints are levied by the ABWR design? How are the safety system functional requirements allocated to hardware and software subsystems? What was the rationale for using digital rather than analog design, and which portions of the proposed systems use digital technology? Specific questions related to these general topics are numbered in the following sections.

Since the advanced reactor protection system and engineered safety features actuation system instrumentation proposed for the ABWR is significantly different than previously reviewed, the staff requires that the design basis for the advanced features be carefully and rigorously established in this application. The questions provided herein are intended to focus on the design basis issues of major interest at this point in the review; SAR Section 7.1 is the primary focus. Questions relating to the ABWR software design verification and validation will be provided upon receipt of those portions of the SSAR.

2.0 SYSTEMS AND HARDWARE TOPICS/QUESTIONS

Presented in this section are information requests and questions regarding safety systems and hardware described in SAR Chapter 7. The staff recognizes that forthcoming submittals, such as SSAR Amendment 6, may address some of the following issues. For areas in which specific designs have not been identified, GE should answer the questions by listing the criteria and guidelines used in the interface requirement.

2.1 Topical Reports

Identify the topical reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff. A limited number of topical reports have been identified to date in the SAR, but do not address several significant issues. Specific questions on these topics are provided in this request for additional information. Subjects addressed in these topical reports should include but not necessarily be limited to the following:

420.1(7)

Overall block diagram(s) and descriptions of the reactor protection and engineered safety features actuation system, showing the architecture of the system, the allocation of functions to modules, and the communication channels among modules. Digital and analog modules should be identified. Methods for assuring required independence should be clearly identified, as well as power supply dependencies, division boundaries and non-safety system interfaces. A description of the scope of on-line and diagnostic testing features for the proposed system should be provided with reference to this diagram, to illustrate compliance with testability requirements.

420.2(7)

The applicant's overall design verification program, covering development of the functional requirements, criteria, specifications, design, manufacture, test, and qualification methods and procedures; this should include a V&V plan for software design verification/validation.

420.3(7)

Failure modes and effects analysis for the I&C system.

420.4(7)

A defense-in-depth analysis, demonstrating the diversity in the system that precludes the likelihood of common mode failures.

420.5(7)

System (and significant component) reliability goals, assumptions, methodology, model, analysis, and evaluation.

420.6(App 31)

Methodology, basis and acceptance criteria for qualifying the system and equipment to the design basis electromagnetic interference (EMI) environment.

420.7(App 31)

Methodology, basis, and acceptance criteria for qualifying the system and equipment to the design basis surge withstand capability (SWC).

420.8(App 31)

Methodology, basis, and acceptance criteria for qualifying the system and equipment to the design basis thermal environment established by localized heat transfer within electronic equipment, including in non-accident environments; this should also address requirements for humidity controls to preclude damage from electrostatic discharge.

420.9(App 31)

Methodology, basis, and acceptance criteria for qualifying electronic and fiber-optic systems and equipment to the design basis radiation environment, including in environments normally considered "mild" for insulation materials.

420.10(7)

Task analysis for the man/machine interface to the system.

420.11(7.6.1.1)

Wide Range Neutron Monitor design basis. (NEDO-31439, May 1987) If this system is not part of the ABWR (Section 7.6.1.1 indicates it is not) provide justification for its exclusion.

420.12(7.4.2.2.2)

10CFR50.62 (ATWS) conformance. Specifically address the manually initiated SLCS conformance (7.4.2.2.2(1)) to the ATWS rule (50.62(4)) of automatic initiation.

420.13(10/87)

One of the goals of the ABWR is simplification. The October, 1987 presentation mentions a 60% reduction in instrumentation. Which plants is this referenced to? Provide a description of the instrumentation which is no longer considered necessary.

420.14(7.1.2.3.9)

Address the effects of Station Blackout on the HVAC required to maintain functional electronics.

420.15(7.4)

Address the redundancy and diversity of the power supplies for ARI.

420.16(7.4)

Address the decision to make the ARI Non-1E instead of 1E system.

2.2 Design and Performance Information

A description of the design and performance information relative to the I&C aspects of the safety related systems have been provided. The staff requires more information to establish the design basis of the proposed system.

420.17(7)

Describe the trade-off analyses leading to the selection of an analog or digital approach for implementing the logic of the safety system. Describe the major criteria that the tradeoff was based on. Show how the tradeoff criteria is in accordance with applicable design criteria.

420.18(7)

For the proposed use of digital computers, show how the digital system is superior to analog alternatives to implementing the logic. Show how the analyses determined that the reliability of the digital computer based system was better than the reliability of the analog system.

420.19(7.1)

The submittal describes an intelligent multiplexed digital system as the implementation for the logic of the safety system. Figure 7.1-1 shows a system that is highly interconnected. Show how this interconnection satisfies the independence criteria in accordance with IEEE Std 603 and IEEE Std 379.


420.20(7)

Describe the fiber optic links in the safety systems. What signals are multiplexed on each link? Show how the independence criteria in accordance with IEEE Std 603 and IEEE Std 379 is satisfied with the proposed configuration of fiber optic links.

420.21(7)

Describe the safety computer system's interface to any non-safety computer systems and other plant instrumentation. Describe if information transfer from 1E to N-1E computers is via broadcast or handshake.

420.22(7)

Provide a table of conformance to IEEE 603 and ANSI/IEEE 7-4.3.2. This table should address whether the safety systems meet the requirements of these standards.

420.23(7)

Provide a table of conformance to IEEE 384, indicating where credit is taken for isolation or separation, what devices or methods are used, and the basis of isolation device qualification. If specific types of components have not been chosen, provide specification level information including testing acceptance criteria.

420.24(7)

Are any artificial intelligence features provided in the proposed system, whereby probabilistic judgements are made by the system, or whereby the system can "learn" during its operational life?

420.25(7)

Is credit taken in the safety analysis for any rotating memory devices such as disk drives?

420.26(7.1.2.1.6)

What is the definition of "Safety Associated" as used in SAR Section 7.1.2.1.6?

420.27(7)

Specify which parameters are to be triplicated. At what point does the triplication start (flow orifice, sensor?) and end (transmitter, trip logic?). If there is triplication of sensors is there diversity between sensors?

420.28(15.A)

Section 15.A.2.2 defines "Safety" and "Power Generation." The staff did not locate definitions for "important to safety" and "safety related" which are used in Chapter 7.

420.29(7.1.1)

For those systems where it has not already been done (example 7.1.1.3.5) clarify whether manual or automatic initiation will be used.

420.30(7.1.2.2)

Define the word "sufficient" used in section (j).

420.31(7.1.2.3.2)

For section 7.1.2.3.2(1)(c,d,e) and (2)(a) define "sufficient."

420.32(7.1.2.3.2)

The listed design basis should include instrumentation necessary to inform the operator that isolation has been completed and control should provide ability for operator to reset (with adequate safeguards against inadvertently breaking isolation).

420.33(7.1.2.3.2)

Add to 7.1.2.3.2(2)(c) ..."without causing plant shutdowns" or reducing safety margins.

420.34(7.1.2.3.7)

For Section 7.1.2.3.7(b) provide a listing of the nonessential parts of the cooling water system which should be isolated. List any nonessential parts for which isolation is not provided.

420.35(7.1.2.6.5)

Is the wetwell to drywell vacuum breaker control manual or automatic?

420.36(7.1.2.6.6)

If the CAMS system is only a monitoring system, why is it not always on instead of waiting for a LOCA to monitor radiation?

420.37(7.1.2.6.7)

What is the immediate safety action required by relief valve leakage and is it automatic?

420.38 (Table 7.1-2)

The table indicates RG 1.151 applies only to safety related display and Non-1E control systems. Section 7.1.2.10.11 refers to other safety systems including RPS and ECCS. Clarify which systems RG 1.151 is to apply to.

420.39 (Table 7.1-2)

The table lists few systems for which RG 1.97 is applicable. Address the RG 1.97 for all categories and variables.

420.40(7.3.1.1.1.1)

The HPCF pump is interlocked (7.3.1.1.1.1(c)) with the undervoltage monitor. If the breaker cannot close will it retry and what information is available to the operator if it doesn't close that would indicate an undervoltage problem?

420.41 (7.3.1.1.1.1)

Does the 36 seconds (7.3.1.1.1.1(e)) include time for diesel generator to start?

420.42 (7.3.1.1.1.1)

Section 7.3.1.1.1.1(f) states that separation prevents a single design basis event from disabling core cooling. This section should note that this event must be considered in conjunction with an additional single failure.

420.43(7.3.1.1.2)

Manual pushbuttons are provided to initiate ADS immediately if required. Describe when manual action is required before the P9 second timer actuates ADS.

420.44(7.3.1.1.1.3(a))

One pressure sensor is used to detect low RCIC system pump suction pressure.

Explain the criteria used to justify a single pressure sensor.

420.45(7.3.1.1.1.3(6))

Define Analog indication. Is this an analog system or digital simulation?

420.46(7.3.1.1.1.4(g))

The injection valves cannot be opened at normal pressure, is this because of interlocks or because of motor size?

420.47(7.3.1.1.4)

Is the suppression pool cooling automatically initiated? The SAR describes the system as being used to reduce the suppression pool temperature immediately after a blowdown. Section 5.4.7.1.1.5 indicates automatic initiation.

2.3 Failure Modes and Effects

No failure modes and effects analysis (FMEA) was provided in the applicant's submittal. An FMEA is required in order to demonstrate conformance of the design to single failure criteria. The staff is particularly interested in the detectability of failures in a computer-based system and the possibility of introducing failure modes not characterized by analog/hardwired systems previously reviewed.

Detectability of failures in a safety system is critical when considering failure modes, since all non-detectable failures identified in the failure analysis must be assumed to occur. Failures in the system may be detected at the system or channel level by periodic testing, surveillance, alarms, or diagnostics.

420.48(7.1.2.1.6)

SAR 7.1.2.1.6(2) appears to define "fault" as the "... inability to open or close any control circuit." Explain the basis for this definition and the extent of its use in the FMEAs. Are there any other potential failure modes excessive time to close a circuit?

420.49(7)

Describe the fault tolerant features of the digital design. Describe the types of faults that are tolerated by these design features. Show how these features would respond to various faults, and show that the effectiveness of the safety system is not compromised.

420.50(7.1)

Describe the self-diagnostic features of the computer-based safety system. Describe the diagnostics that are run on-line, in a background mode and in a maintenance mode. Describe what happens when an on-line diagnostic uncovers an error in the computer system.

420.51(7.1)

Describe the data buses that are used in the multiplexer. Describe the features that are implemented to ensure that the bus or multiplexer is not the cause of a single point failure. Describe what happens when a single card on a data bus fails. Show what design features prevent the error from propagating and not challenging the remainder of the safety system. If specific equipment has not been selected, please provide the interface criteria.

420.52(10/87)

As indicated in the October 1987 ABWR presentation, the self-test sequence of the digital processor equipment is supposed to reduce the need for surveillance and monitoring by human personnel. Describe how it was proven that the old and new surveillance schedules are functionally equivalent.

420.53(7)

Is a diverse (hardware implemented) watchdog timer provided in the design for detecting system stall?

420.54(7)

Does the FMEA consider unusual failure modes and their effects such as system stall, interruption and restoration of power (or function), metastability, or timing errors? Provide a descriptive summary of the failure modes addressed in the FMEA or describe the interface criteria.

420.55(7)

Provide a summary of any graceful degradation features provided in the I&C systems or describe the interface criteria.

420.56(7)

Demonstrate that the effects of hardware and external failures on software performance have been sufficiently addressed in the FMEA or describe the interface criteria.

420.57(7)

What provisions have been made in the design process to preclude the introduction of a software virus that could affect the system when operational?

420.58(7)

Beyond the redundancy requirements levied by single failure criteria, provide information to demonstrate sufficient diversity in the I&C system to preclude common mode failures.

420.59(7)

Describe the methods or interface criteria used to assure that equipment which is not qualified for all service conditions will not spuriously operate during exposure to conditions for which the equipment is not required to function to mitigate the effects of accidents or other events.

420.60(7.1.2.2)

Provide examples for section (g) which meet the design bases.

420.61(7.1.2.2)

Explain section (h) further. Does this mean one 480V bus, 4160 bus the generator? Same question at 7.2.3.2(2)(b).

420.62 (7.1.2.10.11)

Provide justification for going to a 2/3 scram instead of 1/3 when one is bypassed.

2.4 Reliability

At the applicant's October 1987 presentation to the staff, it was stated that the advanced control and instrumentation features of the ABWR would increase availability and reliability. No reliability/availability design basis is discussed in the applicant's submittal; design features promoting reliability are not described in depth.

420.63(7)

What are the reliability/availability goals for the reactor protection and engineered safety features systems?

420.64(7)

Describe the reliability model and assumptions used to demonstrate achievement of the reliability goals; this should include a description of the system architecture.

420.65(7)

What methodology is used in determining the system reliability/availability?

420.66(7)

Describe the data validation features in triplicated sensors.

420.67(7)

What testing will be done to demonstrate reliability? What is the specific scope of these tests?

420.68(7)

What is the effect upon the number of spurious trips generated by the RPS if the digital design replaces the previous analog design? Provide comparison.

420.69(7)

Identify what limitations on application of new technology have been defined for the RPS design. Are all types of digital technology acceptable for this application? What limits the technology application and what are the performance parameters used to constrain the new technology application?

420.70(7.1.2.1.6)

Is there any system for in-service testing of the ARI?

420.71(7.1.2.1.6)

Is the CRD scram discharge high water level used as the example of the fifth test valid given that there is no scram discharge volume?

420.72(7.1.2.1.6)

Section (1) of 7.1.2.1.6 states that normal surveillance can identify failures.

Discuss whether this system has the capability of transmitting this information to the plant computer so that an immediate alarm can be given in addition to waiting for the scheduled surveillance.

420.73 (7.1.2.1.6)

Section (4) notes that the four divisions are tested in sequence. When the thirty minute sequence is complete does the test system start over again or is this an operator initiated test?

420.74(7.1.2.1.6)

Section (5) notes that only one division shall be bypassed at any one time. Describe the interlock protection or administrative controls which assure this.

420.75(7.1.2.2)

For section 7.1.2.2(j) clarify that the physical and electrical separation does not preclude the proper environmental qualification of redundant I&C equipment.

420.76(7.1.2.3.2)

For section 7.1.2.3.2(1)(c,d,e) and (2)(a) define "sufficient."

2.5 Basis for Design Margins

One of the reasons stated for the utilization of microprocessors for the implementation of instrumentation and logic functions is that less uncertainty exists in the margins between actual safety limits and the limiting safety trips. The margins are stated to be set from experimental data on setpoint drift (see Section 7.1.2.1.4.1) and from quantitative reliability requirements for each system and its components.

420.77(7.1.2.1.4.1)

Provide the documented bases for this procedure.

420.78(7.1.2.1.4.1)

Will this procedure be a topical report used as a design tool?

420.79(7.1.2.1.4.1)

What experimental data has been used to provide inputs to this design approach?

420.80(7.1.2.3.1)

Section 7.1.2.3.1(c) states that no operator action is required for 10 minutes following LOCA. Section 6.3.1.1.1(3) states that no operator action is required for 30 minutes after an accident. Section 6.3.2.8 also states 30 minutes. Clarify which statement is the design basis. Same question at 7.3.1.1.1.4(1) and 7.3.1.1.1.2(1).

420.81(7.1.2.3.1)

Section 7.1.2.3.1(c) states that operator action is not required. Describe what operator actions are desired but not required for the first period of time (10 or 30 minutes) for various accident scenarios.

420.82(7.1.2.3.3)

In section 7.1.2.3.3(1)(c) is manual control required only after 30 minutes? Why isn't automatic control also provided?

420.83(7.1.2.3.4)

Is the suppression pool cooling also provided with automatic control?

2.6 Electromagnetic Compatibility (EMC) Qualification

The application of microprocessor systems for logic functions and data concentrators installed throughout a plant containing high energy active equipment introduces questions of possible electromagnetic coupling effects. The applicant has not provided information on the criteria, design standards, design goals or approach addressing EMC for the safety systems.

420.84(App 31)

What EMI coupling protection is to be provided for the I&C systems and how will its effectiveness for specific installed conditions be verified? (Examples of standards such as FCC Docket 20780, Part 15 Subpart J, "Class A Computing Devices" have been identified by industry for computing devices as a source limitation for radiated and conducted noise. Also ANSI C63.12-1984 "Recommended Practice on Procedures for Control of System Electromagnetic Capability," is available as a design guidance tool.) Address these effects, possible limitations, and the criteria and standards to be used by GE in the ABWR design for safety systems equipment.

420.85(7)

How are the Class 1E circuits protected/isolated from the 1E and N-1E CRT high voltage circuits in the main control panels?

420.86 (7)

If hardwired meters are used explain how the adjacent electronics in the control panels are protected from EMI and fault propagation from faulted current transformers.

420.87(response 440.113)

The response noted that RIP trips have mostly been caused by noise in the adjustable speed drive (ASD). Describe the changes that have been made to reduce the susceptibility of the RIP's or the reduction in noise of the ASD's.

2.7 Surge Withstand Capability (SWC)

No evidence of the specification of surge withstand capability was identified in the material submitted.

420.88 (7)

List the criteria or standards for surge withstand capability to be applied to the equipment. ANSI/IEEE C62.45-1987 "Guide On Surge Testing for Equipment Connected to Low-Voltage AC Power Circuits" is an example of criteria currently being applied to limit the possible effects from line surges.

420.89(7)

List the design goals for the survivability and continued operation of safety systems equipment in the presence of line switching transients, lightning induced surges and other induced transients within the systems as installed.

2.8 Electrostatic Discharge Requirements (ESD)

Requirements have not been identified by the applicant for the electrostatic discharge withstand capabilities for microprocessor based equipment.

420.90(7)

Address the possible effects of ESD at keyboards, keyed switches and other exposed equipment components or provide interface requirements.

420.91 (7)

Most of the I&C system microprocessor equipment is likely to be located in a mild environment, but survivability requirements or limitations on the voltage potential buildup by humidity control or other measures is not discussed. Also, the data concentrators are provided at remote locations where the environmental control is not clearly described. Identify the criteria, design limits and testing program for this area of ESD controls.

2.9 Thermal Qualification

The application of high technology semiconductor materials and related technologies to computing devices has resulted in high current densities in some portions of equipment used in non-nuclear applications. This type of equipment may be used for the ABWR.

420.92(7)

Identify how these higher current densities, which can result in localized high heat spots, will be considered in the design described by Sections 7.0.

420.93(7)

Does an analysis of these potential hot spots result in special thermal design constraints?

420.94 (7)

What design criteria are to be applied and what will be the effects upon the microprocessor reliability?

420.95(7)

Since the plant environmental limitations only identify general area temperature ranges, what consideration will be given to localized cooling and heat transfer?

420.96(15A.6)

The safety system auxiliaries (Figure 15A.6-1) should be modified to include any HVAC required to assure continued operation of the electronics.

420.97(7.3.1.1.4(h))

This refers to Section 3.11 for EQ. Section 3.11 invokes IEEE 323 as a basis for qualification. IEEE 323 was written assuming 40 year life. Address how this standard is to be extrapolated to a 60 year design life for the ABWR.

2.10 Radiation Qualification for Semiconductors and Fiber Optic Materials

The more extensive use of semiconductors and fiberoptic materials in the RPS identifies an area of design not previously discussed in the standard review plan. The radiation qualification for semiconductor and fiberoptics is an evolving part of the technology related to microprocessors and fiberoptic communication networks.

Since the semiconductor and fiberoptic materials are to be distributed throughout the plant the staff requires that the criteria and design application details be identified in order that equipment reliability and operating life projections may be identified. Space, defense and airline applications have developed criteria and standards which may apply to the ABWR. The October 1987 presentation identified the airline industry as a source of established technology for intelligent multiplexing systems.

420.98(10/87)

Identify the specific airline criteria and standards which will form a part of the design guidance and list any other sources that GE is using as guidance.

2.11 Man/machine interface

While a computer-based system can provide more effective man/machine interface, the internal system operation is more complex, and can be more obscure to the operator or maintenance person if he is required to intervene at a complex level.

420.99(7)

Have the operator tasks with regard to interfacing with the safety system been analyzed? What was the result of the analysis? How did the result of the analysis affect the requirements, design and implementation of the safety system?

420.100(7)

Describe the hardware design features that provide administrative control of devices capable of changing the data or program in the computer-based safety system.

420.101(7)

What data or program elements are adjustable/selectable by operator?

420.102(7)

What capability of providing a permanent and current record of the system data base is provided in the system?

420.103(7)

Provide the basis for assumed operator response times.

420.104(7)

Discuss the range of possible scenarios for transferring the system from automatic to manual mode (and vice versa) and the potential for error or disturbance during such a transfer. Describe any differences characterized by these transfers with respect to BWR designs previously reviewed by the staff.

For example, discuss consideration of I&E Bulletin 80-06, "Engineered Safety Features Reset Controls".

2.12 Anticipated Transients Without Scram (ATWS) Design Basis

The current criteria for ATWS capabilities is the NRC ATWS Rule 10CFR50.62. The existing BWR plant designs have been provided with a Safety Evaluation of the Topical Report (NEDE-31096-P) which contains an Appendix A "Checklist for Plant Specific Review of Alternate Rod Injection System (ARI)". No topical reference was found in the submittal.

420.105(7.1)

Indicate if this checklist is applicable to this design and how the compliance to the ATWS rule is to be achieved.

420.106(7)

Define the logic by type and verify the diversity of the reactor internal pump trip circuits. If software is to be a part of this design, identify the form and diversity to be applied to this function.

420.107(9.3.5.2)

Describe procedural controls considered adequate to control the keylocked SLCS.

2.13 Additional Specific Questions

420.108(7.1.2.2)

In section (m) consider replacing "obviate" with prevent or preclude.

420.109(7.1.2.3.1)

In Section 7.1.2.3.1(c), describe how provision for manual control limits dependence on operator judgement in times of stress.

420.110(7.1.2.3.1)

For Section 7.1.2.3.1(2), describe any precautions taken to prevent or minimize inadvertent initiation of non-safety systems during accidents.

420.111(7.1.2.3.7)

Why isn't the requirement to meet the Seismic Category I design requirements (7.1.2.3.7(1)(c)) listed in the other applicable sections?

420.112 (7.1.2.4.3)

Are the other sections to be revised to include the normal operation parameters similar to 7.1.2.4.3(1)(a)?

420.113(7.1.2.6.1.1)

Has consideration been given to providing the annunciators with backup diesel or battery power? (Ref. 7.1.2.6.1.1(g))

420.114 (7A.1-1)

The copy of section 7 provided to the staff did not include Appendix 7A nor an indication that it was to be provided later. Provide this section or a schedule for providing it.

420.115(7.3.1.1.1.3(e))

In the discussion about torque switches and thermal overloads, there is a reference to section 3.8.4.2 which is the applicable codes and standards for seismic qualification of the Reactor and Control Building. What is the correct reference?

420.116(1.2.2.4.8.1.2)

The fourth paragraph seems to imply that all three systems are needed to mitigate a LOCA. Is that accurate?

420.117 (9.3.5.1.1)

Describe interlocks and indications used to prevent injection of the testing mode demineralized water instead of boron.

420.118(15.2.4.5.1)

Describe when appropriate operator action in seconds is required to prevent significant radiological impact.

420.119(7.4.1.2(7))

Are there any other valves which must isolate upon initiation of the SLCS?

420.120(7.3.2.1.2(3)(c))

List all exemptions to the requirement rather than providing an example.

420.121(7.3.1.2(7))

The first paragraph states that pipe break outside containment and feedwater line break are discussed below. The staff could not locate these items.

420.122(15.2.2.2.1.4)

Is the instrumentation required for the operator to verify bypass valve performance and relief valve operation 1E or N-1E?

ELECTRICAL SYSTEMS

435.1 The scope of the electrical systems that GE intends to provide under the ABWR design is poorly defined. In sections 1.2.2.5.1.1 and 8.1.2.1 a brief description of the Unit Auxiliary AC Power System is provided that states that this system supplies power to unit loads that are non-safety related and uses the main generator as the normal power source with the reserve auxiliary transformers as a backup source. It is not clear however whether this system will be provided under the ABWR design. No detailed description or single line diagrams of this system, the main generator, unit auxiliary transformer, or reserve auxiliary transformers are provided. Nor is this system identified as being outside the ABWR design with appropriate interface requirements provided. The staff requires that a clear distinction be made between the electrical systems that will be provided under the scope of the ABWR standard design and those that will be provided by others. This is necessary so that the staff can judge the completeness and adequacy of the electrical systems within the ABWR design and the completeness and adequacy of the interface requirements to those systems outside the ABWR design scope. Please provide this information.

435.2 The ABWR SSAR does not address how the ABWR will cope with a station blackout event. The station blackout rule, 10 CFR 50.63, which became effective July 21, 1988, requires that each light water-cooled nuclear power plant licensed to operate must be able to withstand for a specified duration and recover from a station blackout (loss of all alternating current power). Please provide details on the design aspects of ABWR systems and equipment that will be used to cope with a station blackout. In particular address the capabilities of the dc power systems to cope with a station blackout, the loading and endurance of the batteries used to cope with a station blackout, and the capabilities of any alternate ac (AAC) power sources used to cope with a station blackout. Identify any interface requirement needed on the offsite power system or other systems in order to support the station blackout design criteria. Additional information and guidance on station blackout can be found in Regulatory Guide 1.155 and NUMARC-8700.

435.3 Section 8.1.2.1 of the ABWR SSAR states that the transfer of the Class 1E buses to the alternate preferred power source is a manual transfer. This seems to contradict sections 3.1.2.2.9.2.1 and 3.1.2.2.9.2.2 which indicate that the transfer is automatic. Please clarify, and if the transfer is automatic provide details on the type of transfer (slow, fast, make-before-break, etc.), the signals used to initiate transfer, and how the transfer is accomplished.

435.4 (a) In section 8.2.3 of the ABWR SSAR one of the Nuclear Island interfaces identified is four 6.9kV feeders to four transformers powering ten RIP pumps. However figure 8.3-1 and figure 8.3-2 show motor generator sets between two of the 6.9kV feeders and the RIP pumps. Please clarify whether the motor generator sets will be used in the ABWR design and if so, describe their function.

(b) Also, with regard to the same subject, section 15.3.1.1.1 states that since four buses are used to supply power to the RIPS, the worst single failure can only cause three RIPS to trip, and the frequency of occurrence of this event is estimated to be less than 0.001 per year. Further down in this same section a statement is made that the probability of additional RIP trips is low (less than 10^-6 per year). Justify these figures in light of the fact that historically, a total loss of offsite power occurs about once per 10 site-years (NUREG/CR-3992). Also, has the effect of a fault on the common feeder upstream of the 6.9kV feeders been considered with respect to the coastdown capability of the RIPS and motor generator sets (braking effect)?

435.5 (a) Section 8.2.3 identifies the nominal voltage and number of feeders interfacing between the Nuclear Island and remainder of plant power systems; but they do not specify any interface requirements such as voltage and frequency tolerances, available fault current, loading, availability, etc. that are necessary to completely define the required interfaces. Please provide the information.

(b) You also need to provide additional information on the power sources (Unit Transformer, Startup Transformer, etc.) and the way they are configured to provide power to the RIP pumps in order to support the availabilities claimed for these power sources in section 15.3.1. We suggest a one-line diagram similar to that which you provided in your presentation to the staff on September 14, 1988, be included in the ABWR SSAR to better define this interface.

435.6 Section 8.3.1.1.4.1 and Figure 8.3-4 briefly describe the 120VAC Safety-Related Instrument Power System. This is interruptible power backed up by the divisional diesel generators. Please identify the major loads and type of instrument loads fed by this system.

435.7 Section 8.3.1.1.4.2.2 and Figure 8.3-C briefly describe the Class 1E RPS Power Supply. They show a rectifier and inverter fed from the 480 VAC Class 1E power system which is backed up by the 125 VDC power system. They do not however show an independent electrical protection assembly (EPA) on the output of the RPS power supply. Redundant EPAs were required (September 24, 1980 letter to all operating BWRs) on the output of past non-Class 1E RPS power supplies in order to satisfy the single failure criteria for non-fail-safe type failures (undervoltage, overvoltage, underfrequency). Because a Class 1E RPS power supply is used on the ABWR, redundant EPAs are not required since failure of the Class 1E supply is the first random failure taken. However, because that failure could be a non-fail-safe type failure that could result in loss of the scram function, at least one independent EPA should be monitoring the output of the RPS power supply.

(a) Please describe the type of EPA that will be used and discuss its independence from the RPS power supply.

(b) Also provide the voltage and frequency setpoints and tolerances that will be used on the EPA.

435.8 Section 8.3 does not identify any interfaces between the Nuclear Island and the remainder of plant systems within the onsite power systems. Please verify that all of the onsite power systems are within the Nuclear Island scope, or identify the interfaces and the interface requirements.

435.9 Section 8.3.1.1.4.2.3 and Figure 8.3-5 briefly describe the Process Computer Constant Voltage, Constant Frequency Power Supply; but they do not state whether it is qualified Class 1E, although it is discussed under Section 8.3.1.1.4.2 entitled "120V AC Safety Related Uninterruptible Power Supplies (UPS)." The backup to this power supply is from the non-Class 1E 250 VDC battery, and Section 8.3.2.1 states that all of the 250 VDC loads are non-Class 1E.

(a) Please clarify whether the Process Computer Power Supply is qualified Class 1E.

(b) If it is Class 1E explain why a backup non-Class 1E 250 VDC supply is connected to it, and describe the Class 1E/non-Class 1E isolation provided.

(c) If it is non-Class 1E explain why a normal and backup Class 1E 480 VAC supply is connected to it, and describe the Class 1E/non-Class 1E isolation provided.

435.10 (a) Section 8.3.1.1.4.2.4 states that the function of the Vital AC Power Supply System is to provide reliable 120V uninterruptible AC power for important non-safety related loads that are required for continuity of power plant operation. However it does not identify the non-safety related loads that it supplies, nor is a one-line diagram of the power supply system provided. Please identify the non-safety related loads that this system supplies and include a one-line diagram of the power supply system in the ABWR SSAR identifying the power sources to it. If there are any 1E/non-1E interfaces identify the isolation provided.

(b) This section also states that an independent 125V DC system, including a battery and battery charger, is the normal source of power for the Vital AC Power System. However section 8.1.2.1 states that there are no non-Class 1E 125 VDC batteries supplied as part of the plant design. Please clarify this apparent discrepancy. Also, include this system in the one-line diagram to be provided for the Vital AC Power System.

435.11 Section 8.3.1.1.5.1 describes the physical separation and independence of electric equipment and wiring. It seems to indicate that there is separation between the divisions but a statement is made that seems to imply that the separation may not in all cases be total. This statement says that electric equipment and wiring for the Class 1E systems which are segregated into separate divisions are separated so that no design basis event is capable of disabling any ESF total function. This statement could be interpreted to mean that in an area with three divisions, each with 100% capability, a single design basis event would be allowed to fail two of the divisions since 100% capability for the ESF function would still survive. Please clarify this point and indicate whether a single design basis event will ever be allowed to fail more than one division.

435.12 Design criteria (4) in section 8.3.1.1.5.2 states that interrupting capacity of switchgear, load centers, motor control centers, and distribution panels is compatible with the short circuit current available at the Class 1E buses. Verify that this criteria ensures that the interrupting capacity of this equipment will be equal to or greater than the maximum available fault current to which it could be exposed.

435.13 The first statement in section 8.3.1.1.6.4 indicates that the only protective trips active on the diesel generators during LOPP or LOCA conditions are the generator differential relays and the engine overspeed trip device. Following statements indicate that the other protective relays are bypassed during LOCA conditions.

(a) Please clarify whether these other protective relays are bypassed only during LOCA or whether they are bypassed during both LOCA and LOPP conditions.

(b) Also verify that the diesel generator protective trips meet the other criteria specified in position C.7 and C.8 of R.G. 1.9, Rev. 2 (i.e., that they include the capability for (1) testing the status and operability of the bypass circuits, (2) alarming in the control room abnormal values of all bypass parameters, and (3) manually resetting of the trip bypass function (automatic reset not acceptable), and the surveillance system indicates which of the diesel generator protective trips is activated first).

435.14 Section 8.3.1.1.7 states that, in general, non-Class 1E loads are tripped off and thereby automatically isolated from the Class 1E buses by a LOCA or LOPP signal. Please verify that LOCA and LOPP signals are used to trip non-Class 1E loads and the loads are not subsequently resequenced back on automatically.

435.15 (a) Section 8.3.1.1.7(1) states that should the Class 1E bus voltage decay to below 70% of its nominal rated value for a predetermined time a bus transfer is initiated and the signal will trip the supply breaker, and start the diesel generator. Please provide the value of "predetermined time" (time delay) associated with bus voltage below 70%.

(b) Also, the last sentence in this section states that large motor loads will be sequence started as required and as shown on Table 8.3-2. Table 8.3-2, however, is only a "D/G Load Table" that does not identify any load sequencing times. Table 8.3-4 on the other hand is entitled "Load Sequence", but the table is "to be provided by December 31, 1988." Please identify the correct table that will contain load sequencing times.

435.16 Section 8.3.1.1.7(2) states that if the bus voltage (normal preferred power) is lost during post-accident operation, transfer to diesel generator power occurs as described in (1) above ("(1) above" describes the normal sequence of operations following a LOPP). This, however, does not fully describe all the sequence of operations that need to occur for a LOCA followed by a LOPP. (a) If the LOPP occurs near the beginning of the LOCA sequence before the diesel generator has accelerated to full speed and voltage on standby what occurs? (b) If the LOPP occurs in the middle of the LOCA sequence after the diesel generator has accelerated to full speed and voltage on standby what occurs? (c) If the LOPP occurs following completion of LOCA sequencing with the diesel running in standby at full voltage and frequency what occurs? (d) How is residual voltage handled when making the transfer from preferred power to the diesel generator with the diesel generator running in standby? (e) Are non-Class 1E loads sequenced onto the diesel generator when the LOPP follows a LOCA? The LOPP following LOCA sequence is important because, if a LOPP occurs as a result of a LOCA and the subsequent trip of the main generator, it may likely happen several seconds after the LOCA due to a sequence of events resulting in an unstable or overloaded grid.

435.17 Section 8.3.1.1.7 does not have a scenario addressing the sequence of events that occurs for a LOCA without a LOPP. Please address this scenario and add it to section 8.3.1.1.7. If LOCA loads are sequenced on to the offsite power system, the sequencer used should be separate from that used to sequence loads on to the onsite power system. If this is not the case provide a detailed analysis to demonstrate that there are no credible sneak circuits or common failure modes in the sequencer design that could render both onsite and offsite power sources unavailable. In addition provide information concerning the reliability of your sequencer and reference design detailed drawings.

435.18 Section 8.3.1.1.7(3) addresses the LOCA following LOPP scenario, however it provides few details. (a) If the LOCA occurs just after the LOPP but prior to load sequencing of the LOPP loads what occurs? (b) If the LOCA occurs in the middle of the LOPP sequence, what occurs? (c) If the LOCA occurs following completion of the LOPP sequence, what occurs? (d) Are any LOCA loads not already energized simply sequenced on to whatever LOPP loads are on-line or are some or all of the LOPP loads load-shed first? (e) Are non-Class 1E loads tripped by the LOPP signal or the LOCA signal? (f) Is the diesel generator circuit breaker tripped at any time to accomplish the LOCA following LOPP response?

435.19 Section 8.3.1.1.7(4) states that if a LOCA occurs when the diesel generator is paralleled with the preferred power source during test and the test is being conducted from the local control panel, control must be returned to the main control room or the test operator must trip the diesel generator breaker. Because the diesel generator is not available to automatically respond to the LOCA in this circumstance it is considered to be bypassed and automatic indication of the bypass should be provided in the control room in accordance with R.G. 1.47. Please verify that this is the case.

435.20 In section 8.3.1.1.7(5) the description of what occurs following a LOPP during a diesel generator paralleling test with the normal preferred power source is different from that described for a paralleling test with the alternate preferred power source. In the first case it is stated that the diesel generator circuit breaker is automatically tripped if the normal preferred power supply is lost during the test, and in the second case it is stated that the diesel generator breaker will trip on overcurrent if the alternate preferred source is lost during the test. (a) If what occurs during the two scenarios are different describe the differences and why they are different. (b) If the diesel generator breaker is automatically tripped identify what signal will trip it since an undervoltage condition may not be generated. (c) If the diesel generator breaker is tripped on overcurrent verify that no lock-outs will be generated to preclude automatic sequencing of LOPP loads. (d) Verify that in either case the diesel generator will be returned to the isochronous mode prior to load sequencing. (e) Describe what happens if a diesel generator bus fault occurs during the paralleling test.

435.21 (a) Section 8.3.1.1.8.2 is entitled "Ratings and Capability" but it provides no diesel generator ratings. Please provide the continuous load rating and short time overload rating of the diesel generators.

(b) In addition this section states that each diesel generator is capable of reaching full speed and voltage within 13 seconds after the signal to start. Does the diesel governor contain a ramp generator or some other circuitry to provide a controlled acceleration to operating speed during this 13 second starting period? If so, how will the reliability of this circuit be demonstrated?

435.22 Section 8.3.1.1.8.5 lists the diesel engine and its generator breaker protective trips and other off-normal conditions that are annunciated in the main control room and/or locally. Please identify which of these conditions are annunciated in the main control room and which are annunciated locally.

With regard to the diesel generator alarms in the control room: A review of malfunction reports of diesel generators at operating nuclear plants has uncovered that in some cases the information available to the control room operator to indicate the operational status of the diesel generator may be imprecise and could lead to misinterpretation. This can be caused by the sharing of a single annunciator station to alarm conditions that render a diesel generator unable to respond to an automatic emergency start signal and to also alarm abnormal, but not disabling, conditions. Another cause can be the use of wording of an annunciator window that does not specifically say that a diesel generator is inoperable (i.e., unable at the time to respond to an automatic emergency start signal) when in fact it is inoperable for that purpose.

Review and evaluate the alarm and control circuitry for the diesel generators in the ABWR design to determine how each condition that renders a diesel generator unable to respond to an automatic emergency start signal is alarmed in the control room. These conditions include not only the trips that lock out the diesel generator start and require manual reset, but also control switch or mode switch positions that block automatic start, loss of control voltage, insufficient starting air pressure or battery voltage, etc. This review should consider all aspects of possible diesel generator operational conditions, for example test conditions and operation from local control stations.

One area of particular concern is the unreset condition following a manual stop at the local station which terminates a diesel generator test and prior to resetting the diesel generator controls for enabling subsequent automatic operation.

Provide the details of your evaluation, the results and conclusions, and a tabulation of the following information:

(a) all conditions that render the diesel generator incapable of responding to an automatic emergency start signal for each operating mode as discussed above;

(b) the wording on the annunciator window in the control room that is alarmed for each of the conditions identified in (a);

(c) any other alarm signals not included in (a) above that also cause the same annunciator to alarm;

(d) any condition that renders the diesel generator incapable of responding to an automatic emergency start signal which is not alarmed in the control room; and

(e) any proposed modifications resulting from this evaluation.

For additional information and the staff position on this item see Branch Technical Position (BTP) PSB-2 in the Standard Review Plan (NUREG-0800). Describe how the ABWR design meets each position of BTP PSB-2.

435.23 Section 8.3.1.2.1 states that there are four 6.9 kV electrical divisions, three of which are independent load groups backed by individual diesel generator sets. Figure 8.3-2 entitled "6.9 kV System Single Line" however shows only the three divisions backed by diesel generators. It does not show the fourth 6.9 kV division referred to in section 8.3.1.2.1. Please clarify this discrepancy and show the fourth division, if it exists, in Figures 8.3-1 and 8.3-2.

435.24 In section 8.3.1.2.1 it is stated that the standby power system redundancy is based on the capability of any two of the four divisions (two of three load groups) to provide the minimum safety functions necessary to shut down the unit in case of an accident and maintain it in the safe shutdown condition. Why can't the unit be shut down in case of an accident with only one of the three load groups available? Identify the systems or loads needed that require that two of the three load groups be available.

435.25 In sections 8.1.3.1.2.3(6) and 8.3.1.2.1(3) it is stated that the undervoltage detection schemes for the 6.9 kV offsite power feeders is outside the nuclear island scope of supply, and BTP PSB-1 is therefore imposed as an interface requirement for the applicant. On the contrary however, the purpose of the undervoltage protection logic required by the BTP is to protect and ensure the adequate operation of safety equipment at the 6.9 kV safety buses and below. It is required to be qualified Class 1E and should be physically located at and electrically connected to the Class 1E 6.9 kV switchgear. The undervoltage protection logic therefore protects equipment that is within the nuclear island scope, monitors voltage on the 6.9 kV safety buses that are within the nuclear island scope, and should be located in the Class 1E 6.9 kV switchgear that is within the nuclear island scope. The setpoints of the undervoltage relays should be chosen to protect and ensure adequate operation of all safety loads down to the 120 volt level. The only connection between the requirements of the undervoltage protection and the 6.9 kV offsite feeders is that the feeders should be required to maintain adequate voltages to the safety buses under all operating conditions to ensure acceptable operation of safety equipment and to ensure that the undervoltage relays will not be unintentionally tripped. This should be accomplished by imposing appropriate interface requirements on the offsite feeders.

You should therefore provide the second level undervoltage protection required by the BTP and address the other positions of BTP PSB-1.

435.26 Clarify statement (1)(b) of section 8.3.1.2.2 regarding conformance of the SSLC power supply to GDC 2, 4, 17, and 18. If the SSLC power supply is not in conformance with any part of the GDCs so state and justify.

435.27 Section 8.3.1.2.2 states that the SSLC redundancy is based on the capability of any two of the four divisions to provide the minimum safety functions necessary to shut down the unit in case of an accident and maintain it in the safe shutdown condition. Why can't the unit be shut down in case of an accident with only one of the four divisions available? Identify the systems or loads needed that require that two of the four divisions be available.

435.28 In section 8.3.1.2.4, item (1) states that certified proof tests are performed on cable samples to certify 60 year life by thermal aging.

Subsequent items, (2) thru (5), identify various cable attributes such as radiation resistance, mechanical / electrical endurance, flame re-t sistance, and level of gas evolution that are also demonstrated by certified proof tests performed on cable samples. Do the tests

I,,

-6 ,

n ,.

identified in items (2) thru (5) demonstrate that the cables have an acceptable level of the particular attributes at the end of their 60 year life? How is this demonstrated?

435.29 (a) Section 8.3.1.3.1 discusses the means used to physically identify safety related power systems equipment. It states that all cables for Class 1E systems and associated circuits (except those routed in conduit) are tagged every 15 ft. In addition all cables are tagged at their terminations with a unique identifying number. R.G. 1.75 Rev. 2 states that these cables should be marked at intervals not to exceed 5 ft. and the preferred method of marking the cable is color coding. IEEE 384-1974 also states that these cable markings shall be applied prior to or during installation. Please verify that these recommendations are met or justify the differences. If exception is taken to position C.10 of R.G. 1.75, Rev. 2 regarding cable marking, the exception should be identified in section 8.1.3.1.2.2 and wherever the exception is applicable.

(b) Section 8.3.1.3.1 also describes the marking of conduit and cable trays. Please verify that in accordance with the requirements of IEEE 384-1974 these markings are applied prior to the installation of cables.

(c) The identification requirements for instrumentation and control system cables and raceways described in items (3) and (4) of section 8.3.1.3.2.1 should be the same as those for power systems provided in section 8.3.1.3.1 subject to the above comments.

435.30 Provide a description of the ABWR cable spreading areas in the ABWR SSAR. Describe how the requirements specified in section 5.1.3 of IEEE 384-1974 (as modified by position C.12 of R.G. 1.75) are met.


435.31 (a) Item (7) of section 8.3.1.4.1.2 discusses electric penetration assemblies. It states that electric penetration assemblies of different Class 1E divisions are separated by distance, separate rooms or barriers and/or locations on separate floor levels. With regard to separation by distance, no specifics are given on what is the minimum distance provided between redundant penetrations. As required in IEEE 384-1974 the minimum physical separation for redundant penetrations should meet the requirements for cables and raceways given in section 5.1.4 of that standard. Please verify that this is the case.

(b) Item (7) of section 8.3.1.4.1.2 also states that power circuits going through electric penetration assemblies are protected against overcurrent by redundant overcurrent interrupting devices to avoid penetration damage. The use of redundant overcurrent interrupting devices should not be limited to only power circuits going through electric penetration assemblies. They should be used on all penetration electric circuits (including instrumentation and control circuits) where the available fault current is greater than the continuous rating of the electric penetration assembly. If the maximum available fault current is less than the continuous rating of the penetration, but is greater than the continuous rating of a device upstream of the penetration whose failure can result in fault current levels in excess of the penetration continuous rating (such as a control power transformer), then redundant overcurrent interrupting devices should be used. Please verify that this is the case.

(c) Provide the fault current clearing-time curves of the electrical penetrations' primary and secondary current interrupting devices plotted against the thermal capability (I²t) curve of the penetration (to maintain mechanical integrity). Provide a simplified one-line diagram on this drawing showing the location of the protective devices in the penetration circuit, and indicate the maximum available fault current of the circuit.

(d) Where external control power is needed for tripping electrical penetration breakers, signals for tripping the primary and back-up breakers should be independent, physically separated and powered from separate sources. Verify that your design complies and identify the power supplies to the redundant circuit breakers.
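The two checks described in 435.31(b) and (c) can be sketched as follows. This is an added example, not part of the NRC letter or the ABWR SSAR: every rating is a constructed sample value, and the inverse-time curve shape and the constant I²t model of the penetration are assumptions.

```python
"""Penetration protection check, modelled on questions 435.31(b) and (c).

Added illustration with constructed data; not from the SSAR.
"""
from dataclasses import dataclass
from math import inf


@dataclass
class Interrupter:
    """Overcurrent device with an assumed inverse-time characteristic."""
    name: str
    pickup_a: float     # device does not operate at or below this current
    k_s: float          # curve constant in seconds (assumed curve shape)
    min_clear_s: float  # fastest total clearing time the device achieves

    def clearing_time_s(self, amps: float) -> float:
        if amps <= self.pickup_a:
            return inf  # never clears: no protection at this current
        multiple = amps / self.pickup_a
        return max(self.min_clear_s, self.k_s / (multiple ** 2 - 1.0))


@dataclass
class Penetration:
    continuous_rating_a: float
    i2t_a2s: float  # thermal capability, modelled as a constant I^2*t

    def withstand_time_s(self, amps: float) -> float:
        return self.i2t_a2s / (amps ** 2)


def needs_redundant_interrupters(max_fault_a, pen, upstream_rating_a=None,
                                 fault_if_upstream_fails_a=None):
    """Decision rule of 435.31(b).

    Redundant devices are needed when the available fault current exceeds
    the penetration continuous rating, or when it exceeds the rating of an
    upstream device (e.g. a control power transformer) whose failure would
    raise the fault current above the penetration continuous rating.
    """
    if max_fault_a > pen.continuous_rating_a:
        return True
    if upstream_rating_a is None or fault_if_upstream_fails_a is None:
        return False
    return (max_fault_a > upstream_rating_a
            and fault_if_upstream_fails_a > pen.continuous_rating_a)


def coordination_violations(pen, devices, from_a, max_fault_a, points=50):
    """Curve comparison of 435.31(c), done numerically.

    Samples currents logarithmically from from_a to max_fault_a and reports
    every (device, amps, clearing time, withstand time) where a device does
    not clear before the penetration I^2*t limit is reached. Primary and
    backup devices are each required to pass on their own.
    """
    violations = []
    for i in range(points):
        amps = from_a * (max_fault_a / from_a) ** (i / (points - 1))
        limit = pen.withstand_time_s(amps)
        for dev in devices:
            t = dev.clearing_time_s(amps)
            if t >= limit:
                violations.append((dev.name, round(amps, 1), t, limit))
    return violations


# Constructed sample circuit (all values hypothetical).
PEN = Penetration(continuous_rating_a=100.0, i2t_a2s=4.0e6)
PRIMARY = Interrupter("primary breaker", 90.0, 20.0, 0.03)
BACKUP = Interrupter("backup fuse", 150.0, 60.0, 0.10)
SLOW_BACKUP = Interrupter("backup fuse (slow)", 150.0, 60.0, 0.25)

if __name__ == "__main__":
    print("redundant devices needed:",
          needs_redundant_interrupters(5000.0, PEN))
    for label, pair in (("coordinated", [PRIMARY, BACKUP]),
                        ("slow backup", [PRIMARY, SLOW_BACKUP])):
        found = coordination_violations(PEN, pair, 200.0, 5000.0)
        print(label, "->", len(found), "violation(s)")
        for name, amps, t, limit in found:
            print(f"  {name}: {amps} A clears in {t:.3f} s, "
                  f"limit {limit:.3f} s")
```

With the slow backup device, the primary still protects the penetration, but the backup alone would exceed the thermal limit at the top of the fault range, which is the condition the plotted curves in (c) are meant to expose.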

435.32 Section 8.3.1.4.2.1 identifies the standards that are used for the separation of equipment for the systems referred to in subsection 7.1.1.3, 7.1.1.4, and 7.1.1.6 (safety-related control and instrumentation systems). IEEE 384-1974 however is not listed. The separation of equipment in these systems should comply with the requirements of this standard. Please verify that this is the case. In addition, the listed standards and requirements are not identified as being applicable to subsection 7.1.1.5 (safety-related display instrumentation). Please verify that they are indeed applicable to this subsection.

435.33 Items (4) and (5) in section 8.3.1.4.2.2.2 state that spatial separation in general plant areas and in cable spreading areas shall equal or exceed the minimum allowed by IEEE 384. IEEE 384-1974 however provides two means for establishing minimum physical separation distances. The first, which is specified in section 5.1.1.2 of the standard allows the minimum separation distance to be established by analysis based on tests of the proposed cable installation. The second, which is specified in sections 5.1.3 and 5.1.4 of the standard, specifies specific minimum physical separation distances that must be maintained. Please clarify whether you intend to meet the specific distances specified in the standard or whether you intend to establish your own separation distances through analysis based on tests. The preferable option is to meet the specific distances specified in IEEE 384-1974.

435.34 (a) Section 8.3.1.4.2.2.4 discusses the use of isolation devices in power circuits. It states that non-Class 1E instrument and control circuits will not be energized from a Class 1E power supply unless potential for degradation of the Class 1E power source can be demonstrated to be negligible by effective current or voltage limiting (i.e., functional isolation) under all design basis conditions. Please explain what this means. Does it imply that no isolation device will be used if no credible failure modes can be identified that will result in fault currents? Qualified isolation devices should be used in all cases where a non-Class 1E circuit is connected to a Class 1E power supply.

(b) It also states in section 8.3.1.4.2.2.4 that Class 1E power supplies which interface non-Class 1E circuits are required to be disconnected or otherwise decoupled from the non-Class 1E circuits such that conditions of the non-Class 1E portion of the system cannot jeopardize the Class 1E portions (e.g., by a current limiting element). Verify that, if overcurrent interrupting devices such as fuses or circuit breakers are used as isolation devices, redundant qualified interrupting devices will be used at the Class 1E/non-Class 1E interfaces. List all the locations where there is an interface between a Class 1E power supply and non-Class 1E circuit. Identify the isolation device that is used at the interface.

(c) Where redundant Class 1E power circuits interface with a common non-Class 1E system such as a computer, the isolation devices used should ensure that a worst case abnormal occurrence (fault, overvoltage, voltage surge or spike, etc.) on one of the Class 1E power circuits cannot migrate through the non-Class 1E system and affect the redundant Class 1E circuit. This is in addition to the normal criteria for isolation devices that require that any worst case occurrences (maximum credible faults, etc.) in the non-Class 1E system not affect the Class 1E system.

435.35 Item (4) of section 8.3.1.4.2.3.1 states that the scram solenoid conduits will have unique identification but no specific separation requirements, and the scram group conduits may run in the same raceway with other divisional circuits. If the scram group conduits are run in the same raceway with other divisional circuits or if they have less than the minimum separation from Class 1E circuits, they must be treated as associated circuits and must meet the requirements specified in section 4.5 of IEEE 384-1974. Please verify that this is the case, and identify the specific separation requirements that will be applied to the scram group conduits when they become associated circuits.

435.36 Item (6) of section 8.3.1.4.2.3.2 states that any electrical equipment and/or raceways for RPS or ESF located in the suppression pool level swell zone will be designed to satisfactorily complete their function before being rendered inoperable due to exposure to the environment created by the level swell phenomena. This information is not sufficient for us to evaluate the effects on flooding of electrical equipment. Please identify all electrical equipment, both safety and non-safety, that may become submerged as a result of the suppression pool level swell phenomena or as a result of a LOCA. For all such equipment that is not qualified for service in such an environment provide an analysis to determine the following:

(a) The safety significance of the failure of this equipment (e.g., spurious actuation or loss of actuation function) as a result of flooding.

(b) The effects on Class 1E electrical power sources serving this equipment as a result of such submergence, and

(c) Any proposed design changes resulting from this analysis.

435.37 In the description of the DC power system in section 8.3.2.1 it is stated that the operating voltage range of Class 1E DC loads is 105 to 140 V. It is also stated that the maximum equalizing charge voltage for Class 1E batteries is 140 VDC, and the DC system minimum discharge voltage at the end of the discharge period is 1.75 VDC per cell. For a 125 VDC lead acid battery with 60 cells, 1.75 VDC per cell equates to a final discharge voltage of 105 VDC at the battery terminals. This is the same as the stated minimum operating voltage of the Class 1E DC loads. There is therefore no allowance for voltage drop from the battery terminals to the terminals of the Class 1E loads at the final voltage value of 1.75 VDC per cell. Please address this discrepancy. Also, provide the results of your DC voltage analysis showing battery terminal voltage and worst case DC load terminal voltage at each step of the Class 1E battery loading profile. See the following question with regard to the battery loading profile.

435.38 Section 8.3.2.1 addresses the DC power systems in general and section 8.3.2.1.3.2 specifically addresses battery capacity. With regard to battery capacity, section 8.3.2.1.3.2 states that battery capacity is sufficient to satisfy a safety load demand profile under the conditions of a LOCA and loss of preferred power, and the batteries have sufficient stored energy to operate connected essential loads continuously for at least two hours without recharging.

(a) Provide the stated load demand profiles and a breakdown of the loading during this demand.

(b) Provide the manufacturer's ampere-hour rating of the batteries at the two hour rate and at the eight hour rate, and provide the one minute ampere rating of the batteries.

(c) Address station blackout with regard to battery capacity. If a station blackout coping analysis is being prepared for the ABWR, provide a battery load demand profile for the coping duration. Provide a breakdown of the loading during this demand.

435.39 In section 8.3.2.1 it is stated that each 125 VDC battery is provided with a charger and a standby charger shared by two divisions, each of which is capable of recharging its battery from a discharged state to a fully charged state while handling the normal, steady-state DC load.

(a) Provide the continuous and current-limited output ratings of the battery chargers.

(b) In accordance with position C.1.b of R.G. 1.32, Rev. 2 verify that the capacity of the battery charger supply is based on the largest combined demands of the various steady-state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the plant during which these demands occur.

(c) Verify that the battery charger can operate stably as a battery eliminator (i.e., with the charger remaining connected to supply the loads while the battery is disconnected from the loads).

(d) Verify that no reverse DC current can flow into the battery charger output from the battery, during periods of low AC input battery charger voltage or during total loss of AC input voltage to the charger.

435.40 Section 8.3.2.1 and figure 8.3-8 identify the connection of the non-Class 1E 250 VDC battery chargers to divisions 1 and 3 of the Class 1E system. Identify the isolation devices used at this interface. Are the Class 1E breakers shown at the interface tripped on an accident signal? If not, they should be, or else redundant qualified breakers should be provided.

435.41 Section 8.3.2.1.2 very generally identifies the type of loads fed from the 125 VDC Class 1E power system. Please provide a more specific breakdown of the loads fed from each division of the 125 VDC Class 1E power system.

435.42 In section 8.3.2.1.3 it is stated that an emergency eyewash is installed in each battery room. In order to ensure that water cannot be inadvertently splashed on the batteries the eyewash stations should be located away from the batteries and the eyewash installation and its piping should be seismically qualified. Please verify that this is the case.

435.43 Section 8.3.2.1.3.3 states that battery rooms are ventilated to remove the minor amounts of gas produced during the charging of batteries. Verify that, in accordance with position C.1 of R.G. 1.128 the ventilation system will limit hydrogen concentration to less than two percent by volume at any location within the battery area. Also, in accordance with position C.6.e of R.G. 1.128, verify that ventilation air flow sensors are installed in the battery rooms with their associated alarms installed in the control room.

435.44 With regard to the DC power systems, section 8.3.2.2.1 states that all abnormal conditions of important system parameters such as charger failure or low bus voltage are annunciated in the main control room and/or locally. Please identify the specific meters and alarms used for monitoring the status of the Class 1E DC power systems and indicate whether they are located in the main control room and/or locally. As a minimum the following indications and alarms should be provided in the control room:

Battery current (ammeter-charge/discharge)
Battery charger output current (ammeter)
DC bus voltage (voltmeter)
Battery charger output voltage (voltmeter)
Battery discharge alarm
DC bus undervoltage and overvoltage alarm
DC bus ground alarm (for ungrounded system)
Battery breaker open alarm
Battery charger output breaker open alarm
Battery charger trouble alarm (one alarm for a number of abnormal conditions which are usually indicated locally)

Because the ABWR is an advanced reactor design, you should consider the use of a state-of-the-art battery and electrical system monitoring system to assure immediate notification of battery and electrical system problems and to provide for post event sequence analysis. This system should provide for the monitoring of at least the individual cell parameters of the batteries and the status of the various electrical system circuits, and ideally should provide for monitoring the status of all AC and DC system circuits down to and including all control circuits.

435.45 Section 8.LLI states that conductors are specified to continue to operate at 100% relative humidity with a service life expectancy of 40 years. The following sentence states however that the Class 1E cables are designed to survive the LOCA ambient condition at the end of the 60-yr. life span. If the intent is to qualify the cables for the 60-year life of the plant, why is a service life expectancy of only 40 years specified for the 100% relative humidity condition?

435.46 The following questions pertain to Table 8.3-1 "D/G Load Table - LOCA," Table 8.3-2 "D/G Load Table - LOPP," and Table 8.3-3 "Notes for Tables 8.3-1 and 8.3-2":

(a) Please provide a translation for the acronyms used in these tables.

(b) Please correct the numerous errors/discrepancies between tables 8.3-1 and 8.3-2 regarding the ratings of the loads. There are many instances where the rating of an identical piece of equipment is different in table 8.3-1 from that given in table 8.3-2.

(c) Please explain why the loads shown on the diesel engine are larger than their rated values. If this is to account for losses through the generator please explain the advantage of calculating the loads on the diesel engine versus the more commonly used means of calculating the loads on the output of the diesel's generator. Provide the factors and their rationale used for increasing the various loads from their rated values, since the loads are not all increased a like amount.

(d) Provide a more complete breakdown of the loads identified in the category "Other Loads".

(e) Why is the load identified as "NPSS CYCF" listed as 31.8kW for the D/G "c" LOCA load while it is listed as 37.9kW for the D/G "c" LOPP load? In all other cases LOCA and LOPP loads are the same value if they are energized under both conditions.

(f) I do not understand note (5). It says, "Division III HPCF pump motor starts by L2 signal on the case of loss of preferred power (LOPP)." Table 8.3-2 however shows the HPCF pumps running on both divisions II and III (B and C) during a LOPP. Do one or both motors start and run during a LOPP? Note (5) also says "As HPCF pump motors has very large capacity, they are connected to Div. II, III to equalize the DG load capacity." What is the intent of this note? If the HPCF pumps are 100% redundant pumps, wouldn't you want to connect their motors to different divisions anyway to preserve their redundancy?

(g) Note (6) states that the CUW pump may operate under LOPP condition, but not operate with SLC pump operation. On this calculation, it states, CUW pump is not considered because SLC pump is included. Because the CUW pump operating load is greater than the SLC pump operating load, the CUW pump load should be used instead of the SLC pump load during LOPP, in order to provide the worst case loading on the diesel generator. Please justify or change the table accordingly.

(h) Note (7) states that the TCW/TSW pumps are connected to non-div. switchgears. Although these pumps are listed in tables 8.3-1 and 8.3-2, no loading on the diesels are identified for these pumps. If these pumps cannot be connected to the diesel generators why are they shown in tables 8.3-1 and 8.3-2? If they can be connected to the diesels, then a load should be identified for them on the diesels during the LOPP condition. This will provide worst case loading on the diesels during a LOPP.

(i) Note (9) states that the remainder of plant equipment are connected to div. I and, if A and B motors are provided, they are connected to div. I and II respectively. According to this note loads should only be shown on D/Gs "A" and "B" in the category ("Other Loads") that the note refers to. There is, however, a load of 210kW shown on D/G "C" under this category. Please clarify this apparent discrepancy.

(j) Note (10) says, "Only part of HNCW (HVAC normal cooling water system) will be considered under LOCA case." This note, however, is provided in the LOPP table (table 8.3-2). A note (note (3)) is provided in the LOCA table (table 8.3-1) for this equipment which states, "Loads are shed with LOCA signal." It appears then that note (10) should read, "Only part of HNCW (HVAC normal cooling water system) will be considered under LOPP case." Please clarify whether this is the case. If the foregoing is the case, a load for the HNCW equipment should be shown on the diesels for the LOPP condition (table 8.3-2). Presently, a load on the diesel generators during LOPP is not identified for this equipment.

435.47 The following questions pertain to Figure 8.3-1 "Power Distribution Single Line Diagram":

(a) The division II 6.9kV bus is shown broken into two separate buses. This is apparently an error. Please correct.

(b) The circuit between the division III 6.9kV bus and the 480V switchgear P/C 6E-1 does not show an intervening transformer. Please correct.

(c) Identify the ratings of the diesel generators and 6900/480V transformers on this drawing.

(d) Discuss the circuit from the division I, II, and III 480V switchgear to the turbine island labeled as "To 480V Switchgear (Alternate Preferred Power)." If this is a power feed to loads in the turbine island identify the loads it feeds, the circumstances under which the loads are fed, and describe the 1E/non-1E isolation provided. If this is a power feed from the turbine island identify the source of power and the need for a second source of power to the 480V Class 1E bus. In either case identify the interface requirements for this circuit.

(e) On every bus shown in figure 8.3-1 there is one circuit shown connected to ground through a circuit breaker. Describe the function of this circuit. If the circuit is used to provide a safety ground on the bus during maintenance operations describe the interlocks, controls, and alarms provided to assure it is not inadvertently energized during non-maintenance operations.

(f) Note 2 on this drawing says, "See 480V MCC one-line diagram for details." There is, however, no "480V MCC one-line diagram" provided in the SSAR. Please provide us this diagram and include it in the ABWR SSAR.

(g) The arrangement of the normal preferred and alternate preferred power sources to the 6.9kV buses does not agree with that shown on figure 8.3-2. Please correct this discrepancy.

435.48 The offsite power circuits to the 6.9kV Class 1E buses shown in figure 8.3-2 "6.9kV System Single Line" should be appropriately labeled as "Normal Preferred Power" or "Alternate Preferred Power." Also, the way the offsite circuits are arranged on this drawing makes it appear that they are connected to the same 6.9kV High Voltage Switchgear as the RIPS. The offsite circuits to the Class 1E buses should be directly connected to a winding of the Offsite Power Transformers that is separate from that which feeds the non-Class 1E loads. The Offsite Power Transformers, however, should have the capability of feeding both Class 1E and non-Class 1E loads so the plant does not have to rely on only Class 1E loads when only one offsite power source is lost. Also, the offsite power supply circuits to the Class 1E buses should be arranged so that all three Class 1E divisions are not simultaneously deenergized on the loss of only one of the offsite power supplies. These should be included as interface requirements. Please verify that this is the case.

435.49 With regard to figure 8.3-3 "480V System Single Line":

(a) Identify the feeds to 480V switchgear P/C 6A-1, P/C 6A-2, P/C 6B-1, and P/C 6B-2. Describe the purpose and function of these switchgear and the R/B MCCs they feed. Identify the type of loads they feed.

(b) Identify the location, purpose and function of P/C 6SB-1. Identify the type of loads it feeds. Why does it have feeds from all three divisions of 480V switchgear? Identify the isolation devices used, and provide a connection diagram of the three divisional feeds to P/C 6SB-1. If P/C 6SB-1 is outside the nuclear island provide its interface requirements.

(c) If the T/B MCCs are non-Class 1E identify the isolation devices used and the interface requirements.

435.50 The non-safety related instrument power system shown in figure 8.3-4 has two redundant Class 1E power feeds to it. Identify the isolation devices used between the Class 1E and non-Class 1E systems. A Class 1E circuit breaker tripped on a LOCA signal or two redundant Class 1E circuit breakers coordinated with the upstream MCC feeder breaker are acceptable isolation devices.

435.51 On figures 8.3-5, 8.3-6, 8.3-7, and 8.3-8 describe the function and operation of the various devices that are identified by device numbers. Also, on figures 8.3-7 and 8.3-8 define the acronym SID located next to the diode device. Describe the function and operation of this device.

435.52 On figure 8.3-7 "125V DC Power System" describe the function and operation of the various key interlocks shown on the figure.

435.53 On figure 8.3-8 "250V DC Power System" describe the type of isolation provided between the Class 1E divisional power feeds and the non-Class 1E DC Power System. Also describe the type of isolation and separation provided between the power feed from P/C 6E-1 (Division III) and the power feed from P/C 60-1 (Division I).

435.54 With regard to the classification of structures, components, and systems in Table 3.2-1; item R1 "DC Power Supply - Nuclear Island" and item R2 "Auxiliary AC Power System" are very general in their present form. We have therefore determined that Table 3.2-1, items R1 and R2, should be expanded to include the following list of items. Please incorporate these items into Table 3.2-1 adding any additional items necessary to make it a complete list.

R1 DC Power Supply - Nuclear Island

125 volt batteries, battery racks, battery chargers, and distribution equipment
Control and power cables (including underground cable system, cable splices, connectors and terminal blocks)
Conduit and cable trays and their supports
Protective relays and control panels
Containment electrical penetration assemblies
Motors

R2 Auxiliary AC Power System

6900 volt switchgear
480 volt load centers
480 volt motor control centers
120 VAC safety related distribution equipment including inverters
Control and power cables (including underground cable system, cable splices, connectors and terminal blocks)
Conduit and cable trays and their supports
Containment electrical penetration assemblies
Transformers
Motors
Load sequencers
Protective relays and control panels
Valve Operators
Raceway installations containing Class 1E cables and other raceway installations required to meet seismic Category I requirements (those whose failure during a seismic event may result in damage to any Class 1E or other safety related system or components).

435.55 Section 8.3.1.1.8.9 states that the qualification tests are performed on the diesel generator per IEEE Std. 387 as modified by Regulatory Guide 1.9 requirements. If the qualification tests have been performed please provide us the results of the tests. If the tests have not yet been performed please indicate at what point the tests will be conducted.

435.56 There have recently been a number of problems identified with the electrical systems at Nuclear Power Plants. Although a number of these arose as a result of modifications done on the electrical systems after the plants were licensed, some were or could have been the result of poor original design.

(a) Generic Letter 88-15 addresses a number of electrical system problems that have occurred primarily as a result of inadequate control over the design process. Some of these inadequacies have occurred in areas of electrical system design which have historically well established principles such as circuit breaker coordination and fault current interruption capability. As a result the staff has not normally undertaken a detailed review of these areas, relying instead on the designer's exercise of these well established principles. It is important that these areas have comprehensive, detailed design criteria and guidelines established for the design engineer. Controls should exist to ensure that these criteria are followed during the design process. Please address the specific problems discussed in GL 88-15 identifying the criteria and guidelines used to ensure that these inadequacies will not be found in the ABWR design. Provide a general discussion of the controls that exist over the design process in the electrical system area of the ABWR design.

(b) NRC Information Notice No. 88-M identifies a problem where the anti-pump circuitry on circuit breakers can, under certain circumstances, result in loss of manual or automatic control of the circuit breaker. Subsequent to this, engineering personnel at Zion identified a problem between the closing logic and anti-pump circuits of certain circuit breakers that would prevent the closing of these circuit breakers following a loss of offsite power. Please review the automatic and manual closing and tripping logic of the ABWR circuit breakers to determine if there are any conditions that could result in loss of manual or automatic control through interaction with the breaker anti-pump circuits. Provide us the results of your review.

(c) NRC Bulletin No. 88-10 and NRC Information Notice No. 88-46 identify a problem with defective refurbished circuit breakers. Although the primary concern is with circuit breakers used in safety-related circuits, there is also a concern with non-safety-related breakers used for electrical penetration protection, since these also provide a safety-related function but undergo less scrutiny. Please identify how you ensure that non-Class 1E breakers purchased for use in containment electrical penetration circuits are high quality, new circuit breakers from the circuit breaker manufacturer, rather than refurbished circuit breakers.

435.57 With respect to the application of single failure criterion to manually-controlled, electrically-operated valves, list all valves for which SRP Branch Technical Position ICSB 18 (PSB) may apply. Describe (1) how power is locked out to active and passive valves, (2) how power can be reinstated from the control room if valve repositioning (active valves) is required later, and (3) how the valve position indication meets the single failure criterion.

435.58 Experience with Nuclear Power Plant Class 1E electrical system equipment protective relay applications has established that relay trip setpoint drifts with conventional type relays have resulted in premature trips of redundant safety related system pump motors when the safety system was required to be operative. While the basic need for proper protection for feeders/equipment against permanent faults is recognized, it is the staff's position that total non-availability of redundant safety systems due to spurious trips in protective relays is not acceptable. Provide a description of your circuit protection criteria for safety systems/equipment to avoid incorrect initial setpoint selection and the above cited protective relay trip setpoint drift problems.

435.59 Explicitly identify all non-Class 1E electrical loads which are or may be powered from the Class 1E AC and DC systems. For each load identified provide the horsepower or kilowatt rating for that load and identify the corresponding bus number and division from which the load is powered. Also identify the type of isolation device used between the non-Class 1E load and Class 1E power supply.

435.60 Section 8.3.1.2.1 states compliance with the recommendations of R.G. 1.106 "Thermal Overload Protection for Electric Motors on Motor-Operated Valves". Describe the means used to bypass the thermal overload protection to Class 1E MOVs during accident conditions. Describe what type of indication for the bypass or lack of bypass is provided in the control room. Provide a schematic of the design or give MOV drawing references as specific examples of the design.

435.61 Experience with nuclear power plant Class 1E motor-operated valve motors has shown that in some instances the motor winding on the valve operator could fail when the valve is subjected to frequent cycling. This is primarily due to the limited duty cycle of the motor. Provide the required duty cycle of the ECCS and RCIC steam and water line motor operated valves as they relate to their respective system modes of operation during various events. Demonstrate that the availability of the safety systems in the ABWR design will not be compromised due to the limited duty cycle of the valve operator motors.

435.62 Provide the minimum required starting voltages for Class 1E motors. Compare these minimum required voltages to the voltages that will be supplied at the motor terminals during the starting transient when operating on offsite power and when operating on the diesel generators.