ML18150A508
| ML18150A508 | |
| Person / Time | |
|---|---|
| Site: | Surry |
| Issue date: | 07/31/1987 |
| From: | Stewart W VIRGINIA POWER (VIRGINIA ELECTRIC & POWER CO.) |
| To: | NRC OFFICE OF ADMINISTRATION & RESOURCES MANAGEMENT (ARM) |
| References | |
| 87-347, NUDOCS 8708070173 | |
Text
VIRGINIA ELECTRIC AND POWER COMPANY
RICHMOND, VIRGINIA 23261

W. L. STEWART
VICE PRESIDENT
NUCLEAR OPERATIONS

July 31, 1987

United States Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, D. C. 20555

Serial No. 87-347
Docket Nos. 50-280, 50-281
License Nos. DPR-32, DPR-37

Gentlemen:

VIRGINIA ELECTRIC AND POWER COMPANY
SURRY POWER STATION UNITS 1 AND 2
ANTICIPATED TRANSIENT WITHOUT SCRAM - AMSAC DESIGN

Virginia Electric and Power Company stated in our letter of January 7, 1987 (Serial No. 85-316D) that we would submit our AMSAC plant specific design features by July 31, 1987.
In accordance with that letter, we are submitting our AMSAC plant specific design as an attachment to this letter.
The attachment addresses each of the fourteen items identified by the NRC in the SER issued for Westinghouse plants.
Engineering is in progress on this system but is not complete.
Certain changes may, therefore, result between the details contained in the attachment to this letter and the actual system which is eventually installed in the plant.
Should changes be made, which based on our review significantly alter the design specified in this submittal, we will provide information on the change.
As stated in letter Serial No. 85-316D, the schedule for installation of the ATWS mitigation systems remains planned for the refueling outage at the end of fuel cycle 10.
Due to the extended unplanned outages experienced this year, these outages are now forecast as follows:
Surry Unit 1: Refueling Outage End of Cycle 10, Fall 1989
Surry Unit 2: Refueling Outage End of Cycle 10, Spring 1990

This installation schedule is based on the time requirements to complete the engineering design details and lead time necessary for equipment delivery consistent with our three year outage forecast.
Very truly yours,
W. L. Stewart
8708070173 870731
PDR ADOCK 05000280
P PDR

cc:
U. S. Nuclear Regulatory Commission, 101 Marietta Street, N. W., Suite 2900, Atlanta, Georgia 30323
Mr. W. E. Holland, NRC Senior Resident Inspector, Surry Power Station
Mr. Chandu P. Patel, NRC Surry Project Manager, Project Directorate II-2, Division of Reactor Projects - I/II
Attachment
LICENSING POSITION
ATWS MITIGATION SYSTEM ACTUATION CIRCUITRY (AMSAC)
SURRY POWER STATION - UNITS 1 AND 2
1.0 INTRODUCTION
In order to comply with 10CFR50.62 "Requirements for Reduction of Risk From Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," the Westinghouse Owners Group (WOG) prepared and submitted for Nuclear Regulatory Commission (NRC) review and approval topical report WCAP-10858 "AMSAC Generic Design Package."
The NRC's acceptance position of the generic topical report and WCAP-10858A "AMSAC Generic Design Package" formed the basis for preparing Surry's licensing submittal.
2.0 BACKGROUND
The Anticipated Transients Without Scram (ATWS) Final Rule, 10CFR50.62, allowed the NRC to amend its regulations to require improvements in design and operation of pressurized water reactors to reduce the likelihood of a failure to scram and to mitigate the consequences of an ATWS.
The NRC does not believe that the current reactor trip system achieves adequate reliability.
This is due to two reasons:
(1) reliability standards are not sufficiently developed or qualitatively documented; and (2) the dominant role played by common mode failures.
Consequently, the ATWS Final Rule requires diversity from sensor output to the final actuation device to automatically initiate auxiliary feedwater flow and trip the turbine under conditions indicative of an ATWS.
3.0 CRITERIA
Surry must implement paragraph (C)(1) of 10CFR50.62, "Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary feedwater system and initiate a turbine trip under conditions indicative of an ATWS.
This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system."
Although the required ATWS mitigation system does not have to be safety related, it is part of the class of systems and components defined in General Design Criteria (GDC) 1, which requires that "structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed."
Generic Letter 85-06 "Quality Guidance for ATWS Equipment That Is Not Safety Related" provides direction for the Quality Assurance program that must be applied to the ATWS mitigation system.
4.0 DESIGN DESCRIPTION
The Westinghouse Owners Group (WOG) in concert with Westinghouse Electric Company prepared WCAP-10858, "AMSAC Generic Design Package."
This document was submitted to obtain NRC approval of the design prior to implementation of the changes required by 10CFR50.62.
The application for NRC review was submitted in 1985 with the Draft SER issued in June 1986, and the Final Safety Evaluation published July 7, 1986.
The Final Safety Evaluation (Final SER) approved WCAP-10858 and accepted the principle of using only one of three proposed functional designs to detect the onset of ATWS.
An accepted version of WCAP-10858, WCAP-10858-Revision A, was issued in October, 1986.
By definition, an ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) which is accompanied by a failure of the reactor trip system to shut down the reactor.
The three functional designs discussed in WCAP-10858 proposed to provide detection of a failure of the Reactor Protection System (RPS) to initiate a reactor trip and a loss of feedwater or loss of load are based on the power level indication (reactor or turbine power) and the monitoring of (1) steam generator inventory level, (2) feedwater flow, or (3) feedwater pump breaker and valve position status.
For each functional design, provision for the existing reactor protection system to operate is provided by time delaying the ATWS mitigation signal.
Likewise, automatic arming of each functional design is provided by two turbine load signals above a predetermined value, and a time delay on de-energizing is used to keep the ATWS mitigation system armed for a preset period even if the existing reactor protection system trips the turbine successfully.
Functional design 1, using steam generator narrow range level as the detection variable, will be used at Surry.
One narrow range level transmitter in each of the three generators will be used in conjunction with the first stage turbine pressure channels to derive the ATWS mitigation system.
If the level in any two steam generators is less than or equal to 13 percent of narrow range level span and the turbine is greater than or equal to 40 percent load, ATWS mitigation will be initiated automatically.
A time delay of approximately 27 seconds is provided to allow the existing reactor protection system to respond first.
In the event of an ATWS event and the expiration of the time delay, the main turbine will be tripped, all three auxiliary feedwater pumps will start, and the steam generator blowdown isolation valves will receive an automatic close signal.
ATWS mitigation by AMSAC is automatically blocked below 40 percent power by a newly installed permissive (C-20) that is derived from the First Stage Pressure (FSP) transmitters.
This automatic block will be defeated for approximately 120 seconds following a decrease of FSP below 40 percent.
This time delay is required for the instance wherein an ATWS event occurred and the turbine load was reducing, causing FSP to drop below 40 percent.
The ATWS mitigating actions, AMSAC, will still be initiated automatically if a loss of heat sink (steam generator inventory loss) occurs within the 120 second time delay.
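The Functional Design 1 logic described above (2-of-3 low level, C-20 arming with a 120 second hold, 27 second actuation delay), as an added Python model; it is not code from the submittal, Virginia Power or Westinghouse. Assumptions not stated on the page: both FSP channels must read at or above 40 percent to arm, the low-level coincidence must persist for the full 27 seconds, and all input traces are constructed at one sample per second.

```python
"""Model of the AMSAC Functional Design 1 coincidence logic (illustrative only)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Setpoints and delays quoted in the submittal (both delays are "approximately").
LOW_LEVEL_PCT = 13.0       # steam generator narrow range level, percent of span
ARM_LOAD_PCT = 40.0        # turbine load derived from first stage pressure (FSP)
ACTUATION_DELAY_S = 27.0   # lets the existing reactor protection system act first
C20_HOLD_S = 120.0         # block stays defeated this long after FSP drops below 40%


@dataclass(frozen=True)
class Sample:
    t: float                                # seconds
    sg_levels: Tuple[float, float, float]   # SG A, B, C level (Channels I, II, III)
    fsp_loads: Tuple[float, float]          # turbine load from FSP Channels III, IV


class AmsacLogic:
    """Stateful evaluation of the arming permissive and the actuation timer."""

    def __init__(self) -> None:
        self._last_above: Optional[float] = None  # last time load was >= 40%
        self._low_since: Optional[float] = None   # start of armed low-level coincidence

    def step(self, s: Sample) -> bool:
        # ASSUMPTION: C-20 requires both FSP channels at or above the setpoint.
        if all(load >= ARM_LOAD_PCT for load in s.fsp_loads):
            self._last_above = s.t
        armed = (self._last_above is not None
                 and s.t - self._last_above <= C20_HOLD_S)
        # Any two of the three steam generators at or below 13% of span.
        low = sum(level <= LOW_LEVEL_PCT for level in s.sg_levels) >= 2
        if armed and low:
            if self._low_since is None:
                self._low_since = s.t
        else:
            # ASSUMPTION: the delay timer resets if the coincidence clears.
            self._low_since = None
        return (self._low_since is not None
                and s.t - self._low_since >= ACTUATION_DELAY_S)


def first_actuation(samples: List[Sample]) -> Optional[float]:
    """Time at which turbine trip, AFW start and blowdown isolation are demanded."""
    logic = AmsacLogic()
    for s in samples:
        if logic.step(s):
            return s.t
    return None


def scenario(duration: int,
             levels_at: Callable[[int], Tuple[float, float, float]],
             loads_at: Callable[[int], Tuple[float, float]]) -> List[Sample]:
    """Build a constructed one-sample-per-second trace."""
    return [Sample(float(t), levels_at(t), loads_at(t)) for t in range(duration)]


def full_load(t: int) -> Tuple[float, float]:
    return (100.0, 100.0)


def load_reduction(t: int) -> Tuple[float, float]:
    return (100.0, 100.0) if t < 5 else (30.0, 30.0)


def results() -> dict:
    normal = (50.0, 50.0, 50.0)
    return {
        # Loss of feedwater at full load, all levels low from t=10.
        "loss_of_feedwater": first_actuation(scenario(
            90, lambda t: normal if t < 10 else (5.0, 5.0, 5.0), full_load)),
        # SG C channel failed high: A and B still satisfy the 2-of-3 matrix.
        "c_failed_high": first_actuation(scenario(
            90, lambda t: normal if t < 10 else (5.0, 5.0, 100.0), full_load)),
        # SG C channel failed low alone: 1-of-3 must not actuate.
        "c_failed_low": first_actuation(scenario(
            90, lambda t: (50.0, 50.0, 0.0), full_load)),
        # Load drops below 40% at t=5, inventory lost at t=60, inside the hold.
        "within_hold": first_actuation(scenario(
            150, lambda t: normal if t < 60 else (5.0, 5.0, 5.0), load_reduction)),
        # Same, but inventory lost at t=200, after the 120 s hold has expired.
        "after_hold": first_actuation(scenario(
            300, lambda t: normal if t < 200 else (5.0, 5.0, 5.0), load_reduction)),
        # Start-up below the permissive: never armed, so blocked.
        "below_c20": first_actuation(scenario(
            90, lambda t: (5.0, 5.0, 5.0), lambda t: (30.0, 30.0))),
    }


if __name__ == "__main__":
    for name, t in results().items():
        print(f"{name}: {'no actuation' if t is None else f'actuation at t={t:.0f} s'}")
```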
5.0 SPECIFIC REQUIREMENTS
The NRC Staff accepted WCAP-10858 as a generic concept.
Consequently, the Staff approved:
(1) implementation of any one of the three functional designs for the detection of an ATWS event; (2) use of existing transmitter impulse lines, transmitter power supplies, and isolators; (3) testing of the ATWS mitigation system in bypass; and (4) the use of an operating bypass, the C-20 permissive, to prevent spurious actuation in either start-up or shutdown.
The Staff also identified 14 key elements which will be reviewed on a case by case basis.
These 14 key elements and the reasons for the Surry positions are discussed below.
Engineering is in progress on this system but is not complete, therefore certain changes may be made between details contained in the plans outlined in this letter and the system installed in the plant.
The 14 key elements are:
A. Diversity
B. Logic Power Supplies
C. Safety Related Interface
D. Quality Assurance
E. Maintenance Bypasses
F. Operating Bypasses
G. Means for Bypassing
H. Manual Initiation
I. Electrical Independency from Existing Reactor Protection System
J. Physical Separation from Existing Reactor Protection System
K. Environmental Qualification
L. Testability at Power
M. Completion of Mitigative Action
N. Technical Specifications

A. DIVERSITY
NRC Guidance
The plant specific submittal should indicate the degree of diversity that exists between the AMSAC equipment and the existing Reactor Protection System.
Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors output to, but not including, the final actuation device, e.g., existing circuit breakers may be used for the auxiliary feedwater initiation.
The sensors need not be of a diverse design or manufacture.
Existing protection system instrument-sensing lines, sensors, and sensor power supplies may be used.
Sensor and instrument sensing lines should be selected such that adverse interactions with existing control systems are avoided.
Position
Diversity between the existing Westinghouse Reactor Protection System/Safeguards System (RPS/SS) and the ATWS mitigation system (AMSAC) to minimize the potential for common cause failures is required from sensor output, but not including the final actuation device.
Different types of technology and/or different manufacturers would fulfill the diversity requirement.
The instrument sensors do not have to be diverse.
Therefore, existing protection system instruments, impulse lines, and transmitter power supplies may be used.
Instruments and their related impulse lines must be selected to prevent adverse interaction with existing control systems.
Surry plans to implement Functional Design 1 of WCAP-10858, Low-Low Steam Generator Level, to initiate the AMSAC.
The attached preliminary Logic Diagrams show the manner in which the Low-Low Steam Generator Level will be implemented.
One of the three narrow range level instrument loops (Channels I, II, and III) on each of the three steam generators (A, B, and C) will be used to provide nonsafety-related signal inputs to the AMSAC logic system.
A signal from Channel I will provide steam generator A level input to AMSAC.
A signal from Channel II will provide steam generator B level input to AMSAC, and a signal from Channel III will provide steam generator C level input to AMSAC.
Channel I and II narrow range steam generator A, B, and C level signals provide protection, indication, and computer input functions.
Channel III narrow range steam generator A, B, and C level signals provide protection, indication, computer input, and control functions.
Channel III narrow range steam generator C level is the only signal that could be compromised by adverse feedwater control system interaction.
If the Channel III narrow range steam generator C level signal fails, either high or low, the two remaining signals from Channels I and II, narrow range steam generators A and B levels, respectively, would still be able to satisfy the AMSAC logic matrix and initiate mitigation.
Each Surry Unit has four separate physically isolated 120V ac buses which are Channel related.
Each vital bus will be supplied by an independent Uninterruptable Power Supply (UPS) via DC-85-33-1 and DC-85-34-2.
Two UPSs are connected to one of each unit's two Class 1E batteries.
Upon rectifier/charger failure within the UPS, the battery will pick up the inverter load.
Upon failure of the inverter section of UPS, a static switch will transfer the vital bus to a regulating transformer.
Therefore, the integrity of the channel will always be maintained.
By using signals from three different channels, i.e., I, II, and III, the level transmitters, their associated impulse lines, and the level transmitter power supplies are electrically and physically independent and, therefore, non-interacting.
Channel III and IV turbine impulse chamber pressure are used to develop the C-20 permissive.
Both of these signals are also used to provide control inputs to the feedwater control system.
The implementation of AMSAC does not adversely affect or degrade the turbine impulse chamber pressure signals.
The independence of the AMSAC signals derived from the protection system will be provided by Class 1E qualified isolators in the AMSAC panel.
The signals obtained from the isolators will never be returned to the protection system.
This is consistent with the requirements of General Design Criterion 24, Separation of Protection and Control System.
Consequently, the use of isolated steam generator level and turbine impulse chamber pressure signals will neither compromise the protection system nor introduce an adverse control system interaction.
The Surry RPS/SS utilizes a Westinghouse 7100 Process Instrumentation and Control System (7100 System).
The 7100 System is a current based instrumentation system.
All 5 analog signals will be isolated at AMSAC for the solving of coincidence logic.
Independence of AMSAC from the existing RPS/SS will be achieved through the use of new existing qualified isolators which buffer the current signals originating in the 7100 System.
Connecting AMSAC downstream of the new isolators will ensure that the nonsafety-related AMSAC will not degrade the existing RPS/SS.
Actuation logic diversity will be provided between the RPS/SS and AMSAC.
The existing Westinghouse RPS/SS is a relay based system which performs this function.
The RPS/SS uses Type BF input relays by Westinghouse to provide input isolation for the Westinghouse Type BFD logic relays which in turn solve the coincidence logic.
The relays drive output relays which also are Westinghouse Type BFD.
The BFD relay is for 125V dc application, and the BF relay is for 120V ac application.
The SS also utilizes Westinghouse type BFD relays for solving coincidence logic and equipment actuation with Westinghouse type BF relays used for input isolation.
Additionally, Westinghouse type MG-6 latching relays are used in the SS for manual actuation and system reset.
All of the relays are of the multi-contact hinged armature type.
AMSAC will use a programmable logic controller (PLC) to solve the coincidence logic.
The PLC will use a microprocessor manufactured by Intel (8086) which represents an entirely different technology with respect to relay logic as used in the RPS/SS.
Input isolators will be required for the PLC.
Output relays will also be required in order to provide isolated safety-related mitigation permissives to existing final actuation devices.
The output relays will be Electro Switch Type CSR rotary relays.
The RPS/SS slave output relays are conventional hinged armature machine tool type relays.
AMSAC output relays will use different principles of operation and will be made by a different manufacturer.
Therefore, a sufficient degree of diversity is provided through the consistent application of different manufacturers and different operating principles.
B. LOGIC POWER SUPPLIES
NRC Guidance
The plant specific submittal should discuss the logic power supply design.
According to the rule, the AMSAC logic power supply is not required to be safety-related (Class 1E).
However, logic power should be from an instrument power supply that is independent from the reactor protection system (RPS/SS) power supplies.
Our review of additional information submitted by WOG indicated that power to the logic circuits will utilize RPS/SS batteries and inverters.
The staff finds this portion of the design unacceptable, therefore, independent power supplies should be provided.
Position
The ATWS logic power supply is not required to be safety-related, however, it should be a reliable instrument power supply, independent from the RPS power supplies (vital buses, associated batteries and inverters), and battery-backed.
A nonsafety-related static inverter (consisting of 5 KVA inverter with integral static transfer switch and manual bypass switch), and associated 120V ac distribution panel, located in the non-safety-related (black) battery Building, will be used as the AMSAC logic power supply for both units 1 and 2.
It will derive its 125V dc normal source from the "black battery", to provide regulated 120V ac, 1 phase, 2 wire power (approximately 15 amp each) to the AMSAC panels located in the Units 1 and 2 Emergency Switchgear Rooms.
Upon inverter output failure, the static transfer switch will automatically transfer the load to the 120V ac alternate source (nonregulated) from an existing 120/240V ac Distribution Panel Unit 2, in the "Black Battery" Building.
When the inverter output returns to normal, either automatic or manual retransfer may take place.
The "black battery", as designed, has a 70 amp, 2-hour future load duty, which is sufficient to handle the 5 KVA static inverter input requirements.
The static inverter will be monitored locally (indicating lights) and annunciated in the Control Room consistent with accepted human factors guidelines.
The "Black Battery" Building was selected as the static inverter location to minimize input ac and dc cable lengths, cable sizes, and voltage drops.
Since the AMSAC panel loads will not change significantly, the regulating capability of the inverter will be maintained.
The integral power supplies for the Gould Programmable Controllers are rated for input voltage of 95-138V (long term) and 80-150V (10 sec).
C. SAFETY-RELATED INTERFACE
NRC Guidance
The plant specific submittal should show that the implementation is such that the existing protection system continues to meet all applicable safety criteria.
Position
Isolators are the devices which buffer AMSAC from the safety-related equipment and systems.
New qualified isolators, Technology for Energy Corporation Model TEC-156A, will provide nonsafety-related analog signals to AMSAC.
The company will use Electro Switch CSR rotary relays, which will be mounted in the top of the AMSAC panel with a steel shelf interposed between the coil section and the contact section, to provide isolated safety-related AMSAC outputs to actuate safety-related equipment.
This approach does not violate any safety criteria applicable to the RPS/SS, i.e., IEEE Standard 279-1968, General Design Criteria 17, 18, 20 through 25, and Surry's UFSAR Section 7.2.

D. QUALITY ASSURANCE
NRC Guidance
The plant specific submittal should provide information regarding compliance with Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related."
Position
The Surry AMSAC complies with the requirements of Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related."
I. ORGANIZATION
NRC Guidance
The normal line organization is expected to verify compliance with this guidance.
A separate organization is not required. If desired, the existing Appendix B QA organization may be involved but this is not required.
Position
Virginia Electric and Power Company will purchase only portions of the AMSAC equipment as non-safety-related.
These purchases will be made in accordance with our Nuclear Operations Department Standards using personnel who are involved in both safety-related and non-safety-related purchases.
The Appendix B QA organization may be involved as deemed appropriate.

II. PROGRAM
NRC Guidance
It is expected that the existing body of plant procedures or practices will describe the quality controls applied to the subject equipment.
A new or separate QA program is not required.
Position
Virginia Electric and Power Company will use the existing program of Nuclear Operation Department Standards and Station Administrative Procedures which apply to non-safety-related equipment for the non-safety-related AMSAC equipment.
A new and dedicated QA program will not be implemented.

III. DESIGN CONTROL
NRC Guidance
Measures 1/ are to be established to ensure design specifications are included or correctly translated into design documents 2/ and to ensure that all design control activities are consistent with the requirements of 10 CFR 50.59.
Normal supervisory review of the designer's work is an adequate control measure.
Except for design control measures, where the utility is responsible for ensuring that design control measures are applied at contractor or subcontractor organizations, the term "measures" applies only to activities within the licensee's or applicant's organization.
However, the design control measures to be applied at contractor or subcontractor organizations need be no more stringent than those required of the utility.
Except for the record keeping requirements of 10 CFR 50.59 and requirements XVII of this guidance document, any records that are generated as a result of implementing these QA controls are not required to be maintained.
Position
Virginia Electric and Power Company has determined that a portion of the work involved in the installation of AMSAC is safety-related as it involves the interface of safety-related and non-safety-related equipment.
As such, design work will be controlled in accordance with the standards for safety-related work as identified in the Virginia Power Nuclear Design Control Program.

IV. PROCUREMENT DOCUMENT CONTROL
NRC Guidance
Measures are to be established to ensure system specifications and quality requirements, where applicable, are included in procurement documents. 1/
Position
Virginia Electric and Power Company, through the use of the Virginia Power Nuclear Design Control Program, the Nuclear Operations Department Standards and the Station Administrative Procedures, will ensure system specifications and quality requirements are included as applicable in non-safety-related AMSAC procurement documents.

V. INSTRUCTIONS, PROCEDURES AND DRAWINGS
NRC Guidance
Measures are to be established which ensure that quality controls will be applied to activities that affect quality.
These measures may include such things as written instructions, plant procedures, cautionary notes on drawings and special instructions on work orders.
Any methodology which provides the appropriate degree of guidance to utility personnel performing quality-related activities will satisfy this requirement.
Maintenance on the equipment shall be based on the appropriate use of vendor information.
Any departure from such vendor guidance shall be based on an adequate engineering rationale. 2/
Position
Virginia Electric and Power Company will implement this modification through a separate Design Change Package (DCP) for each unit.
The Nuclear Operations Department Standards provide for this means of implementation via the Virginia Power Nuclear Design Control Program.
The DCPs are being prepared as safety related DCPs.
Each DCP will be issued and approved by the Station Nuclear Safety and Operating Committee prior to implementation.
Each DCP will also provide procedures, instructions and drawings sufficient to provide for proper installation.
Maintenance information supplied by vendors will be included.

VI. DOCUMENT CONTROL
NRC Guidance
Measures are to be established to control the issuance of and changes to documents affecting quality. 2/
Position
Virginia Electric and Power Company will control and retain implementation documents in accordance with the Virginia Power Nuclear Design Control Program and will control procurement documentation in accordance with the Nuclear Operations Department Standards.

VII. CONTROL OF PURCHASED ITEMS AND SERVICES
NRC Guidance
Measures are to be established to ensure that all purchases conform to appropriate procurement documents. 1/
Such measures may include the performance of receipt inspections by stores or warehouse personnel or plant engineering personnel.
Position
The Company will assure the control of purchased items and/or services for AMSAC which are non-safety-related in accordance with the Nuclear Operations Department Standards which includes provisions for receipt inspections as required.

VIII. IDENTIFICATION AND CONTROL OF PURCHASED ITEMS
NRC Guidance
Measures are to be established, where necessary, to identify and control purchased items.
Examples of circumstances requiring such control include the storage of environmentally sensitive equipment or material and the storage of equipment or material that has a limited shelf-life.
Position
The company will assure the identification and control of non-safety-related material purchased for AMSAC in accordance with the Nuclear Operations Department Standards and the purchase order requirements determined in accordance with the Nuclear Design Control Program.
No limited shelf-life items are presently included in the design.

IX. CONTROL OF SPECIAL PROCESSES
NRC Guidance
Measures are to be established to control special processes, including welding, heat treating, and non-destructive testing.
Applicable codes, standards, specifications, criteria, and other special requirements may serve as the basis of these controls.
Position
The Company at this time is not planning to use any special processes in the purchase, fabrication or installation of the non-safety-related AMSAC materials.
However, work performed at a vendor would be performed as normally done on standard products or would be in accordance with the purchase order or specification or approved procedure as required for non-safety-related AMSAC.

X. INSPECTION
NRC Guidance
Measures are to be established to inspect activities affecting quality.
Inspections are to be accomplished in order to verify that these activities are in conformance with the available documentation 2/, or, if no documentation is available, to verify that these activities are being satisfactorily accomplished.
In general, the line organization is responsible for determining the inspection requirements and for ensuring that sufficient inspections are performed.
Inspections need not be performed by personnel who are independent of the line organization.
Inspections shall be performed by knowledgeable personnel.
Position
The Company will have inspections performed on non-safety-related AMSAC equipment as deemed necessary based on compliance with the Nuclear Operations Department Standards and the Nuclear Design Control Program.

XI. TESTING
NRC Guidance
Measures are to be established to test, as appropriate, non-safety-related ATWS equipment prior to installation and operation and periodically.
Results of the tests should be evaluated to ensure that the test requirements have been satisfied.
Position
The Company will, in accordance with the Final Design Testing Section of the Design Change Package as required by the Nuclear Design Control Program, assure that the system performs properly prior to operation.
The periodic testing is discussed in Section "L" later in this response.

XII. CONTROL OF MEASURING AND TEST EQUIPMENT
NRC Guidance
Measures are to be established to control, calibrate, and adjust measuring and test equipment at specific intervals.
Position
Measuring and Test Equipment will be maintained and calibrated in accordance with Station Administrative Procedures.

XIII. HANDLING, STORAGE AND SHIPPING
NRC Guidance
Measures are to be established to control handling, storage, shipping, cleaning, and preservation of purchases in accordance with utility practices and manufacturer's recommendations.
Position
This will be performed in accordance with the Nuclear Operations Department Standards.

XIV. INSPECTION, TEST, AND OPERATING STATUS
NRC Guidance
Measures are to be established to indicate status of inspection, test, and operability of installed non-safety-related ATWS equipment.
Position
The inspection and testing of installed non-safety-related AMSAC equipment will be as discussed in Section "L" of this response.
The operating status of AMSAC will be indicated by annunciators in the control room and status lamps on the AMSAC panel.

XV. NONCONFORMANCES
NRC Guidance
Measures are to be established to identify nonconformances.
Position
The company will identify and disposition nonconformances in accordance with the Nuclear Operations Department Standards and Station Administrative Procedures.

XVI. CORRECTIVE ACTION SYSTEM
NRC Guidance
Measures are to be established for prompt correction of conditions which are adverse to quality (i.e., nonconformances), and to preclude repetition of conditions adverse to quality.
Position
The Company will identify and disposition nonconformances in accordance with the Nuclear Operations Department Standards and Station Administrative Procedures.

XVII. RECORDS
NRC Guidance
Measures are to be established to maintain and control records of activities in accordance with the requirements of 10 CFR 50.59.
In addition, measures are to be established to maintain and control appropriate records to ensure that the requirements specified in the table accompanying the ATWS rule (49 FR 26036, pp. 26042-26043) have been met.
Position
The Company will maintain records in accordance with the Nuclear Operations Department Standards and the Nuclear Design Control Program.

XVIII. AUDITS
NRC Guidance
Audits which are independent of line management are not required, if line management periodically reviews the adequacy of the quality controls and takes any necessary corrective action.
Line management is responsible for determining whether reviews conducted by line management or audits conducted by an organization independent of line management are appropriate.
Position
Independent audits are not planned at this time but may be performed as required.
E.
e MAINTENANCE BYPASSES NRC Guidance The plant specific submittal should discuss how maintenance at power is accomplished and how good human factors engineering practice is incorporated into the continuous indication of bypass status in the control room.
Position AMSAC maintenance during unit power operation will be accomplished through operation of either of two bypass switches.
One is located in the Main Control Room on Benchboard Section 2 and the other is located within the AMSAC panel.
In neither case will the lifting of leads, tripping of breakers, use of physically blocking relays, nor the pulling of fuses be required to bypass AMSAC.
Bypass status will be annunciated in the Main Control Room above Vertical Section 1.
The alarm will be located to provide bypass status to the reactor operator.
The new alarm will meet accepted human factors guidelines as delineated in Virginia Electric and Power Company's Human Factors Standard STD-GN-0005.
In accordance with the Virginia Electric and Power Company Nuclear Design Control Program, a review of the human factors acceptability of this modification will be performed and its results will be noted in the implementation document.
For maintenance bypass the following human factors principles will be implemented:
1. The information provided by displays and control equipment added to the Main Control Room as a result of implementing the ATWS Final Rule will not increase the potential for operator error under both normal and abnormal plant conditions. Bypass for maintenance will be clearly displayed to the operator.
2. AMSAC will be integrated into the applicable Emergency Operating Procedures and into applicable Maintenance Procedures.
3. AMSAC will be integrated into the operator training program and the Surry simulator will also be modified to incorporate the implementation of AMSAC.
4. AMSAC is of course time delayed to allow the existing reactor protection system to respond first. Consequently, the alarm "AMSAC ACTUATED" should always be received after the existing reactor protection system commences mitigation. Since AMSAC will be installed to mitigate a failure of the RPS, prioritization of the "AMSAC ARMED" and "AMSAC ACTUATED" alarms may be required. During normal operation the operator will be trained to expect AMSAC BYPASSED, AMSAC TROUBLE, and AMSAC ARMED alarms. As AMSAC BYPASSED and AMSAC TROUBLE will be status alarms, prioritization may be required. The alarm AMSAC ARMED will be a pre-trip annunciation which could prompt operator responses and prioritization may be required.
F. OPERATING BYPASSES
NRC Guidance
The plant specific submittal should state that operating bypasses are continuously indicated in the control room; provide the basis for the 70 percent or plant specific operating bypass level; discuss the human factors design aspects of the continuous indication; and discuss the diversity and independence of the C-20 permissive signal (defeats the block of ATWS).
Position
The design bases for the new ATWS unique C-20 permissive, which defeats the operating bypass, two out of two turbine first stage pressures increasing, are:
1. "Westinghouse Anticipated Transients Without Trip Analysis," WCAP-8330, August 1974.
2. "Anticipated Transients Without Scram for Light Water Reactors," NUREG-0460, December 1978.
3. Anderson, T. M., "ATWS Submittal," Westinghouse Letter NS-TMA-2182 to S. H. Hanauer of the NRC, December 1979.
These three documents demonstrated that ATWS mitigation need not be initiated below 70 percent turbine load because reactor coolant system pressure does not approach the ASME Boiler and Pressure Vessel Code Level C Service Limit of 3200 psig (NRC criteria for successful ATWS mitigation).
Continuing analyses on the part of Westinghouse, the results of which were presented at the WOG meeting in Pittsburgh, Pennsylvania, on December 18, 1986, have confirmed that peak reactor coolant system pressure resulting from an ATWS at 70 percent turbine load will not exceed the ASME Level C Service Limit of 3200 psig.
However, as the pressure decreases, there will be bulk boiling of the reactor coolant system inventory for 10 minutes after the ATWS peak pressure even with operator intervention.
Consequently, to preclude bulk boiling of the reactor coolant, the C-20 permissive setpoint must be reduced to 40 percent turbine load as determined by Westinghouse to ensure spurious ATWS mitigations do not occur at low power levels, i.e., less than 40 percent turbine load, or during startup.
An automatic bypass will be provided to defeat automatic ATWS mitigation below 40 percent turbine load.
Should an ATWS occur below 40 percent turbine load, operator action will be required to initiate auxiliary feedwater flow to preclude the consequences of operating without a heat sink.
The revision of the C-20 permissive to 40% is in accordance with Addendum 1 to WCAP-10858-A, which was submitted to the NRC by the Westinghouse Owners Group on February 26, 1987.
Diversity from the existing reactor trip system (7100 System/RPS/SS) will be provided from the sensor output.
Sensor output is defined as the signal available at the isolated output of the diverse isolators, Technology for Energy Corporation Model TEC-156A.
The ATWS mitigation system will use Gould Model 884 programmable logic controllers (PLCs).
These devices will comply with the NRC's diversity requirements because:
1. The PLCs are manufactured by someone other than Westinghouse.
2. The PLCs use integrated circuit technology versus the discrete component/operational amplifier technology of the 7100 System.
3. The 7100 System comparators (Model 139-118 modules) have a voltage output whereas the PLCs have analog to digital converters which provide a digitally coded output signal.
Independence from the 7100 System and the RPS/SS (the reactor trip system) will be provided by diverse isolators qualified to IEEE-STD-323-1974 and IEEE-STD-344-1975 to ensure independence between AMSAC and the reactor protection system consisting of the 7100 system and the RPS/SS.
Qualified analog signal isolators manufactured by Technology for Energy Corporation will be used.
The Model TEC-156A diverse isolator complies with IEEE-STD-384-1974 as interpreted by R.G. 1.75-1978, Revision 2.
The Channel III and IV turbine load signals will be independently isolated.
The operating bypass will defeat ATWS mitigation below 40 percent turbine load.
Consequently, the bypass will be continuously annunciated in the control room until it is defeated by the C-20 permissive.
The control room annunciation is consistent with accepted human factors guidelines.
A human factors review will be conducted during the design process to assure that the information provided by this display will not increase the potential for operator error under both normal and abnormal plant conditions.
AMSAC will be integrated into the operator training program and the Station's simulator will also be modified to incorporate the implementation of AMSAC including this continuous annunciation, when the turbine is below 40 percent load.
The C-20 permissive, which will defeat the operating bypass, will utilize the existing 7100 System turbine impulse chamber pressure signals that originate in Channels III and IV.
The use of the existing pressure transmitters, sensing lines, and pressure transmitter power supplies is permitted by the ATWS Final Rule.
Justification for using diverse isolators, Technology for Energy Corporation Model TEC 156A, is provided in the SER which approved WCAP-10858.
G. MEANS FOR BYPASSING
NRC Guidance
The plant specific submittal should state that the means for bypassing is accomplished with a permanently installed, human factored, bypass switch or similar device, and verify that disallowed methods mentioned in the guidance are not utilized.
Position
The means for bypassing, whether it be for maintenance or testing, will be by permanently installed bypass switches.
The lifting of leads, pulling of fuses, tripping of breakers, and use of physically blocking relays will not be required for bypassing.
Two switches per Unit will be utilized.
The primary bypass switch will be located in the Main Control Room on Benchboard Section 2.
The second bypass switch will be located within the ATWS mitigation panel, AMSAC.
As stated under Operating Bypass and Maintenance Bypasses, both switches will be annunciated in the Main Control Room.
Both bypass switches will adhere to the requirements of NUREG-0700 with respect to operating level, direction of operation, labeling, and annunciation.
A human factors review will be conducted as a part of the design process to assure that the control equipment, which will be added to the Main Control Room as a result of implementing the ATWS Final Rule, will not increase the potential for operator error under both normal and abnormal plant conditions.
AMSAC will be integrated into the operator training program, and the Surry simulator will be modified to incorporate the implementation of AMSAC.
H. MANUAL INITIATION
NRC Guidance
The plant specific submittal should discuss how a manual turbine trip and auxiliary feedwater actuation are accomplished by the operator.
Position
Manual initiation of turbine trip can be accomplished from the control room via the two pushbuttons on benchboard Section 2.
The turbine can be manually tripped via the trip handle which is located in the turbine pedestal in the Turbine Building.
Manual initiation of auxiliary feedwater flow can be accomplished from the control room by turning the control switches for electrically driven auxiliary feedwater pumps 1-FW-P-3A/B to start, and by turning the selector switches for PCV-MS-102A and/or PCV-MS-102B to open to start the steam turbine driven auxiliary feedwater pump.
All three auxiliary feedwater pumps are also controllable outside the control room from the Auxiliary Shutdown panel which is located in the Emergency Switchgear Room.
The electrically driven pumps can also be started at their breakers in the Emergency Switchgear Room by use of the local breaker control switch. All of these methods are diverse from the existing 7100 System/RPS/SS.
I. ELECTRICAL INDEPENDENCE FROM EXISTING REACTOR PROTECTION SYSTEM
NRC Guidance
The plant specific submittal should show that electrical independence is achieved.
This is required from the sensor output to the final actuation device at which point nonsafety-related circuits must be isolated from safety-related circuits by qualified Class 1E isolators.
Use of existing isolators is acceptable.
However, each plant specific submittal should provide an analysis and tests which demonstrate that the existing isolator will function under the maximum worst case fault conditions.
The required method for qualifying either the existing or diverse isolators is presented in Appendix A 3/.
Position
ATWS mitigation equipment, per 10CFR50.62, need not be safety-related; however, the existing steam generator instrumentation is safety related and AMSAC will provide outputs to the safety-related engineered safeguards system. Isolators will be required to ensure the independence of the existing RPS/SS. New Technology for Energy Corporation Model TEC-156A isolators will be used to provide nonsafety-related inputs to AMSAC.
The existing 7100 System isolators are not fully documented in accordance with the final AMSAC rule as fully qualified devices which provide safety circuit isolation from credible postulated voltage/current faults imposed on the nonsafety-related circuits and therefore will not be used.
The requirements for establishing electrical independence were presented in Appendix A to the SER. Based on preliminary design information, Appendix A is complied with for the TEC-156A isolators, as follows:
1) Surry will utilize diverse isolators for ATWS implementation. The maximum credible faults are 120V ac and 125V dc as these two voltages are the only ones available with the AMSAC Panel and are the highest voltages the input signals could credibly encounter. The TEC-156A isolators were tested to 120V ac and 2000V dc. The test verified the isolation capabilities of the TEC-156A isolators by demonstrating that the 1E side of the isolator was not degraded.
3/ Appendix A to NRC letter #86-654 dated October 6, 1986.
2) The maximum credible faults which the isolator could be exposed to are 120V ac and 125V dc. The 120V ac is used to provide power to each of the 7100 System modules. The 120V ac power is also used to interrogate the comparators which provide a voltage signal to the reactor protection system. The annunciator utilizes 125V dc for field sensing which eclipses the 40V dc of the instrument loop power supplies. The maximum voltages applied during the testing of the isolator were 120V ac and 2000V dc. The voltages were applied in both open circuit and short circuit tests.
3) The data which verifies the application of the maximum credible faults to the output of the isolators is contained in the following test reports: "Test Report on Isolation Testing and Measurements of the TEC Model 156 Series Isolators Including Shorts, Opens, and 120V ac Fault with Fuses Shorted" 156-TR-02 by Technology for Energy Corporation, dated July 30, 1985, and "Test Report on Isolation Testing and Measurement of the TEC Model 156 Series Isolators at 2000V dc at 20MA with Fuses Shorted" 156-TR-03 by Technology for Energy Corporation, dated July 31, 1985.
4) The pass/fail acceptance criteria for the TEC-156A isolators are contained in the above two reports (156-TR-02 and 156-TR-03).
5) The Surry AMSAC panels including isolators will be procured seismically qualified and environmentally qualified for a mild environment. Environmental qualification and seismic qualification for the TEC-156A isolators is provided in "Qualification Test Report for Environmental and Seismic Testing of the TEC Model 156 and TEC Model 159 Isolators" by Technology for Energy Corporation, dated August 6, 1981.
6) The following design features will be used to protect the 7100 System from any potential electrical interference originating within AMSAC. All signal communication cables between the 7100 System and AMSAC will be two conductor shielded. The shielded cables will be routed through conduit to preclude safety/nonsafety interaction. The ATWS mitigation system, AMSAC, will be housed in a front door access totally enclosed steel cabinet which will be solidly grounded to suppress any potential electromagnetic interference (EMI) or radio frequency interference (RFI). The Class 1E signals from the 7100 System will be supervised by the TEC 156A isolators, which are transformer coupled operational amplifiers, prior to entering the Gould/Modicon Series 884 Analog 8 Channel Input Modules. This design precludes common mode and crosstalk between the Class 1E 7100 System and the non-1E ATWS Mitigation System. Electrostatic coupling, i.e., EMI and RFI, are suppressed by utilizing a stainless steel spot welded case which provides 120 dB of isolation at 60Hz. The stainless steel case will be rigidly mounted to a grounded and totally enclosed steel panel which will provide an additional layer of electrostatic shielding.
7) The TEC-156A isolators are transformer coupled operational amplifiers. Consequently, the only Class 1E power source required is the 4-20 mA signal itself. The isolator is a 4 inch long box, 2 inches wide with the Class 1E terminals on one end (for the input signal) and the non-Class 1E terminals on the other end (for the isolated output and the power connection, 24V dc). The use of transformer coupling provides inherent fail safe isolation and the required energy transfer to make a Class 1E power supply unnecessary. The nonsafety-related isolator power supply will be supervised by an undervoltage relay which will alarm in the control room consistent with accepted human engineering practice.
Virginia Electric and Power Company at present plans that the AMSAC output isolators will be Electro Switch Control Switch Relay Series 24 CSR.
The two CSR relays per panel will be mounted on a shelf in the AMSAC panel.
The shelf will perform three functions: 1) separate the safety-related top of the panel from the nonsafety-related bottom portion of the panel; 2) provide additional EMI/RFI rejection; and 3) provide a mounting surface for the CSR relays.
The CSR relays will be mounted such that the drive mechanism will be below the shelf (nonsafety-related portion of the panel) and the contact section will be above the shelf (safety-related portion of the panel).
Appendix A 3/ of the SER provides the requirements for the CSR relay as an output isolator.
Based on preliminary design input, compliance with Appendix A 3/ is as follows:
1) The Electro Switch Series 24 CSR relay was tested in accordance with Electro Switch Specification ESC-Std-1000 to 2200V ac and 500V dc. The maximum credible faults are 125V dc and 120V ac due to the circuits interlocked on the input and output of the isolator. Isolation of input and output is assured through design. Only the drive shaft of the rotary solenoid passes through the barrier, thus assuring complete separation of Class 1E from non-Class 1E. Test documentation is on file at Electro Switch for the CSR relays.
2) The Electro Switch CSR relays were seismically tested with a 2 ampere 125V dc source applied and bench tested to 500V dc and 2200V ac. The bench tests far exceed the isolation requirements of the application for the maximum credible voltage faults of 125V dc and 120V ac. The dc voltage level is based on switchgear control circuits and certain solenoid valve circuits. The ac voltage level is based on certain other solenoid valve circuits. The maximum current is 6.7 amperes for the switchgear closing coil. The switchgear "make" rating of a CSR contact is 95 amperes at 125V dc.
3) Data confirming the application of the maximum credible fault to the output of the isolator is on file at Electro Switch. The tests were performed in accordance with Electro Switch Specification ESC-Std-1000 which complies with IEEE-Std-323-84 and ASME-NQA-1-1-1983.
4) The pass/fail criteria for the CSR are clearly defined in Electro Switch Specification ESC-Std-1000.
5) The CSR isolator is seismically qualified as documented in Electro Switch Engineering Test Report No. 2903-1 dated April 15, 1980. Environmental qualification of the CSR isolator is provided by similarity to the fully qualified LOR and LSR. The CSR is a special version of the LSR. The applicable document for environmental qualification is Electro Switch Engineering Test Report No. 2983-3 dated January 11, 1985.
6) The CSR isolator provides complete electrical separation between the Class 1E contact decks and the non-Class 1E rotary solenoid and control decks. Electrostatic coupling, EMI, common mode, and crosstalk are all precluded by the relay design. Only dry contacts are available to the Class 1E circuits.
7) The CSR isolator, being a reverse isolator (i.e., non-Class 1E to Class 1E) would be by definition not powered by a Class 1E source. The contact inputs which initiate isolator operation are provided by programmable logic controllers in a two out of three logic matrix. The power for the CSR's rotary solenoid is the same power source as that of the AMSAC panel's, i.e., 120V ac from the inverter/distribution panel backed by the "Black Battery".
J. PHYSICAL SEPARATION FROM EXISTING REACTOR PROTECTION SYSTEM
NRC Guidance
Physical separation from existing reactor protection system is not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated.
The implementation must be such that separation criteria applied to the existing protection system are not violated.
The plant specific submittal should respond to this concern.
Position
The implementation of an ATWS mitigation system, AMSAC, at Surry will not compromise existing separation criteria as identified in Surry's UFSAR, IEEE Standard 279-1971, IEEE Standard 379-1977 and IEEE Standard 384-1981.
Cable routing will be independent of the protection system and the new AMSAC panels are located in the Emergency Switchgear Rooms which precludes interaction with the 7100 System and RPS/SS which are located in the Instrumentation Rack Rooms.
K. ENVIRONMENTAL QUALIFICATION
NRC Guidance
The plant specific submittal should address the environmental qualification of ATWS equipment for anticipated operational occurrences only, not for accidents.
Position
The AMSAC panel and related ATWS mitigation equipment, except cable located in a potentially harsh environment, will be environmentally qualified for mild environments in accordance with the statement of clarification to 10CFR50.49 and IEEE-Standard-323-1983.
Cables, which are part of the safety related interface, are qualified under our existing EQ program.
AMSAC will be powered by the Black Battery Inverter which is battery backed.
Consequently, a loss of offsite power will not disable AMSAC, and the blower in the bottom of the panel will provide adequate short-term ventilation for the enclosed programmable logic controllers and CSR relays until the safety-related diesels restore the safety-related air-conditioning system.
Other anticipated occurrences, such as loss of power to the reactor coolant pumps, tripping of the main turbine generator, and loss of circulating water, will not result in challenges to the operating environment of AMSAC.
This is due to the installation of the equipment in an area of the plant which has a mild environment.
L. TESTABILITY AT POWER
NRC Guidance
Measures are to be established to test, as appropriate, non-safety-related ATWS equipment prior to installation and periodically.
Testing of AMSAC may be performed with AMSAC in bypass.
Testing of AMSAC outputs through the final actuation devices will be performed with the plant shut down.
The plant specific submittals should present the test program and state that the output signal is indicated in the control room in a manner consistent with plant practices including human factors.
Position
Testing of AMSAC requires four control switches, one pushbutton and a three section status panel which displays the test results.
An I&C technician assigned to perform a periodic test at power would proceed as follows:
o He will obtain the key to the AMSAC panel from the Shift Supervisor, proceed to the Instrument Rack Room, and unlock the AMSAC panel door. Upon opening the door, ATWS TROUBLE will be annunciated in the Main Control Room.
o The inner door of the AMSAC panel will have a three section status array as shown on attached preliminary ESK-4ATWS. Each section will provide the status of a programmable logic controller (PLC), identified as PLC-A, PLC-B, and PLC-C. Below each status array will be a function switch for each PLC, a master bypass switch, and a test pushbutton switch.
o He would then turn the master bypass switch from "Normal" to "Bypass." This would result in AMSAC BYPASSED being annunciated in the Main Control Room.
o Any meters located in the panel would display the values presented and the values available to the control room operator can be cross checked to assure general agreement. The AMSAC panel meters will be calibrated periodically in accordance with station procedures, which will be developed.
Note: For the purpose of this discussion, testing of PLC-A will be described, as testing of PLC-B and PLC-C would be identical.
To test PLC-A, the operator will rotate the 8-position function test switch for PLC-A from "Normal" to "ABC."
o Position "ABC" will enable testing of the three steam generator level comparators through a sequencer which will be enabled by the pushbutton switch. The operator would press the pushbutton to test the comparator for steam generator A. If satisfactory, the status light for low level in steam generator A would illuminate. Depressing the pushbutton a second time would advance the test to steam generator B, and again depressing the pushbutton a third time would test the comparator for steam generator C.
o Advancing the test switch to position "2/3" would allow testing of two out of three steam generator levels low. Again, a sequencer will be used to allow testing for all three possible combinations. To start the test, the operator would depress the pushbutton to test the A and B combination with the result displayed by the 2/3 status light. Depressing the pushbutton a second time tests for the B and C combination, and depressing the pushbutton a third time will complete the combination by testing for C and A.
o Advance the test switch to the next position "III/IV." This position will test the two turbine load comparators. Again, a sequencer will be used, initialized by the pushbutton, to test/display the isolated signal from Channel III followed by the isolated signal from Channel IV.
o Advancing the test switch to position "2/2" allows testing of both turbine load signals present. Since this will be a function test, a sequencer will not be required, but the pushbutton will still be utilized to initiate the test and enable the status light.
o The next position on the test switch is "C-20." This position will test the 120 second time delay upon no longer satisfying the two out of two turbine load signals. Depressing the pushbutton will initiate the time delay and the status light will illuminate 120 seconds later.
o Advancing the test switch to the "Trip" position will allow verification of the 27 second time delay, expiration of which will initiate mitigation. Depressing the pushbutton will start the timer which, in turn, will illuminate the timer status lamp and the output lamp. The timer status lamp will verify the 27 second setpoint, and the output status lamp will verify operation of the PLC-A output module to the two train-related output relays.
o The next position, "Reset", will allow the time delays to be reset, so that misoperation will not result when the switch is returned to normal and will also reset the counter monitoring PLC-A module status in the unlikely event of a detected module failure.
o The status of the two output relays for each unit will be validated by operation when the applicable Surry Unit, 1 or 2, is in cold shutdown or refueling mode. The procedure would proceed as in the paragraph above except that two PLCs will have their respective test switches in the "Trip" position. Depressing the push button will start the 27 second time delay and allow the two PLCs to complete the two out of three voting logic matrix which will actuate the CSR. The test will be considered acceptable when all three possible PLC logic matrix combinations have satisfactorily demonstrated output isolator operation.
o The operator will then crosscheck with the Control Room operator that the steam generator levels and turbine impulse chamber pressures indicated on the meters of the AMSAC panel are in general agreement with the values indicated in the control room.
o To return AMSAC to service, the operator will reset all of the function switches to "Normal", will return the bypass switch to "Normal", close and lock the outer door, and will return the key to the Shift Supervisor. Both the ATWS BYPASSED and ATWS TROUBLE annunciators will then be extinguished and the system will be available for mitigation, if required.
Testing of the protection instrumentation for narrow range steam generators A, B, and C level, and for turbine load Channels III and IV is provided by Technical Services through regularly scheduled periodic tests.
These tests include calibration and operability test of the level transmitters, pressure transmitters, loop power supply modules, and the new TEC isolators.
The lifting of leads, pulling of fuses, and the installation of jumpers will not be required to test AMSAC.
M. COMPLETION OF MITIGATIVE ACTION
NRC Guidance
AMSAC shall be designed so that, once actuated, the completion of mitigating action shall be consistent with the plant turbine trip and auxiliary feedwater circuitry.
Plant specific submittals should verify that the protective action, once initiated, goes to completion, and that the subsequent return to operation requires deliberate operator action.
Position
Once initiated, AMSAC will go to completion and deliberate operator action will be required to reset and return to normal operation.
Completion of mitigation action will be assured through circuit design.
The ATWS mitigation system, AMSAC, will use rotary relays for output.
The auxiliary feedwater pump circuits are bi-stable.
The electrically driven pumps are enabled by 4KV switchgear which latches when closed, so that a loss of control power will not de-energize the pumps.
The steam turbine driven pump is enabled by tripping open the steam supply valve which is its fail safe position.
Turbine trip is accomplished through redundant trip circuits which energize solenoid valves to dump auto-stop oil pressure.
This allows the interface valve to drain the EHC system which trips the turbine.
The steam generator blowdown and sample isolation valves are also tripped to their fail safe position.
Restoring these circuits to remote manual operation from the Main Control Room requires the following:
1) reset the RPS/SS;
2) relatch the turbine at the EHC Panel; and
3) reset AMSAC after steam generator level has recovered above the setpoint.
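The actuation logic that sections L and M describe (two out of two turbine load for the C-20 permissive with its 120 second dropout, two out of three steam generator levels low, the 27 second trip delay, two out of three PLC voting, the two bypass switches, and a latched output that needs a deliberate reset) can be modelled in a few lines. This is an added illustration, not code from the submittal or from the PLC program; the class and function names, the one-second time step, the timer restart behaviour and the low-level setpoint value are assumptions.

```python
from dataclasses import dataclass

# Values stated in the submittal
C20_LOAD_PCT = 40.0     # C-20 permissive setpoint, percent turbine load
C20_DROPOUT_S = 120     # delay once the 2/2 turbine load condition is lost
TRIP_DELAY_S = 27       # delay whose expiration initiates mitigation
# Assumption: the submittal gives no steam generator low-level setpoint.
SG_LOW_LEVEL_PCT = 10.0  # placeholder for illustration only


def two_of_three_low(sg_levels):
    """True when at least two of the three steam generator levels are low."""
    return sum(lvl < SG_LOW_LEVEL_PCT for lvl in sg_levels) >= 2


@dataclass
class Plc:
    """One of PLC-A, PLC-B, PLC-C; each evaluates the same isolated inputs."""
    healthy: bool = True
    armed_left: int = 0   # seconds of C-20 permissive remaining
    low_for: int = 0      # seconds the armed 2/3 low-level condition has held

    def step(self, sg_levels, load_iii, load_iv):
        """Advance one second; return True when this PLC votes to trip."""
        if not self.healthy:
            return False  # a failed module contributes no vote
        if load_iii > C20_LOAD_PCT and load_iv > C20_LOAD_PCT:
            self.armed_left = C20_DROPOUT_S       # 2/2 turbine load present
        elif self.armed_left > 0:
            self.armed_left -= 1                  # permissive timing out
        armed = self.armed_left > 0
        # Assumption: the 27 s timer restarts if the condition clears.
        if armed and two_of_three_low(sg_levels):
            self.low_for += 1
        else:
            self.low_for = 0
        return self.low_for >= TRIP_DELAY_S


class AmsacPanel:
    """Three PLCs voting two out of three into one latched output."""

    def __init__(self):
        self.plcs = [Plc(), Plc(), Plc()]
        self.bypass_control_room = False  # Benchboard Section 2 switch
        self.bypass_panel = False         # switch inside the AMSAC panel
        self.actuated = False             # output relay state, latched

    def step(self, sg_levels, load_iii, load_iv):
        votes = sum(p.step(sg_levels, load_iii, load_iv) for p in self.plcs)
        bypassed = self.bypass_control_room or self.bypass_panel
        if votes >= 2 and not bypassed:
            self.actuated = True  # goes to completion; never self-clears
        return self.actuated

    def reset(self, sg_levels):
        """Deliberate operator reset, refused until level has recovered.
        Assumption: 'recovered' means the 2/3 low condition is clear."""
        if not two_of_three_low(sg_levels):
            for p in self.plcs:
                p.low_for = 0
            self.actuated = False
        return not self.actuated


def seconds_to_actuation(panel, scenario):
    """Feed one (sg_levels, load_iii, load_iv) tuple per second and return
    the elapsed seconds at first actuation, or None if it never occurs."""
    for t, (levels, load_iii, load_iv) in enumerate(scenario, start=1):
        if panel.step(levels, load_iii, load_iv):
            return t
    return None


# Constructed sample inputs (percent level, percent turbine load)
NORMAL = ((50.0, 50.0, 50.0), 100.0, 100.0)
LOW_AT_POWER = ((5.0, 5.0, 50.0), 100.0, 100.0)   # two of three SGs low
LOW_LOAD_LOST = ((5.0, 5.0, 50.0), 0.0, 0.0)      # load drops as well
LOW_BELOW_C20 = ((5.0, 5.0, 50.0), 30.0, 30.0)    # below the 40% setpoint

if __name__ == "__main__":
    run = [NORMAL] * 10 + [LOW_LOAD_LOST] * 60
    print("actuation at t =", seconds_to_actuation(AmsacPanel(), run), "s")
```

The LOW_LOAD_LOST case shows what the 120 second dropout does in this model: the permissive stays in effect after turbine load falls, so the 27 second timer can still run to completion.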
N. TECHNICAL SPECIFICATIONS
NRC Guidance
Technical specification requirements related to AMSAC will have to be addressed by plant specific submittals.
Position
Virginia Electric and Power Company agrees with the position stated in OG-171 that:
"We believe that the imposition of Technical Specification requirements on the WOG AMSAC System would constitute a backfit under the provisions of 10 CFR Part 50.109.
We do not believe that Technical Specification requirements for AMSAC provide a substantial increase in the overall protection of the public health and safety from the low-probability anticipated transient without scram (ATWS) events.
"We believe that Technical Specifications for AMSAC are unnecessary, do not enhance the overall safety of nuclear power plants, and constitute a backfit.
We believe that normal nuclear plant administrative controls are sufficient to control AMSAC."
Virginia Electric and Power Company will institute an administrative control program or will use or modify existing programs to provide for testing, maintenance, training and control of AMSAC.
6.0 ADDITIONAL NRC CONCERNS
A. Appendix R
Position
A review of Appendix 'R' has been completed to determine the effect of AMSAC.
The overall impact of AMSAC was favorable as it provided further assurance of reactor trip, turbine trip, and auxiliary feedwater initiation while adding minimal additional combustible load.
The review identified Volume I, Chapters 3, 4, and 5 and Volume III Chapter 8 as the areas potentially affected by the addition of an ATWS mitigation system.
Chapter 3 provides the safe shutdown system analysis.
Paragraphs 3.2.7 through 3.9.4 were reviewed.
Paragraph 3.6.1 discusses reactor trip which results from automatic operation of the Reactor Protection System or operator initiated manual trip.
The failure of the Reactor Protection System is precluded as the system is fail safe.
The ATWS mitigation system, AMSAC, does trip the reactor directly through the rod control motor generator sets, and indirectly through turbine trip, but the AMSAC system requires power to trip, i.e., it is not fail safe.
Paragraph 3.6.4, "Reactor Heat Removal Function", identifies the role played by the auxiliary feedwater system in recovering from a postulated fire.
The addition of the ATWS mitigation system, AMSAC, does not adversely change or affect the function of the auxiliary feedwater system.
Paragraph 3.6.5, "Process Monitoring Function" identifies the essential monitored parameters required to achieve hot shutdown and go to cold shutdown.
AMSAC, being fully Class 1E isolated, does not affect the process monitoring function.
Paragraphs 3.6.6, "Support Functions", and 3.6.7, "Hot Standby and Cold Shutdown", exclude the reactor protection system as a requirement to achieve and maintain safe shutdown.
AMSAC, as an extension of the reactor protection system, likewise would not be required to support safe shutdown.
37
(,
e e
Paragraph 3.7.4 describes the design and function of the auxiliary feedwater system during the hot shutdown to residual heat removal stage of incident recovery.
The addition of the ATWS mitigation system, AMSAC, does not change or affect the function of the auxiliary feedwater system, as the purpose is to improve the reliability of the reactor protection system and not to mitigate the consequences of a fire.
Paragraph 3.9, "Associated Circuits of Concern", was reviewed and found to be unaffected by the AMSAC modification.
The ATWS mitigation system, AMSAC, will not affect 1) the coordination of the Emergency Power System or 2) electrical protection of associated circuits of concern by common enclosure (the AMSAC panel), and 3) will not introduce spurious operation other than that already identified in Tables 3-5.C and 3-5.D.
Chapter 4 identifies the methodology used to provide compliance to Appendix R.
The areas of concern are Fire Areas 3 and 4, Emergency Switchgear Rooms Units 1 and 2, respectively.
Paragraph 4.4.2 addresses these fire areas.
As a result of the fire, the 4 kV emergency switchgear and the 7100 Process Instrumentation and Control System may be unavailable.
The consequences of adding the AMSAC panels would be the potential for fire related misoperation resulting in a reactor trip via a
Since the reactor is placed in a safe state consistent with the safe shutdown analysis, it can be assumed that misoperation of the ATWS mitigation system, AMSAC, also is of no consequence and is bounded by the existing report.
Attachment 1 to Chapter 5 of the Appendix 'R' Report describes the worst case fire scenario.
The two most sensitive fire areas are the Emergency Switchgear Rooms and the Cable Vault/Tunnel.
A fire in either of these areas results in jeopardizing control and indication functions in the Control Room, prohibits the use of the Auxiliary Shutdown Panel, and requires the most extensive use of local shutdown capability in combination with the Control Room and Remote Monitoring Panel.
The addition of an ATWS mitigation system, AMSAC, in the Instrument Rack Rooms of each Unit has no impact on the worst case fire scenario because automatic initiation of the auxiliary feedwater system has already been assumed to be lost, and the use of local shutdown capability will still be required.
The ATWS mitigation system (AMSAC) does not affect the station's fire protection capability.
The AMSAC system's function is to provide an improvement in reactor protection reliability.
Chapter 8 provides the combustible loadings; some of these loadings will increase due to the installation of AMSAC, but the increases should be acceptable.
When final design information is available, a final loading review will be performed.
The AMSAC modification does not adversely impact or affect the existing Surry Appendix R Report.
Consequently, complying with 10CFR50.62 will not prejudice existing compliance with 10CFR50 Appendix R at Surry.
[Figure: Logic diagram 14937.46-LSK-5-15A, "Anticipated Transients Without Scram", Surry Power Station, Virginia Power; Stone & Webster Engineering Corporation; DC-87-XX-1 & DC-87-XX-2; safety related. Steam generator A, B and C narrow-range level low signals pass through isolation (typical) into 2/3 logic, giving "Low level in 2/3 steam generators" for PLC A, PLC B and PLC C. Note 1: status light located over the Nuclear Instrumentation System.]
[Figure: Logic diagram 14937.46-LSK-5-15B, "Anticipated Transients Without Scram", Surry Power Station, Virginia Power; Stone & Webster Engineering Corporation; DC-87-XX-1 & DC-87-XX-2; safety related. Turbine impulse chamber pressure high (37%) signals pass through isolation (typical) into 2/2 logic, giving "C-20 permissive satisfied" for PLC A, PLC B and PLC C; the 1-ATWS and PLC test switch positions (normal, maintained) give "ATWS bypassed" to LSK-5-15C. Notes: 1. All white lights are located at the ATWS panel. 2. Permissive light located over the Nuclear Instrumentation System. 3. Test switch for PLC A shown; PLC B and PLC C similar.]
[Figure: Logic diagram 14937.46-LSK-5-15C, "Anticipated Transients Without Scram", Surry Power Station, Virginia Power; Stone & Webster Engineering Corporation; DC-87-XX-1 & DC-87-XX-2; safety related. For each of PLC-A, PLC-B and PLC-C the inputs are low level in 2/3 steam generators (LSK-5-15A), local switches 1-ATWS and PLC test switch in normal (LSK-5-15B), and C-20 permissive satisfied (LSK-5-15B); ATWS armed on PLC-A, PLC-B and PLC-C feeds 2/3 logic. Outputs, trains A and B: energize turbine trip solenoid (20AST-1, 20AST-2), trip steam generator blowdown valves, start auxiliary feed pumps, open PCV-MS102 (auxiliary feed pump 2 start), and trip rod control M.G. sets A and B; status outputs are ATWS bypassed and ATWS actuated. ATWS reset switch: maintained, spring return from reset. Note 1: status light located over the Nuclear Instrumentation System.]
[Figure: Logic diagram 14937.46-LSK-5-15D, "Anticipated Transients Without Scram", Surry Power Station, Virginia Power; Stone & Webster Engineering Corporation; DC-87-XX-1 & DC-87-XX-2; safety related. Black battery inverter voltage low, ATWS panel door open, and voltage low, module failure and frequency low for each of PLC-A, PLC-B and PLC-C feed PLC-A trouble, PLC-B trouble and PLC-C trouble, which combine into ATWS trouble.]
NOTES:
1. Programmable logic controller (PLC) voltage low is a PLC power supply monitor consisting of a transistor DC voltage output being supervised by a DC voltage input transistor on another PLC.
2. PLC frequency low is a watchdog timer consisting of an oscillator driving a transistor to transistor logic (TTL) output module which talks to a TTL input module on another PLC.
3. Black battery uninterruptible power supply (UPS) voltage monitoring is for PLC protection and to detect total loss of system.
4. All white lights are located at the ATWS panel.