Text

Forwards Updated ATWS Mitigating Sys Actuation Circitry plant-specific Design,Per NRC 871202 Request
	ML18151A510
Person / Time
Site:	Surry, North Anna, 05000000
Issue date:	02/18/1988
From:	Stewart W; VIRGINIA POWER (VIRGINIA ELECTRIC & POWER CO.)
To:	; NRC OFFICE OF ADMINISTRATION & RESOURCES MANAGEMENT (ARM)
References
	85-316H, NUDOCS 8802220255
	Download: ML18151A510 (97)
	v • d • e

.

/

e e VIRGINIA ELECTRIC AND POWER COMPANY RICHMOND, VIRGINIA 23261 W. L. STEWABT VICE PRESIDENT NUCLEAR OPERATIONS February 18, 1988 United States Nuclear Regulatory Commission Serial No. 85-316H Attention: Document Control Desk Docket Nos. 50-280 Washington, D.C. 20555 50-281 50-338 50-339 License Nos. NPF-4 NPF-7 DPR-32 DPR-37 Gentlemen:

VIRGINIA ELECTRIC AND POWER COMPANY NORTH ANNA POWER STATION UNITS 1 AND 2 SURRY POWER STATION UNITS 1 AND 2 ANTICIPATED TRANSIENT WITHOUT SCRAM-AMSAC DESIGN On December 2, 1987, a telephone conference was held by NRC personnel including a consultant from EG&G and Virginia Electric and Power Company personnel to discuss our AMSAC Design Submittals. The discussions involved information included in our July 31, 1987 Surry submittal, serial number 87-347, and our September 30, 1987 North Anna submittal, serial number 85-316G. These discussions resolved all open items with the exception of three open items per station.

The open items were:

1. Change C-20 permissive time per WCAP-10858-Revision 1 for both stations.

2. Update logics to reflect changes for Surry.

3. Provide information on physical separation for North Anna.

4. CoIIllllit to perform periodic testing for both stations.

These open items and further clarification on other items which were discussed is provided in the attachments to this letter. Attachment 1 is our updated North Anna AMSAC plant specific design and Attachment 2 is the same for Surry.

:-**-----)

~fl~~

[880222025!:°1 88021.8

, F'll.R ADOCK 05000280 I

I f\ '\'

l1CD

1F'

.l-*, I .,/

These documents supercede our earlier design submittals, July 31, 1987 for Surry and September 31, 1987 for North Anna. Changes from these submittals are indicated by bars in the margin.

Very truly yours, cc: U. S. Nuclear Regulatory Commission Region II 101 Marietta Street, N.W.

Suite 2900 Atlanta, Georgia 30322 Mr. J. L. Caldwell NRC Senior Resident Inspector North Anna Power Station Mr. W. E. Holland NRC Senior Resident Inspector Surry Power Station

!'TORTII ANNA AND SURRY ANTICIPATED TRANSIEl'IT' WITIIOUT SCRN1-AMSAC DESIGN * ,

. . D~>t:kk~t # _p0-28t9 Con<trol *!li~Q~,Sp Dn.-w0.2 B8 o f ~

. RE-GULAT()RY .DOV~ ffl;'F.

ATTACHMENT 1 I

L__

Attachment LICENSING POSITION ATWS .MITIGATION SYSTEM ACTUATION_ C!RCUITRY (AMSAC)

NORTH ANNA POWER STATION - UNITS l ANO 2

1.0 INTRODUCTION

In order to comply with 10CFRS0.62 ~Requirements for Reduction of Risk From Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," the Westinghouse Owners Group (WOG) prepared and submitted for Nuclear Regulatory Conmission (NRC) review and approval topical report WCAP-10858 "AMSAC Genetic Design Package." The NRC's accept-nee position of the generic topical report and WCAP-10858A "AMSAC Generic Design Package" formed the basis for preparing North Anna's licensing submittal.

2.0 BACKGROUND

The Anticipated Transients Without Scram (ATWS) Final Rule, 10CFRS0.62, allowed the NRC to amend its regulations to require improvements in design and operation of pressurized water reactors to reduce the likeli-hood of a failure to scram and to mitigate the consequences of an ATWS.

The NRC does not believe that the current reactor trip system achieves adequate reliability. They believe this is due to two reasons: (1) reliability standards are not sufficiently developed or qualitatively documented; and (2) the dominant role played by co111110n mode failures.

Consequontly, the ATWS Ffnal Rule requires diversity from sensor output to the final actuation device to automatically initiate auxiliary feed-water flow and trip the turbine under conditions indicative of an ATWS.

3.0 CRITERIA North Anna must_ implement paragraph (C)(l) of 10CFRS0.62, "Each pressurized water reactor must have equipment from sensor output to final 134-8SD-5281NA-4

actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary feedwater system and initiate a turbine trip under conditions indicative of an ATWS. *This equipment must be designed* to- "pe-rform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system."

Although the required ATWS mitigation system does not have to be safety related, it is part of the class of systems and components defined in General Design Criteria (GOC)

1, which requires that "structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards conniensurat_e with the importance of the safety functions to be performed. II Generic Letter 85-06 "Quality Guidance for ATWS Equipment That Is Not Safety Related" provides direction for the Quality Assurance program that must be applied to the ATWS mitigation system.

4.0 DESIGN DESCRIPTION The Westinghouse Owners Group (WOG) in concert with Westinghouse Electric Company prepared WCAP-10858, "AMSAC Generic Design Package." This document was submitted to obtain NRC approval of the design prior to implementation of the_ changes required by 10CFRS0.62. The application for NRC review was submitted in 1985 with the Draft SER issued in June 1986, and the Final Safety Evaluation published July 7, 1986. The Final Safety Evaluation (Final SER) approved WCAP-10858 and accepted the principal of using only one of three proposed functional designs to detect the onset of ATWS. An accepted version of WCAP-10858, WCAP-10858-Revfsfon A, was issued in October, 1986. An updated version, WCAP-10858-Revfsfon 1, was submitted by the WOG on August 3, 1987.

By definition, an ATWS is an expected operational transient (1.e., loss of feedwater, loss of condenser vacuum, or loss of offsfte power) which is accompanied by a failure of the reactor trip system to shutdown the reactor. The three functional designs proposed to provide detection of a

failure of the Reactor Protection System (RPS) to initiate a reactor trip 134-BS0-5281NA-5

[ __ _

and a loss *Of feedwater or loss of load are based on the power level (reactor or turbine power) and the monitoring of (1) steam generator inventory level, (2) feedwater flow, or (3) feedwater pump breaker and valve position s~atus.

For each functional design, prov1s1on for the existing reactor protection system to operate is provided by time delaying the ATWS mitigation signal. Likewise, an automatic permissive (C-20) for each functional design is provided by. two turbine load signals above a predetermined value and a time delay on

de-en.ergizing is utsed to keep the ATWS mitigation system available for a preset period even if the existing reactor protection system trips the turbine successfully.

Functional design 1, using steam generator narrow rang~ level as the detection variable, will be used at North Anna. Each of the three narrow range level transmitters in each of the three steam generators will be used in conjuncti-0n with the first stage turbine pressure channels to derive the ATWS mitigation system. If any two of the three leval transmitters in any two of three steam generators are less than or equal to 13 percent of narrow range level span and the turbine is greater than or equal to 40 percent load ATWS mitigation, AMSAC, will be initiated automatically. A time delay of approximately 27 seconds is provided to allow the existing reactor protection system to respond first. In the event of an ATWS event and the expiration of the time delay, the main turbine will be tripped, all .three auxiliary feedwater pumps will start, the steam generator blowdown isolation and sample isolation valve~ will

receive an automatic close signal, and the breakers which supply power for each rod control motor generator will be tripped.

ATWS mitigation by AMSAC is automatically blocked below 40 percent power by

a newly inst~lled permissive (C-20) that is derived from the First Stage Pressure {FSP) transmitters. This automatic block will be defeated for approximately 360 seconds following a decrease of FSP below 40 percent. This time delay will be required for the instance wherein an ATWS event occurs and the turbine load reduces causing FSP to drop below 40 percent. The ATWS mitigating actions, AMSAC, will still be 134-8SD-5281NA-6

initiated automatically if a loss of heat sink (steam generator inventory loss) occurs within the 360 second time delay .

5.0 SPECIFIC-REQU.IREMENTS .

The NRC Staff accepted WCAP-10858 as a generic concept. Consequently, the Staff approved: (1) implementation of any one of the three functional designs for the detection of an ATWS event; (2) use of existing transmitter, impulse lines, transmitter power supplies, and isolators; (3) testing of the ATWS*mitigation system in bypass; and (4) the use of an operating bypass, the C-20 permissive, to prevent spurious actuation in either start-up or shutdown.

The Staff also identified 14 key elements which will be reviewed on a case-by-case basis. These 14 key elements, the NRC guidance for each element,. and North Anna's positions are discussed below. Engineering is in progress on this system but is not complete, therefore certain changes may be made between details contained in the plans outlined in~this letter and the system installed in the plant.

The 14 key elements are:

A. Diversity B. Logic Power Supplies

c. Safety Related Interface

o. Quality Assurance E. Maintenance Bypasses F. Operating Bypasses G. Means for Bypassing H. Manual Initiation I. Electrical Independence from Existing Reactor Protection System J. Physical Separation from Existing Reactor Protection System K. Environmental Qualification L. Testability at Power M* Completion of Mitigative Action

N. Technical Specifications 134-BS0-5281NA-7

A. DIVERSITY NRC Guidance The plant specific submittal should indicate the degree of diversity that exists between the AMSAC equipment and the existing Reactor Protection System. Equipment diversity to the extent reasonable and practicable to minimize the potential for corm,on cause failures is required from the sensors output to, but not including, the final actuation device, e.g., existing circuit breakers may be used for the auxiliary feedwater initiation. The sensors need not be of a diverse design or manufacture. Existing protection system instrument-sensing lines, sensors, and sensor power supplies may be used. Sensor and instrument sensing lines should be selected such that adverse interactions with existing control systems are avoided.

Position

Diversity between the existing Reactor Protection System (RPS) and the ATWS mitigation system . (AMSAC) to minimize the potential for co11111on cause failures is required from sensor output, but not including the final actuation device. The instrument sensors do not have to be diverse. Therefore, existing protection system instruments, impulse lines, and transmitter power supplies may be used. Instruments and their related impulse lines must be selected to prevent adverse interaction with existing control systems.

North Anna plans to implement Functional Design 1 of WCAP-10858, Steam Generator Level less than or equal to 131 of narrow range level span, to initiate the AMSAC. Attached are preliminary Logic Diagrams w~1ch show how Steam Generator Level will be implemented *

134-8SD-5281NA-8

Each of the three narrow range level instrument loops (Channels I, II, and III) on each of the three steam generators (A, B, and C)

- will be used to provide isolated non-safety-related signal inputs to the AMSAC-,-ogic system.

An isolated signal from Channels I, II, and III of steam generator A narrow range level will input to AMSAC Programmable Logic Controller A (PLC A). An isolated signal from Channels I, II, and III of steam generator B narrow range level will input to AMSAC PLC B, and an isolated signal from Channels I, II, and III of steam generator C narrow range level will input to AMSAC PLC C.

Channel I and II narrow range steam generator A,* B, and C level signals provide protection functions and through isolators provide computer input and indication functions. The same isolators will be used to provide AMSAC input. Channel III narrow range steam generator A, B, and C level signals provide protection function and through isolators provide computer input, indication, acd control functions. These isolators will also be use_d to provide AMSAC inputs. Channel III narrow range levels are the only steam generator level signals which could adversely interact with steam generator water level control system. The possibility of an adverse interaction between.control and AMSAC circuitry due to* an unrecognized failure of the Channel III narrow range level has been considered. Assuming the worst case failure, *i.e., one steam generator Channel III level fails high, the affected PLC would default to a two out of two logic ba~ed on the two operable level channels. The remaining two PLCs would continue functioning normally, that is, a low indication on two out of three narrow range steam generator level channels would continue to satis_fy the individual PLC trip logic. Therefore, adverse interaction between the. Channel III control circuitry and the AMSAC steam generator level logic has been prevented.

If a channel III narrow range steam generator level channel were to be declared inoperable due to either: failing off-scale high, 134-BSD-5281NA-9

failing off-scale low, or based on a channel check {detecting that the channel had drifted high* or low relative to the other two channels), it would be placed in trip. As a result~ the logic for the affected Programmable Controller would conservatively. default to a one out of two coincidence ..

By using signals from three different*channels, i.e., I, II, and III, the level transmitters, their associated impulse lines, and the level transmitter power supplies are electrically and physically independerit and, therefore, non-interacting.

Channels III and IV turbine impulse chamber pressure provide protection and control signals. Isolated signals will be used to develop the C-20 permissive. The isolated signals are also used to provide control inputs. The implementation of AMSAC does not adversely affect or degrade the turbine impulse chamber pressure signals.

The independence of the control system signals derived from the protection system is provided by Class lE qualified isolators.

The signals obtained from the isolators are never returned to the protection system. Thts is consistent with the requirements of General Design Criterion 24 Separation of Protection and Control System. Consequently, the use of isolated steam generator level and turbine impulse chamber pressure signals neither compromises the protection system nor_ introduces an adverse control system interaction.

North Anna's RPS utilizes a Westinghouse 7300

Process Instrumentation and Control System (7300 System). The 7300 System is a voltage.

based instrumentation system except for the required current interface with the process transmitters. All 11 analog signals will be isolated and provided to AMSAC for the solving of coincidence logic. Independence of AMSAC from the existing RPS is achieved through the use of existing qualified isolators which buffer the voltage. signals. originating in the 7300 System.

134-BSD-5281NA-10

Connecting AMSAC downstream of the existing isolators will ensure that the non-safety-related AMSAC will not degrade the existing RPS .

.Actuation logic diversity will be provided between the RPS and AMSAC. The existing RPS uses a Westinghouse Solid State Protection System (SSPS) to perform this function. The SSPS. uses input relays by C. P. Claire, Type GPl, to provide ground inputs to Motorola negative logic gates which in turn solve the coincidence logic. The negative logic gates drive master output relays which also are C. P. Claire Type GPl, and the master output relays in turn drive slave output relays. The slave output relays are Westinghouse Type AR and provide equipment actuation. AMSAC will use a programmable logic controller (PLC) to solve the coincidence logic. The PLC will use a microprocessor manufactured by Intel (8086) which represents an entirely different technology with respect to Motorola's negative logic gates as used in the SSPS. Input relays will not be required by the PLC. However, ~

output relays are required in order to provide isolated safety-related mitigation permissives to existing final actuation devices.

These output relays wi 11 be Electro Switch Type CSR rotary relays. The SSPS ~slave output relays are conventional hinged armature machine tool type relays. AMSAC output relays will use different principles of operation and will be made by a different manufacturer.

Therefore, a sufficient degree of diversity is provided through the consistent application of different manufacturers and different operating principles.

B. LOGIC POWER SUPPLIES NRC Guidance The plant specific submittal should discuss the logic power supply

design. According to the rule, the AMSAC logic power supply is 134-BSD-5281NA-11

not _required to be safety-related (Class lE). However, logic power should be from an* instrument power supply that is independent from the reactor protection system (RPS) power supplies. Our review of additional information submitted by WOG indicated that power to the logic circuits will utilize RPS batteries and inverters. The staff finds this portion of the design unacceptable, therefore, independent power supplies should be provided.

Position Virginia Electric and Power Company will assure independence from the RPS power supplies by uti1izing a non-RPS related Uninterruptible Power Supply (UPS) as the AMSAC power supply. The UPS will consist of a battery, battery charger, and inverter.

C. SAFETY-RELATED INTERFACE NRC Guidance The pl~nt specific submittal should show that the implementation is such that the existing protection system continues to meet all applicable safety criteria.

Position Isolators are the devices which buffer AMSAC from the safety-related* equipment and systems. Existing qualified isolators in the 7300 System will provide non-safety-related analog signals to AMSAC. The company will use Electro Switch Control Switch Relay Series 24 CSR rotary relays, which will be mounted in the top of the AMSAC panel with a steel shelf interposed between the coil section and the contact section, to provide isolated safety-related AMSAC outputs to actuate safety-related equipment. This approach does not violate any safety criteria applicable to the SSPS, i.e., IEEE Standard 279-1971, General Design Criteria 20 through 25, and North Anna's UFSAR Section 7.2.

134-BSD-5281NA-12

D. QUALITY ASSURANCE NRC Guidance The plant specific submittal should provide information regarding compliance with Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related."

Position North Anna's AMSAC complies with the requirements of Generic Letter 85-06, "Quality Assurance Guidance for AMSAC Equipment that is not Safety Related."

A detailed response to each of the eighteen specific g~idelines follows:

I. Organization NRC Guidance The normal line organization is expected to verify compliance with this guidance. A separate organization is not required.

If desired, the existing Appendix B QA organization may be involved but this is not required.

Position Vfrgfnfa Electric and Power Company will purchase only portions of the AMSAC equipment as non-safety-related. These purchases will be made in accordance with the Nuclear Operations Department Standards by personnel who are involved in both safety-related and non-safety-related purchases. The Appendix B QA organization may be involved as deemed appropriate.

134-BS0~5281NA-13

r r. Program NRC Guidance rt is expected that the existing body of plant procedures or practic-es wf 11 describe the qua 1i ty contro 1s app 1i ed to the subject equipment. A new or separate QA program is not required.

Position Virginia Electric and Power Company will use the existing program of Nuclear Operations Department Standards and Station Administrative Procedures which apply to non-safety-related equipment for the non-safety-related AMSAC equipment. A new and dedicated QA program will not be implemented.

III. Design Control NRC Guidance Measuresl/ are to be established to ensure design specifications are included or correctly translated into design documents 'f/ and to ensure that all design control activities are consistent with the requirements of 10 CFR 50.59. Normal supervisory review of the designer's work is an adequate control measure.

17 Except for design control measures, where the utility is responsible for ensuring that design control measures are applied at contractor or subcontractor organizations, the term "measures* applies only to activities within the HcensH's or applfcant's organization. However, the design control measures to be applied at contractor or subcontractor organizations need be no more stringent than those required of the utility.

£1 Except for the record keeping requirements of 10 CFR 50.59 and requirements XVII of this guidance document, any records that are generated as a result of implementing these QA controls are not required to be maintained.

134-BS0-5281NA-14

Position

-Virginia Electric and Power Company has determined that a portion of the work involved in the installation of AMSAC is safety-related as it involves the interface of safety-related and non-safety-related equipment. As such, design work will be controlled in accordance with *the standards for safety-related work as identified in the Virginia Power Nuclear Design Control Program.

IV. Procurement Document Control NRC Guidance Measures are to be established to ensure system specifications and quality requirements, where applicable, are included in procurement documents.~/

Position Virginia Electric and Power Company through the use of Nuclear Design Control Program, the Nuclear Operations Department Standards, and the Station Administrative Procedures will

~

ensure system specifications and quality requirements are included as applicable in non-safety-related AMSAC procurement documents.

V. Instructions, Procedures and Drawings NRC Guidance Measures are to be established which ensure that quality controls will be applied to activities that affect quality.

These measures may include such things as written instructions, plant procedures, cautionary notes on drawings and special instructions on work orders. Any methodology which provides the appropriate degree of guidance to utility personnel performing quality-related activities will satisfy

~/ Except for the record keeping requirements of 10 CFR 50.59 and requirements XVII of this guidance document, any records that are generated as a result of implementing these QA controls are not required to be maintained.

this requirement. Maintenance on the equipment shall be based on the appropriate use of vendor information. Any departure

from such vendor guidance shall be based on an adequate

. engin~er-ing "rationaleJ/

Position Virginia Electric and Power Company will implement this modification through a separate Design Change Package (DCP) for each unit. The.DCPs are being prepared safety related.

The Nuclear Operations Department Standards provide for c.1is means of implementation via the Nuclear Design Control Program. Each DCP will be issued by engineering and approved by the Station Nuclear Safety and Operating Co11111ittee prior to implementation. Each DCP will also provide procedures, instructions and drawings sufficient to provide for proper installation and testing. Maintenance information supplied by vendors will be included.

VI. Document Control NRC Guidance Measures are to be established to control the issuance of and changes to documents affecting quality.~/

Position Vtrgfnfa Electric and Power Company will control and retain implementation documents fn accordance with the Virginia Power Nuclear Design Control Program and will control procurement documentation fn accordance with the Nuclear Operations o*epartment Standards.

f/ see footnote 2, page 15 134-BS0-5281NA-16

VI I. Control of Purchased Items and Services NRC Guidance Measures are to be established to ensure that all purchases

* -conform-to appropriate procurement documents.~/ Such measures may include the performance of receipt inspections by stores or warehouse personnel or plant engineering personnel.

Position The Company will assure the c~ntrol of purchased items and/or services for AMSAC which are non-safety-related in accordante with the Nuclear Operations Department Standards which include provisions for inspections as required.

VIII. Identification and Control of Purchased Items

, NRC Gui dance Measures are to be established, where necessary, to identify and* control purchased items. Examples of circumst,ances requiring such control include the storage of environmentally sensitive equipment or material and the storage of equipment or material that has a limited shelf-life.

Position The company will assure the identification and control of non-safety-related material purchased for AMSAC in accordance with the Nuclear Operations Department Standards and the Virginia Power purchase order requirements determined in accordance with the Nuclear Design Control Program. No limited shelf-life items are included in the present design.

f/ see footnote 2, page 15 134-8SD-52SiNA-17

IX. Control of Special Processes.

NRC Guidance Measures- are to be established to control special processes, including welding, heat treating, and non-destructive testing.*

Applicable codes, standards, specifications, criteria, and other special requirements may serve as the basis of these controls.

Position The Company at this time is not planning to use any special processes in the purchase, fabrication or installation of the non-safety-related AMSAC materials. However, work performed at a vendor would be perfonned as normally done on standard

products or would be in accordance with the purchase order or specification or approved procedure as required for non-safety-related AMSAC. ;

X. Inspection NRC Guidance Measures are to be established to inspect activities affecting quality. Inspections are to be accomplished in order to verify that these activities are in conformance with the available documentatio~. or, if no documentation is available, to verify that these activities are being satisfactorily accomplished. In general, the 1ine organization is responsible for determining the inspection requirements and for ensuring that sufficient inspections are performed. Inspections need not be performed by personnel who are independent of the line organization. Inspections shall be performed by knowledgeable personnel.

2'7 see footnote 2, page 15 134-BS0-5281NA-18

Position The Company_ will have inspections performed on non-safety-related ATWS equipment as deemed necessary based on compliance with the Nuclear Operations Department Standa_rds and the Nuclear Design Control Program.

XI. Testing NRC Guidance Measures are to be established to test, as appropriate, non-safety-related AMSAC equipment prior to installation and ope~ation and then periodically. Results ~f the tests should be evaluated to ensure that the test requirements have been satisfied.

Position The Company will, fn accordance with the Final Design Testing Section of the Design Change Package as required by the Nuclear Design Control Program, assure that the system performs properly pri<>r to operation. The periodic testing is discussed in Section "L" later in this response.

XII. Control of Measuring and Test Equipment NRC Guidance Measures are to be established to control, calibrate, and adjust measuring and test equipment at specific intervals.

Position Measuring and Test Equipment will be maintained and calibrated in accordance with Station Administrathe Procedures *

134-BSD-528INA-19

xr rr. Handling, Storage and Shipping

- NRC Guidance Measures are to be established to control handling, storage, shipping, cleaning, and preservation of purchases in accordance with utility practices and manufacturer's recommendations.

Position This will be performed in accordance with the Nuclear Operations Department Standards.

XIV. Inspection, Test, and Operating Status NRC Guidance Measures are to be established to indicate status of

inspection, test, and operability of installed non-safety-related ATWS equipment.

Position The inspection and testing of installed non-safety-related AMSAC equipment will be as discussed in Section 11 L11 of this response. The operating status of AMSAC will be indicated by annunciators in the control room and status lamps on the AMSAC panel.

XV. Nonconformances NRC Guidance Measures are to be established to identify nonconformances *

134-BSD-5281NA-20

Position The Company will identify and disposition nonconformances in

- accord~nce with the Nuclear Operations Department Standards and Station Administrative Procedures.

XVI. Corrective Action System NRC Guidance Measures are to be established for prompt correction of conditions which are adverse to quality (i.e.,

nonconfonnances), and to preclude repetition of conditions adverse to quality.

Position The Company will identify and disposition nonconfonnances in

XVII.

accordance with the Nuclear Operations Department Standards and Station Administrative Procedures.

Records NRC Guidance Measures are to be established to maintain and control records of activities fn accordance with the requirements of 10 CFR 50.59. In addition, measures are to be established to maintain and control appropriate records to ensure that the requirements specified in the table accompanying the ATWS rule (49 FR 26036, pp. 26042-26043) have been met *

134-8SD-5281NA-21

Position The Company will maintain records in accordance with the

- -Nucte-ar* -operations Department Standards and the Nuclear Design Control Program_.

XVIII. Audits NRC Guidance Audits which are i~dependent of line management are not required, if line management periodically reviews the adequacy of the quality controls and takes any necessary corrective action. Line management is responsible for determining whether reviews conducted by line management or audits conducted by an organization independent of line management are appropriate.

Position Independent audits are not planned at this time but may be performed as required.

E. MAINTENANCE BYPASSES NRC Guidance The plant specific submittal should discuss how maintenance at power is accomplished and how good human factors engineering practice is incorporated into the continuous indication of bypass status in the control room.

Position AMSAC ma1ntenance during unit power operation will be accomplished through operation of either of two bypass switches. One is located fn the Main Control Room on Benchboard Section 2 and the other is located within the AMSAC 134-BSD-5281NA-22

panel. In neither case will the lifting of leads, tripping of breakers, use of physically blocking relays, nor the pulling of fuses be required to bypass AMSAC. Bypass status will be

_ a~nun~~a_t~d _in the Main Control Room above Vertical Section l.

The alarm will be located to provide bypass status to the reactor operator. The new alarm will meet accepted human factors guidelines as delineated in Virginia Electric and Power Company's Human Factors Standard STD-GN-0005. In accordance with the Virginia Electric and Power Company Nuclear Design Control Program, a review of the human factors acceptability of this modification will be performed and the results will be noted in the implementation document.

For maintenance bypass the following human factors principles will be implemented:

1. The information provided by displays and control equipment added to the Main Control Room as a result of implementing the AMSAC Fina 1 Ru 1e wn 1 not increase the po_tenti a 1 ~ for operator error under both normal and abnormal plant conditions. Bypass for maintenance will be clearly displayed to the o~erator.

2. AMSAC will be integrated into the applicable Emergency Operating Procedures and the applicable Maintenance Procedures.

3. AMSAC will be integrated into the operator training program and the North Anna simulator will also be modified to incorporate the implementation of AMSAC.

4. AMSAC will be time delayed to allow the existing reactor protection system to respond first. Consequently, the alann "AMSAC ACTUATED" should always be received after the existing reactor protection system conmences mitigation.

Since AMSAC will be installed to mitigate a failure of the RPS, the AMSAC ARMED and AMSAC ACTUATED alarms may be prioritized. During normal operation the operator will be 134-BS0-5281NA-23

trained to expect AMSAC BYPASSED, AMSAC TROUBLE, and AMSAC ARMED alarms. As AMSAC BYPASSED and AMSAC TROUBLE wiil be

st~~u_s_ala_rms, prioritization may not be required. The alarm AMSAC ARMED will be a pre-trip annunciation which could prompt operator responses and may be prioritized.

This will be reviewed; however, due to the brief time delay, 27 seconds, operator action based on this alarm is not expected.

F. OPERATING BYPASSES NRC Guidance The plant specific submittal should state that operating bypasses are continuously indicated in the control room; provide the basis for the 70 percent or plant specific operating bypass level; discuss the human factors design aspects of the continuous indication; and discuss the diversity and independence of the C-20* permissive signal (defeats the block of AMSAC).

Position The design bases for the new AMSAC unique C-20 permissive, which defeats the operating bypass, two out of two turbine first stage pressures increasing, are:

1. "Westinghouse Anticipated Transients Without Trip Analysis," WCAP-8330, August 1974.

2. "Anticipated Transients Without Scram for Light Water Reactors," NUREG-0460, December 1978.

3. Anderson, T. M., "AMSAC Submittal," Westinghouse letter NS-TMA-2182 to S. H. Hanauer of the NRC, December 1979 .

134-BSD-5281NA-24

These three documents demonstrated that ATWS mitigation need not be initiated below 70 percent turbine load because_ reactor

coolant system pressure does not approach the ASME Boiler and Pressure Vessel.Code Level C Service Limit of 3200 psig (NRC criteria - for successful ATWS mitigation). Continuing analyses by Westinghouse, the reiults thereof which were transmitted to the NRC by WOG letter OG-87-10 as Addendum l to WCAP-10858-P-A on "February 26, 1987, have confirmed that peak reactor coolant system pressure resulting from an ATWS at 70 percent turbine load will not exceed the ASME Level C Service Limit of 3200 psig. However, as the pressure decreases, there will be bulk boiling of the reactor coolant system inventory for 10 minutes after the ATWS peak pressure even with operator intervention.

Consequently, to preclude bulk boiling of the reactor coolant, the new C-20 permissive setpoint must be reduced to 40 percent turbine load. To ensure spurious AMSAC initiations dti. not*

occur at low power levels, i.e., less than 40 percent turbine load, or during startup, an automatic bypass will be provided to defeat automatic AMSAC initiation below 40 percent turbine load. Should an ATWS occur below 40 percent turbine load operator action will be required to initiate auxiliary feedwater flow to preclude the consequences of operating without a heat sink. The revision of the C-20 permissive to 40% is in accordance with Addendum 1 to WCAP-10858-P-A, which was submitted to the NRC by the ~estinghouse Owners Group on February 26, 1987.

The conservatively proposed minimum setpoint is 37 percent turbine load which provides an allowance for instrument channel -

inaccuracy to assure ATWS mitigation will be available when the unit is at or above 40 percent load.

Diversity from the existing reactor trip system (7300 System/SSPS) will be provided from the sensor output. Sensor

output is defined as the signal available at the 1solated 134-BSD-5281NA-25

output of the loop power supply (7300 System printed circuit card type NLP). The ATWS mitigation system will use Gould Model 884 programmable logic controllers (PLCs). These devices

- ~ill -io~~ly ~ith the NRC's diversity requirements because:

1. . The PLCs are manufactured by someone other than Westinghouse.

2. The PLCs use integrated circuit. technology versus the discrete component/operational amplifier technology of the 7300 System.

3. The 7300 System comparators {NAL cards) have a voltage output where as the PLCs have analog to digital converters which provide a digitally coded output signal.

Independence from the 7300 System and the SSPS (the reactor trip system) will be provided by signal isolator modules#7300 System type NLP. Adequacy of isolation is documented in

Westinghouse*s Topical Report WCAP-8892-A "Westing~ouse 7300 Series Process Control System Noise Test". WCAP-8892-A satisfies the IEEE Standard 279-1971 and Regulatory Guide 1.75.,

Therefore, the C-20 permissive (turbine load at or above 40 percent) which defeats the block of the AMSAC initiation system will be independent from the SSPS.

The operating bypass will defeat ATWS mitigation below 40 percent turbine load. Consequently, the bypass will be continuously annunciated fn the control room until it is defeated by the C-20 permissive. The control room annunciation ts consistent with accepted human factors guidelines. A human factors review will be conducted during the design process to assure that the information provided by this display will not increase the potential for operator error under both normal and abnormal plant conditions. AMSAC will be integrated into the operator training program and. the Station's simulator will also 134-8SD-5281NA-26

be modified to incorporate the implementation of AMSAC including this continuous annunciation, when the turbine is

below 40 percent load.

The C-20 permissive, which will defeat the operating bypass, will utilize the existing 7300 System turbine impulse chamber pressure signals that originate in Channels III and IV. The use of the existing pressure transmitters, sensing lines, and pressure transmitter power supplies is permitted by the ATWS Final Rule. Justification for using the existing isolators, 7300 Systems type NLP, is provided in the SER which approved WCAP-10858.

G. MEANS FOR BYPASSING NRC Guidance The plant specific submittal should state that the means f~r bypassing is accomplished with a permanently. installed, human factored, bypass switch or similar device, and verify that disallowed methods mentioned in the guidance are not utilized.

Position The means for bypassing, whether it be for maintenance or testing, will be by permanently installed bypass switches. The lifting of leads, pulling of fuses, tripping of breakers, and use of physically blocking relays will not be required for bypassing. Two switches per unit will be utilized. The primary bypass switch will be located in the Main Control Room

on Benchboard Section 2. The second bypass switch will be located wHhin *the ATWS mitigation panel. As stated under Operating Bypass and Maintenance Bypasses, both switches will be annunciated in the Main Control Room. Both bypass switches adhere to the requirements of NUREG-0700 with respect to

134-BS0-5281NA-27 operating level, direction of operation, labeling, and annunciation.

A human factors review will be conducted as part of the design process to assure that the control equipment added to the Main Control Room as a result of implementing the ATWS Final Rule

- will - not increase the potential for operator error under both nonnal and abn9nnal plant conditions. AMSAC will be integrated into the operator training program and the North Anna simulator will be modified to incorporate the implementation of AMSAC.

H. MANUAL INITIATION NRC Guidance The plant specific submittal should discuss how a manual turbine trip and auxiliary feedwater actuation are accomplished by the operator.

Position Manual initiation of turbine trip can be accomplished from the control room via the two pushbuttons on benchboard Section 2.

The turbine can also be manually tripped locally via the trip handle which is located in the turbine pedestal in the Turbine Building. Manual initiation of auxiliary feedwater flow can be*

accomplished from the control room by turning the control switches for motor driven auxiliary feedwater pumps 1-FW-P-3A/B to start, and by turning the selector switch for TV-MS-lllA and/or TV-MS-1118 to open to start the steam turbine driven auxiliary feedwater pump. All three auxiliary feedwater pumps can also be controlled outside the control room from the Auxiliary Shutdown panel which is located in the Emergency Switchgear Room. The electrically driven pumps can also be started at their breakers in the Emergency Switchgear Room by use of the local breaker control switch. All of these methods are diverse from the existing RPS *

134-BS0-5281NA-28

I. ELECTRICAL INDEPENDENCE FROM EXISTING REACTOR PROTECTION SYSTEM NRC Guidance The plant specific submittal should show that electrical

- Jnde,pendence is achieved. This is required from the sensor output to the final actuation device at which point non-safety-related circuits must be isolated-from safety-related circuits by qualified Class lE isolators. Use of existing isolators is acceptable. However, each plant specific submittal should provide an analysis and tests which demonstrate that the exist-ing isolator will functioa under the maximum worst case fault conditions. The required method for qualifying either the existing or diverse isolators is presented in Appendix A.l/

Position ATWS m;tigation equipment, per 10CFRS0.62, need not be safety-related; however, the existing steam generator level instrumentation is safety-related, and AMSAC will provide ~

outputs to the safety-related engineered safeguards system.

Isolators will be required to ensure the independence of the existing RPS.

The existing isolators of the 7300 System will be used to provide non-safety-related inputs to AMSAC. The existing 7300 System isolators are fully qualified devices which provide safety circuit isolation from credible postulated voltage/current faults imposed on the non-safety-related cfrcufts. The seven specff1c requirements for establishing electrical independence were presented in the SER. Appendix

~/ to the SER, as ft applies to the 7300 System type NLP isolated output of the loop lower supply printed circuit card, is complied with as follows:

11 Appendix A to NRC Letter #86-654 dated October 6, 1986

134-BS0-5281NA-29

l) North Anna will be utilizing an existing isolator for inputs into AMSAC. WCAPs, previously submitted,

demonstrate the functioning of the isolator in the

-maxfmum*worst case faulted conditions. A description of the test, detailing application of maximum credible faults, test diagrams, and test results are all documented in WCAP-8892-A, "Westinghouse 7300 Series Process Control System Noise Test, 11 and in WCAP-7862-A, "Test Report of Isolation Amplifiers."

2} Westinghouse's testing of . 7300 System type NLP isolators included the maximum credible faults of a short circuit, an open circuit, the application of 118V ac, and the application of 140V de. The application of higher voltages is precluded by North Anna's electrical cable system design which separates high energy cabling from low voltage signal cables. North Anna's UFSAR, Section 7.2.2.2.1.5 Control and Protection System Interaction, reiterates this position.

3} Test data for open circuits, short circuits, and maximum crediPle faults are included in WCAP-8892-A.

4} The pass/fail acceptance criteria for the 7300 System type NLP isolators are provided in WCAP-8892-A.

5) North Anna's AMSAC will be procured seismically qualified and environmentally qualified for a mild environment as detailed in the statement of clarification to 10 CFR 50.49. The 7300 System type NLP isolator is environmentally qualified (40 year qualified life) under Westinghouse's generic environmental qualification program, specifically, WCAP-8587, Revision 6-A, "Methodology for Qualifying Westinghouse WRD Supplied NSSS Safety-Related Electrical Equipment," by 134-BSD-5281NA-30

G. Butterworth and R. B. Miller, dated March 1983. The WCAP which covers the 7300 System under the generic

l!l~t~~dol_ogy is EQDE-ESE-13, Revision 5, "Equipment Qualification Data Package, Process Protection System,".

Westinghouse Electric Corporation, dated June 1985.

This document envelops environmental qualification in a mild environment and R.G. 1.100 (IEEE-Standard-344-1975).

6) The following design features will be used to protect the 7300 System trom any potential electrical interfere"ce originating within AMSAC. All signal communication cables between the 7300 System and AMSAC will be two conductor shielded. The shielded cables will be routed through the cable trench to preclude safety/non-safety interaction. The only other cabling in the cable trench will be 48V de two conductor annunciator cables. The ATWS mitigation system, AMSAC, will be housed in a front door access totally enclosed-steel cabinet w~ich will be solidly grounded to suppress any potential electromagnetic interference (EMI) or radio frequency interference (RFI). The*isolated signals from the 7300 System will have their status monitored by Gould/Modicon Series 884 Analog 8 Channel Input Modules. These modules are not capable of backfeeding a signal to the 7300 System, and all inputs are independent to prevent crosstalk, noise, and the impression of conman mode voltages. The components within the module operate at low voltage and are designed to minimize the generation of interference.

The module input circu;ts are designed for individual environments to minimize the effects of EMI and electrostatic coupling. The combination of physically independent shielded cabling, totally enclosed and solidly grounded steel cabinet, and monitored input modules will adequately protect the 7300 System from

potential electrical interference.

134-BS0-5281NA-31

7) The Class lE isolators (7300 System type NLP) are mounted in protection and control system cabinets that

- . are separate

. for each of the four independent channels.

The channels are independently powered by Class lE, battery backed, 120V ac power supplies. Each channel

related protection and control cabinet is powered by that channel's Class IE power source, i.e., protection cabinet l is powered by Channel I, protection cabinet 2 is powered by Channel II, etc. Each of the four channels is both physically independent and electrically independent.

Virginia Electric and Power Company at present plans that the AMSAC output isolators will be Electro Switch Control Switch Relay Series 24 CSR rotary relays. The two CSR relays per panel will be mounted on a shelf near the top of the AMSAC panel. The shelf will perfom three functions: .1) Separate the safety-related top of the panel from the non-safety-re1ated bottom portion of the panel; 2) Provide additional EMI/RFI rejection; and 3) provide a mounting surface for the CSR relays. The CSR relays will be mounted such that the rotary solenoid/control deck section will be below the shelf

{non-safety-related portion of the panel). A barrier will be provided to separate the shelf into Train A related and Train B related sections.

Appendix ,J.I provides the requirements for the CSR relay as an output isolator. The fnfomation which follows is based on preliminary design input and will be confimed during the design process. Any substantive changes will be noted in a future letter. Appendix A to the SER, as it applies to the CSR relays, is complied with as follows:

1) The Electro Switch Series 24 CSR relay was tested in accordance with Electro Switch Specification

~ 1/Appendix A to NRC Letter #86-654 dated October 6, 1986.

l34-8SD-5281NA-32

ESC-Std-1000 to 2200 V ac and 500 V de. The maximum credible faults are 125 V de and 120 V ac due to the circuits. interlocked on the input and output of the

- * * - i so-1 ator. I sol ati on of input and output is assured through design. Only the drive shaft of the rotary solenoid passes through the barrier, thus assuring complete separation of Class lE from non-Class lE .

. Test documentation is on file at Electro Switch for the CSR relays.

2) The Electro Switch CSR relays were seismically tested with a 2 ampere 125 V de source applied and bench tested to 500 V de and 2200 V ac. The bench tests far exceed the isolation requirements of the application for the maximum credible voltage faults of 125 V de and 120 V ac. The de voltage level is based on switchgear control circuits and certain solenoid valves circuits. The ac

. voltage level is based on certain other solenoid valve circuits. The maximum current is 6.7 amperes for the -

switchgear closing coil. The switchgear "make"* rating of a CSR contact is 95 amperes at 125 V de.

3) Data confirming the application of the maximum credible.

fault to the output of the isolator is on file at Electro Switch. The test was performed in accordance

with Electro Switch Specification ESC-Std-1000 which complies with IEEE-Std-323-84 and ASME-NQA-1-1-1983.

4) The pass/fail criteria for the CSR are clearly defined in Electro Switch Specification ESC-Std-1000.

134-BSD-5281NA-33

5) The CSR isolator is seismically qualified as documented in Electro Switch Engineering Test Report No. 2903-1.

dated April 15, 1980. Environmental qualification of

th~ -csR isolator is provided by similarity to the fully qualified LOR and LSR. The CSR is a special version of the LSR. The applicable document for environmental qualification is Electro Switch Engineering Test. Report No. 2983-3 dated January 11, 1985.

6) The CSR isolator provides complete electrical separation between the Class lE contact decks and the non-Class IE rotary solenoid and control decks. Electrostatic coupling, EMI, conunon mode, and crosstalk are all precluded by the relay design. Only dry contacts are available to the Class lE circuits.

7) The CSR isolator, being a reverse isolator (i.e.,

non-Class IE to Class lE) would, by definition, not .,. be powered by a Class lE source. The cont"act inputs which initiate isolator operation are provided by programmable logic controllers in a two out of three logic matrix.

The power for~ the CSR's rotary solenoid is the same power source as that of the AMSAC panel, i.e., the TSC UPS, 120 V ac.

J. PHYSICAL SEPARATION FROM EXISTING REACTOR PROTECTION SYSTEM NRC Guidance Physical separation from existing reactor protection system is not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be such that separation criteria applied to the existing protection system are not violated. The plant specific submittal should respond to this concern

134-BSD-5281NA-34

Position

~MS~c. wj1 l_ ~e l_ocated in the Instrument Rack Rooms of the Service Building. Existing cabinets will be used to provide*

physical independence from the RPS. The installation of safety and non-safety-related equipment including cabling for AMSAC.

will be in accordance with the separatio~ criteria defined in the UFSAR and the requirements of IEEE 279-1971. The AMSAC p~nel will be a totally enclosed steel cabinet which will not adversely. interact with the protection set cabinets.

K. ENVIRONMENTAL QUALIFICATION NRC Guidance The plant specific submittal should address the environmental qualification of AMSAC equipment for anticipated operational occurrences only, not for accidents.

Position The AMSAC panel and related ATWS mitigation-equipment, except cable located in a potentially harsh environment, will be environmentally qualified for mild environments in accordance

. ~

with the statement of~clarification to 10 CFR 50.49 and IEEE Standard 323-1983. Cables, which are part of the safety related interface, are qualified under our existing EQ program.

AMSAC will be powered by a UPS which is battery backed.

Consequently, a loss of offsite power will not disable AMSAC, and the blower in the bottom of the panel will provide adequate short-tenn ventilation for the enclosed programmable logic controllers and CSR relays until the safety-related diesels restore the. safety-related air-conditioning system. Other anticipated occurrences, such as loss of power to the reactor coolant pumps, tripping of the main turbine generator, and loss of circulating water, will not result in challenges to the operating environment of AMSAC, due to the installation of the equipment in an *area of the plant which has a mild environment .

134-8SD-5281NA-35

L. TESTABILITY AT POWER NRC Guidance Measures_ are to be established to test, as appropriate, non-safety-related AMSAC equipment prior to installation and

_periodically. Testing of ATWS may be performed with AMSAC in bypass. Testing of AMSAC outputs through the final actuation devices will be performed with the plant shut down. The plant specific submittals should present the test program and state that the output signal is indicated in the control room in a manner consistent with plant practices including human factors.

Position Virginia Electric and Power Company, during each refueling outage, will perform an end-to-end test of AMSAC, including verification of proper operation of the output relays and the actuation circuitry in devices which should operate. Virginia*

Power may, however, have the associated breakers *racked out, or other final devices similarly removed from service at the time

the test. The procedures that will be used to perform this test have not been developed at the present time but will be developed in accordance with Station Administrative Procedures.

Virginta Electric and Power Company has the capability to test the AMSAC panel at power and will perform quarterly checks of

the steam generator level set points at power. The related test procedures will be prepared in accordance with the Station

Administrative Procedures.

An ou~line of a possible refueling outage "end-to-end" testing I sequence is included.

Testing of AMSAC requires the following panel components:

control switches, one pushbutton, and the three section status array which d*isplays the test results and requires the use of 0 to 10 volt de test source(s). An I&C technician a~signed to perform "end-to-end" test would proceed as follows:

134-8SD-5281NA-36

o He will inform the Shift Supervisor that testing is about t6 occur and assure that equipment which would be activated by AMSAC

~

initiation has been placed in the proper condition for the test. He would then, proceed to the Instrument Rack Room, and open the AMSAC panel door.

o Upon opening the door, 'AMSAC PANEL DOOR OPEN alarm will be annunciated in the Main Control Room.

o The inner door of the .AMSAC panel will have a three section status array as shown on attached preliminary sketch N8711-l-E-902. Each section will provide the status of a programmable logic controller (PL~), identified as PLC-A, PLC-B, and PLC-C. Below each status array will be a function switch for each PLC, the master bypass switch, and the test pushbutton switch.

Note: Should a logic check be performed while a unit was at powe~,

the individual performing the check would move the master bypass switch from "Normal" to "Bypass". This action would result in the annunciation of "AMSAC BYPASSED" in the main Control Room. "AMSAC BYPASSED" would have already been annunciated if the unit was operating below 37 percent load, or if the main Control Room bypass switch_ had already been placed in "Bypass". In the case of the "end to end" testing conducted during refueling outages, the individual performing the - test will not turn the bypass switch from

_"Normal" to "Bypass".

Note: For the purpose of this discussion, testing of PLC-A will be described, as testing of PLC-Band PLC-C woutd ~e identical.

To test PLC~A, the I&C technician will rotate the 8-position function test switch for PLC-A from "Normal" to "I, II, I II. II o Positio~ "I, II, III" of the function test switch will isolate the external level signals to enable testing of the three voltage comparators for steam generator A level via an 134-BSD-5281NA-37

external 0-IOV de test source connected to the AMSAC panel test jacks. The test pushbutton has no function for this portion of the test.

Each comparator would be. tested individually. A status light on the AMSAC panel for each channel of each steam generator narrow range level would be used to verify that the comparator is set and operating correctly. Each light would extinguish when its associated comparator trip setpoint is reached.

o Advancing the test switch to position "2/3" would allow testing of two out of three steam generator levels less than or equal to 13% of narrow range level. A sequencer will be*

used to allow testing for all three possible combinations.

To start the test, the technician would depress* the pushbutton to test the channels I and II combination with the result displayed by the 2/3 status light. Depressicg the pushbutton a second time tests for the channels I and III combination, and depressing the pushbutton a third time will complete the combination by testing for channels II and*

III.

o Next the technician will advance tha test switch to the position "Ill/IV." The position will isolate the external turbi~e load signals to enable iesting of the two voltage comparators for turbine impulse load via an external 0-IOV de test source connected to the AMSAC panel test jacks. The test pushbutton has no function for this portion of the test.

Each *comparator w6uld be tested individually. A status light on the AMSAC panel for each turbine impulse pressure would be used to verify that the comparator is set and operating correctly. Each light would illuminate when its associated comparator trip setpoint is reached.

134-BSD-5281NA-38

. o Advancing the test switch to position 11 2/2 11 allows testing

,of both turbine load signals present. Since this will be a

- single

.. - . function test, a sequencer will not be required, but the pushbutton will still be utilized to initiate the test and enable the status light.

o The next position on the test switch is 11 C-20. 11 This*

position will test the 360 second time delay upon no longer satisfying the two out of two turbine load signals.

Momentarily depressing the pushbutton will initiate the time delay and the status light will illuminate; 360 seconds later the light will extinguish.

o Advancing the. test switch to the "Trip" position will allow

verification of the 27 second time delay, expiration of which will initiate mitigation. Momentarily depressi~g the pushbutton will start the timer which will after expiration of the 27 second.time delay illuminate the associated trip status lamp.

o The AMSAC output relays for each unit will be validated* by operation of two PLCs at the same time. The two PLCs will*

complete the two out of three logic matrix which will actuate the CSR relays and the non safety related outputs.

I*

The test will be considered acceptable when all three possible PLC logic matrix combinations have satisfactorily demonstrated output isolator operation.

o The next position, 11 Reset", will allow the time delays to be reset, so that misoperation would not result during an at power logic check when the switch would be returned to

normal and will also reset the counter monitoring PLC-A module status in the unlikely event of a detected module failure.

Note: During a logic check at power the technician would crosscheck with the Control Room operator that the steam generator levels and turbine impulse chamber pressures 134-BSD-5281NA-39

indicated on the meters of the AMSAC panel are in acceptable agreement with the values indicated tn the control room *

o To return AMSAC to service, the technician will reset all of the function switches to "Normal", will assure that the bypass switch is still in."Normal", close the outer door, and will inform the Shift Supervisor. The control room operator will then assure that the switch on the control room is in the "Normal" position. The AMSAC Panel Door Open annunciator will then be extinguished.

Testing of the protection instrumentation for narrow range steam generators A, B, and C level, and for turbine load Channels III and IV is provided by Technical Services through regularly scheduled periodic tests. These tests include calibration and operability tests of the level transmitters, pressure transmitters, and loop power supply cards.

The lifting of leads, pulling of fuses, and the installation of jumpers will not be required to test AMSAC.

M. COMPLETION OF MITIGATIVE ACTION NRC Guidance AMSAC shall be designed so that, once actuated, the completion of mitigating action shall be consistent with the plant turbine trip and auxiliary feedwater ,circuitry. Plant specific submittals should verify that the protective action, once initiated, goes to completion, and that the subsequent returri to operation requires deliberate operator action.

Position Once initiated, AMSAC will go to completion, and deliberate operator action will be required to reset and return to normal operation. Completion of mitigation action will be assured through circuit design. The ATWS mitigation system, AMSAC, will use rotary relays for its safety-related output.

134-BSD-5281NA-40

The auxiliary feedwater pumps circuits are bi-stable. The electrically driven pumps are enabled by 4KV switchgear which

latches when closed, so that a loss of control power will not de-ene*rg-i_ze - the pumps. The steam turbine driven pump is enabled by tripping open the steam supply valve which is its fail safe position. Turbine trip is accomplished through redundant trip circuits which energize solenoid valves to dump auto-stop oil pressure. This allows the interface valve to drain the EHC system which trips the turbine. The steam generator blowdown and sample isolation valves are also tripped to their fail safe position.

Restoring these circuits to remote manual operation from the Main Control Room requires the following: 1) reset the SSPS;

2) relatch the turbine at EHC Panel; and 3) resetting AMSAC after steam generator level has recovered above the setpoint.

N. TECHNICAL SPECIFICATIONS NRC Guidance Technical specificatioR requirements related to AMSAC will have to be addressed by plant specific submittals.

Position Virginia Electric and Power Company agrees with the position stated 1n the Westinghouse Owners Group letter OG-171 to the NRC dated February 10, 1986.

"We believe that the imposition of Technical Specification requirements on the WOG AMSAC System would constitute a backfit under the provisions of 10 CFR Part 50.109. We do not believe that Technical Specification requirements for AMSAC provide a

substantial increase in the overall protection of the public l34-BS0-5281NA-4t

health and safety from the low-probability anticipated transient without scram (ATWS) events."

1

~e- *b~ii~~e ~hat Technical Specificatio~s for AMSAC are unnecessary, do not enhance the overall safety of nuclear power plants, and constitute a backfit. We believe that normal nuclear. plant administrative controls are sufficient to control AMSAC."

Virginia Electric and .Power Company will institute an administrative control program or will use or modify existing programs to provide for testing maintenance, training and control of AMSAC.

6.0 ADDITIONAL NRC CONCERNS A. Appendix R A review of Appendix R has been completed to determine the effect of

AMSAC. The overall impact of AMSAC was favorable as it provided further assurance of reactor trip, turbine trip, and auxiliary feedwater initiation while adding minimal additional combustible load. The review identified Volume I, Chapters 3, 4, and 5 and Volume III Chapter 8 as the areas potentially affected by the addition of an AMSAC mitigation system.

Chapter 3 provides the safe shutdown systems analysis. Paragraphs 3.2.7 through 3.9.4 were reviewed. Paragraph 3.6.1 discusses reactor trip which results from automatic operation of the Solid State Protection System or operator initiated manual trip. The failure of the Solid State Protection System is precluded as the system is fail safe. The ATWS mitigation system, AMSAC. does trip the reactor directly through the rod control motor generator sets, and indirectly through turbine trip, but the AMSAC system requires power to trip, i.e., it is not fail safe. Paragraph 3.6.4 1 "Reactor Heat Removal Function," identifies the role played by the auxiliary feedwater 134-BSD-5281NA-42

system in recovering from a postulated fire. The addition of the ATWS mitigation system, AMSAC, does not adversely change or affect

the fun~ti?n o__f_ ~~e a~xiliary feedwater system. Paragraphs 3.6.6, "Support Functions," and 3.6.7, "Hot Standby and Cold Shutdown,"

exclude the reactor protection system as a requirement to achieve and maintain safe shutdown. AMSAC, as an extension of the reactor protection system, likewise would not be required to support safe shutdown.

Paragraph 3.7.4 described the design and function of the auxiliary.

feedwater system during the hot shutdown to residual heat removal stage of incident recovery. The addition of the ATWS mitigation system, AMSAC, does not change or affect the function of the auxiliary feedwater system as the purpose is to improve the reliability of the reactor protection system and not to mitigate the consequences of a fire. Paragraph 3.9, "Associated Circuits of Concern," was reviewed and found to be unaffected by the AMSAC modification. The ATWS mitigation system, AMSAC, will not affect:

1) the coordination of the Emergency Power System, 2) electrical protection of associated circuits of concern by common enc_losure (the AMSAC panel), and 3) introduce spurious operation other than that already identified in Tables 3-5.C and 3-5.D.

Chapter 4 identifies the methodology used to provide compliance to Appendix R. The areas of concern are Fire Areas 6-1 and 6-2, Emergency Switchgear Rooms, Units 1 and 2, respectively, which include the associated Instrument Rack Rooms. Paragraph 4.4.3 addresses these fire areas. As a result of the fire, the 4 kV emergency switchgear and the 7300 Process Instrumentation and Control System may be unavailable. The consequences of adding the ATWS panels would be the potential for fire related misoperation resulting in a reactor trip via a turbine trip. Since the reactor is placed in a safe state consistent with the safe shutdown analysis, misoperation of the AMSAC mitigation system, AMSAC, also is of no consequence and is bounded by the existing report.

134-BS0-5281NA-43

Attachment 1 to Chapter 5 of the Appendi~ R Report describes the worst case fire scenario. The two most sensitive fire areas are the Emergency

Switchgear/Instrument Rack Rooms and the Cable Vault/Tunnel. - *f fire* in either of these areas *results in the loss of control and indication in the Control Room, prohibits the use of the Auxiliary Shutdown Panel, and necessitates the use of local shutdown capability in combination with the Control Room and Remote Monitoring Panel. The addition of an ATWS mitigation system, AMSAC, in the Instrument Rack Rooms of each unit has no impact on the worst case fire scenario because automatic initiation of the auxiliary feedwater system has already been assumed to be lost, and the use of local shutdown capability will still be required. ATWS mitigation system (AMSAC), does not affect the station's fire protection capability.

The AMSAC system's function is to provide an improvement in reactor protection reliability.

Chapter 8 provides the combustible loadings. some _of these loadings will increase due to the installation of AMSAC, but the increa~es should be acceptable. When final design infonnation is available, a

final loading review will be performed.

The AMSAC modification does not adversely impact or affect the existing North Anna Appendix R Report. Consequently, complying with 10 CFR 50.62 will not prejudice existing compliance with 10 CFR SO Appendix Rat North Anna~

. * . .. ., .... - .. *. !~ '.- ... -

.* . .' - ~*: *

- -~**--'- ___,,,. __

134-BS0-5281NA-44

1 A B E

... f

G H J K L M N p a R S T u V 2

1111111-1-[-iQZ 3

4 5

6 Ula IOU. II S11UIII I 111.C...

7

'MS llllAWII. SHWUl 11£ IICDNl'UIAJED 8 1110 1tl[ ISI-S SIJIES IY lMGNA PGaJI UM- llfDAR:

9 I.Of lf\fl. II SIi CIII C PU:-C SAFETY RELATED SM:C .14938.46 i1 DC-87-11-1 IIEDIIA.. IIOlllA.. ROIIIA . . UIQC mMJIAII IIOll ISllllOII ISSUtD ISSUtD ISliUW Alllal'AD IIIAll51}11fS *IIWT DAIi Ull:AD*----- .

I. Ml lGf1S << UICAEI Ai ff NI/SM. PNIL. Rlt FOIi FOIi FOIi 11111,Allllll S'l'SIDI (AIISAC)

J. M1:iM: - IIOIDlt: Alfllll'AllD 1IMIIDIS ...... DAIi IIIGA... S1S1D1 PMQ. H NIIIDI NIIA POaJI SlA 11111. IN r I WUIA l'OllJI

. . acae-, - *11811HU * "w,... ... £ N8711-1--[-600, REV. D

2 1 --

A B C D E

- f G H J M N p a R S T u V J C-211 SAll5fQ

.Ma; 4

5 6

£-------IIIUM---------

7 Llll18111*uai!IAIMMICM&

8 9

& . . . . . . _ A . . . fHICl-tHICCM&

NS DIIA- 5HOLUI 11£ INIX9'GMIID 1110 111[ Ul(-1 iEMS ....

lllalA .o.11 ll&\INI UPOA*

1 11 ESWJW£0NS I

0-,U: A o-lU:I SAFETY RfLA TEO S\\l:C 14938. 46 OC-87-11-1 LOQC IWIIAII AIIIOPAD IWt.Eil'S *IIWI :DAIi

'M,Mi IIICA'IIIII 5lSIDI (AMSAC)

Ima! AIIIA , _ . SIAD. 1111 I IMIIIA l'OllJI

.£ N8711-l-f-601, RfV. 0

1 --

A lalll-H--

an,-,~--

B 1

4 C D E f G H K L CXllfall. M:1111 M N p a R s T u l51(-l-2A V

2 Cill-)---1:zA an1-1~-- I l51(-)---UA 3

lalll-l~-- 2 l51(-)---IJB 4 an1-H-- 5 an1-1~-- 2 5

E'II-H-- l 6 an1-H-- I 7

an,-,~-- l u-I CilH-2A L5K-~12A a

MACMIU 8 L5K-~ll4 MIC- C 2/J 1.51(-~llll M-e 9

MIC-u-c f~CUTCl:t[ON D

< > -0 I'~'I.

~

1 mu IIPm 111111-1-£-tol I

SAfElY RELATED I. ~ - - LIIIIJ UIWm . . . . . . . . . . . . . .

S1M:C 14938.46 11 a.

~

~~ . _ fMl.lll a.uu U11:AD * ~ UNIJ cau O:ili)

&. SfJUJtl:I: '1f NIIIS ....._

IIAINTMIUI Rlll:llUIN lallllED

< > -0 u-IED I

G'5UUI UIQC DIM:IIAII DC-87-11-1 NIIIQPAIUI IIIAH501S llfDIWI SOIAli IIIIGAUI Sl$1DI (AWSAC) ldllll AIIIA l'OIIJI SIAIION, I.NI I

\Ill.NA POIIJI

..,o 1HIS DIIA- 5HOUU) I£ NlllNl'CIIAIID 1)t[ lS-1 5EM:S 9Y IIMGINA .a.II ll!IA--. Ul'IIA11:

STQlf

lllBS 1£11 l:NCIHEIRINC CllffPOffADON Ii N8711 [

602. R[V. D

1 A C D Gr-Ml£--------*(

E

.... f

)

K L M

~~~

N p a R S EU.Ulll T u V 2 ......

3 -!Jaa

--.. M-A

.)

6

.....,u-c

~

a .;

t-~~~~A ~

l H Ulll (lOSS CE IM>>'lNIE IO.IAa) IQ.I.IQ: :ilQIAI. IS IIINIUltll ljllJINAU r 11A 111£ 1'1.C UIQC. ff ~ IS 7 .......

~

IINRIID 11A H l'lC AS USllD ,. IIOIES :i, I a 1.

2. H ff(UOC'f U. (QIU R&.S() 3Qllll IS lllllllllll Ir A MIi II H flC AS USllD II 1116 :i. I a 7. ff DPIIAIIIII i, A 1lllli 11'111 H All5Da f6 H IU.SE IIJ. CAll5I 1111 AIAIIII.

i l[QeltAI. 5Lfl'Qllf c:DIIDI (JSC) W.IIJU'IMU

,u:...A ~ lll'l'I.Y (11'5) IOJMI: IINJGalG IS fCII flC NOIECIIIN NI> mUC.CJ IOJM UJ5S CF ffllOI.

4. Ml MaJI UDffli lllf UICAIID AJ H IIISIJ; PAI&.

3 ~ 11.C-A IIIIDIS 11.C-C U. fllfllOC't a la.JAIi: 8IIIIE.

,u:...A a.; I. ~ 111111115 l't.CrA l.09 filflUIICf 6 IQ. JAIi: lilPlaL

7. ,U:-C ldlllllS l'l.C-1 t.aa fEUIIC'f I) IQ.JAIi: ~

& £AQt l'lC 111 ...... IIS IIHCillf 1/0 lllllllfS fMlaa

.& Ml UIIIIS

UICAD II . . IEl'lCN m:1111 f6 9

....,,~

M . . . . II IIIIID5 111,C,-C SAf£TY RELA 1£0 ldDJLCIII s~c 14938.46 DC-87-11-1

~

IJlQC IIAQIMI 11(8DCJUIW 11)1[ 1 IIIIID'AIID -.-i,irs *11011 SIJIAII llllllA... ffi1DI (AMSAC) 1111111 MIIA POaJI Sl'AIOI, INI I ft.C--11 IIDIA l'OllJI IQ.WI[ Ula

___,..........II;*-*-

?

£ N87JI- 1--f 60J, RfV. D

A B C D E f G H J K L M N p a R s T u V 1

CIIUl Al&C* PAIG 2 .

11.CIIIIII A-A J ----------------

I .

I lb Ii 5 I

.s L

6 I r 7

111ft L llt.llJ 11/t*I° l , - - I lM.1111 OIIM; N11U Al -

&*1-l.ll!ll(*IUU**

8 9

SAflTY RfLAJfO 51lCIWltl 1 IC-11-IH 11 IJI.IIUN( :it1U I I U J Mlllal'IID lkAH:.io.r.. "'DIOul MJIMI 111111.A- S'r.ilCM (""'SAC) 11111111 - rllllUI SIA-

- l'OoltJI SIONE

1(11Sllll lNQNtOIIHI. COIWllt<Alluu A N8711-l*f**902. HtV. C

ATTACHMENT 2 Attachment LICENSING POSITION

-ATWS*M1TiuATION SYSTEM ACTUATION CIRCUITRY(~)

SURRY POWER STATION - UNITS 1 AND 2

1.0 INTRODUCTION

In order to comply with 10 CFR 50.62 "Requirements for Reduction of Risk From Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," the Westinghouse Owners Group (WOG) prepared and submitted for Nuclear Regulatory Co11111ission (NRC) review and approval topical report WCAP-10858 "AMSAC Generic Design Package." The NRC's acceptance position of the generic topical report and WCAP-10858A "AMSAC Generic Design Package" formed the basis for preparing Surry s 1 licensing submittal.

2.0 BACKGROUND

The Anticipated Transients Without Scram (ATWS) Final Rule, 10 CFR 50.62, allowed the NRC to amend its regulations to require improvements in design and operation of pressurized water reactors to reduce the likelihood of a failure to scram and to mitigate the consequences of an ATWS. The NRC does not believe that the current reactor trip system achieves adequate reliability. This is due to two reasons: (1) reliability standards are not sufficiently developed or qualitatively documented; and (2) the dominant role played by cOfllllOn mode failures.

Consequently, the ATWS Final Rule requires diversity from sensor output to the final actuation device to automatically initiate auxiliary feedwater flow and trip the turbine under conditions indicative of an ATWS.

134-BSD-5281S-4

3.0 CRITERIA Surry m~st_ imp!~m~~t p_aragraph (C)(l) of 10 CFR 50.62, "Each pressurized water reactor must have equipment from* sensor output to final actuat~on device, that is diverse from the reactor trip system, to automatically initiate the auxiliary feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the* existing reactor trip system."

Although the required ATWS mitigation system does not have to be safety related, it is part of the class of systems and components defined in General Design Criteria (GDC) 1, whic~ requires. that "structures, sys terns, and components important to safety sha 11 be designed, fabricated, erected, and tested to quality standards co11111ensurate with the importance of the safety functions to be performed." Generic Letter 85-06 "Quality Guidance for ATWS .Equipment That Is Not Safety Related"*

provides.direction for the Quality Assurance program that must be applied to the ATWS mitigation system.

4.0 DESIGN DESCRIPTION The Westinghouse owners Group (WOG) in concert with Westinghouse Electric Company prepared WCAP-10858, "AMSAC Generic Design Package." This document was submitted to obtain NRC

approval design prior to implementation of the changes required by 10 CFR 50.62. The application for NRC- review was submitted in 1985 with the Draft SER issued in June 1986, arid the Final Safety Evaluation published July 7, 1986. The Final Safety Evaluation (Final SER) approved WCAP-10858 and accepted the principal of using only one of three proposed functional designs to detect the onset of ATWS. An accepted version_ of . WCAP-10858, WCAP-10858-Revision A, was issued in October, 1986. An updated version, (

WCAP 10858 Revision 1, was submitted by the WO& on August 3, 1987.

134-BSD-5281S-5

By definition, an ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) which is accompan!ed_ by ~-~ajlu~e of the reactor trip system to shut down the reactor. The three functional designs discussed in WCAP-10858 proposed to provide detection of a failure of the Reactor Protection System (RPS) to initiate a reactor trip and a loss of feedwater or loss of load are based on the power level indication (reactor or turbine power) and the monitoring of (1) steam generator inventory level, (2) feedwater flow, or (3) feedwater pump breaker and valve position status.

For each functional design, provision for the* existing reactor protection system to operate is provided by time delaying the ATWS mitigation signal. Likewise, an automatic permissive (C-20) for each functional design is provided by two turbine load signals above a predetermined value and a time delay on de-energizing is used to keep the ATWS mitigation system available for a preset period even if the existing I-.

reactor protection system trips the turbine successfully.

Functional design 1, using steam generator narrow range level. as the detection variable, will be used at Surry. Each of the three narrow range level transmitters in each of the three steam generators will be used in conjunction with the first stage turbine pressure channels to derive the ATWS mitigation system. If any two of the three level

transmitters _in any two of three steam generators are less than or equal to 13 percent of narrow range level span and the turbine is greater than or equal to 40 percent load ATWS mitigation, .AMSAC, will be initiated

automatically. A time delay of approximately 27 seconds is provided to allow the existing reactor protection system to respond first. In the event of an ATWS event and the expiration of the* time delay, the main turbine will be tripped, all three auxiliary feedwater pumps will start, the steam generator blowdown isolation valves will receive an automatic close signal, and the breakers which supply power for each rod control motor generator will be tripp~d.

ATWS mitigation by AMSAC is automat,cally blocked below 40 percent power by a newly installed permissive (C-20) that is derived from the First 134-BSD-5281S-6

Stage Pressure (FSP) transmitters. This automatic block will be defeated for approximately 360 seconds following a decrease of FSP below 40 percent. This time delay is required for the instance wherein an ATWS

event occurr.ed. and. the turbine load was reducing causing FSP to drop below 40 percent. The ATWS mitigating actions, AMSAC, will still be initiated automatically if a loss of heat sink (steam generator inventory loss) occufs within the 360 second time delay.

5.0 SPECIFIC REQUIREMENTS The NRC Staff accepted WCAP-10858 as a generic concept. Consequently, the Staff approved: (1) implementatfon of any one of the three functional designs for the detection of an ATWS event; (2) use of existing transmitter impulse lines, transmitter power supplies, and isolators; (3) testing of the ATWS mitigation system in bypass; and (4) the use of an operating bypass, the C-20 permissive, to prevent spurious actuation in either start~up or shutdown.

The Staff also identified 14 key elements which will be reviewed on a case by case basis. These 14 key elements, the NRC guidance for each element, and the reasons for the Surry positions are discussed below.

Engineering is fn progress on this system but is not complete, therefore certain changes may be made between details contained in the plans outlined in this letter and the system installed fn the plant.

The 14 key elements are:

A. 01Yen1ty

8. Logic Power Supplies

c. Safety Related Interface D. Quality Assurance E. Maintenance Bypasses F. Operating Bypasses G. Means for Bypassing H* Manual Initiation 134-BSD-5281S-7

r. Electrical Independence from Existing Reactor Protection System J. Physical Separation from Existing Reactor Protection System K. Environmental Qualification L. Ies_tabi_l _i ~Y.. at. Power M. Completion of Mitigative Action N. Technical Specifications A. DIVERSITY NRC Guidance The plant specific submittal should indicate the degree of diversity that exists between the AMSAC equipment and the existing Reactor Protection System. Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors output to, but not including, the final actuation device, e.g., existing circuit breakers may be used for the auxiliary feedwater initiation. The sensors need not be of a diverse design or manufacture. Existing protection system instrument-sensing lines, sensors, and sensor power supplies may be used. Sensor and

instrument sensing lines should be selected such that advetse interactions with existing control systems are avoided.

Position Diversity between the existing Westinghouse Reactor Protection System/Safeguards System (RPS/SS) and the ATWS mitigation system

{AMSAC) to m1n1m1ze the potential for cannon cause failures is required fro11 sensor output, but not including the final actuation device. The instrument sensors do not have to be diverse.

Therefore, existing protection system instruments, impulse lines, and transmitter power supplies may be used. Instruments and their related impulse lines must be selected to prevent adverse interaction with existing control systems *

134-BS0-5281S-8

, Surry plans to implement Functional Design 1 of WCAP-10858, Steam Generator Level less than or equal to 13% of narrow range span, to

initiate- the AMSAC.

- . - - The attached preliminary Logic Diagrams

~anner in whic~ the Steam Generator Level will be implement~d.

show the .

Each of the three narrow range level instrument loops (Channels I, II

, and III) on each of the three steam generators (A, Band C) will be used to provide isolated non-safety-related signal inputs to the AMSAC logic system.

Isolated signals from Channels I, II and III of steam generator A narrow range level will input to AMSAC Programmable Logic Controller A {PLC A). Isolated signals from Channels I, II and III of steam

~enerator B narrow range level will input to AMSAC PLC B, ,and isolated signals from Channels I, II and III of steam generator t, narrow range level will input to AMSAC PLC C.

Channels I and II narrow range steam generator A, B, and C level signals provide protection, indication, and computer input functions.

Channel III narrow range steam generator A, B, and C level signals provide protection, indication, computer input, and control functions. Channel III nafrow range steam genera~or levels are the I only,signals that could adversely interact with the steam generator water level control system'.

The possibility of an adverse interaction between control and AMSAC circuitry due to an unrecognized failure of the Channel III narrow range level has been considered. Assuming the worst case failure, i.e., one steam generator Channel III level fails high, the affected PLC would default to a two out of two logic based on the two operable level channels. The remaining two PLCs would continue functioning normally, that is, a low indication on two out of three narrow range, stE!am generator level channels would continue to satisfy the individual PLC trip logic. Therefore, adverse interaction between the Channel III control circuitry and the AMSAC steam generator level.

logic has been prevented.

134-BSD-5281S-9

If a Channel III narrow range steam generator level channel were to be declared inoperable due to either: failing off-scale high,

failing_of!-scale low or based on a channel check (detecting that the channel had drifted high or low relative to the other two channels),

it would be placed in trip. As a result, the logic for the affected PLC would conservatively default to a one out of two coincidence.

Each Surry Unit has four separate physically isolated 120V ac buses which are Channel related. Each vital bus will be supplied by an independent Uninterruptable Power Supply (UPS) via DC-85-33-1 and DC-85-34-2. Two UPSs are connected to one of each units two Class IE batteries. Upon rectifier/charger failure within the UPS, the battery will pick up the inverter load. Upon failure of the inverter section of UPS, a static switch will transfer the vital bus to a regulating transformer. Therefore, the integrity of the channel will always be maintained. By using signals from three different channels, i.e., I, II, and III, the level transmitters, their associated impulse lines, and the level transmitter power supplies are electrically and physically independent and, therefore, non-interacting.

Channels III and IV turbine impulse chamber pressure are used . to develop the C-20 permissive. Both of these signals are also used to prrivide. control inputs to the feedwater control system. The implementation of AMSAC does not adversely affect or .degrade the turbine impulse chamber pressure signals.

The independence of the AMSAC signals derived from the protection system will be provided by Class lE qualified isolators in the AMSAC

_panel. The signals obtained from the isqlators will* never be returned to the protection system. This is -consistent with the requirements of General Design Criterion 24 Separation of Protection and Control System. Consequently, the use of isolated steam generator level and turbine impulse chamber pressure signals will_

neither compromise the protection system nor introduce an adverse

control system interaction.

134-BSD-5281S-10

The Surry RPS/SS utilizes a Westinghouse 7100 Process Instrumentation and Control System {7100 System). The 7100 System is a current based instrumentation

. - . - . -system.

All 11 analog signals will be isolated at AMSAC for the solving of coincidence logic. Independence of AMSAC from the existing RPS/SS will be achieved through the use of new qualified isolators which buffer the current signals originating in the 7100 System. Connecting AMSAC downstream of the new isolators will ensure that the nonsafety-related AMSAC will not degrade the existing RPS/SS.

Actuation logic diversity will be provided between the RPS/SS and AMSAC. The existing Westinghouse RPS/SS is a relay based system which performs this function. The R_PS/SS uses Type BF input relays by Westinghouse to provide input is~lation for the Westinghouse Type BFD logic relays which in turn solve the coincidence logic. The relays drive output relays which also are Westinghouse Type BFD. The BFD relay is for 125V de application, and the BF relay is for 120V ac application. The SS also utilizes Westinghouse type BFD relays fer solving coincidence logic and equipment actuation with Westinghouse

type BF relays used for input isolation. Additionally, Westinghouse type MG-6 latching relays are used in the SS for manual actuation and system reset. All of the relays are of the multi-contact hinged armature type. AMSAC will use a progranmable logic controller {PLC) to solve the coincidence logic. The PLC will use a microprocessor manufactured by Intel (8086) which represents an entirely different technology with respect to relay logic _as used in the RPS/SS. Input isolators will be required for the PLC. Output relays, will also be required in order to provide isolated safety-related mitigation pennissives to existing final actuation devices. These output relays j will be Electro Switch Type CSR rotary relays. The RPS/SS slave output relays are conventional hinged armature machine tool type relays. AMSAC output relays will use different principles of operation and will be made by a different manufacturer.

Therefore, a sufficient degree of diversity is provided through the

consistent application of different manufacturers and different operating principles.

134-BSD-5281S-ll

B. LOGIC POWER SUPPLIES NRC Guidance The pTant specffic submittal should discuss the logic power supply design. According to the rule, the AMSAC logic power supply is not required to be safety-related (Class lE). However, logic power should be from an instrument power supply that is independent from the reactor protection system (RPS/SS) power supplies. Our review of additional information submitted by WOG indicated that power to the logic circuits will utilize RPS/SS batteries and inverters. The staff finds this portion of the design unacceptable, therefore, independent power supplies should be provided.

Position The ATWS logic power supply is not required to be safety-related, however, it should be a reliable instrument power supply, independent from the RPS power supplies (vital buses, associated batteries .,.and inverters), and battery-backed.

A nonsafety-related static inverter (consisting of 5 KVA inverter with integral static transfer switch and manual bypass switch), ~nd associated 120V ac distribution panel, located in the non-safety-related {black) battery Building, will be used as the AMSAC logic power supply for both units 1 and 2. It will derive its 125V de normal source from the "black battery", to provide regulated 120V ac, 1 phase, 2 wire power (approximately 15 amp each) to the AMSAC panels located in the Units 1 and 2 Emergency Switchgear Rooms. Upon inverter output failure, the static transfer switch will automatically transfer the load to the 120V ac alternate source (nonregulated) .from an existing 120/240V ac Distribution Panel Unit 2, in the "Black Battery" Building. When the inverter output returns to normal, either automatic or manual retransfer may take place. The "black battery", as designed, has a 70 amp, 2-hour future load duty, which is sufficient to handle the 5 KVA. static inverter input requirements. The static inverter will _be monitored locally 134-8SD-5281S-12

(indicating lights) and annunciated in the Control Room consistent with accepted human factors guidelines .

The "Black Batte-ry *Building was selected as the static inverter 11 location to minimize input ac and de cable lengths, cable sizes, and voltage drops. Since the AMSAC panel loads will not change significantly, the regulating capability of the inverter will be maintained. The integral power supplies for the Gould Progra1TJTiable Controllers are rated for input voltage of 95-138V (long term) and 80-lSOV (10 sec).

C.. SAFETY-RELATED INTERFACE NRC Guidance The plant specific submittal should show that the implementation is such that the existing protection system continues to meet all applicable safety criteria.

Position Isolators are the devices which buffer AMSAC from the safety-related equipment and systems. ~New qualified isolators, Technology for Energy Corporation Model TEC-156A will provide nonsafety-related analog signals to AMSAC. The company will use Electro Switch CSR rotary relays, which will be mounted in the top of the AMSAC panel with a steel shelf interposed between the coil section and the contact section, to provide iso~ated safety-related AMSAC outputs to actuate safety-related equipment. This approach does not violate any safety* criteria applicable to the RPS/SS, i.e., IEEE Standard 279-1968, General Design Criteria 17, 18, 20 through 25, and Surry's UFSAR Section 7.2.

134-8S0-5281S-13

0. QUALITY ASSURANCE NRC Guidance The plant specific submittal should provide information regarding compliance with Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related."

Position The Surry AMSAC complies with the requirements of Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related."

I. ORGANIZATION NRC Guidance The normal line organization is expected to verify compliance with this guidance. A separate organization is not required. If desired, the existing Appendix B QA organization may be involved but this is not required.

Position Virginia Electric and Power Company will purchase only portions of the AMSAC equipment as non-safety-related.

These purchases will be made in accordance with our Nuclear Operations Department Standards using personnel.

who are involved in both safety-related and non-safety-related purchases. The Appendix B QA organization may be involved as deemed appropriate *

134-BSD-5281S-14

I I. PROGRAM NRC Guidance

__ I~- i~ expected that the existing body of plant procedures or practices will describe the quality controls a~plied to the subject equipment. A new or separate QA program is not required.

Position Virginia Electric and Power Company will use the existing program of. Nuclear Operation Department Standards and Station Administrative Procedures which apply to non-safety-rehted equipment for the.

non-safety-related AMSAC equipment. A new and dedicated QA program will not be implemented.

III. DESIGN CONTROL NRC Guidance Measures17 are to be established to ensure desjgn specifications are included or correctly translated

- into design documents '5./ and to ensure that all design control activities are consistent with the requi~ements of 10 CFR 50.59. Normal supervisory review of the designer's work is an adequate control measure.

Position Virginia Electric and Power Company has determined that a portion of the work involved in the installation of AMSAC is safety-related as it involves the interface of

!/ Except for design control measures, where the utility is responsible for ensuring that design control measures are applied* at contractor or subcontractor organizations, the term "measures" applies only to activities within the licensee's or applicant's organization. However, the design control measures to be applied at contractor or subcontractor organizations need be no more stringent than those required of the utility.

fl Except for the record keeping requirements of 10 CFR 50.59 and requirements XVII of this guidance document, any records that are generated as a result of implementing these QA controls are not required to be maintained.

134-BS0-5281S-15

safety-related and non-safety-related equipment. As such, design work will be controlled in accordance with the standards for safety-related work as identified in

IV.

- *the Virginia Power Nuclear Design Control Program.

PROCUREMENT DOCUMENT CONTROL NRC Guidance Measures are to be established* to ensure system specifications and quality requirements, where applicable, are included in procurement documents.~/

Position Virginia Electric and Power Company through the use of the Virginia Power Nuclear Design Control Program, the Nuclear Operations Department Standards and the Station Administrative Procedures will ensure system specifications and quality requirements are included as applicable in non-safety-related AMSAC procurement documents.

V. INSTRUCTIONS, PROCEDURES AND DRAWINGS NRC Guidance Measures are to be established whi~h ensure that quality controls will .be applied to activities that affect quality. These measures may include such things as written. instructions, plant procedures, cautionary notes on drawings and special instructions on work orders. Any methodology which provides the appropriate degree of guidance to utility personnel performing g! See footnote 2, page 15.

134-BSD-5281S-16

quality-related activities will satisfy this requirement. Maintenance on the equipment shall be based on the appropriate use of vendor information.

- Any departure from such vendor guidance shall be based an adequate engineering rationale.fl Position Virginia Electric and Power Company will implement this modification through a separate Design Change Package (DCP) for each unit. The Nuclear Operations Department Standards provide for this means of implementation via the Virginia Power. Nuclear Design Control Program. The DCPS are being prepared as safety related DCPs. Each DCP will be issued and approved by the Station Nuclear Safety and Operating Co11111ittee prior to implementation.

Each DCP will also provide procedures, instructions and drawings sufficient to provide for proper instal1ati9n.

Maintenance information supplied by vendors will be

VI.

included.

DOCUMENT CONTROL NRC Guidance Measures are to be established to control the issuance of and changes to documents affecting quality.fl Position Virginia Electric and Power Company will control and retain implementation documents in accordance with the Virginia Power Nuclear Design Control Program and will control procurement documentation in accordance with the Nuclear Operations Department Standards.

'f/ See footnote 2, page 15.

134-8SD-5281S-17

VII. CONTROL OF PURCHASES ITEMS AND SERVICES

- :NRG Guidance Measures are to be ~stablished to ensure* that all purchases conform to appropriate procurement documents.l/ Such measures may include the performance of receipt inspections by stores or warehouse personnel or plant engineering personnel.

Position The Company will assure the control of purchased items and/or services for AMSAC which are non-safety-related in accordance with the Nuclear Operations Department Standards which includes provisions for receipt inspections as required.

VIII. IDENTIFICATION AND CONTROL OF PURCHASED ITEMS NRC Guidance~

Measures are to be established, where necessary, to identify and control purchased items. Examples of circumstances* requiring such control include

the storage of environmentally sensitive equipment or material and the storage of equipment or material that has a limited shelf-life.

Position The company will assure the identification and control of non-safety-related material purchased for AMSAC in ll See footnote 2, page 15.

134-BSD-5281S-18

accordance with the Nuclear Operations Department Standards and the purchase order requirements determined in accordance with the Nuclear Design

- *CoTitrol Program. No limited shelf-life items are presently included in the design.

IX. CONTROL OF SPECIAL PROCESSES NRC Guidance Measures are tp be established to control special processes, including welding, heat treating, and non-destructive testing. Applicable codes, standards, specifications, criteria, and other special requirements may serve as the basis of these controls.

Position The Company at this time is not planning to u~e.any special processes in the purchase, fabrication or

installation of the non-safety-related AMSAC materials.*

However, work performed at a vendor would be performed as normally~ done on standard products or would be in accordance with the purchase order or specification or approved procedure as required for non-safety-related AMSAC.

X. INSPECTION NRC Guidance Measures are to be established to inspect activities affecting quality. Inspections are to be accomplished in order to verify that these activities are in conformance with the available documentation-fl, or, if no documentation is available, to verify that these fl See footnote 2, page 15.

134-BSD-5281S-19

activities are being satisfactorily accomplished. rn general, the line organization is responsible for determining the inspection requirements and for

-

en-suring that sufficient inspections are performed.

Inspections need not be performed by personnel who are independent* of the line organization. Inspections shall be performed by knowledgeable personnel.

Position The Company will have inspections performed on non-safety-related AMSAC equipment as deemed necessary based on compliance with the Nuclear Operations Department Standards and the* Nuclear Design Control Program.

XI. TESTING NRC Guidance Measures are to be established to test, as appropriate, non-safety-related ATWS equipment prior to installation and operation and then periodically. Results of the tests should be evaluated to ensure that the test requirements have been satisfied.

Position The Company will in accordance with the Final Design Testing Section of the Design Change Package as

. required by the Nuclear Design Control

Program assure that the system performs properly prior to operation.

The periodic testing is discussed in Section "L" later in this response.

134-BSD-5281S-20

XII. CONTROL OF MEASURING AND TEST EQUIPMENT NRC Guidance Measures are to be established to control, calibrate, and adjust measuring and test equipment at specific intervals.

Position Measuring and Test Equipment will be maintained and calibrated in accordance with Station Administrative Procedures.

XIII. HANDLING, STORAGE AND SHIPPING NRC Guidance Measures are to be established to control handl(ng, storage, shipping, cleaning, and preservation of purchases in accordance with utility practices and manufacturer*s reco11111endations.

Position This will be perfonned in accordance with the Nuclear Operations Department Standards.

134-BSD-5281S-21

XIV. INSPECTION, TEST, AND OPERATING STATUS NRC Guidance Measures are to be established to indicate status of inspection, test, and operability of installed non-safety-related ATWS equipment.

Position

.The inspection and testing of installed non-safety-related AMSAC equipment will be as discussed in Section "L" of this response. The operating status of AMSAC will be indicated by annunciators in the control room and status lamps on the AMSAC panel.

xv . NONCON FORMANCES

NRC Guidance Measures are to be established to i den ti fy nonconfonnances.

Position The company w111 identify and disposition nonconfonnances in accordance with the Nuclear Operations Department Standards and Station Administrative Procedures.

134-BSD-5281S-22

XVI. CORRECTIVE ACTION SYSTEM NRC Guidance Measures are to be established for prompt correction of conditions which are adverse to quality (i.e.,

nonconformances), and to preclude repetition of conditions adverse to qu~lity.

Position The Company will identify and disposition nonconformances in accordance with the Nuclear Operations Department Standards and Station Administrative Procedures.

XVII. RECORDS NRC Guidance Measures are to be established to maintain and control records of activities in accordance with the requirements of 10 CFR 50.59. In addition, measures are to be e~tablished to maintain and control appropriate records to ensure that the requirements specified in the table accompanying the ATWS rule (49 FR 26036, pp. 26042-26043) have been met.

PosHion The Company will maintain records in accordance with the Nuclear Operations Department Standards and the Nuclear Design Control Program.

134-BSD-5281S-23

XVII I. AUDITS NRC Guidance

-_-Audits* which are independent of line management are not required, if line management periodically reviews the adequacy of the quality controls and takes any necessary corrective action. Line management is responsible for determining whether reviews conducted by line management or au.di ts conducted by an organization independent of line management are appropriate.

Position Independent audits are not planned at this time but may be performed as required.

E. . MAINTENANCE BYPASSES NRC Guidance The plant specific submittaf should discuss how maintenance at power is accomplished and how good human factors engineering practice is incorporated into the continuous indication of bypass status in the control room.

AMSAC maintenance during unit power operation will be accomplished through operation of either of two bypass switches. One is located in the Main Control Room on Benchboard Section 2 and the other is l_ocated within the AM~AC panel. In neither case will the lifting of leads, tripping of breakers, use of physically blocking relays, nor the.

pulling of fuses be required to bypass AMSAC. Bypass status will be annunciated in the Main Control Room above Vertical Section 1. The alarm will be located to provide bypass status to the reactor 134-BSD-5281S-24

operator. The new alarm will meet accepted human factor*s guidelines as delineated in Virginia Electric and Power Company s Human Factors 1

Standard STD-GN-0005. In accordance with the Virginia Electric and Power Company Nuclear Design Control Program, a review of the human factors acceptability of this modification will be performed and its results will be noted in the implementation document.

For maintenance bypass the following human factors principles will be implemented:

l. The information provided by displays and control equipment added to the Main Control Room as a result of implementing the ATWS Final Rule will not increase the potential for operator error under both normal and abnormal plant conditions. Bypass for maintenance will be clearly displayed to the operator.

2. AMSAC will be integrated into the applicable Emergency Operating Procedures and into applicable Maintenance Procedures.

3. AMSAC will be integrated into the operator training program and the Surry simulator will also be modified to incorporate the implementation of AMSAC.

4. AMSAC is of course time delayed to allow the existing reactor protection system to respond first. Consequently, the alarm 11 AMSAC ACTUATED" should always be received after the existing reactor protection system conmences mitigation. Since AMSAC will be installed to mHigate a failure of the RPS, the AMSAC ARMED 11 11 and "AMSAC ACTUATED" alarms may be prioritized. During normal operation the operator will be trained to. expect AMSAC BYPASSED, AMSAC TROUBLE, and AMSAC ARMED alarms. As AMSAC BYPASSED and AMSAC TROUBLE will be status alarms, prioritization may not be required. The alarm AMSAC ARMED will be a pre-trip annunciation which could prompt operator responses and may be prioritized.

However, due to the brief time delay, 27 seconds, operator action based on this alarm is not expected.

134-BSD-5281S-25

F. OPERATING BYPASSES NRC Guidance The plant specific submittal should.state that operating bypasses are continuously indicated in the control room; provide the basis for the 70 percent or plant specific operating bypass level; discuss the human factors. design aspects of the continuous indication; and discuss the diversity and independence of the C-20 permissive signal (defeats the block of ATWS).

Position The design bases for the new ATWS unique C-20 permissive, which defeats the operating bypass, two out of two turbine first stage pressu~es increasing ~re:

1. "Westinghouse Anticipated Transients Without Trip Ana lysi..s, 11 WCAP-8330, August 1974.

2. "Anticipated Transients Without Scram for Light Water Reactors,"

NUREG-0460, December 1978.

3. Anderson, T. M., "ATWS Submittal, 11 Westinghouse Letter NS-TMA-2182 to s. H. Hanauer of the NRC, December 1979.

These three documents demonstrated that ATWS mitigation need not be initiated below 70 percent turbine load because reactor coolant system pressure does not approach the ASME Boiler and Pressure Vessel Code Level C Service Limit of 3200 psig (NRC criteria for successful ATWS mitigation). Continuing analyses on the part of Westinghouse, the results thereof which were presented at the WOG meeting in*

Pittsburgh, Pennsylvania, on December 18, 1986, have confirmed that peak reactor coolant system pressure resulting from an ATWS at 70 percent turbine load will not exceed the ASME Level C Service Limit of 3200 psig. However, as the pressure decreases, there will be bulk 134-BSD-5281S-26

boiling of the reactor coolant system inventory for 10 minutes after the ATWS peak pressure even with operator intervention.

Conseq_ue~tly, to pre~lude bulk boiling of the reactor coolant, the C-20 permissive setpoint must be reduced to 40 percent turbine load as determined by Westinghouse to ensure spurious ATWS mitigations do not occur at low power levels, i.e., less than 40 percent turbine load, or during startup. An automatic bypass will be provided to

. defeat automatic ATWS mitigation below 40 percent turbine load.

Should an ATWS occur below 40 percent turbine load, operator action will be required to initiate auxiliary feedwater flow to preclude the*

consequences of operating without a heat sink. The revision of the C-20 permissive to 40% is in accordance to Addendum 1 with WCAP-10858-P-A, which was submitted to the NRC by the Westinghouse Owners Group on February 26, 1987.

The conservatively proposed minimum setpoint is 37 percent turbine load which provides an allowance for instrument channel inaccuracy to assure ATWS mitigation will be available when the unit is at or ab.eve 40 percent load .

Diversity from the existing reactor trip system (7100 System/RPS/SS) will be provided from the sensor output. Sensor output is defined as the signal available at the isolated output of the diverse isolators, Technology for Energy Corporation Model TEC-156A. The ATWS mitigation system will use Gould Model 884 progranmable logic controllers (PLCs). These devices will comply with the NRC's diversity requirements because:

1. The PLCs are manufactured by someone other than Westinghouse.

2. The PLCs use integrated circuit *technology versus the discrete component/operational amplifier technology of the 7100 System.

134-BSD-5281S-27

3. The 7100 System comparators (Model 139-118 modules) have a voltage output where as the PLCs have analog to digital converters which provide a digitally coded output signal.

Independence. from the 7100 System and the RPS/SS (the reactor trip system) will be provided by diverse isolators .qualified to IEEE-STD-323-1974 and IEEE-STD-344-1975 to ensure independence between AMSAC and the reactor protection system consisting of the 7100 system and the RPS/SS. Qualified analog signal isolators manufactured by Technology for Energy Corporation will be used. The Model TEC-156A diverse isolator complies with IEEE-STD-384-1974 as.

interpreted by R.G. 1.75-1978, Revision 2. The Channel* III and. IV turbine load signals will be independently isolated.

The operating bypass will defeat ATWS mitigation below 40 percent turbine load. Consequently, the bypass will be continuously annunciated in the control room until it is defeated by the C-20 permissive. The control room annunciation is consistent ~ith accepted human factors guidelines. A human factors review will be conducted during the . design process to assure that the information provided by this display will not increase the potential for operator error under both normal and abnormal plant conditions. AMSAC will be integrated into the operator training program and the Station's simulator will also be modified to incorporate the implementation of AMSAC including this continuous annunciation, when the turbine is below 40_percent load.

The C-20 pennfssive, which will defeat the operating bypass, will utilize the existing* 7100 System turbine impulse chamber pressure

signals that originate in Channels III and IV. The use of the existing pressure transmitters, sensing lines, and pressure transmitter power supplies is permitted by* the ATWS Final Rule.

Justification for using diverse isolators, Technology for Energy Corporation Model TEC 156A, is provided in the SER which approved WCAP-10858.

134-BSD-5281S-28

G. MEANS FOR BYPASSING NRC Guidance The plant specific submittal should state that the means for bypassing is accomplished with a permanently installed, human factored, bypass switch or similar device, and verify that disallowed methods mentioned in the guidance are not utilized.

Position The means for bypassing, whether it be for maintenance or testing, will be by permanently installed bypass switches. The lifting of leads, pulling of fuses, tripping of breakers, and use of physically blocking relays will not be required for bypassing. Two switches per unit will be utilized. The primary bypass switch will be located... in the Main Control Room on Benchboard Section 2. The second bypass switch will be located within the ATWS mitigation panel (AMSAC). As stated under Operating Bypas! and Maintenance Bypasses, both switches will be annunciated in th~ Main Control Room. Both bypass switches will adhere to the requirements of NUREG-0700 with respect .to operating level, direction of operation, labeling, and annunciation.

A human factors review will be conducted as a part of the design process to assure that the control equipment, which wil 1 be added to the Main Control Room as a result of implementing the ATWS Final Rule, will not increase the potential for operator error under both normal and abnormal plant conditions. AMSAC will .be integrated into the operator training program, and the Surry simulator will be modified to incorporate the implementation of AMSAC.

134-BSD-5281S-29

H. MANUAL INITIATION NRC Guidance The plant specific submittal should discuss how a manual turbine trip and auxiliary feedwater actuation are accomplished by the operator.

Position Manual initiation of turbine trip can be accomplished from the control room via the two pushbuttons on benchboard Section 2. The turbine can be manually tripped via the trip handle which is located in the turbine pedestal in the Turbine Building. Manual *initiation of auxiliary feedwater flow can be accomplished from the control room by turning the control switches for motor driven auxiliary feedwater pumps l-FW-P-3A/B to start, and by turning the selector switchea for PCV-MS-102A and/or PCV-MS-1028 to open to start the steam turbjne.

driven auxiliary feedwater pump. All three auxiliary feedwater pumps are also controllable outside the control room from the Auxiliary Shutdown panel which is located in the Emergency Switchgear Room.

The motor driven pumps can also be started at their breakers in the Emergency Switchgear Room by use of the local breaker control switch.

All of these methods are diverse from the existing 7100 System/RPS/SS.

I. ELECTRICAL INDEPENDENCE FROM EXISTING REACTOR PROTECTION SYSTEM NRC Guidance The plant specific submittal should show that electrical independence is achieved. This is required from the sensor output to the final actuation device at which point nonsafety-related circuits must be isolated from safety-related circuits by qualified Class . IE isolators. Use of existing isolators is acceptable. However, each plant specific submittal should provide an analysis and tests which 134-BSD-5281S-30

demonstrate that the existing isolator will function under the maximum worst case fault conditions. The required method for qualifying. either the existing or diverse isolators is presented in Appendi X - A).1" - -

Pas i tion ATWS mitigation equipment, per 10CFRS0.62, need not be safety related, however, the existing steam generator instrumentation is safety related and AMSAC will provide outputs to the safety-related engineered safeguards system. Isolators will be required to ensure the independence of the existing RPS/SS.

New Technology for Energy Corporation Model TEC-156A isolators will be used to provide nonsafety-related inputs to AMSAC. The existing 7100 System isolators are not fully documented in accordance with the final AMSAC rule as fully qualified devices which provide safety circuit i sol at ion from credible postulated voltage/current fau.l ts imposed on the nonsafety-related circuits and therefore* will not be

used. The requirements for-establishing electrical independence were presented in Appendh A to the SER. Based on preliminary design infonnation, Appendix Ai/ is complied with for the* TEC-156A isolators, as follows:

1) Surry will

utilize diverse isolators for ATWS implementation. The maximum credible faults are 120V ac and 125V de as these two voltages are the only ones available with the AMSAC Panel and are the highest voltages the input signals could credibly encounter. The TEC-156A isolators were tested to 120V ac and 2000 V de. The test verified the isolation capabilities of the TEC-156A isolators by demonstrating that the lE side of the isolator was not.

degraded.

it Appendix A to NRC letter #86-654 dated October 6, 1986.

134-BSD-5281S-31

2) The maximum credible faults which the isolator could be exposed to are 120V ac and 125V de. The 120V ac is used to

- ~roiiij~- po~er to each of the 7100 System modules. The 120V ac power is also used to interrogate the comparators which provide a voltage signal to the reactor protection system. The annunciator utilizes 125V de for field sensing which eclipses the 40V de of the instrument loop power supplies. The maximum voltage applied during the testing of the isolator were 120V ac and 2000V de. The voltages were applied in both open circuit and short circuit test.

3) The data which verifies the application of the maximum credible faults to the output of the isolators is con~ained in the following test reports. "Test Report on Isolation Testing* and Measurements of the TEC Model 156 Series Isolators Including Shorts, Opens, and 120V ac Fault with Fuses Shorted" 156-TR-02 by Technology for Energy ~

Corporation, dated July 30, 1985, and "Test Report on Isolation Testing and Measurement of the TEC Model 156 Series. Isolators at 2000V de at 20mA with Fuses Shorted" 156-TR-03 by Technology for Energy Corporation, dated July 31, 1985. *

4) The pass/fail acceptance criteria for the TEC-156A isolators are contained in the above two reports {156-TR-02 and 156-TR-03).

5) The. Surry AMSAC panels including isolators will be procured seismically qualified and environmentally qualified for a mild environment. Environmental qualification and seismic qualification for the TEC-156A isolators is

provided in "Qualification Test Report for Environmental and Seismic Testing of the TEC Model 156 and TEC Model 159 Isolators" by Technology for Energy Corporation, dated August 6, 1981.

134-BSD-5281S-32

6) The following design features will be used to protect the 7100 System from any potential electrical interference

- *o"rigin-ating within AMSAC. All signal communication cables between the 7100 System and AMSAC will be two conductor shielded. The shielded cables will be routed through conduit to preclude safety/nonsafety interaction. The ATWS mitigation system, and AMSAC, will be housed in a front door access totally enclosed steel cabinet which will be solidly grounded to suppress any potential electromagnetic interference (EMI} or radio frequency interference (RFI).

The Class lE signals from the 7100 System will be supervised.

by the TEC 156A isolators, which are transformer couple.*

operational amplifiers, prior to entering the Gould/~Qdic*on

'* * .r*n**-**--

Series 884 Analog 8 Channel Input *Modules. This design precludes common mode and crosstalk between the Class lE 7100 System and the non-lE ATWS Mitigation System.

Electrostatic coupling, i.e., EMI and RFI are suppresseq by utilizing a stainless steel spot welded case which provides 120 dB of isolation at 60Hz. The stainless steel case will be rigidly mounted to a grounded and totally enclosed steel panel which \t{.ill provide an additional layer of electrostatic shielding.

7} The TEC-156A isolators are transfonner - coupled operational amplifiers. Consequently, the only Class lE power source required is the 4-20 ma.signal itself. The isolator is a 4 inch long box, 2 inches wide with the.Class lE terminals on one end (for the input signal) and the non-Class lE tenninals on the other end ( for the 1so lated output and the power connection, 24V de). The use of transfonner co_upl ing provides inherent fail safe isolation and the required energy transfer to make a Class lE power supply unnecessary.

The nonsafety-rel ated isolator - power supply will be supervised by an undervoltage relay which will.alarm in the control room consistent with accepted human engineering practice.

134-BSD-528lS~33

Virginia Electric and Power Company at present plans that the AMSAC output isolators will be Electro Switch Control Switch Relay Series 24.

CSR. The- two- cs-f rei°ays per panel wil 1 be mounted on a shelf in the AMSAC panel. The shelf will perform three functions: 1) Separate the safety-related top of the panel from the nonsafety-related bottom portion of the panel; 2) Provide additional EMI/RFI rejection; and

3) provide a mounting surface for the CSR relays. The CSR relays will be mounted such that the drive mechanism will be below the shelf (nonsafety-related portion of the panel) and the contact section will be above the shelf (safety~related portion of the panel). A barrier will be provided to separate the shelf into Train A related and Train B related sections.

Appendix A1/ of the SER provides the requirements for the CSR relay as an output isolator. Based on preliminary design input, compliance with Appendix A~/ is as follows:

1) The Electro Switch Series 24 CSR relay was tested in accordance with Electro Switch Specification ESC-Std-1000 to 2200V ac and SOOY de.. The maximum credible faults are 125V de and 120V ac due to the circuits interlocked on the input and output of the isolator. Isolation of input and output is assured through design. Only the drive shaft of the rotary solenoid passes through the barrier, thus assuring complete separation of Class lE from non-Class lE. Test documentation is on file at Electro Switch for the CSR relays.

2)

The Electro Switch CSR relays were seismically tested with a 2 ampere. 125V de.source applied and bench tested to 500V de and 2200V ac.

The bench tests far exceed the isolation

. requirements of the application for the maximum credible 17 Appendix A to NRC letter #86-654 dated October 6, 1986.

134-BSD-5281S-34

voltage faults of 125V de and 120V ac. The de voltage level is based on switchgear control circuits and certain solenoid

__valv_e~ __circuits. The ac voltage level is based on certain other solenoid valve circuits. The maximum current is 6.7 amperes for the switchgear closing coil. The switchgear 11 11 make rating of a CSR contact is 95 amperes at 125V de.

3) Data confirming the application of the maximum credible fault to the output of the isolator is on file at Electro Switch.

The tests were performed in accordance with Electro Switch Specification ESC-Std-1000 which compiles with IEEE-Std-323-84 and ASME-NQA-1-1-1983.

4) The pass/fail criteria for the CSR are clearly defined in Electro Switch Specification ESC-Std-1000.

5) The CSR isolator is seismically qualified as documented in Electro Switch Engineering Test Report No. 2903-1 dated April 15, 1980. Environmental qualification of the CSR isolator is provided by similarity to the fully qualified LOR and LSR.

The CSR is a special version of the LSR. The applicable document for environmental qualification is Electro Switch Engineering Test Report No. 2983-3 dated January 11, 1985.

6) The CSR isolator provides complete electrical separation between the Class lE contact decks and the non-Class lE rotary solenoid and control decks. Electrostatic coupling, EMI, COIIIIIOn mode, and crosstalk are all precluded by the relay design. Only dry contacts are available to the Class lE circuits.

7) The CSR isolator, being a reverse isolator (i.e., non-Class lE to Class lE) would be by definition not powered by a Class lE source. The contact inputs which initiate isolator operation are provided by progranmable logic controllers in a

134-BSD-5281S-35 two out of three logic matrix. The power for the CSR's

rotary solenoid is the same power source as that of the AMSAC panel's, i.e., 120V ac from the inverter/distribution panel backed by the Black Battery 11 11 J. PHYSICAL SEPARATION FROM EXISTING REACTOR PROTECTION SYSTEM NRC Guidance Physical separation from existing reactor protection system is not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be. such that separation criteria applied to the existing protection system are not-violated. The plant specific submittal should resporid to this concern.

Position Physical separation from the existing reactor protection system will be maintained by the use of qualified electrical isolators located in the AMSAC panel which will be physically independent of the RPS/SS.

The installation of AMSAC safety and nonsafety-related equipment including cabling will be in accordance with existing separation criteria as described in the Surry UFSAR and the requirements of IEEE-279-1968.

K. ENVIRONMENTAL QUALIFICATION NRC Guidance The plant specific submittal should address the environmental qualification of ATWS equipment for anticipated operational occurrences only, not for accidents.

Position The AMSAC panel and related ATWS mHigation equipment, except cable located in a potentially harsh environment, will be environmentally qualified for mild environments in accordance with the stafement of 134-BSD-5281S-36

clarification to 10CFRS0.49 and IEEE-Standard-323-1983. Cables, which are part of the safety related interface, are qualified under our existing EQ program. AMSAC will be powered by the Black Battery Inverter - whfch - -is *battery backed. Consequently, a loss of offsite power will not disable AMSAC, and the blower in the* bottom of the panel will provide adequate short-term ventilation for the enclosed programmable logic controllers and CSR relays until the safety-related diesels restore the safety-related air-conditioning system.

Other anticipated occurrences, such as loss of power to the reactor coolant pumps, tripping of the main turbine generator, and loss of circulating water, will not result in challenges to the operating environment of AMSAC. This is due to the installation of the equipment in an area of the plant which has a mild environment.

L. TESTABILITY AT POWER NRC Guidance Measures are to be established to test, as appropriate, non-safety-related ATWS equipment prior to installation and periodically *

Testing of AMSAC may be performed with AMSAC *in bypass. Testing of AMSAC outputs through the final actuation devices will be performed with the plant shut down. The plant specific submittals should present the test program and state that the output signal is indicated in the control room in a manner consistent with plant practices including human factors.

Position Virginia Electric and Power company, during each refueling outage,

will perfonn an end-to-end test of AMSAC, including verification of proper operation of the output relays and the actuation circuitry in devices which should operate. Virginia Power may, however, have the associated breakers racked out, or other final devices similarly removed from service at the time the test. The procedures which will be used to perfonn this test have not been developed at the present time but will be developed in accordance with Station Administrative Procedures.

134-BSD-5281S-37

Virginia Electric and Power Company has the capability to test the AMSAC panel at power, and will perform quarterly checks of the steam generator level set points at power. The related test procedures will be prepared in accordance with the Station Administrative Procedures.

- ~ .

An outline of a possible refueling outage "end to end" testing sequence is included.

Testing of AMSAC requires the following panel components: control switches, one pushbutton and the three section status array which displays the test results and requires the use of Oto 10 volt de test source(s). An I&C technician assigned to perform an "end to end" test would proceed as follows:

o He will inform the Shift Supervisor that testing is about to occur and assure that equipment which would be activated by A~SAC initiation has been placed in the proper condition for the test.

He would then proceed to the Emergency Switchgear Room, and open the AMSAC panel door.

Upon opening the door, AMSAC PANEL DOOR OPEN alarm will be annunciated in the Main Control Room.

o The inner door of the AMSAC panel will have a three section status array similar to the North Anna panel as shown on N8711-E-902. Each section will provide the status of a progranmable logic controller (PLC), identified as PLC-A, PLC-B, and PLC-C. Below each status array will be a function switch for each PLC, a master bypass switch, and a test pushbutton switch.

Note: Should a logic check be performed while a unit was at power, the individual performing the check would move the master bypass switch from "Normal" to "Bypass". This action would result in the annunciation of "AMSAC BYPASSED" in the main Control Room.

"AMSAC BYPASSED" would *have already been annunciated if the unit was operating below 37 percent load, or if the main Control Room 134-BSD-5281S-38

bypass switch had already been placed in bypass. In the case of the "end to end" testing conducted during refueling outages, the individual

.. .. - . performing the test will not turn the bypass switch from "Normal" to "Bypass".

Note: For the purpose of this discussion, testing of PLC-A will be described, as testing of PLC-Band PLC-C would be identical. To test PLC-A, the operator will rotate the 8-position function test switch for PLC-A from "Nor:-ma l II to "I, II, II I. 11 0 Position "I, II, III" of the function test switch will isolate the external level signals to enabled testing of the three voltage comparators for steam generator A level via an external 0-lOV de test s~urce connected to the AMSAC panel test jacki.

The test pushbutton has no function for ~his portion of the test.

Each comparator would be tested individually. A st~tus light on the AMSAC panel for each channel of each steam generator narrow range level would be used to verify that the comparator is set and operating correctly. Each light would extinguish when its associated comparator trip setpoint is reached.

o Advincing the test switch to position 11 2/3 11 would allow testing of two out of three steam generator levels less than or equal to 13% of narrow range span. A sequencer will be used to allow testing for all three possible combinations *. To start the test, the technician_ would depress the pushbutton to test the Channels I and II combination with the result displayed by the 2/3 status light. Depressing the pushbutton a second time tests for the Ch~nnels I and III combination, and depressing the pushbutton a third time will complete the combination by testing for Channels II and III.

o The technician would advance the test switch to the next position "Ill/IV." This position will isolate the external turbine load signals to enable testing of the two voltage comparators for turbine impulse load via an external 0-lOV de test source 134-BSD-5281S-39

connected to the AMSAC panel test jacks. The test pushbutton has no function for this portion of' the test.

Each of the comparators would be tested individually. A status light on the AMSAC panel for each turbine impulse pressure would be used to verify that the comparator is set and operating correctly. Each light will illuminate when its associated comparator trip setpoint is reached.

o Advancing the test switch to position "2/2" allows testing of both turbine load signals present. Since this will be a function test, a ~equencer will not be required, but the pushbutton will still be utilized to initiate the test and enable *the status light.

b The next position on the test switch is "C-20." This posit~on wi 11 test the 360 second time de 1ay upon no 1anger satisfying the I two out of two turbine load signals. Momentarily, depressing the pushbutton will initiate the time delay and the status light will illuminate; 360 seconds later the light will extinguish.

o Advancing the test switch to the "Trip" position will allow verification of the 27 second time delay, expiration of which will initiate mitigation. Momentarily, depressing the pushbutton will start the timer which will after expiration of the 27 second time delay illuminate associated trip status lamp.

0 The AMSAC output relays for each unit will be validated by I operation of two PLCs at the same time. The two PLCs will

complete the two out of three voting logic matrix which will actuate the CSR relays and the non-safety related outputs. The I test will be considered acceptable when all three possible PLC logic matrix combinations have satisfactorily demonstrated output isolator operation.

o The next position, "Reset", will. allow the time delays to be reset, so that misoperation would not result during an _at power test when the switch would be returned to normal and will also 134-BSD-5281S-40

reset the counter monitoring PLC-A module status in the unlikely event of a detected module failure.

Note: During an. at power logic check the technician would then crosscheck with the Control Room operator that the steam generator levels and turbine impulse chamber pressures indicated on the meters of the AMSAC panel are in acceptable agreement with the values indicated in the control room.

o To return AMSAC to service, the technician will res~t all of the function.switches to "Normal", will assure that the bypass switch is still in "Normal", close the outer door, and will inform the Shift Supervisor. The control room operator will then assure that the switch on the control room is in the "Normal" position.

The AMSAC DOOR OPEN annunciator will then be extinguished.

Testing of the protection instrumentation for narrow. range steam generators A, B, and C level, and for turbine load Channels III and IV is provided by Technical Services through regularly scheduled periodic tests. These tests include calibration and operability test of the level transmitters, pressure transmitters, loop power supply modules, and the new TEC isolators.

The lifting of leads, pulling of fuses, and the installation of jumpers will not be required to test AMSAC.

M. COMPLETION OF MITIGATIVE ACTION NRC Guidance AMSAC shall be designed so that, once actuated, the completion of mitigating action shall be consistent with the plant turbine trip and auxiliary feedwater circuitry. Plant specific submittals should verify that the protective action, once initiated, goes to completion, and that the subsequent return to operation requires deliberate operator action.

134-BSD-5281S-41

Posi.tion Once initiated, AMSAC will go to completion and deliberate operator acti6fi will 6~ iiqui~ed to reset and return to normal operation.

Completion of mitigation action will be assured through circuit design; The ATWS mitigation system, AMSAC, will use rotary relays*

for safety-related outputs.

The auxiliary feedwater pumps circuits are bi-stable. The electrically driven pumps are enabled by 4KV switchgear which latches when closed, so that a loss of control power will not de-energiz~ the pumps. The steam turbine driven pump is enabled by tripping open the steam supply valve which is its fail safe position. Turbine trip is accomplished through redundant trip circuits which energize solenoid valves to dump auto-stop oil pressure. This allows the interface valve to drain the EHC system which trips the turbine. The steam generator blowdown and sample isolation valves are also tripped to their fail safe position *

Restoring these circuits to remote manual operation from the Main Control Room* requires the following: 1) reset the RPS/SS; 2) relatch the turbine at EHC Panel; and 3) reset AMSAC after steam genetator level has recovered above the setpoint; N. TECHNICAL SPECIFICATIONS NRC Guidance Technical specification.requirements related to AMSAC will have to be addressed by plant specific submittals.

Position Vi rgf nia Electric and Power Company agrees with the position stated .

in Westinghouse Owners Group letter OG-171 to the NRC dated February 10, 1986.

134-BSD-5281S-42

"We believe that .the imposition of Technical Specification requirements on the WOG AMSAC System would constitute a backfit under

- - . - . of the provisions - -

10- CFR Part 50.109. We do not believe that Technical Specification requirements for AMSAC provide a substantial increase in the overall protection of the public health and safety from the low-probability anticipated transient without scram (ATWS) events. 11 "We believe that Technical Specifications for AMSAC are unnecessary,_

do not enhance the overall safety of nuclear power plants, and constitute a backfit. We believe that normal nuclear plant administrative controls are sufficient to control AMSAC. 11 Virginia Electric and Power Company will institute an administrative contra 1. program or wi 11 use or modify existing prog_rams to provide for testing, maintenance, training and control of AMSAC.

6.0 ADDITIONAL NRC CONCERNS A. Appendix R Position A review of Report ~title Appendix 'R' has been completed to detenni ne the effect of AMSAC. The overa 11 impact of AMSAC was favorable as it provided further assurance of reactor trip, turbine trip, and auxiliary feedwater initiation while adding minimal additional combustible load. The review identified Volume I, Chapters 3, 4, and 5 and Volume III Chapter 8 as the areas potentially affected by the addition of an ATWS mitigation system.

Chapter 3 provides the*safe shutdown system analysis. Paragraph 3.2.7 through 3.9.4 were reviewed. Paragraph 3.6.l discusses reactor trip which results from automatic operation of the Reactor Protection System or operator initiated manual trip. The failure of the Reactor Protection System is precluded as the system is fail safe. The ATWS mitigation system, AMSAC, does trip the reactor directly through the rod control motor generator.

134-BSD-5281S-43

sets, and indirectly through turbine trip, but the AMSAC system requires power to trip, i.e., it is not fail safe. Paragraph 3.6.4, "Reactor Heat Removal Function", identifies the role pfayed* by - the* auxiliary feedwater system in recovering from a postulated fire. The addition of the ATWS mitigation system, AMSAC, does not adversely change.or affect the function of the auxiliary feedwater system. Paragraph 3.6.5, "Process Monitoring Function" identifies the essential monitored parameters required to achieve hot shutdown and go to cold shutdown. AMSAC being fully Class lE isolated, does not affect the process monitoring function. Paragraphs 3.6.6, "Support Functions", and 3.6.7, "Hot Standby and Cold Shutdown", exclude the reactor protection system as a requirement to achieve and maintain safe shutdown. AMSAC, as an extension of the reactor protection system, likewise would not be required. to support safe shutdown.

Paragraph 3.7.4 describes the design and function of the auxiliary feedwater system during the hot shutdown to residual*

heat removal stage of incident recovery. The addition of the ATWS mitigation system, AMSAC, does not change or affect the function of the auxilia~y feedwater system, as the purpose is to improve the reliability, of the reactor protection system and not to mitigate the consequences of a fire. Paragraph 3.9, "Associated Circuits of Concern", was reviewed and found to be unaffected by the AMSAC modification. The ATWS mitigation system, AMSAC, will not affect: 1) the coordination of the Emergency Power System, 2) electrical protection of associated circuits of concern by connon enclosure (the AMSAC panel), and 3) introduce spurious operation other than that already identified in Tables 3-5.C and 3-5.D.

Chapter 4 identifies the methodology used to provide compliance to Appendix R*. The areas of concern are Fire Areas 3 and 4, Emergency Switchgear Rooms Units 1 and 2, respectively.

Paragraph 4.4.2 addresses these fire areas. As a result of the .

fire, the 4 kV emergency switchgear and the 1100* Process Instrumentation and Control System may be unavailable. The 134-BSD-5281S-44

consequences of adding the AMSAC panels would be the potential for fire related misoperation resulting in a reactor trip via a turbine trip. Since the r~actor is placed in a safe state consistent with the safe shutdown analysis, it can be assumed that misoperation of the ATWS mitigation system, AMSAC, also is of no consequence and is bounded by the existing report.

Attachment 1 to Chapter 5 of the Appendix 'R' Report describes the worst case fire scenario. The two most ~ensitive fire areas are the Emergency Switchg~ar Rooms and the Cable Vault/Tunnel. A fire in either of these areas results in jeopardizing control and indication functions in the Control Room, prohibits the use of the Auxiliary Shutdown Panel, and requires the most extensive use of local shutdown capability in combination with the Control Room and Remote Monitoring Panel. The addition of an ATWS mitigation system, AMSAC, in the Instrument Rack Rooms of each unit has no impact on the worst case fire scenario because automatic initiation of the auxiliary feedwater system has already b~en.

assumed to be lost, and the use of local shutdown capability will still be required. ATWS mitigation System (AMSAC) does not affect the stat 1on' s fire protection capability. The AM SAC system's function is to provide an improvement in reactor protection reliability.

Chapter 8

provides the combustible loadings, some of these loadings will increase due to the installation of AMSAC, but the increases should be acceptable. When final design information is available, a final loading review will be performed.

The AMSAC modification does not adversely impact or affect the existing Surry Appendix R Report. Consequently, complying with 10CFRS0.62 will not prejudice existing compliance with 10 CFR 50 Appendix Rat Surry.

134-BSD-5281S-45

1 A

111111 B E

.,***aaa f G H J K L M N p Q R Ql.rAIIT s T u v.

2

~

.£ .....

Ulal.f'IU II SIIUOIA l'Ul--A Nl12'-l-f-i02 L ~

3

~ L 4

5

~ L

..***m&

, ..... - 2

--*119.

1111>>-1-f-lOZ Ula &nil. II

~ *,maa 2/J IIUIIII 6 M-L . ~

7

~ L .

--*119.

., ... DIS DIIAIIIHG SHOW> llf INWIINJRAJQI

.. IO 'It[ LSIHI 5ElllS ar 8

~ ..,...

a*cL£WL IMIIIIA l'OIIJI IIJIAIMlli UNIA 1l 9

~

L

- cwa

. . , .. a. - 2/J LOW l.flO. II SJII IDI C fllrC j 1111a-1-£-tm 1

..,... SAff TY R£LA lID L

Sv-£C 14938.46

~

11118 Cl.NL DC-87-26-1 UJQC OIAQIAil 11 L NIIOl'AIID IIIAH:iilJHS

DIii.iT 5'IIMI 118'AIICII SCSIDI (AIISAC)

IIIIIU: Sla1 Pl)llll SIAIIIIII. lllfl I I. Ml UlltJS - UICAD Al ff All5AC PM&. IIIQIIAPCllill I. allilli - 181111[ MID'&D aMISIJIII IOall PM& llllllAD mD PMll.

SIOHC

IIIEIISllR fNCINHH1NG COlcl'OHADON

--&- _.,.,, . . .,-.. A NB/26* l*-E- 600, REV. 8

1 2

B C D E.

- f G H J M N p Q R S T u V J

4

~- fOIISIN:

SAl9D 11\C I 5

6

... C-Jlll'IJIISSl[

SAl9D

-*-= -,--

Lal _ _ _ _ _ _ _ _ __ 11\C C 7

8

& A--.... -,_--r~----...___

& * - . _ * - . _ , . tHU: * - - - -. . . tin>>

9 I-fSWTQjEONS 0-fl.CA 0-fl.CI SAFETY RflA TEO S\\f:C 14937.46 11

/ DC-87-26-1 UIQC IIIMaAII

~-... AIIICl'A'EI aAN:ilOIIS *IIWI DAM

. . . . . . Sl$IDI (AMSM:)

Sim l'OIIII 5111111111, INI I lllll:IIIA . . .

4,. N8726-l-[-60J, REV. B

1 --

A

.._H__

m>>-H--

B 4

1 C D N p Q R T u V 2 Ull-l-2A

---*1-- 1 3

---H-- 2 4

---*1--__

..,._H 5

2 5

--H-- l 6

.,._H__ I

.._H__ l3H-2A l

7 8

9 *

n/\ SAFETY RELATED L ~IUIM Ullff Ull:Allll

MMI CXlllm. . . . . . SWEC 14937.46 OC-87-26-1

.i1 J. ~ r >> - : , . . . . . fGm CIMVD UDD

Ia-..&. 8ffGli C111U Q:jQ

~ &51AUJU Of DUOS ElllaD.

UIQCDIMJIAII All-,(EI DIANSl{H IS *DWr 5a1A11 1111.AIIIIII SlSllll (AIISAC)

SIIIY l'OlfJI STAIIOII, INJ I IIQIA fOl(JI

-- -~ . ...

1HIS DltAIIIHG 5HOLU) *

..10 '9tE UiK-a 5laS IIY IMQleA ~ ~ UPDAJl" NDINIIAIID 4;, N8726* 1-f -602, R[V. B

1 A

llllact 0 ..

B C OJ

-(

E

....... )

f G H J K L M N p a R s IIE!SII.JAIIJ

--&~JuN'A T u V 2

3 11111111 4

IUH u.-c 5

6

_,_ u.-c

.... A AIISAC aaat

-- .... IIIUll;..

L H LOI (LOSS IF IIMJlftM IO.JAQ:) IO.JAQ: 5IQIAI. 15 IDIJlllD INEIIAU.Y 11A H l'lC UIQC. ff !iQIM. 15 7 IDIJIIID 11A ff ,U: AS USllD II 11111£5 l I a J.

Z. ff flllUJEY tJII (CJIU l'WI) 91M. 15 IDDNII IY A au

K ,U: AS U5'EI II IIOlfS l I a l. It[

OfllA- fl A Ml LIUI IIE MIIIU f# IIE PULSE IUh\

Ill CAIIS( . . AIMIi.

~ 1l:Ola:M. UNIJ CDD (JSC) ._IOU'TM1£ 8

. . . . Sll'ft.Y (11'5) IUD<< IIOll1lalG 15 flll l'lC MIJEIIII MG '11 ll(l(Cf 'IDOL LGill fl S1SBL IUh\ 4. All MMII 1.111115 I<< UICAJBI Al H M1SAC P.UU..

I. 11£-A IDIDIS ~ l.Glr flUWCY a IQ.JAIi: J11WU.

I. PLC-a IINRIIS 11.C-A l.Glr fllUIDCY a IQ.IMI: J11111a£.

9 J. ft.CH: IDIJIJl5 ft.C-11 tJII fEIOl:r

1111.JAII: IIOlaL

~ I. EMIi l'lC Ill IIND RS IIHCN J/0 IIIDUS FAia$.

I. All llllllS I<< UICAJBI

1B il9Ul'tf S1C1111 f#

. . . . . ff . . . . .

1 ~

SAffTY R£LA TED IAllllll&ia SM:C 14937.46 11 fUHI

,waa:rua

.u:-.

1111.tMl(HJa 11111[ ,

15!11111 ISliWI FIii ll\4fl FIii 11.1<<Jf OC-87-26-1 UD:IWIIMI Alfllll'AEI 11N151DtlS *IIWJ 5a1M1 11111.AIIII SlSIDI (AIISAC) 9.IIIY l'Olfll SIAIION, llfJ I IIDIA POIIJI

---.... ._...._. *-- Sl11Nt:

IIEBSIEJI CNGIHURIHG COll'OffA DON A N8726-1-f -603, RfV. 8

ML18151A510

Contents

Text

1.0 INTRODUCTION

2.0 BACKGROUND

1.0 INTRODUCTION

2.0 BACKGROUND

Navigation menu

ML18151A510

Text

1.0 INTRODUCTION

2.0 BACKGROUND

1.0 INTRODUCTION

2.0 BACKGROUND

Navigation menu

Search