ML19220C134
| ML19220C134 | |
| Person / Time | |
|---|---|
| Site: | Crane  |
| Issue date: | 05/28/1969 |
| From: | Moore V US ATOMIC ENERGY COMMISSION (AEC) |
| To: | Boyd R US ATOMIC ENERGY COMMISSION (AEC) |
| References | |
| NUDOCS 7904280282 | |
| Download: ML19220C134 (14) | |
Text
{{#Wiki_filter:.,. MAY 2 8159 Roger S. Loyd, Assistant Directer for Reactor Project;, DRL TH2D: Saul Lavine, Assistant Director for Reactor Tachnology, DIL SAFETY ANALYSIS: *11RRE MILE ISLAliD NUCIIUL STATICN, UNIT liO. 2 ; DOCIET No. 50-320 The safety analysis relating to Three Mile Island Unit No. 2 instrtmentation, control and emergency pover is herewith transmitted for inclusien in the report being prepared for censideratica by ACRS at the July :aceting. ~ Orif"31 STO yass A.MW8 Voss A. Moora, Chief Instrmnantation & Power RT-443A Technology Branch DRL:1&PT3:DFS Division of React.or Licensing
Enclosure:
Instrumentatica & Control cc:
- 1. Tedesco D!.s tribution :
- 1. Powell ll",}
-74uppl. DRL Reading bec: S. Levine AD/RT Reading R. DeYoung I m Readfng V. Moore D. Sullivan \\ emer > .J).RL:XS?I3.. '....DRL :.I653 l DAD /RT AD/RT .I - $[ AN,~ RDeYoung,___YO$"',Kk R,7 ? \\ summt, l?S'ilfi?.an.;.ese....'VMobre [ SLeving ,,,,,, l l ent l 51:28.. /. 6. 9.. ..S..b.2.S.. /6 9 _5./s ?. /69. _ 5_ ;'..f/69 /. 4 U Fortn AEC-5t8 Rev. 9-53) AFCM 0 40
- e. t u san oin e,-
..e s,.ca sw om sir BI ,300 tt'1250'ZFZ-
EY 0 81959 INSTEMrr:'ATION AD CONT 1tCL The Cecr.issica's General Design Criteria and the Proposed IEIZ Criteria for Nuclear Power Plant Protection Systems (IIII No. 279), da ted August 23, 1968, served, where applicable, as the bases for judging the adequacy of the Instrumentation and Control systems. A comparison has been made with the previously approved Russellville plant for the purpose of avoiding repetitious analyses. Accordingly, only those design features which are new, or for which additional information has been received, are addressei arein, We have verified that only the redesigned rod control system, incl'ading the scram bus, and a slightly modified pump so4itor logic circuit ce.ascitute rovel features. In addition, the appJicant has submitted envircum ntal criteria (post accident, sei-w,c sec.) and testing inforzation unique to this station. IN STRUMDrfATICN Scram Bus The new design for the scram bus is shown in Figures 7-23 and 3-70 of the PSA1. As in all previously approved designs, the initiating cir-cuitry for scran is cocprised of four "two-out-of-four" (2/4) celay matrices which are, in turn, actuated by the protection instrument system ~ channels connected in a 2/4 general coincidence arrangement. I I cmcr > l sunwr >. f l I l DATE > I.. ( Form AIC-319 Rev 9 33) AICM 0 40 e a novasases, ci.e ore.ca toes o-n eit
l'!AY 23 I339 Instrumentation Es Centrol 2 Downstream of the relay ma: rices in the new design is a set of breakers which, when tripped, interrupt (a) the voltage source to all power supplies, (b) the control voltage to the control red drive SC1's, and (c) the output voltage frota the " hold" power supplies which are used to hold the safety groups subsequent to withdrawal. There are four groups of safety rods (Gr.1-4) and four groups of control rods (Gr. 5-8). Each group is acergized (moved or held) by two power supplies connected in parallel such that the loss of a power supply doss not inittsts a spurious trip of the associated group. In series with e.ech control rod power supply is a gate cir-cuit. In series with each hold supply 1. an independent trip breaker. Trip logic is 1/2 x 2 since the tripping of a power supply or its gate (breakar in the case of the safety rods) and the other power supply o,I,its gate (breakar) trips the respective red group. With respect to sfog?.e failures, our analysis indicates that, because of the redundant breaker logic (1/2 x 2), a failed breaker emnnne prevent a scram. Consequently, it appears that the only areas of vulnerability remaining to be considered are those which arise from possible short-to-line fanAts downstream of the breakars vbich, by their nature, could not be tarminated by breaker action. Any such fault which occurs imediately devnstream of a breaker is equivalent to breaker failure, Aich has been considered above. ~ I l I cr icz > ......__.. l sun-c>l ent>l ro,= uc.ne e. 9-m ucx o:w a
- n...
..a ...._..n 8/ ,310
Instru:nentation & Ccatrol 3
MAY g 3,ggg Potential failures devnstream of the power supplies and gate circuits should next be considered. An unsafe failure of any one (or combination) of the gate circuits to a pcver supply will be overridden by the breaker which interrupts the voltage to the supply. An unsafe failure (again, a short to line) downstream of the power supplies would affect only one group; the remaining seven groups would not be prevented from scram-sing.
In terms of testability, we believe that all of the faults postulated above are inherently accectable. For ex4=ple, shos e circui':s between the various portions of trip circuits would be detectable inassaich as each path of the collective circuitry can be independently tripped. Thus, the presence of a voltage dovr. ream of a tripped com-ponent would indicate the presence of a short circuit.
Sased on the foregoing analysis, we beliave that the design of the scram bus satisfias all present criteria with respect to redundancy, independence, and testability and is, for these reasons, acceptable.
Pumo Monitor Logie The pump monitor logic has been changed to permit the loss of two pumps tithout scr= Mn! provided (a) the two pumps are in different loops and (b) reactor power is less than 50% TP.
Va have concluded that this modification does not comptet '.se plant i
i Of71Cs >
SURMAME >
DATE>1.
i Form AIC.518 r Rev. 9-M) AICM 0240 a s. sosseneser **eertne we
SURNAWE >
l I
l I
h I
DATT > I..
...J..
Form AIC41s iRev. 9-53) AECM 0240 v.s novannesev omsvine w, cs roes o.awi r n/
7$)
~
OI Jt' W
Instru= mint. tion & Control 5
NAY 2 81569 components of the protection system, including the station batteries and racks, vill be designed to withstand si=ultaneeus accelerations of.08g vertical and.12g horizontal. We understand that the accelera-tion valuer represent ground motica and do not necessarily apply at the equipment location. We will discuss the matter with the applicant and will ba prepared to report orally to the Con =nittes.
Assuming satisfactory resolution of these items, we believe that the applicant's criteria with respect to the functional capability of vital components under seisnic conditions are acceptable.
CONTROL The rod control system has been redesigned to accommodtte the new drives which have replaced the previously approved rack aod pinion concept.
Tae system is daccribed and evaluated i:
Sectics 3.2.4.3 of the 2
PSA1. A block diagram is shown in Figure 3-70.
In addition, the applicant and I & W presented supplementary infor-mation to the staff Juring a meeting at Bethesda arranged for this purpose.
Each of the 69 rods is powered by a stepping motor whose stator and rotor are physically isolate <' by the pressure boundary.
Stato r windings are star-connected and are sequentially energized to produce I
CFT1CI >
8' sumur >
cart >
1
.......l._.
.... a e
Form AIC-51s ' Rev. 9-53) AECM 02w a s. no.u..m...e owes
..o-n..,
y 7$,
/
Ji3
Instrumentatica & Control 6
MAY 2 3 EU rotor motion. For exa=ple, when tvo adjacent stator vindings are energized, the rotor vill align with the magnetic vector resultant; i.e., it will align midvsy between the two vindings. Energizing the adjacent vinding while retaining power at the first two will yield a resultant alcug the central (of the three) stator vinding;. Thus, by sequentially energizing two and three vindings, a rotor vill be displaced 30 degrees per step. Further, in addition to displacing a rotor, the magnetic field serves to clamp the roller cut to the lead screw. Scram is accomplished by de-energizing the stators.
the rods are divided into eight groups (four control and four safety). Each control group has its own pair of power supplies. A fifth pair, the Auxiliary Power Supplies, are used to withdraw the safety groups one at a time. A sixth pair, the Hold Supplies, hold the safety rods in place once they have beer. withdravn. The elemenca of a pair operate in parallel in order to prevent loss of centrol, or a trip, in the event of one power supply failure.
Aa shown in Figure 3-70, each power supply (e.g., Group 5 Supply A) is energizad from a 3-phase source. Ethin a supply, the 3-phase is transduced to 6-phase, star connected. Within each supply there are six sets of six SCR's.
The cathodes of each set are connected in com-acc and to one of six output points. The anodes of each set are t.aspec-tively connectad to one of the six a.c. phases described above. Thus, each set of SC1's becomes a six-phase half-wave re cetMer N =4v l
I I
l omfAftput--pointe-(plus a cocuoa rgl turn) are"raspeet1W1'y donnect'ar16'He
~
I l
l I
~
SURNAMC D I.
CATE >
I Form AEC-H e t aev. 9 53) MCM 02+0
- L oam * = * =' ** *" "* < 8 ' * * * * - " * - * ' '
7 [
Instrumentation & Control 7 MAY 2 81c59 stator vindings of a rod motor, or motors when the stators are connected in parallel. The energiaing of two and three windings is then accom-plished by the gate circuits shcvn in 7tgure 3-70 as a single SCR sym-bol. Each symbol represents six gating circuits (one for each of the six rectifiers). The gating circuits are themselves sequenced from photo-cell circuits which receive light i= pulses f cm a coded disc rotated by the programer motors. When in motion the progra=mer motors are synchronized to the vital bus which is supplied frem an inverter. Thus, each rod is synchronized to its programmer motor and to the vital bus. Rod position indication is by means of 69 individual indicators (scale and pointer). Iod position is sensed by reed switches whose outputs are analog signals prcportional to rod motion. A deviation alarm compares the analog position for each rod to its group demand position sta annunciates any deviation. The group demand is derived from the programmer outpute our analysis of the control system considered potsucial malfune-tions which cou? d permit, or cause, spurious reactiv4.ty insertiena. With respect to malfunctions which could causa more than the intended group to be withdrawn (at design speed), we agree with the applicant's analysis that, should a multiple withdrawal of any number of rods be initiated at any power level, it would be successfully terminated by the protar. tion system. CmCI > I l SURNAWE > mrr, l 4 Form AICats.Rev 9-2 AECM 02 0 an.so.tu.s eniavm v.<a . s e-a +-eit 87 H 5
'/ AY 2 8 1959 Instrumentation & Coatrol 8 i With respect to withdrawals at greater than desi;;n speed, vc believe that the applicant has not censidered the pcssibility of excessive withdrawal speeds resulting fros a runaway progr.'rre r. Since each progra:. car is a synchronous motor supplied fr:.a an inverter, it follows that a spurious frequency change at the inv-ter vould result in a corresponding change in rod speed. At this stage of the review, however, we will accept the applicant's criterien that the drive controls, or mechanism and motor con:binatica, shall have sa inherent speed-limiting feature (Raf. PSAR, Page 3-93). We will study the final design dur$ng the POL review in order to confirs that it satis-fies the criter'.on. With respect to rod position indication, we believe that it is satisfactory inas=uch as it conforms to the provisiens of Criterien 13 and is otherwise consistant with recently approved systems of similar design. Based on the foregoing, we believe that the applicant's criteria and design approach are acceptable. IMZ2t'EXCT PCUER Gtnaral Design criterion #39 served as the basis for judging the adequacy of the Emergency Pever System. offsite F wer I l -Offsits-41sctrical power-i fe? 6 -two.e ginaarsd-safnty..faature cmcz > l SJRNAME > ; [ D ATI > Form AIC-518 i P.ev. 9-E AICM 02+0 e a eov an==aw, ** =e =+ omes e ssa e-a.+-ei ? 3/ 8/ yJiu ~
' N 2 8 I363 Instru=catation & Control 9 (essevial) buses is furnished by two auxiliary transformers, each connected to a separate bus at the 230 kv substatica. f.ach essential bu-is scrually supplied fro:a a separate transforacr, with provisicaa for autocatic transfer :o the other trans formr. In addition, a tap is made frco each Unit No. 1 auxiliary transfor=cr so that either may be used to provide anothat source of power if required. The breaker-and-a-half switching arrangement in the 230 kv substation allows any of six lines or either of the unit generators to be connectsd to either of two full capacity main buses that aupply the two auxiliary transformers of each unit. If the substatica is separat ad frcza its tias to the 230 kv system, neither the reactor nor the turbine should be tripped, and either Unit No. 1 or Unit No. 2 itscif can supply tha auxiliary demand through the substation and the auxiliary transformers. Ingineered safaty feature loads will be duplicated in two indepen-dent systems with each systan being fad frca on= of the 4160 volt essential br. as. A mm_.nlly operated bus tia is providad for emergency use. Analysis has shown that the sudden loss of Unit No. 2, or the simultaneous sudden loss of both units, will not cause instabilities within the exterusi grid. The offsite system is arranged with sufficient tidundancy and + CmCE k l l $URNAME > l J DATE >.. ' ' ~ ~ ~ ' ' - - - ~ ~ ~ ' - - - - - * - - ~ - - - - - - Form AIC.518 iRev. 9 53i AICM 02e ,i 8/ Jl.f 7 71-
Instr =catation & Ccatrol 10 MAY 2 81969 autonstic switching so that an/ single f.tilure should laave oca of the essential buses in service to m et nini=as requirements. It is therefore considered adequate to =ect the requirar. ants of tha criterica. Onsite Powr Onsite electrical power for the two engincorud safety feature buses is furnished by two diesel generators. Zach emergency generator will feed one of the two engineered safety feature 4160 volt buses (split bus arrangement), and only one is needed to supply the neces-sary load. The 4160 volt buses and tLeir associated 480 volt buses will be phyrically separated from each other. The essential buses, the diesel gener3 tors, and the fuel supplies will be of Class I seizmic design. Enclosures housing the diesel generators are of all-concrete construction with eighteen-inch interior walls and three-foot exterior walls for earthquake, fire, and tornado protection. The underground fuel oil storage tanks will supply one generator at fdl pcwer fc,r seven d.ays. Each diesel generator will start upon loss of its respec ive bus and will energiae that bus when it has achtsved rated speed and voltage. In addition, both diesel generators start upcu occurrence of (1) Initia-tion of Safety Injection, (2) Over-pressure in the Reactor Building, or (3) Loss of either transformer source, Equipment for shutdown is then sunually cennected to the bus. If there is a requirement for CFTICI > i l I sunnawt >. ..............I om,, !, ..-l .......L'. , _ m.,,. _,. m,e.. .........l 8_/ 313
2 0 l365 Inscrua.ntation & Cor.crol 11 engineared safaty feature system operation, the respective equipment is autoutic. ally started sequatially as so,;n as each generator een-necta to its bus. Zach diesel generator has a continuous rating of 3000 kv. Max-imum emergency load is 2749 kw. nua, assuming failure of one diesel, there is a 91 margin with respect to the continuous racing. The diesel generators can be separately tested (s. carted and Icaded) during reactor operation. Further, tiu splic bua design allcus the independent testing of each safety feature sequencing system. The 250/123 volt, 3-wire d-c system will consist of two buses, each supplied by a battery and static rectifier charger. The two buses and loads will be arranged as a split bus and will be designed to satis-fy the single failure criterica in terms of connecting EST loads and shedding unneesssary loads in the event of an accident. Each battery is sized to carry the necessary load for a period of two hours. ne ~ two ststion batteries will be located in separate rooms of a Class I Structure. We believe that the design of the onsita emergsney power system fulfills the requiramenta of Criterion #39 relating to independence, redundancy, cascability, and functional capability and is, for these reasons, acceptable. l i omcr > ..j....... h, sunawc >,... 1 i I DATE > l. ..l........ l Form AIC-51a < Rev. 9-33) AICM 0240 y a was..e., .,i opr.cs. o_ e 7ih 8 "[ Ji/
Instrumentation la Control 12 gy g g ggg t'a ble Separation The applicant's crite-ia relating to cable tray loading and separatica have been submitted in Sectica 8 of the 73A.1 and in Supplement f2. These criteria apply to the protection system and the on.sita power system and are sumarized below. A. F.etal enciesed bus ducts will be used for all major bus runs where large blocks of pever are to be carried. The routing of the ducts will be such as to minimize their exposure to mechanical, fire or water da= age. 3_. 'Jire and cable related to engineered safety feature and reactor protection systems will be routed and installed in such a way as to maintain the integrity of their res-pective redundant channels and protect them from physical damage. Power and control cables for duplicate auxiliaries or services will be run by diffarent routes to lessan the probability of an accident's disabling both pieces of identical equipent. C. Cables will be selected with respect to their current carry-ing capacities, insulation properties, and mechanical construe-tion. 'J. ?cver circuits af 400 volts and less shall be ins talled with e m ez >. _ _ _ _ _... nly ne layer in a tray. i l SURNAME > f ._J f i DATE > ' Porm AEC-318.Rev 9-53) AICM 0240 u aosan.etw ci.e omcs tesa e-ae-eit 8 / x,,0a
b Instrueentation & Centrol 13 E 23 1939 E. Insulation used in power cables shall be rated for 90 C ccuductor te=perature, but the sizing shall be based upcn a conductor te=perature of 75 C. We have reviewad the criteria as presented in the PCA:t and con-cluded that, if properly i=plemeted, they reduce the probability of cable fires, and provide protection against randem and systenatic failures. Our conclusion with respect to the low probability of cable fires is based on (a) the limited loadin;; of the trays carrf ng the i 480 voit power circuits,- (b) the derating to 75 C, and (c) the proper selection of all cables in terms of current carrying capacities. With respect to systematic and randce failures, we conclude that the diverse routing of redundant cables can, if pr:perly installed, provide adequate protection against the prepagatica of a ' fire, and against any lesser single event occurring within a tray. We have observed that there are no c.*iteria with respect to fus ing. We will resolve this prior to the meeting with the Cemittes. Apart from this one reservation, we are in agrescent with the applicant's cable tray loading and separation criteria. CmCZ > l 4 i SURNAMt > -{..... DATT>!- Form AIC.318 iRev ' 53; AICM 02+0 a s. eennaeast mertoe omcs 'ess e-ase.eo 8f )7 $j - 9 h}}