Text

li 3

M yn l

v L

1 o

4 O

e l

l l

O o'o1 soo,o,ogo

CONTENTS APPENDIX 7 7A ANSWERS TO QUESTIONS i

l l

I l

l l

l n,nn -

nu l

l 0072 Amendment 3 A7-1

[

Docket 50-312-

\\~-

Amendment No. 1 February 2, 1968 QUESTION One can postulate several "First faults" in the " trip" bus feeding 7A.1 the rod release mechanisms whose existence cannot be detected during routine testing (e.g., the connection of the positive side of a d.c. source to the bus). The bus can therefore be disabled by the first single failure criterion. Discuss any changes you may make to remove this vulnerability.

ANSWER Several possible alternates are under consideration for the d-c Refer to bus feeding the control rod drive clutches in order to give 7.1.2 extra assurance that the clutches will be de-energized. These include the following:

a.

Split Bus Sections This arrangement would divide the rod clutches into two or more groups, each on its own independent power bus.

Thus, should there be a series of faults which held one bus ener-gized, it would in no way inhibit trip action by the other group or groups.

b.

Split Bus Sections and Automatic Rundown I

)'

N.

This arrangement would be similar to a above, but would take credit for automatic rundown of the drives simultane-ously with a trip. Taking credit for the automatic rundown would allow greater freedom in the selection of subgroup size and arrangement.

c.

Bus Shunt Switch This arrangement would provide a short circuit across the two conductors of the clutch bus thereby reducing the voltage to zero. The effect of this arrangement on clutch release time (due to trapped magnetic flux) has not been determined.

For further information see answer to Question 7A.11.

l3 d

O oc73

- e Amendment 3 7A-1

QUESTION Discuss and evaluate the differences between the SMUD Station, 7A.2 Babcock & Wilcox designed protection systems which initiate (DRL 7.1) reactor trip and engineered safety feature action and those to be incorporated in the Three Mile Island Station (Docket No.

50-289). The discussion should include preliminary design of the complete circuit from sensors to actuation logic.

ANSWER The Rancho Seco reactor protection system is identical to the Three Mile Island reactor protection system.

The Rancho seco safeguards actuation system is identical to the Three Mile Island except that the high pressure and low pres-sure injection actuation circuits have been diversified to include inputs from both low reactor coolant pressure and high reactor building pressure. The resulting system is identical to the system described in the Crystal River PSAR Amendment 3 issued March 1, 1968 on Page 7-11 and Figure 7-2C.

QUESTION With respect to the reactor protection and engineered safety 7A.3 feature actuation circuits to be designed by other than Babcock (DRL 7.2) and Wilcox, identify the design features which dif fer from the proposed IEEE standard for Nuclear Power Plant Protection Sys-tems. Justification for all differences should be provided.

ANSWER All reactor protection and engineered safety feature actuation circuits to be designed by other than B&W will be in accordance with the proposed IEEE Standards for Nuclear Power Plant Protec-tion Systems.

QUESTION Describe and evaluate the criterion to be used in providing the 7A.4 physical identification of the reactor protection and engineered (DRL 7.3) safety feature equipment, including panels, components, and cables.

ANSWER See Section 7.1.2.3.11 of the PSAR.

0074 0

7A-2 Amendment 2

A (v)

QUESTION Describe and evaluate the changes which will be made in the 7A.5 design of the instrumentation and control systems as a result (DRL 7.4) of the ACRS recommendations contained in the Three Mile letter.

Include in the discussion:

(a) Diversity of engineered safety feature actuation signals and (b) Separation of control and protection systems.

ANSWER The Rancho Seco Safeguards Actuation System has been diversified as the result of the ACRS recommendations contained in the.

Three Mile Island letter to actuate high pressure injection and low pressure injection on signals from either low reactor coolant

-pressure or high reactor building pressure. The resulting system is identical to the system described in the Crystal River PSAR Amendment 3 issued March 1,1968 on Page 7-11 and Figure 7-2C.

The Rancho Seco control system receives inputs from channels which feed the reactor protection system in the following areas:

1.

Reactor coolant pressure

S 2.

Reactor coolant flow s_s 3.

Reactor coolant pump monitors 4.

Reactor power level In the first three areas only one of the four protection chan-nels are connected to control at any given time.

In the event of failures in the control system which semehow reflect back into the connected single channel of protection,. the remaining three channels of protection meet the single failure criterion of the Proposed IEEE Standard for Reactor Protection Systems.

3 To guarane.ee that failures in control do not carry over into i

the single connected protection channel, the output to the control system from the shared sensor and amplifier is isolated by means of an-isolation amplifier. The effectiveness of this isolation amplifier has been tested for all types of faults including open circuits, ground faults and hot shorts up to 410

-volts de and peak to peak ac.

In the fourth area, the desire to minimize unnecessary shut-downs forced on the plant by failure of a single channel of reactor power level instrunentation feeding the reactor controls has led to using an averaging circuit which. combines inputs from all four reactor power level measurements. Using this averaging circuit (which in design detail is actually an I

/ ~N k

0075 s

I'

' Amendment 2 7A-3 I

wati n Y-

average-auctioneer circuit), the control system is capable of completely ignoring single sensor failures which could other-wise force the plant to a tripped condition.

To guarantee that failures in the control system do not propa-gate into the protection system, each signal which goes to control from the shared sensors and amplifiers is isolated by means of the isolation amplifiers described above. In addition to the tests described above performed to demonstrate that the isolation amplifiers separate control and protection in any single channel up to hot faults of 410 volts de and peak ac,

~

tests were run to show that channel to channel isolation is maintained for all types of faults including opens, grounds faults and hot shorts up to 1300 volts de which represents the upper limit of the testing equipment available, and exceeds the highest fault voltage available at any point in the installed instrumentation and control system.

The system meets the requirements for separation of protection and control as specified in AEC General Design Criterion 22, the IEEE Proposed Criteria for Reactor Protection Systems, and the requirements as stated in the United States position of July 1967, with respect to Section 5.4.1.1 of the International Electro-technical Commission Document 45A.

In addition the system meets the Single Failure requirements of AEC General Design Criterion 21 and of the IEEE proposed criteria.

The system capitalizes upon the characteristics of the isola-tion amplifiers as explained in PSAR Section 7.1.1.2.3.

As shown in Figure 7A.5-1 two isolated reactor power level signals, from Channels 5 and 6, are brought to an averaging amplifier located in the Channel 6 cabinet. The average of these two signals nstitute one input to a high level auctioneer. The 3

power level signals from Channels 7 and 8 are also averaged by an amplifier located in the Channel 8 cabinet. This average signal forms the second input of the high level auctioneer.

The output of the auctioneer is the highest of the two power-level-channel average forming the input to the control system.

The use of this averaging technique to feed the reactor controls provides superior failure and safety characteristics in that downscale failures of at least two, and in some cases three, nuclear channels are required before a false rod withdrawal signal is initiated by the reactor controls.

A failure analysis of the system incorporating the isolated power level signals, averaging ac2plifiers, and auctioneer modules to develop a power level signal for control is summar-l ized as follows:

0076 UC U O

7A-4 Amendment 3

,m

(

i v

1.

No short circuit, open circuit, or combination thereof in the signal path from the output of the isolation amplifiers up to the control system will affect the operation of the protection system.

2.

Cross-connecting the inputs to the average amplifiers, either in parallel or in series has no effect upon the protection system. This includes interconnecting inputs between average amplifiers.

3.

The connecting of one average amplifier output to parallel or series the normal input of the second average amplifier has no effect upon the protection system.

4.

No component failure or malfunction in either the average amplifiers or the auctioneer has any effect upon the pro-tection system.

The only type of failure with a potential for being reflected into the protection system consists of the direct connection of at electrical power source across one of the reactor power level signals within the averaging system. The effects of such faults have'been analyzed and are shown on Figure 7A.5-2 as follows:

e i

ss 1.

A power source of 410 volts de or peak ac may be connected directly across the isolation amplifier output of a power 3

level signal without af fecting or failing any portion of the protection system. This has been established by actual test.

2.

A power source of 1,300 volts may be connected to any signal point within the system without failing more than one protection system power level input. This has been established by actual test. The test did not go beyond the 1,300-volt value, and does not represent the upper limit which is calculated to be several t imes this value.

NOTE:

The application of power sources in excess of 1,300 volts has not been attempted on the actual equipment; however,

a worst case analysis has been made. The analysis calcu-lations assume that static resistive elements of the auctioneer are present, that no credit is taken for any dynamic properties of the auctioneer amplifiers, that the average amplifiers fail as lossless circuits and offer no resistance to the propagation of the fault, and that the isolation amplifiers fail as lossless circuits and offer no resistance to propagation of the fault.

3.

The application of a 6,000-volt power source directly

(

across the output of the auctioneer will not affect the

, ~3 operation of the protection system.

0077 Amendment 3 7A-5

4.

The application of a 6,000-volt power source directly across the output of any single average amplifier will not affect the operation of the protection system.

5.

The application of 10,000 volts across one input of one average amplifier will fail one, but not more than one, protection channel power level signal. The failure of all power level signals to the protection system will occur when the voltage is raised to 12,690 volts with 260-watt capability.

6.

The application of 7,000 volts with 140-watt capability to the output of the auctioneer or average amplifier will fail all power level signals.

If the most probable failure mode of the amplifiers were con-sidered to be an open circuit, then the applicaton of 12,000 volts with a 240-watt capability would be required at the auctioneer and average amplifier output to fail all power level 3

signals.

As a result of these tests and analyses it is concluded that:

1.

The highest source of de voltage in the plant is insuffi-cient to fail any protective channel when applied as a fault in the control system.

2.

The highest source of voltage in the entire instrumentation and control system which is the neutron detector voltage of 1300 volts de, is suf ficient to fail only one of the four protection channels when applied as a fault in the control system.

3.

The only sources of voltage in the plant sufficient to fail more than one of the four protection channels are the 22,000-volt generator output bus which is totally enclosed and the 230,000-volt high lines which are outsid. the plant buildings.

4.

Therefore, voltages of the magnitude required to fail more than one of the four protection channels are not available in such a manner as to make these failures credible.

'6 U J O O

0078

-6 Amendment 3

b BT

/

CHANNEL 5 h

E in b/

oEj A+B K

2 E0

/

g oE2 be CH ANNEL 6 b

E'in

/

b BT

/

Auci

'cs O

w e1 CH ANNEL 7 h

E in

/

h p

tiNEAR Aue e

)

, isotATioN ime c

x E O AVERAGING AMP 0

Je c,g 2

oE'2 AUCT AUCTIONEER k/

BT BISTABLE CHANNEL 8 b

E'in FIGl1RE 7A.5-1 i

LINEAR POWER AVERAGE CIRCUIT

/

vn c,-

0-VU ) J l 9, %)ShlUD SACRAMENTO MUNICIPAL UTILITY DISTRICT 0079 Amendment 3

__.,,,.,,_...,----.r.

-c-,

L i st at sePLif ttl IS0Lafl05 48PLillIE1 N

O

0 s

Of $ TABLE

,w-M

-:6 Lehtat Poeta taust 300VLt

~'

Cnantti 5 1

12801 a

.,0

+

'"ll i irc.

A au

-c x

""*3

- [

r-5 1

p OU T PU T l

L.. ]

s ines auttigt acP I

110taf ica sePLIF IE R $

Listat se*L if >t t thPUT FRC3

+

CDantit$ 1 g 0 affRACE 48P

&~

O s

t M

40 M

g i

Lint 0 Pgsta tanti e005LE Bilf alit tsaatil 6 I

50Lf ast f alList Petttti10m $t$f ts. AaPtlflits $Pla 2

VOLT AGE f allinG PA0f tCitC4 $t$fEB atPL if lit $ $NOR'te 3 10Liast f allint Out Of 70U5 PR0f tCfica Cuanktis a VOLialt sifil at erf tti en Ptef ttfish $1 Site

& aCit at it$f VOLf alt f all e6 041 Of 50ER PR0f ttists taannit$

1. O'UUJJV FIGURE 7A.5-2 EFFECTS OF POWER SOURCE CONNECTED AT SPECIFIC POINTS g)suura e

SACRAMENTO MUNICIPAL UTILITY DISTRICT 0080 Amendment 3

l s

(

'\\

\\

/

QUESTION Identify the instrumentation and electrical equipment which 7A.6 must function in an accident environment. Discuss and evaluate (DRL 7.5) the qualification testing which is necessary to insure that this equipment will function in the accident environment. Discuss and evaluate the qualification testing which is necessary to insure that this equipment will function in the accident environ-ment. Your intentions with respect to obtaining the required data should be discussed.

ANSWER See Sections 8.2.3.4, 8.2.3.4.1, and 8.2.3.4.2 of the PSAR.

rs

(

)

'm,/

.cn J}

()(.!!33L

/s I

1 Amendment 3 7A-7

QUESTION With respect to the reactor protection and engineered safety 7A.7 feature signals which feed annunciators and/or a data logging (DRL 7.6) computer, describe and evaluate the design criterion to be used to assure circuit isolation.

ANSWER Instrument cable for reactor protection and for safeguards actuation will be provided with electrostatic shielding and will be installed in separate rigid iron conduit or covered trays as required to provide magnetic shielding from power and control esbles. In order to further provide " Channel Independence" for single failure criteria per IEEE standards, the following method of routing and installation will be utilized.

1.

Cable for each of the four reactor protective channels will be routed in a separate raceway.

2.

The cable to each power range neutron flux sensor will be routed in a separate raceway, however, it may be in the same raceway with cables from the reactor coolant flow sensor or reactor coolant pump monitor providing each is associated with the same protective channel.

3.

The cable to each intermediate channel neutron flux sensor will be routed in a separate raceway, however, since the outputs of these sensors are used in each of the four pro-tective channels, the cable from each sensor may be routed with other protection sensors of the same channel.

4.

The cable to each source channel neutron flux sensor will be routed in a separate raceway, however, it may be routed in the same raceway as one of the protection channels.

5.

Cable from each sensor for the safeguards actuation system will be in a separate raceway, but it may be routed with one of the protection channels.

6.

The routing of the four protection channel raceway systems will be in pairs and arranged such that each pair of raceways will have a wide horizontal separation with a vertical barrier between them and with a concrete wall or floor separating the two pairs.

7.

The above separation will be carried through penetrations.

Control and power cables will be routed in such a manner that their vulnerability to damage from any source will be minimized.

All cables will be applied using conservative margins with respect to their current carrying capacities, insulation proper-ties, and mechanical construction. Cable insulations in the reactor building will be selected such that the harmful effects of radiation, heat and humidity will be minimized.

Cables related to the reactor protection system and the nuclear service system will be routed such that there will be a separate raceway system for each channel. However, cable from one channel of pro-tection system may be routed with one channel of the nuclear Amendment 3 7A-8 gg O O 1 A O, Uvsc -

/

service system. Routing of the power and control cable raceway systems for the separate channels will have wide physical separa-tion or be routed through areas separated by concrete floors or walls.

Cables associated with a system that is common to all channels, such as annunciator and/or computer data logging, will be routed in a separate raceway system.

Incore instrumentation cables from any group of sensors may be routed in a raceway with one of the protection channels.

For additional discussion, see Section 8.3.1, paragraphs (g) and (h) of the PS AR.

Every effort will be made to maintain absolutely separate and independent protection channels to the extent that each channel will have its own annunciators, meters, switches, test points, cabinets, relays, wiring, etc., but recognizing that the very act of providing a remote meter or annunciator tends to compro-mise channel integrity and that comparing of signals in a plant computer or combining signals in a plant control may be neces-sary to increase safety, isolation amplifiers will be used to guarantee absolute isolation between the multiple outputs of any sensor which feeds any protection system.

Every output therefore from the reactor protection system sensors and the engineered safety features sensors is isolated by a separate isolation amplifier from every other output from the same sensors. As a result each output is insensitive to faults of all kinds on any other output from the same sensor (as described in the answer to Question 7A.5).

Accordingly, the signals from protection channel sensors can be sent to annun-ciators and data loggers or computers without concern for the impact of faults on the protection signal since faults there are totally isolated from the protection channels.

e.g. Faults in the annunciator cannot affect the computer, control or protection; faults in the computer c'annot affect the annunciator, control or protection, etc.

Despite the flexibility of design afforded by the use of isola-tion amplifiers, the protection systens will still be designed to maintain the maximum separation and independence of channels described in our criterion.

Figure 7A.7-1 shows the details of an isolation amplifier and the way isolation amplifiers are used in each linear power range 3

module. The arrangement shown is also typical of the reactor coolant pressure and flow inputs to control and protection.

0083 00joI

-Amendment 3 7A-9

• i

.e.

150Lafith g ACP(ifl[R$

I I

TO ICS I

N

/

10 CCNSOLE off(R l

V N

l l

N

/ 10 LOCAL WETER V

^

I OffE f0R N

N

/

TO MIGN FLUI TRIP 107 55 I

V LlhEAR l

&#PLIFf(R N

/

$UR l h t:1911 4 *10 4 l

V I

k l

/

y s

I N

/

.f 0 PGetR FLC8 50hif0R LorelC l

V I

l N

t

/

y N

l I

l N

/

10 PLAkt COMPUTER V

l N

/

$P arf V

1 I

Llh(AR Pit [R RAhsl APPLifl(R #00Ull

/N i

h.V 4

-t IkPUT h

C

.W OUTPUT IC

^

O v

l O

g, s

T T

110tAfl0N ANP*lfifR FIGURE 7A.7-1 DETAILS OF ISOLATION AS EMPLOYED IN POWER RANGE CHANNEL OF FIGURE 7.1-2 UUsvc

@suua e

SACRAMENTO MUNICIPAL UTILITY DISTR!CT 00&1 Amend:nent 3

l t

i QUESTION

. Identify, discuss, and evaluate the differences between the 7A.9 SMUD Station incore instrumentation and that to be incorporated (DRL 7.8) in the Three Mile Island Station (Docket No. 50-289).

ANSWER The Rancho Seco incore instrumentation system has been modified from the one originally shown in the PSAR. The revised system is very similar to the one described in the Three 3

Mile Island PSAR consisting of 52 self powered detector assemblies distributed throughout the core. Each detector

{

assembiy will contain six local flux detectors and one back-ground detector. There will be no inlet or outlet thermo-couples because these are necessary only on first of a kind plants to verify reactor coolant flow distribution. There will be no calibration tubes because the B&W research and development program has demonstrated that calibration of self powered neutron detectors is unnecessary. The plant computer will continue to be used as the normal readout system for the incore detectors with an alternate recording system provided to read out enough of the incore detectors to detect the presence of xenon oscillation.

Calibration of detectors will not be required. The incore scif powered detectors can be controlled ta very precise levels of initial sensitivity by quality control during the manufacturing stage. The sensitivity of the detectors changes i

O over their lifetime due to such factors as detector burnup, control rod position, fuel burnup, etc.

Experimental programs have been completed to determine the magnitude of these factors. The results of these experiments have been incor-porated into the plant computer program which will be used to continuously compensate the output of the incore detectors for these factors. Operation of detectors in both power and 3

test reactors has demonstrated that this compensation program when coupled with the precise levels of initial sensitivity i

provides detector readout accuracies sufficient to eliminate the need for a calibration system.

Each individual detector will measure the neutron flux at its locality which will be used to determine the local power density. The individual power densities will.then be averaged permitting the peak-to-average power ratios to be calculated.

Both the peak-to-average power ratio and the local power density.will be available in the cemputer.

[

QUESTION-Describe the control room ventilation system and evaluate the 7A.10 need for placing the system automatically in a recirculation

.(DRL 7.9) mode utilizing an airborne radiation detector which monitors the intake duct.

s'

,,,-~

u 0085 Amendment-3 7A-11

ANSWER The control room area will be equipped with redundant fans, filters and mechanical refrigeration equipment, plus the necessary dampers and controls for providing full recirculation for high radiation (post accident) ventilation, see Section 9.7.2 of the PSAR. Provision will be made to initiate re-circulating air flow automatically on an air intake duct high radiation signal or manually by the control room operator.

QUESTION Describe and evaluate the design changes that will be made in 7A.ll the reactor scram system as a result of the ACRS recommendation (DRL 16.1) contained in the Three Mile Island letter regarding potential failure to de-energize the scram bus.

ANSWER The output scram circuitry of the reactor protection system associated with the control rod scram bus will be revised as described in the reply to Question 5.3 in Supplement 1 of the Florida Power Corporation PSAR (Docket Nos. 50-302 and 303).

O ij b 0086 O

7A-12 Amendment 3