ML20011E010

Conceptual Design for Diverse Emergency Feedwater Actuation Sys
ML20011E010
Site: Arkansas Nuclear
Issue date: 12/31/1989
From: ARKANSAS POWER & LIGHT CO.
Shared Package: ML20011E011
References: NUDOCS 9002060010
ATWS RULE 10CFR50.62

CONCEPTUAL DESIGN FOR A DIVERSE EMERGENCY FEEDWATER ACTUATION SYSTEM (DEFAS)

FOR ARKANSAS NUCLEAR ONE UNIT 2

SUBMITTED BY ARKANSAS POWER & LIGHT COMPANY

DECEMBER, 1989

9002060010 900115 PDR ADOCK 05000368 P PDC

TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 EXISTING PPS EFAS DESIGN
3.0 DIVERSE EMERGENCY FEEDWATER ACTUATION SYSTEM
4.0 DETAILS OF OPERATION
5.0 OPERATOR INTERFACES
6.0 TEST CAPABILITIES
7.0 CONFORMANCE TO 10CFR50.62 GUIDANCE
8.0 CONFORMANCE TO GENERIC LETTER 85-06
9.0 SUMMARY
10.0 REFERENCES
ATTACHMENT A - ISOLATION DEVICE INFORMATION

1.0 INTRODUCTION

1.1 Purpose

This submittal describes the conceptual design of a Diverse Emergency Feedwater System (DEFAS) for ANO-2 in compliance with 10CFR50.62. The current Plant Protection System (PPS) and Emergency Feedwater Actuation System (EFAS) hardware configuration for ANO-2 are discussed along with the applicable design criteria for these systems. This information is then used as a basis to generate a detailed functional design for a DEFAS.

The ANO DEFAS is a functionally NON-Q system that meets the intent of the Commission's 10CFR50.62 guidance and the Quality Assurance requirements of Generic Letter 85-06. The DEFAS is diverse and independent from the existing Reactor Trip System (RTS) from transmitter output to final actuation device as required by 10CFR50.62, thus mitigating the consequences of an ATWS should the RTS fail. The DEFAS is further designed to be a highly reliable system to avoid spurious Emergency Feedwater actuations.

Since the Diverse Scram System and inherently Diverse Turbine Trip have previously been installed, installation of this system will bring ANO-2 into full compliance with 10CFR50.62.

1.2 Background

On June 26, 1984 the Code of Federal Regulations was amended to include 10CFR50.62, "Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants". The requirements of 10CFR50.62 for a diverse Emergency Feedwater Actuation System are as follows:

"...(c) Requirements. (1) Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system... under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system."

Also provided with the Federal Register notification of the ATWS Rule was guidance from the Commission (49FR26042,26043) concerning the degree of diversity from the RTS to minimize the potential for common-mode failures.

Generic Letter 85-06 further addressed Quality Assurance requirements for ATWS equipment.


2.0 EXISTING PPS EFAS DESIGN

2.1 Description

The Plant Protection System (PPS) maintains plant safety by monitoring various plant parameters and initiating protective actions if any parameter exceeds its associated setpoint. The PPS consists of two separate but functionally similar systems: the Reactor Protective System (RPS) which trips the reactor and the Engineered Safety Features Actuation System (ESFAS) which actuates accident mitigation equipment. The Emergency Feedwater Actuation System (EFAS) is included in the ESFAS.

The EFAS initiates Emergency Feedwater (EFW) to the intact steam generator(s) (SG) following a low-level signal. This signal is derived from a two-out-of-four (2/4) logic and initiates EFW to a SG if that steam generator meets the following conditions:

a) A low water level is present in the SG without low pressure.

b) A low water level is present in the SG and the SG pressure is greater than the other SG pressure by a predetermined differential pressure trip setpoint. (This is known as Feed Only Good Generator logic, or FOGG.)

Separate actuation signals are provided for each SG. EFAS-1 corresponds to SG No. 1 and EFAS-2 corresponds to SG No. 2. The EFW pumps' discharge valves for each SG receive separate actuation signals from interposing relays in parallel with each EFAS-1 and EFAS-2 initiation circuit. This insures that an intact SG will receive EFW, while the EFW to a ruptured SG will be isolated.

The EFAS uses four input signals: SG-1 pressure, SG-2 pressure, SG-1 water level, and SG-2 water level. Each input parameter is monitored on four isolated channels (A, B, C, & D) by bistable trip units. The SG-1 and SG-2 pressures are also input to two additional bistables to determine SG differential pressure. See Figure 1 for the existing PPS/EFAS bistables schematic.

Each EFAS input parameter is represented as a voltage level which is continuously compared by the bistable to a pre-adjusted trip setpoint voltage. If the input parameter voltage becomes equal to the trip setpoint voltage, the trip bistable generates a (bistable) trip output. The bistable trip outputs, after passing through the FOGG logic, are then input to the PPS 2/4 coincidence logic matrices. These matrices account for all possible 2/4 logic combinations of the monitoring channels and are designated as AB, AC, AD, BC, BD, & CD. Reference Figure 2 for the AB matrix schematic.

A matrix generates a trip only if a bistable trip receipt occurs on both matrix channels. The trip is then recognized as valid and transmits an activation signal on each of the four PPS trip paths.

[Figure 1: EFAS BISTABLES CHANNEL A. Trip inputs shown: SG-1 low water level, SG-2 low water level, SG-1 low pressure, SG-2 low pressure, and the two SG differential pressure bistables. NOTE: All contacts shown in tripped state.]

[Figure 2: EFAS AB LOGIC MATRICES. NOTE: All relays are de-energized to actuate (initiate).]

Each PPS trip path includes six sets of relay contacts in series with each set controlled by a unique trip matrix. See Figure 3 for EFAS-1 and EFAS-2 Channel A trip paths. A trip path is activated by transferring (opening) any single contact set. The trip path relays, known as Solid State Initiation Relays, contain two contacts, SSR(X)A and SSR(X)B where (X) is 1, 2, 3, or 4 corresponding to channels A, B, C, and D, respectively.

The SSR(X)A and SSR(X)B contacts are located in the Auxiliary Relay Cabinets (ARC's) where the Actuation Relays are also located.

These relays are normally energized and de-energize to trip.

The contact outputs from these relays are sent to the Motor Control Centers which control the valves and pumps in the EFW System.

ARC A initiates actions for SG-1 Train A EFW valves, SG-2 Train A EFW valves, and the EFW Train A pumps.

ARC B initiates actions for SG-1 Train B EFW valves, SG-2 Train B EFW valves, and the EFW Train B pumps.

Refer to Figure 4 for an EFAS Actuation Signal schematic.

Figure 5 is a Logic Diagram of the EFAS while Figure 6 is an EFAS Block Diagram.

2.2 Design Standards

The PPS is a redundant Class 1E safety related protection system that has been designed to the following standards:

a) IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations".

b) IEEE Std. 323-1971, "General Guide for Qualifying Class 1 Electric Equipment for Nuclear Power Generating Stations".

c) IEEE Std. 338-1971, "Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems".

d) IEEE Std. 344-1971, "Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations".

The Auxiliary Relay Cabinets have also been designed to the standards listed above.

[Figure 3: EFAS TRIP PATHS (TYPICAL)]

[Figure 5: EFAS LOGIC DIAGRAM]

[Figure 6: EFAS BLOCK DIAGRAM. Blocks shown, in signal order: SG-1 and SG-2 pressure transmitters and level sensors (channels A, B, C, D); PPS cabinet bistables, 2/4 logic and initiation relays for channels A through D (EFAS-1 and EFAS-2 contacts SSR1A/SSR1B through SSR4A/SSR4B); Aux. Relay Cabinets A and B selective 2/4 logic and actuation relays; Motor Control Centers Train A and Train B; EFAS Train A and Train B valves and pumps.]

3.0 DIVERSE EMERGENCY FEEDWATER ACTUATION SYSTEM

3.1 Functional Requirements

The DEFAS consists of isolators, signal conditioning, trip recognition, coincident logic, initiation logic, and other circuitry and equipment necessary to monitor plant conditions and initiate EFW during conditions indicative of an ATWS. The intent of the DEFAS is to mitigate ATWS event consequences during an Anticipated Operational Occurrence (AOO) requiring EFW coincident with a failure of the PPS. The actuation of EFW through the DEFAS provides a diverse means of initiating EFW in compliance with 10CFR50.62c.1.

The DEFAS initiation signals result in actuation of the EFW pumps and valves only if there is a demand for EFW and an EFAS signal has not been generated by the PPS. The occurrence of an EFAS signal by the PPS, concurrent with the absence of a reactor trip signal from the Diverse Scram System (DSS), indicates that conditions indicative of an ATWS have not occurred. Consequently, EFW actuation by the DEFAS is not necessary. Under these conditions, the DEFAS actuation will be blocked through logic in the Auxiliary Relay Cabinets.

The functional requirements for the DEFAS include:

a) DEFAS must initiate EFW flow for conditions indicative of an ATWS where the EFAS has failed to initiate EFW.

b) DEFAS will not be required to provide accident mitigation such as isolating feedwater to a ruptured steam generator.

c) DEFAS will secure feeding the affected steam generator(s) after reaching a pre-determined level setpoint (approximately 30 minutes after actuation) at which time manual operator intervention will be required.

d) DEFAS will utilize logic and redundancy to achieve a 2-out-of-4 initiation.

e) DEFAS will utilize steam generator level as the parameter indicative of the need for EFW flow initiation.

f) DEFAS will interface with existing pumps and valves via the Auxiliary Relay Cabinet relays. These relays are not used in the RTS and are considered to be the final DEFAS actuation device.

g) DEFAS will be blocked by the EFAS to prevent control/safety interactions and to disable DEFAS when the EFAS actuates.

h) DEFAS will be blocked by the MSIS to prevent control/safety interactions and to disable DEFAS when conditions for MSIS terminate EFW flow to a ruptured steam generator, thus allowing the existing safety system to function normally.

i) DEFAS will be enabled by a signal indicative of DSS actuation.

j) DEFAS will include testing capabilities that allow testing of the channel logic at power.

k) DEFAS will include features that provide annunciator, plant computer, and operator interfaces to indicate system status.

l) DEFAS actuation setpoints will be lower than the PPS setpoints and the DEFAS time response will be longer than the PPS/EFAS time response so that race conditions between the PPS and DEFAS will be avoided.

m) The DEFAS will not be required to be sealed-in, or locked-out, at the system level due to EFAS and MSIS control interactions. However, the 2/4 logic channels will be sealed-in upon receipt of a valid low steam generator level signal until a high steam generator level signal is received.

n) The DEFAS may be manually actuated from the Control Room.

It is intended that the DEFAS will be placed in service during Mode 1 operating conditions. However, the DEFAS may be taken out of service during Mode 1 for corrective maintenance or surveillance testing purposes.

3.2 System Description

The DEFAS cabinet contains the 2/4 logic that determines if conditions exist for a DEFAS initiation.

The DEFAS interfaces with the Process Equipment Cabinet and the Auxiliary Relay cabinets.

The block diagram shown in Figure 7 depicts the overall configuration of the DEFAS and its interfaces while Figure 8 details the power distribution to the DEFAS and PPS.

The DEFAS receives eight inputs from the Process Cabinet consisting of four level sensor inputs from each steam generator.

These level inputs are the existing level signals used by the PPS and located in the Process Cabinet.

Each input signal is isolated by the use of a fiber optic transmitter module where it is converted from an analog voltage signal to an optical signal.

Each of the eight level signals is transmitted to the DEFAS cabinet on a separate fiber optic cable.

The input signals are received by fiber optic receiver modules in the DEFAS cabinet where they are converted to an analog voltage signal and provided as input to the 2/4 logic system.

The 2/4 logic system will compare the input signals to the DEFAS setpoints to determine if a DEFAS trip condition exists (refer to Figure 9).

If a trip condition exists, the 2/4 logic system transmits a trip signal for the 1-3 trip path across a fiber optic serial data link to an I/O System located in ARC A and across another fiber optic serial data link to an I/O System located in ARC B.

Likewise, a trip signal for the 2-4 trip path will be transmitted across a fiber optic serial data link to an I/O System located in ARC A and across another fiber optic serial data link to an I/O System located in ARC B.

[Figure 7: DEFAS BLOCK DIAGRAM]

[Figure 9: DEFAS CONCEPTUAL LOGIC DIAGRAM]

See Figure 10 for the DEFAS/EFAS ARC A schematic for DEFAS-1 which is also typical of DEFAS-2 in ARC A and DEFAS-1 & 2 in ARC B.

The EFAS actuation signal in the Aux. Relay Cabinets is designed such that the DEFAS 1-3 trip path is paralleled with the DEFAS 2-4 trip path. Both DEFAS trip paths must transmit a trip signal in order to initiate EFW.

The DEFAS cabinet will contain testing capabilities and local indication so that the state of the DEFAS can be easily determined. This is further discussed in Sections 5.0 and 6.0.

3.3 System Interfaces

3.3.1 Sensors/Isolators

The DEFAS uses four narrow range safety channel level sensor inputs from each of the steam generators. These level signals are input to an analog fiber optic transmitter module which converts the analog voltage signal to an optical signal suitable for transmission over fiber optic cables to the DEFAS. These fiber optic transmitter modules provide the isolation between the Class 1E input signals and the non-Class 1E DEFAS.

A total of eight fiber optic transmitter modules will be mounted in the Process Cabinet: two for each channel A, B, C, & D. These transmitter modules are to be powered from the existing 24 VDC power located in each channel of the Process Cabinet. The fiber optic transmitter modules will meet or exceed the same standards and specifications developed for the existing PPS cabinets.

These modules have not been purchased and therefore a test report of the module's isolation characteristics is not available at this time. See Attachment A for isolator information to be provided in the design change package once they are specified and test report(s) have been received.

3.3.2 DEFAS Logic

The DEFAS logic equipment is non-Class 1E control grade equipment that will be housed in a seismically qualified cabinet due to Seismic II/I concerns. The DEFAS logic consists of fiber optic receiver modules, fiber optic modems, power supplies, uninterruptible power supplies, test/indicator panels, I/O modules, and a 2/4 logic system as shown in Figure 5.

The DEFAS logic cabinet contains eight fiber optic receiver modules that convert the optical input signals from the Process Cabinet fiber optic transmitter modules to analog voltage signals.

[Figure 10: ESFAS AUXILIARY RELAY CABINET diagram]

The eight analog signals from the fiber optic receiver modules are input to the 2/4 logic system which performs the logic necessary to determine if conditions for DEFAS actuation exist. The fiber optic receiver modules contain fault detection capability that will detect a fault of the optical signal (i.e., severed fiber optic cable).

This fault indication will be provided on the DEFAS cabinet indicator/test panel to assist in troubleshooting any problems that may be encountered with the input signals.

The DEFAS contains two auctioneered power supplies which supply power to the fiber optic receiver modules, I/O modules, and the 2/4 logic system. Each power supply is powered from an Uninterruptible Power Source (UPS) which receives power from separate 120 VAC non-safety related instrument buses. Loss of power to the power supplies and the UPS's is alarmed locally and in the Control Room. The UPS's supply power to the DEFAS for up to one hour following the loss of 120 VAC power. This insures that the DEFAS will function for one steam generator fill cycle (approximately 30 minutes).

There are four channels used in the DEFAS for the purpose of redundancy and testing capabilities at power. Single channel testing will not result in valve cycling, pump starting, or EFW initiation as two channels are required to trip the DEFAS. The DEFAS 1-3 trip path is paralleled with the DEFAS 2-4 trip path in the Aux. Relay Cabinets. Both DEFAS trip paths are required to be tripped in order to initiate EFW.

The 2/4 logic system interfaces with analog and digital input/output modules which in turn interface with the test/indicator panel and fiber optic receiver modules. The output signals from the fiber optic receiver modules are input to Analog Input modules which contain signal conditioning circuitry and will transmit the voltage signal to the A/D converter when accessed by the 2/4 logic system.

The 2/4 logic system outputs (trip channels) will interface with six RS232C serial data links that are connected to fiber optic modems for trip signal and data transmission to the Plant Computer and ARC's. The serial data links communicate with the Plant Computer, the I/O Systems in ARC A, and the I/O Systems in ARC B. The 2/4 logic system transmits the trip signals for DEFAS across the I/O System links and the I/O System then initiates EFW consistent with the enables and interlocks established.

In order to assure that the DEFAS computer-based control system will perform its function in a reliable manner, existing computer software control procedures will be used. These software control procedures are currently used for safety related systems such as SPDS, CAPS, and CPC. The DEFAS software will be fully tested as part of the post-installation functional testing. Future changes of the software will be accomplished per the existing safety related software control procedures.

3.3.3 Auxiliary Relay Cabinets

Each ARC contains two I/O Systems, one interfacing with trip path 1-3 and the other interfacing with trip path 2-4. These I/O Systems consist of fiber optic modems, an RS232C to RS422 converter, digital input and output modules, relays, and power supplies. Each ARC will contain a test/indicator panel as necessary for the I/O systems. The I/O systems are qualified to meet or exceed the qualification requirements of the ARC so that they will not degrade the existing qualification of the ARC.

The I/O System interfaces with the current logic of each ARC as shown in Figure 6. The I/O System receives inputs from DEFAS through a fiber optic serial data link and then generates digital outputs that control the DEFAS output actuation relays for EFAS 1 & 2. Two other relays are installed in each ARC to provide a bypass function that will disable the DEFAS when desired.

The I/O System receives inputs that are available to be read by the 2/4 logic system through the serial data link. These inputs include relay status inputs, test inputs, and bypass inputs.

4.0 DETAILS OF OPERATION

The DEFAS receives four level sensor inputs from each steam generator. These eight signals are transmitted to the 2/4 logic system where they are compared to a trip setpoint to determine if the level in the steam generator is low. This trip setpoint is set at a value below the existing PPS low steam generator level trip used to initiate EFAS. The intent of the lower setpoint is to prevent the DEFAS from initiating EFW before the PPS when the PPS is operating properly.

Each of the DEFAS channels uses a 2/4 logic function on the steam generator level signals. If any 2 of the 4 SG-1 level signals indicate low level and a DSS actuation has occurred, the DEFAS will generate a trip signal to the ARC's and initiate EFW to SG-1. The same logic applies to the SG-2 level signals.

The DEFAS 2/4 logic system outputs are actually configured as a 2/2 logic system where a DEFAS signal from both trip paths (1-3 & 2-4) is required to initiate EFW. A DEFAS trip signal generated by one trip path will only result in controlling the cycling relays that control feedwater valves to the steam generators. The DEFAS logic in the ARC's is designed such that the loss of both trip paths is needed to de-energize the subgroup relays, resulting in EFW initiation.

The DEFAS receives two digital inputs from the DSS which indicate that the DSS has actuated. These inputs allow the DEFAS to initiate EFW only if a DSS actuation has occurred, thus preventing inadvertent DEFAS actuation.

When a trip signal is received by the I/O System, the I/O System generates a digital output that energizes the DEFAS relay which causes EFW actuation to occur. Each I/O System in the ARC generates two DEFAS trip signals, one for EFAS-1 and one for EFAS-2. Two bypass switches are located near each I/O System to bypass the DEFAS trip signals. When the switches are in bypass, an indicator on the test/indicator panel lights to annunciate the bypassing of the DEFAS outputs.

The logic for the DEFAS relays is shown in Figure 6. The DEFAS relay will be energized only if the MSIS lockout and EFAS lockout relay contacts are closed (normal position). If either the MSIS lockout or EFAS lockout relay contacts are open, the DEFAS cannot initiate EFW. The lockout relay contacts being open indicates that the PPS has already initiated EFW or isolated a ruptured SG and thus the DEFAS is blocked since the need for ATWS mitigation, if an ATWS is occurring, has been satisfied by the EFAS.

The MSIS initiates isolation of each SG to rapidly terminate blowdown and feedwater flow if a steam-line rupture occurs. The PPS MSIS logic uses the SG pressure inputs to determine if conditions for MSIS are present. The MSIS lockout relay is used as a blocking signal for the DEFAS so that if a steam-line rupture occurs, the DEFAS will be unable to initiate EFW to the ruptured SG. Feedwater flow to a ruptured steam-line is an undesirable action which may result in the containment pressure exceeding its design basis.

If the MSIS and EFAS lockout relay contacts are closed (not initiated), then the DEFAS can initiate a one-cycle EFW signal. This means that when the DEFAS initiates EFW the DEFAS initiation relay is energized and one of its contacts is wired to bypass the EFAS lockout relay contact. This bypass is necessary because when a DEFAS is initiated the EFAS lockout relay will open and latch which, if not bypassed, would prevent the DEFAS from controlling EFW flow. After the SG level is restored to a pre-determined setpoint, the DEFAS initiation relay will de-energize and secure EFW flow to the steam generator. This disables the bypass on the EFAS lockout relay; however, since this is a latching relay it must be manually reset by the operator. This will prevent the DEFAS from initiating a second EFW flow cycle.

One cycle will take approximately 30 minutes or more for the steam generator level to return to normal and an additional 30 minutes for the level to again decrease to the low level setpoint. Therefore, the operator has sufficient time to take manual control of the Feedwater System and perform the necessary actions to continue operation of the system.
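The actuation sequence of Section 4.0, together with the seal-in and blocking requirements of Section 3.1, can be exercised as a small behavioural model. This is an added example, not code from the AP&L submittal; the setpoint values, the use of 2/4 coincidence for the high-level reset, the level traces, and all class and function names are assumptions made for illustration.

```python
"""Behavioural model of the DEFAS actuation logic for one steam generator."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed setpoints in percent level. The page gives no numeric values, only
# that the DEFAS low-level trip is set below the PPS low-level trip.
DEFAS_LOW = 15.0    # assumed DEFAS trip setpoint
DEFAS_HIGH = 60.0   # assumed level at which DEFAS secures EFW flow


def two_of_four(trips: Sequence[bool]) -> bool:
    """2/4 coincidence: at least two of the four channels are tripped."""
    if len(trips) != 4:
        raise ValueError("expected channels A, B, C and D")
    return sum(bool(t) for t in trips) >= 2


@dataclass
class DefasLogic:
    """2/4 level logic with the channel seal-in of requirement (m)."""
    sealed_in: bool = False

    def update(self, levels: Sequence[float], dss_actuated: bool) -> bool:
        low = two_of_four([lv <= DEFAS_LOW for lv in levels])
        # Assumption: the high-level reset also uses 2/4 coincidence.
        high = two_of_four([lv >= DEFAS_HIGH for lv in levels])
        if low and dss_actuated:      # DSS actuation enables DEFAS (requirement i)
            self.sealed_in = True
        elif high:
            self.sealed_in = False
        return self.sealed_in


@dataclass
class ArcRelayLogic:
    """DEFAS initiation relay and its interlocks in one Auxiliary Relay Cabinet."""
    efas_lockout_closed: bool = True   # open means the EFAS lockout relay has latched
    msis_lockout_closed: bool = True   # open means MSIS has actuated
    bypassed: bool = False             # DEFAS bypass switch position
    energized: bool = False            # DEFAS initiation relay state

    def step(self, path_1_3: bool, path_2_4: bool) -> bool:
        # Both trip paths are required (2/2), and the bypass switch disables DEFAS.
        demand = path_1_3 and path_2_4 and not self.bypassed
        # While energized, a DEFAS relay contact bypasses the EFAS lockout contact.
        permit = self.msis_lockout_closed and (self.efas_lockout_closed or self.energized)
        self.energized = demand and permit
        if self.energized:
            self.efas_lockout_closed = False   # lockout opens and latches on initiation
        return self.energized

    def pps_efas_actuates(self) -> None:
        self.efas_lockout_closed = False

    def operator_reset(self) -> None:
        self.efas_lockout_closed = True


def run(trace, dss_actuated: bool = True, arc: Optional[ArcRelayLogic] = None,
        path_2_4_ok: bool = True) -> List[bool]:
    """Feed four-channel level samples through the logic; return EFW demand per sample."""
    logic = DefasLogic()
    arc = ArcRelayLogic() if arc is None else arc
    out = []
    for levels in trace:
        trip = logic.update(levels, dss_actuated)
        out.append(arc.step(trip, trip and path_2_4_ok))
    return out


# Constructed level trace (channels A, B, C, D), not plant data.
FILL_CYCLE = [
    (40, 40, 40, 40),   # normal level
    (14, 40, 40, 40),   # one channel low, as in a single-channel test: no trip
    (14, 13, 40, 40),   # two channels low: trip, EFW starts
    (30, 30, 30, 30),   # refilling: the seal-in holds the demand
    (61, 62, 30, 30),   # two channels high: EFW secured
    (14, 13, 12, 11),   # level falls again: blocked until the operator resets
]

if __name__ == "__main__":
    print("ATWS, PPS failed:", run(FILL_CYCLE))
    print("No DSS actuation:", run(FILL_CYCLE, dss_actuated=False))
```

The last sample of the trace shows the one-cycle behaviour: the latched EFAS lockout keeps DEFAS from starting a second fill until `operator_reset()` is called.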

L 19

t t<

5.0 OPERATOR INTERFACES

5.1 DEFAS Status Indications and Alarms

It is AP&L's intent to provide DEFAS TRIP and DEFAS TROUBLE/TEST alarms in the Control Room.

Local alarms and/or indications at the DEFAS Cabinet and the Aux. Relay Cabinets will include, as a minimum, the following:

- Steam generator level indication

- DEFAS channel trip demand

- DEFAS trip path trip

- DEFAS system level trip

- DEFAS channel in test

- Loss of power to the system power supplies, UPS's, or critical components

- System or component bypasses

- DEFAS I/O system status

- DEFAS initiation relay status

The DEFAS Trouble/Test alarm in the Control Room will consist of the above-listed local alarms, as necessary, to provide the operator with indication of system limiting conditions that could potentially cause channel inoperability, require short-term corrective action, or otherwise degrade the system or render it inoperable.

Furthermore, as a minimum, the DEFAS Trip alarm will be input to a SOER computer point in the Plant Computer which is available to the operator.

The Control Room alarms will be designed, selected, and installed in accordance with the existing annunciator policies derived from the Control Room Design Review (CRDR) process.

This policy establishes criteria for the need, location, wording, etc. in accordance with good Human Factors Engineering Practices.

Per the existing plant modification process, a Human Factors Review is required on all design change packages which specify changes to the Control Room.

During the Human Factors Review for the DEFAS, the Control Room DEFAS alarms and indications will be coordinated with existing alarms and displays.

5.2 Manual Operator Action

Manual initiation of the DEFAS can be accomplished from the Control Room.

The operator will be supplied with a manual control switch to trip the DEFAS and initiate EFW flow provided the DSS has actuated.

This manual DEFAS trip is electrically independent from the RTS and the EFAS.

Once the DEFAS has actuated it will only provide EFW flow to the steam generator(s) until the steam generator(s) level has returned to a pre-determined setpoint.

This fill cycle will last for approximately 30 minutes, after which time the feedwater flow will be automatically terminated.

At this point, steam generator level may decrease until operator action is required to assume manual control of the EFW valves.


6.0 TEST CAPABILITIES

The DEFAS has test capability at both the DEFAS cabinet and the Aux. Relay Cabinets.

The DEFAS cabinet testing involves testing of the 2/4 logic system which can be conducted for one channel at a time at full power.

Testing at the ARC involves verifying proper operation of the I/O Systems and the initiation relays.

Testing and calibration of the DEFAS will be performed prior to installation and operation to demonstrate that the NON-Q ATWS equipment conforms to its design specifications.

In addition, the DEFAS equipment will be periodically tested and calibrated to ensure that the surveillance requirements established in accordance with the QA Operations Manual are satisfied.

The measuring and test equipment which will be used to determine the acceptability of work or process status will be controlled and calibrated or adjusted at specific intervals in accordance with existing procedures.

DEFAS testing at power will be performed on the same schedule as that currently used for the ESFAS.

This testing, known as channel functional testing, is done on one logic channel each week on a rotating basis designed to test all four channels every month while in Mode 1.

All four channels will be tested prior to each return to criticality after a forced outage or scheduled outage greater than seven days in duration.

AP&L does not intend to address DEFAS in the Unit 2 Technical Specifications since a NON-Q system does not meet the criteria for Technical Specification inclusion per the NRC's Technical Specification Improvement Program.

A DEFAS end-to-end test will be conducted each refueling outage and will consist of functional testing from the sensor output to and including the DEFAS initiation relay.

This surveillance will consist of recalibrating inputs, simulating the input and verifying DEFAS output actuations, alarms, indicators, and EFAS actuation.

Maintenance and test bypasses for the DEFAS will not involve installing jumpers, lifting leads, pulling fuses, tripping breakers, blocking relays, or other circuit modifications.

These bypasses will be provided as control switches integral to the DEFAS design in conformance with the intent of Reg. Guide 1.47.

It is further assumed that daily channel verification checks will be conducted by Operations.

These daily channel checks will consist of verifying system availability and proper system status via local indications.


7.0 CONFORMANCE TO 10CFR50.62 GUIDANCE

The Commission's guidance provided with 10CFR50.62 established the criteria for an ATWS design that they felt would comply with 10CFR50.62.

Although not formally required, these guidelines are integrated into the design for the ANO-2 DEFAS as discussed below.

1) Safety Related (IEEE 279)

Commission - Not required but the implementation must be such that the existing protection system continues to meet all applicable safety related criteria.

The DEFAS consists of three groups of equipment: the fiber optic transmitter modules, the DEFAS cabinet, and the I/O systems in the Auxiliary Relay Cabinets.

The DEFAS cabinet is designed as a non-safety related control grade system.

It is isolated from the Class 1E PPS and Class 1E Auxiliary Relay Cabinets to minimize control/safety interactions that could degrade the Class 1E systems.

The fiber optic transmitter modules in the Process Cabinet and the I/O systems in the Auxiliary Relay cabinets are considered safety related equipment since they interface directly with the Class 1E systems.

The DEFAS safety related equipment will be qualified to the same level of qualification as the PPS and Auxiliary Relay Cabinets.

Reference Section 2.2 for qualification standards for the PPS and Aux. Relay Cabinets.

Although acceptable isolation will be provided between the control grade (non-safety related) DEFAS output and the safety related EFAS inputs, inadvertent actuation of EFW can occur.

Per the Standard Review Plan (NUREG 0800 Sections 7.1, 7.3, & 7.7) as well as IEEE 279 and IEEE 379, it is necessary to assume the DEFAS will fail to a mode which will generate a DEFAS actuation signal at the system level.

Concurrently, the above guidelines require the assumption of a single failure within the safety related protection system.

Design features have been included to assure that DEFAS will not actuate during main steam line breaks concurrent with a single failure within the MSIS initiation circuitry.

Installation of the DEFAS will not result in failure of the existing protection system(s) to meet the single failure criterion during accidents.

During normal power operation (Mode 1) the above failure of the control grade DEFAS will initiate the EFW System resulting in a significant secondary side transient along with an unnecessary challenge to a safety related protection system.

However, this DEFAS failure mode is bounded by the existing analysis of the "Excess Heat Removal Due to Secondary System Malfunction" anticipated operational occurrence as contained in Chapter 15 of the SAR.

The implementation of this design will increase the probability of inadvertent EFW System actuations.


2) Redundancy

Commission - Not required

Redundancy alone does not preclude common mode failure occurrences.

Consequently, no requirements are made for redundancy of the DEFAS.

The design, however, is to be reliable and should minimize the possibility of spurious actuations.

Therefore, AP&L has elected to install a four channel DEFAS to increase system reliability and decrease the potential for spurious actuations.

The installation of a four channel system also allows testing during full power, at which time the DEFAS becomes a 2-out-of-3 system with one channel in test.

3) Physical Separation From Existing Reactor Trip System

Commission - Not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated.

The implementation must be such that separation criteria applied to the existing protection system are not violated.

Although not required, physical separation from the existing RTS is provided for the DEFAS.

The DEFAS logic will be housed in a separate cabinet located in the CEDM Equipment Room directly above the Control Room.

This room was chosen because it was outside the Control Room, it has air conditioning, and it is in the same general area as the Process Cabinet and Auxiliary Relay Cabinets.

The DEFAS is fiber optically isolated via qualified devices and physically and electrically separate from the existing RTS.

The DEFAS will not degrade the existing separation criteria of the PPS or the Aux. Relay Cabinets.

4) Environmental Qualification

Commission - For anticipated operational occurrences only, not for accidents.

The 2/4 logic system housed in the DEFAS Cabinet is located in a non-harsh environment and therefore environmental qualification per 10CFR50.49 is not required.

Therefore, the DEFAS logic equipment will not be included in AP&L's 10CFR50.49 EQ Program.

However, the cabinet and its components will be rated for the environment in which they are installed.

The fiber optic transmitter modules in the Process Cabinet and the I/O systems in the Aux. Relay Cabinets will be rated for the environmental conditions at the cabinet resulting from AOO's and accident conditions and will not degrade the existing qualification of the cabinets. Since these cabinets are located in non-harsh environments, environmental qualification per 10CFR50.49 is not required. Therefore, this DEFAS equipment will not be included as part of AP&L's 10CFR50.49 EQ Program.


5) Seismic Qualification

Commission - Not required

Although the DEFAS cabinet is not required to be seismically qualified, it will be qualified due to Seismic II/I concerns in the CEDM Equipment Room.

The fiber optic transmitter modules in the Process Cabinet and the I/O systems in the Aux. Relay Cabinets will be seismically qualified to meet or exceed the seismic qualification criteria of the existing Class 1E cabinets in order to preserve the qualification of the existing systems and to maintain isolation capability during a seismic event.

6) Quality Assurance for Test, Maintenance, and Surveillance

Commission - Explicit guidance will be issued in a letter (Generic Letter 85-06)

Reference Section 6.0 for testing, maintenance, and surveillance requirements for DEFAS.

See Section 8.0 for compliance with Generic Letter 85-06.

7) Safety-Related Power Supply

Commission - Not required, but must be capable of performing safety functions with loss of offsite power.

Logic power must be from an instrument power supply independent from the power supplies for the existing reactor trip system.

Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented.

The DEFAS logic power supplies in the DEFAS cabinet are not required or considered to be safety related.

These power supplies are powered from non-safety related 120 VAC buses.

Each DEFAS logic power supply is interfaced with its own UPS that is capable of providing logic power for up to one hour following the loss of the 120 VAC buses.

This design provides power for the DEFAS which is separate and independent from the existing RTS.

Existing safety related channel power supplies in the Process Cabinet will provide power to the safety related side of the fiber optic isolators while power to the non-safety related side of the fiber optic isolators will be provided by non-safety related power.

The safety related input power to the isolator is provided from the vital 120 VAC power source (4 channels) while the non-safety related input power to the isolator is provided from the instrument 120 VAC power source.

The vital AC and instrument AC power are totally separate and independent from each other with the vital AC being fed from the safety related 125 VDC system and the instrument AC being fed from the safety related 480VAC MCC's.

Qualified isolation between the non-safety related instrument AC and the safety related 480VAC MCC's is provided via safety related circuit breakers in the 480VAC MCC's.

Surge protection for the safety related power input to the isolators is accomplished via the existing charger/inverter surge protection circuitry.

Existing safety related power will be used in the Aux. Relay Cabinets for the I/O systems and the DEFAS initiation relay which is the DEFAS final interface device to the EFAS.

Power to the Aux. Relay Cabinets is provided by safety related vital 120 VAC power.

Power supply faults such as overvoltage, undervoltage, degraded frequency, and overcurrent will not compromise the RTS, EFAS, or safety related DEFAS equipment in the Aux. Relay Cabinets.

Aux. Relay Cabinet power supply faults will be alarmed in the Control Room.

Likewise, the 125 VDC system and vital 120VAC system faults are alarmed in the Control Room along with battery charger and inverter faults.

The Control Room alarms provide for early detection of degraded voltage and frequency conditions to allow for operator corrective action while the affected circuits/components are still capable of performing their intended functions.

8) Testability at Power

Commission - Required

The DEFAS design allows for on-line functional testing of one selected channel at a time.

With one channel in test the DEFAS becomes a 2/3 logic system.

Testing of the entire 2/4 logic will be conducted during plant shutdown or prior to startup. DEFAS testing occurs at the DEFAS Cabinet and at the Aux. Relay Cabinet.

Test capabilities of the system are discussed in 6.0.

9) Diversity From Existing Reactor Trip System

Commission - Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sensors to, but not including, the final actuation device, e.g., existing circuit breakers may be used for auxiliary feedwater initiation.

The sensors need not be of a diverse design or manufacturer.

Existing protection system instrument-sensing lines may be used.

Sensors and instrument-sensing lines should be selected such that adverse interactions with existing control systems are avoided.

Diversity can be achieved by incorporating as many of the following methods as possible:

- Use of components from different manufacturers.

- Use of electronic devices vs. electro-mechanical devices.

- Use of energize-to-actuate vs. deenergize-to-actuate trip devices.

- Use of AC vs. DC power sources.

The equipment used in the design of the DEFAS is entirely diverse from the existing PPS/RTS except for the sensors and the final actuation devices, both of which are not required to be diverse.

The DEFAS 2/4 logic system is a solid-state computer based control system that is diverse from the bistable/electro-mechanical system of the PPS/RTS.

The DEFAS contains fiber optic technology to receive and transmit signals to and from its distributed I/O systems.

The DEFAS final interface device to the EFAS is the DEFAS initiation relay located in the Aux. Relay Cabinet.

This relay energizes to actuate EFW flow while the existing EFAS is a deenergize-to-actuate system.

This relay will be of a different manufacturer from the existing EFAS solid state initiation relays and MDR relays.

The DEFAS and the EFAS use the same final actuation devices.

These final actuation devices are the cycling and subgroup relays used to control the pumps and valves in the EFW System.

These relays are Potter & Brumfield MDR rotary relays.

Although the RTS also utilizes MDR relays, diversity of the DEFAS final actuation devices from the RTS is not required and therefore their use is acceptable.

10) Electrical Independence From Existing Reactor Trip System

Commission - Required up to final actuation device at which point non-safety related circuits must be isolated from safety related circuits.

The DEFAS is electrically independent from the existing PPS/RTS as it uses a separate power source for the logic system.

The DEFAS is isolated from the Process Cabinet and Aux. Relay Cabinets through the use of qualified fiber optic isolation and therefore meets the intent of the guidance for isolation from safety related circuits.

See item 7 for discussion of the power supplies for the isolators in the Process Cabinet and the power source for the I/O systems and DEFAS initiation relays in the Aux. Relay Cabinets.

The NRC has accepted this configuration as meeting the intent of the ATWS Rule (Ref 10.8).

11) Inadvertent Actuation

Commission - The design should be such that the frequency of inadvertent actuation and challenges to other safety systems is minimized.

The DEFAS is designed with features to minimize inadvertent actuations and challenges to safety systems.

The DEFAS setpoints are set at levels below the existing setpoints in the PPS and the DEFAS response time will be longer than the PPS EFAS response time in order to prevent the possibility of the DEFAS initiating EFW flow before the properly operating PPS.

The DEFAS initiation relay initiates EFW flow upon energization while the EFAS initiates EFW flow upon de-energization of the subgroup/cycling relays.

The energize-to-actuate design of the DEFAS initiation relays will prevent the loss of relay power or I/O system power from causing an inadvertent actuation since these relays are normally de-energized.

The DEFAS is blocked by the EFAS and MSIS signals to minimize inadvertent DEFAS actuations.

When the PPS initiates EFAS or MSIS, indicating that the PPS is operating normally and that conditions for ATWS mitigation are not present, blocking logic is activated which disables the DEFAS initiation relay.

Thus, the DEFAS is unable to initiate EFW flow.

The DEFAS is further blocked by the DSS such that the DEFAS can operate only if a DSS actuation has occurred.

If an inadvertent actuation of the DEFAS were to occur, thus initiating EFW flow, an overcooling of the RCS or an overfilling of the steam generator secondary side could result at full reactor power.

Although these events have been considered in the analysis of the plant, they are very undesirable and the addition of another EFW initiation system will increase the probability of the occurrence of these events.
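A simplified model of the actuation logic described in Section 4 and in item 11 above (2/4 coincidence, DSS permissive, EFAS and MSIS blocking, the lockout bypass contact, and the one-cycle limit), added here as an illustration and not part of AP&L's submittal. The `Defas` class, its field names, and the treatment of the relay circuit as a single evaluated step are assumptions of this sketch.

```python
from dataclasses import dataclass


def vote(trips, in_test=None):
    """2-out-of-4 coincidence; a channel in test is excluded, leaving 2-out-of-3."""
    return sum(bool(t) for i, t in enumerate(trips) if i != in_test) >= 2


@dataclass
class Defas:
    dss_actuated: bool = False      # DSS permissive: DEFAS may act only after a DSS actuation
    msis_lockout: bool = False      # True = PPS has initiated MSIS (blocking contact open)
    efas_lockout: bool = False      # True = EFAS lockout relay open and latched
    relay_power: bool = True        # power to the energize-to-actuate initiation relay
    initiation_relay: bool = False  # energized = EFW flow demanded by the DEFAS

    def pps_initiates(self, efas=False, msis=False):
        """A correctly operating PPS opens the lockout contacts, which blocks the DEFAS."""
        self.efas_lockout = self.efas_lockout or efas
        self.msis_lockout = self.msis_lockout or msis

    def operator_reset(self):
        """Manual reset of the latching EFAS lockout relay."""
        self.efas_lockout = False

    def step(self, trips, level_restored=False, in_test=None):
        """Evaluate the logic once and return the initiation relay state."""
        # The relay's own contact bypasses the EFAS lockout contact while energized.
        efas_path = (not self.efas_lockout) or self.initiation_relay
        path = (self.relay_power and self.dss_actuated
                and not self.msis_lockout and efas_path)
        if self.initiation_relay:
            # Fill cycle in progress: hold until the SG level setpoint is reached.
            self.initiation_relay = path and not level_restored
        elif path and vote(trips, in_test):
            self.initiation_relay = True
            self.efas_lockout = True  # opens and latches when the DEFAS initiates
        return self.initiation_relay


def one_cycle_demo():
    """Constructed scenario: low SG level on two channels after a DSS actuation."""
    low, ok = [True, True, False, False], [False] * 4
    d = Defas(dss_actuated=True)
    return [
        d.step(low),                      # cycle starts
        d.step(ok),                       # still filling, held by the bypass contact
        d.step(ok, level_restored=True),  # setpoint reached, relay drops out
        d.step(low),                      # second cycle blocked by the latched lockout
    ]


if __name__ == "__main__":
    print(one_cycle_demo())
```

Loss of relay power in this model leaves the relay de-energized and therefore cannot cause an actuation, which is the property the energize-to-actuate choice is meant to provide.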

8.0 CONFORMANCE TO GENERIC LETTER 85-06

Generic Letter 85-06 was released by the NRC to provide explicit Quality Assurance (QA) guidance required for non-safety related ATWS equipment.

The ANO-2 DEFAS will comply with the QA guidance provided in this letter by invoking the requirements of the ANO Station 10CFR50 Appendix B QA Program on the system and its equipment, with the exception that the DEFAS equipment need not be purchased from a vendor on AP&L's Qualified Vendor List (QVL).

However, it is AP&L's intent to procure ATWS equipment of the highest quality.

9.0 SUMMARY

The ANO-2 DEFAS is designed to be a highly reliable system that initiates EFW flow upon conditions indicative of an ATWS.

Although the probability of inadvertent EFW initiation has been increased, the effects and transient response of this event are bounded by existing analysis.

The DEFAS is designed to meet the intent of 10CFR50.62 and is diverse and independent from the existing Reactor Trip System.

The DEFAS design further complies with the Commission's guidance provided with 10CFR50.62 and the quality assurance requirements of Generic Letter 85-06.

Installation of the DEFAS will result in a reduction of the risk of an ATWS event should the RTS fail during conditions indicative of an ATWS.


10.0 REFERENCES

10.1 NUREG 460, "Anticipated Transients Without Scram for Light Water Reactors", March 1980.

10.2 SECY-83-293, "Amendments to 10CFR50 Related to Anticipated Transients Without Scram (ATWS) Events", July 19, 1983.

10.3 10CFR50.62, "Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants", June 26, 1984.

10.4 Federal Register 49FR26042 and 49FR26043, "ATWS Guidance Regarding System and Equipment Specifications", June 26, 1984.

10.5 NRC Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety Related", April 15, 1985.

10.6 Letter from AP&L (Howard) to NRC (Calvo), 2CAN118801, "Request for Partial Exemption for ANO-2 from the Requirements of 10CFR50.62", November 3, 1988.

10.7 Combustion Engineering, Inc. Report CE NPSD-384-P, "Design for a Diverse Emergency Feedwater Actuation System Consistent with 10CFR50.62 Guidelines", April 1989.

10.8 Letter from NRC (Posluany) to AP&L (Campbell), 2CNA098901, "Summary of Meeting with the Combustion Engineering Owners Group (CEOG) Regarding the DEFAS Design Features to be Installed per 10CFR50.62 (ATWS Rule)", September 22, 1989.


ATTACHMENT A

ISOLATION DEVICE INFORMATION

The DEFAS qualified fiber optic isolators have not been specified at this time.

Once they are specified and test reports have been obtained, the following information will be provided in the design change package:

a) A description of the specific testing performed to demonstrate that the device is acceptable for its application. This description will include elementary diagrams, when necessary, to indicate the test configuration and will describe how the maximum credible faults were applied to the devices.

b) Data to verify that the maximum credible faults applied during the test were the maximum voltage/current to which the device will be exposed, and a definition of how the maximum voltage/current was determined.

c) Data to verify that the maximum credible fault was applied to the non-Class 1E side of the device in the transverse mode (between signal and return) and that other faults were considered (i.e., open and short circuits).

d) A definition of the pass/fail acceptance criteria used to qualify the device.

e) A commitment that the isolation devices comply with the environmental and seismic qualifications that were the basis for plant licensing.

f) A description of the measures taken to protect the safety systems from electrical interference (i.e., electrostatic coupling, EMI, common mode and crosstalk) that may be generated by the ATWS circuits.

g) Information to verify that the Class 1E isolator is powered from a Class 1E source.
