Text

.**

'GARGENTQ.LUNDY-ENGINEERS e

C H IC AGO -

t."

-May 1988 Rev. 4

..3--

ATWS MITIGATION SYSTEM SPECIFIC DESIGN FOR BYRON /BRAIDWOOD STATIONS COMMONWEALTH EDISON COMPANY s

I

-i t

8807180221 880706 PDR ADOCK 03000454 Project Nos.

7725-52/53 0

PNV 7775-07/08

~

SARGENT Cz'LUNDY ENGINEERS

"~

1 C H IC AGO

^

9.

q

-MEy 1988

.Rev.~4

.j 1

+

(

- 1 TABLE OF-CONTENTS f

?

^

s t

Section Title Page

1.0 INTRODUCTION

1-1~

I 2.0 DESIGN' BASIS 2-1

.7

-. 3. 0 FUNCTIONAL REQUIREMENTS 3-1

- 4.0 PLANT SPECIFIC DESIGN DETAILS 4-1 i

5.0 REFERENCES

5-1 i

f

. 4 1

a 1-a.

i

(

i i.

i a

f I

d l

i e

t E

e I

s

..~..- - -.---

z SARGENT Q LUNDY: ~

.c

'~

ENGINEERS cHicAco May 1988 Rev. 4-c.

1

1.0 INTRODUCTION

The purpose of this document is to provide a description of the specific ATWS Mitigation System design proposed for implementation at the Byron and Braidwood Stations. The description is intended for the use of the Nuclear Regulatory Commission in evaluating the specific design for compliance to the ATWS rule of 10CFR S0.62(c)(1).

1-1

E SARGENT O LUNDY ENGINEERS CHICAGO -

May(1988 Rev. 4 2.0 ATWS ' MITIGATION SYSTEM DESIGN BASIS The Byron /Braidwood Stations' ATWS Mitigation System ( AMS) design is based on the following. requirements:

a.

The ATWS Rule (Reference 1) b.

ATWS Quality Assurance Requirements (Reference 2) c.

Westinghouse NiSAC Generic Design Guidance (Reference 3)

The foregoing documents provide the basis for the specific. AMS system design as described in Section 3.0.

In addition to the details provided in Section 3.0, plar.t specific information, as requested by the NRC in -their letter (Reference 4) stating acceptance of the Westinghouse AMSAC Generic Design, is included in Section 4.0.

2-1

C A RG E NT C

'.,0 N DY

[

E N G I N F. E R S CHIC /.no

'b May 1983 Rev. 4 3.0 ATWS MITIGATION SYSTEM FUNCTIONAL DESCRIPTION t

This section will functionally describe the proposed ATWS Mitigation System ( AMS) design for the Byron and Braidwood Stations.- The operation of the proposed AMS is defined in Figure 3-1 and by the following descriptions.

i 3.1 System Overview The required initiating actions of the AMS are as follows:

3 a.

initiate the aux'.ar, feedwater system, and b.

trip the main turbine The plant variable that is cunitored to determine loss of heat sink and provide for the actions described above _is Steam I

Generator (SC) level.

Each steam generator is monitored by four existi"3 sets of level instrumentation.

Any of the four level l'

. eaturements indicating low level is an indication of loss of i

l heat sink for that steam generator.

As shown in Figure 3-1, one N4S logic train is provided.

Both the main turbine trip and auxiliary feedwater actuation signals are initiated by this logic train.

3-1

CARGENT Q LUNDY ENGINEERS C HIC AGO May 1988 Rev. 4 The AMS logic monitors the RPS Ch.1 SG levet transmitter from each steam generator for a total of four level inputs.

A 3 out of 4 coincident logic scheme is employed to interrogate these SG level signals, therefore requiring three of the steam generators to indicate a loss of heat sink in order to actuate the AMS.

The AMS level setpoint ull be 37, of narrow range span below the RPS Steam Generate. level setpoint.

The-AMS logic will actuate the auxiliary feedwater system (i.e.,

motor driven and diesel driven auxiliary feedwater pumps and related equipment) and trip the main turbine (through the emergency trip).

A time delay (approximately 25 seconds) is provided to ensure the reac+,or protection system will provide the firct trip signal.

Arming of the AMS is automatic and is accomplished when both the C-20 power level (> 40T, of nominal full power) permissives are achieved (see figure 3-1).

Upon a decrease in power below the C-20 power level the AMS will be automatically bypassed.

The C-20 power level permissive is developed in the AMS system based on turbine impulse chamber pressure.

After an N4S initiation of the auxiliary feedwater system and tripping of the main turbine, the AMS will self reset. Tha t is, df ter x4S initiation as power decreases and af ter a time delay (approximately 360 seconds), the C-20 interlock will inhibit the logic thus allowing shutdown of the auxiliary feedwater system 3-2

l:

si SARGENT.O LUNDY u

ENG1NEERS

' CHIC AGO -

+

May 1938

'Rev. 4 and reset of the main turbine trip. The time delay allows the P

AMS to remain armed 'ong enough to perform its function in the event of a turbine trip.

The logic provides for one inhibiting signal which is manually implemented under administrative control and prevents the logic from initiating its intended functions (i.e., start the auxiliary feedwater system and trip the main turbine). This inhibiting signal results -from the requirement that the AMS must have the capability for testing during power operation. When the operator selects the AMS test mode, the final AMS actuation output devices (relays) are inhibited from operating and inadvertently initiating the auxiliary feedwater system or tripping the main turbine during power operation.

4

' Contaol of the auxiliary. feedwater system and main turbine are provided for by existing controls and are not in the scope of the AMS design.

i l

\\

l 3-3 l

~

3 ARGENT Cr LUNDY ENQlNEERS CHIC AGO May 1988 Rev. 4-3.2-

. Main Control Room Interface The control room interface between the AMS and the operator

-includes the following alarms and indications located at the main control boards:

4 AMS Initiated a.

Alarms AMS Inoperable

• 24VDC P/S Failure b.

Indications - N4S Initiated - Red Light t

N4S Armed Green Light AMS In Test Mode - Red Light.

c.

Bypass Permissive Light Box - ATWS Permissive C-20 i

• Inoperable alarm includes loss of power, AMS in test, and automatic bypass (C-20 < 405).

1

.i h

3-4

CARGENT Q LUNDY' E N GIN E E R S CHfCAGO May 1938 Rev. 4 3

I I

3.3 Termination of Steam Generator Blowdown Steam generator blowdown will not be automatically terminated by the AMS.

Since the inancdiate effect of steam geperator blowdown, in the event of an ATWS event, is to remove heat from the steam generator, automatic isolation is not necessary. 0nce AMS is initiated, steam generator inventory can be adequately satisfied I

with both trains of auxiliary feedwater operating.

Auxiliary feedwater flow per steam generator will be approximately 320 gpm with maximum blowdown flow per steam generator of 90 gpm.

r 3-5 y

\\./

O INHIBIT 1

ARM SYSTEM t

pykE l

TABOVE C-20 x

ET SG A SG B SG C SG D C-20 C-20 CONT l

LEVEL LEVEL LEVEL LEVEL

>40 %

>40 %

SWITCH l

3%(RPS 3%<RPS 31(RPS 3%<RPS I

i

.i l

j 1F 1F 1F 1F 9F 1F l

3/4 AND i

i i

1F 9F 360 25 SCC SEC i

1F 1 F, AND i

1F 1r APO 1F 1 F 1 F INITIATE AUX FW PUMPS TRIP MAIN TUR81NE AND RELATED COMPONENTS

( EMERGENCY TRIP )

FIGURE 3-1 ATWS MITIGATION SYSTEM MAY 1988 REV. 4 SIMPLIFIED LOGIC DIAGRAM

F a {..

CARGENT Q LUNDY i

4 o

ENG NEERS CHICAGO May 1988 Rev. 4 4.0 PLANT SPECIFIC DESIGN DETAILS The following section provides the plant specific desiP.i details as requested by the NRC.

Each topic is addressed in thr. order in which they are listed _in Reference 4.

4.1 Diversity The ATWS Mitigation System ( AMS) design for the Byron and Braidwood Stations uses equipment wt.ich is largely diverse f rom j

that used in the Reactor Protection Syst.em (RPS).

AMS inputi are derived from the existing SG 1evel and t.-20 instrumentation uhich is located in the RPS Westinghouse 7300 protection cabinets.

The AMS SG level and C-20 inputs arc iso' sated from the existing instrumentation loop signals by Technology for Energy (TEC)

Analog Signal Isoletus.

These isolators are classified as safety related.

Af ter isdation the signals are fed to Rosemount master trip units which generate the SG low level and C-20 logic inputs to the Rochester Solid State Logic System. The Rochester Solid State Logic System provides implementation of the coincidence logic, permissives, test inhibits, time delays and other AMS functions.

Outputs from the logic system are then used to trip the turbine and start auxiliary feedwater via a number of interposing relays.

The interposing relays interlocking safety 4-1

- CARGENT Cr LUNDY E N G'; N E E R S CHICACO May 1988 Rev. 4 related circui ts are classified as' safety related.

These relays are the same as other safety.related relays used in similar circuits elsewhere in the Byron and Braidwood Station designs.

Major components of the AMS are therefore 'provided by manufacturers who are diverse from those used in the Westinghouse 7300 protection cabinets and Westinghouse solid state logic, cabinets.

4.2 Logic Power Supplies The N4S logic will be powered from a new non-safety related 24 7

VOC battery with a dedicated battery charger purchased 5,aocifically to power the AMS cabinet.

The guidelines in 10CFR50.62 ( ATWS Rule) state that:

The AMS power supply is not required to be safety-related.

j The AMS must be capable of performing its safety-related i

function following a loss of offsite power.

The AMS logic power must be independent from tne power supply for the Reactor Trip System.

A new 24 VDC battery system, as the AMS power supply, complies 6

with the guidelines in 10CFR50.62 as discussed below:

i 4-2 l

c....-

s

-May 1988 4

Rev. 4 i

i a.

Safety Classification of AMS Power Supply The new battery shall be non-safety related.

b.

Operation Following Loss of Offsite Power Since the AMS cabinet is powered from a de source (i.e,. a 24 VOC battery), the system is capable of performing its function following a loss of offsite power.

9 c.

Independence From Reactor Trip System Power Supply Since the AMS Cabinet will be powered from a new battery, with its own battery-charger, the AMS logic power supply is totally independent from the Reactor Trip System power supply.

4.3 Safety-Related Interface Two safety-related interfaces exist between the AMS and

)

existing safety related circuits. The first is the interface between the AMS and the SG level and C-20 instrumentation circuits.

As previously discussed in Subsection 4.1, isolation is provided by the use of Technology for Energy Corporation analog signal isolators. The second is the interface between the AMS and the auxiliary feedwater circuits.

Isolation is provided by the use of Westinghouse relays.

The existing criteria for 4-3

4 May 1988 Rev. 4 physical separation between reactor protection, ESF, and non-safety system wiring will also be utilized.

4 4.4 Quality Assurance Safety-related components which are part of the AMS will be procured with the appropriate quality assurance required for safety-related equipment. All other components in the NiS design will be procured using the quality assurance requirements stated in Generic Letter 8S-06 (Reference 2).

4.5 Maintenance Bypasses Maintenance at power can be accomplished by tsking the AMS out of service administrative 1y (test switch) and removing 1

electrical power.

It is recommended that the main test switch located in the'NiS cabinet, be placed in the test

-j mode to ensure that maintenance activities do not result in spurious actuation of the AMS output relays.

Loss of power to the AMS or placing the AMS in test mode will result in an AMS inoperable main control alarm.

This alarm along with other AMS alarms and indicating lights will be grouped and located on the main control board utilizing human fictors engineering practices.

4-4

,,v-p-

,w..

w

'm

/*

@ ARGENT rir LUNDY E N GIN E E RS a

CHICAGO S

May 1988 Rev. 4 4.6 Operating Bypasses The NiS shall be automa;!cally armed coincident with power d

above C-20 (405 of nominal full power) as a permissive.

Bypass of the AMS shall-be automatically initiated if the L

power is reduced below C-20.

The C-20 power level is measured by two transmitters.

The transmitters will measure first stage impulse chamber pressure at the high pressure turbine. The basis for the 405 of full power.

setpoint is provided in 9G-87-10 (Ref. 5).

The automatic bywats of the AMS is alarmed as. AMS inoperable. The C-20 power level permissive will be indicated at the Bypass Permissive Light Box.

4.7 Means for Bypassing The main test switch as discussed in Se:tions 3.1 and 4.5 is a permanently installed selector suitch with two posi tions: normal and test.

The main test switch is located in the AMS cabinet and is the only means provided for bypassing the system.

Other means for bypassing as specifically excluded by the guidance are not used.

The main test switch will be included in the overall human factors engineering review of the system.

4-5

x GARGENTC LUNDY ENGINECRS CHICAGO i

May 1988 Rev. 4 4.8 Manual Initiation Manual actuation of the A'4S is not provided. Manual initiation of auxiliary feedwater and manual tripping of the turbine can be accomplished by the operator'at existing controls provided on the main control boards.

4.9 Electrical Independence From Existing Reactor Protection System And Other Safety Related Circuits The interface between the SG level and C-20 instrumentation loops and the AMS is made through Technology for Energy Corporation (TEC) Model 156 Nuclear Qualified Analog Isolators. These isolators, which are located in a mild environment, have been fully qualified by the vendor according to the guidelines set forth in the applicable IEEE Standards.

The results of the environmental qualification testing envelope the Byron /Braidwood Stations requirements.

In addition, the isolators were functionally tested for input isolation (i.e., signal degradation) during short circuits, open circuits and faults on the output side. The maximum credible voltage transient which the non-saf tey-related (output) side of the circuits would be exposed to is approximately 33 volts dc. The isolators were tested to a fault voltage of up to 2,000 volts de between terminals. For current transients, the 24Y 4-6

May 1988 Rev. 4 circuits will be appropriately protected (e.g., fuses and circuit breakers) in order to interrupt a f ault on the non-safety-related circuit side before the operability of the isolation function is affected. The isolators were tested at 20 amps, as applied to the non-safety-related side, without degrading the safety-related side below an acceptable level. The design of the isolators is based on an inherently fail-safe principle which ensures isolation, even if all power is removed from the device. The stainless steel case will be grounded which generally eliminates electromagnetic interferences. These isolators have been used in many other nuclear plants and have been evaluated by the NRC. More detailed documentation addressing qualification and testing is available in the qualification test reports.

The AMS output interface to the safety related auxiliary I

feedwater circuits is provided at the output relays via coil to contact separation. The output relays are Westinghouse auxiliary relay model number ARD 660LR. These relays, which are located in a mild environment, have been qualified by the vendor according to the guidelines set forth in the applicable IEEE Standards.

The results of the environmental qualification testing envelope the Byron /Braidwood Stations requirements.

In addition, the relays were functionally tested.

The maximum credible 4-7

.1 4

May 1988 Rev. 4 3

b voltsge transient which the non-safety-related side of the circuits would be exposed to is approximately 33 volts dc (i.e., the AMS cabinets where the relays are located, are t

powered from a 24 volt DC System.

For current transients, the circuits will be appropriately i

protected (e.g., fuses and circuit breakers) in order that a fault on the non-safety-related Circuit side will be interrupted by the protective devices before the e

I operability of the isolation funct<on is affected. The relays are rated 10 amps non-inductive and 6 amps inductive at 120VAC. The relays are rated 3 amps non-inductive and 1.1 amps inductive at 125VDC. The relays are inherently 4

fail-safe because power is not required for the relays to

~

function as isolation devices. Typically electromagnetic interference is not a problem with relays. These relays i

are used at the Byron /Braidwood Stations as isolstion devices and have been evaluated by the NRC. More-detailed documentation addressing qualification and testing is available in the qualification test reports.

t t

9 4-8

--c--

..,e,.

-,n,y

.,, -,~ -,

,.3

,--,,-n,-

c

'CARGENTQ LUNDY ENGINEERS

.e.

CHICAGO May 1988 Rev. 4 4.10 Physical Separation From Existing Reactor Protection System The AMS hardware is located in its own cabinet which is separate from the existing reactor protection system cabinets.

Actual isolation of the SG 1evel, C-20, and aux-feedwater circuits will be done in the AMS cabinet.

Isolators, safety related relays and. wiring within the AMS cabinet will be physically separated to meet all existing separation requirements. Likewise all existing criteria for physical separation of reactor protection, ESF, and non-safety system wiring external to the AMS cabinet will also be followed.

4.11 Environmental Qualification The AMS cabinet is located in a mild environment. The environmental parameters for the location, Zone A1, are listed in the Byron /Braidwood FSAR Table 3.11-2.

The four existing SG 1evel transmitters are located in a harsh environment. The environmental parameters for the location Zone C6, are listed in the Byron /Braidwood FSAR Table 3.11-2.

Tne two existing C-20 transmitters are located in a mild environment. The environmental parameters for the locations, Zones T1 and T2, are listed in the 4-9

CARGENTO LUNDY ENGINEER 3 CHICAGO May 1988 Rev. 4 Byron /Braidwood FSAR Table 3.11-2.

Both non-safety and safety-related components of the ATWS cabinet and the SG level and C-20 transmitters will be designed to meet the environmental conditions existing in the zones they are located.

Seismic qualification will be provided for the AMS cabinet and internal safety-related components which provide the input and output AMS interface to external safety related circuits.

4.12 Testability at Power The AMS is designed to allow testing of the master trip units, solid state and relay logic system, and final AMS output relays during power operation as well as below the C-20 power level permissive.

AMS testing at power will be perfnrmed once every 6 months.

AMS testing at power is subdivided into three areas which are described individually below, a.

Testing of master trip units (MTU) - The logic train requires six MTus (one per steam generator plus two C-20's) which are housed in a single MTU chassis.

A calibration unit with a dual readout assembly is provided to insert in the MTU chassis and calibrate 4-10

. SARGENT & LUNDY ENGINEERS CHICAGO

6 May 1938 Rev. 4 each individual MTU.

?

The calibration unit when placed into the MTU chassis allows testing or calibration of each MTU -(only one MTV can be tested at a time). The calibration. unit generates a calibrate command signal, calibration current, and a calibration status signal. Calibra-i tion of any selected MTU in the chascis is initiated by the calibrate command signal directed to that MTV, which causes the MTU under test to accept a calibra-tion current in place of the input signal. The input signal is switched to a fixed resistor (located in the MTU), while the MTU is under test, to prevent opening the input circuit. The calibrate command signal also causes the MTU under test to generate a calibration / gross failure output signal which energizes the cal / gross failure relay. While the HTU is under test en AMS inoperable alarm is annunciated in the MCR via the cal / gross failure relay.

During testing, the MTU receives a calibration current (continually adjustable) from the calibration unit which is simultaneously displayed on the readout assembly as the calibration status signal.

A second display on the readout assembly tracks the calibra-tion status signal until the MTU changes state (non-4-11

SARGENT 0 LUNDY t'

ENGlNEERS CHICAGO 6

May 1988 Rev. 4 trip to trip state or vice versa). The calibration current reading at that point is latched on the trip-current display by the trip status signal from the MTU under test.

This allows.an accurate determina-tion of the MTU trip setpoint setting.

When the MTV is returned to normal operation, the input signal is switched back to the MTU, and the cal / gross failure relay is de-energized (provided the input signal is within its normal range of 4-20 ma DC).

Each MTU is provided with a process indicator which will display the input process signal (SG level or turbine impulse chamber pressure) or the calibration current.

Although each MTU can be tested on an individual basis, the AMS actuation signal should be blocked from inadvertently actuating the final AMS output relays.

This is accomplished by placing the AMS test mode selector switch in the test position. This action will illuminate an indicating light both at the i4CR and NiS cabinet and also will activate the AMS inoperable annunciator alarm.

To return the AMS to normal service, a two step process is required since otherwise resetting the N4S test mode selector switch to normal during a test would inadvertently i

4-12 l

SARGENT & LUNDY.

ENGINEERS o

cMicaco May 1938 Rev. 4 actuate the final AMS output relays. Once testing is completed the operator would return the AMS test mode selector switch to normal and then press the test reset pushbutton, b.

Testin3

, e'em logic (solid state and relay) -

Since the MTUs are tested individually, it is not possible to force more than one MTU into a trip status simultaneously from the calibration unit.

To artificially f nitiate the system logic for testing, external MTV test switches are provided for each MTV.

The MTU test switch is a three position switch with each position accomplishing the following respective function:

MTU Test Switch Position Function Norm Allows the MTU to directly operate the MTU trip relay MTV Test Switch Posi tion Function Test-Trip Disconnects the MTU trip relay from the MTV and energizes the trip relay creating an artificial "trip si tua tion. "

Test-Norm Disconnects the MTU trip relay from the MTU and de-energizes the trip relay l

creating an arti ficial "non-trip or normal situation."

4-13

.SARGENT & LUNDY r

EMGINEERS 6

CHICOGO 1

May 1938 Rev. 4 J

This position allows logic testing during maintenance.

1 outages when the input signal would normally maintain.the-

.MTU in a tripped state.

Placing the MTV in either test mode from the MTV test switch causes the AMS inoperable alarm to be annunciated in the MCR.

An indicating light for each MTU at the AMS cabinet alerts the operator when the MTV trip relay is artificially energized by the MTV test switch.

To test system logic, the AMS test mode selector switch would be placed in the test mode.

As described previously this action would prevent the actuation of the final NiS output relays during l

te s t. The AMS test-mode Indicating light would filuminate in the MCR and at the AMS cabinet and the AMS inoperable annunciator alarm would be a c ti va ted.

Successful generation of the AMS actuation signal by the system logic is verified when the AMS initiated indicating lights are illuminated in the MCR and at the N45 Cabinet and also by actuation of the AMS initiated annunciator alarm.

Prior to returning under test to the normal mode by the N45 test mode selector switch and pushbutton, each MTU test switch should be placed in the normal 1

mode.

4-14

~

F SARGENT & LUNDY E N GIN E E R $

6 C H tC AGO May 1988 Rev. 4 c.

Testing of final Nis _ output relays - The testing circuits *: sed for the final AMS output relays and final actuated devices at power will be similar to the testing schemes used in the Byron /Braidwood Safeguards Test Cabinets.

However, for the purpose of the A45, testing of the final AMS output relays and final actuated devices will be limited to a continuity test only of the circuits and not full actuation of the final devices (control rela./ hich cperates the auxiliary feedwater pump, for example).

Continuity testing of the circuits will be used

because, the AMS is not safety-related, any additional periodic c] cling of safety related system componente in 6he auxiliary feedwater system as a result of AMS testing should be limited in order to maximize the qualified life 1

of those components, and tripping of the turbine at power is obviously unacceptable.

4-15 i

I

' SARGENT & LUNDY

?-

ENGINEERS CHIC AGO 6

May 1938 Rev. 4 A complete off-line end to end test will be performed once each refueling outage. This test will simulate inputs to transmitters.and mo-itor proper actuation of output relays._ A test pr;cedure will be prepared once the system hardware is purr.1ased.

4.13 Completion of Mitigative Action Once initiated the AMS actuation signal will go to completion except as delayed by the 25 second time delay.

The C-20 permissive is delayed from de-energizing for 360 seconds to ensure that the C-20 permissive is present so that AMS operates.-

Seal-in of the A'4S actuation signal is not necessary at the logic level, since the final actuated or tripped equipment control circuits (auxiliary feedwater and turbine trip) will remain in that condition until stopped or reset by the I'

main control room operator.

4.14 Technical Specification No specific technical specification is proposed at this time.

4-16

3 SARGENT & LUNDY.

'r'

'E EM GlM E ER S CHIC AGO Ma, 1988

.1 Rev. 4 5.10 References 1.

ATWS-Final Rule - ' Code of Federal Regulations 10CFR50.62 and '

Supplementary Information Package, "Reduction of Risk. from Anticipated Transients Wi hout Scram ( ATWS) Events for Light-Water-Cooled Nuclear t

Power Plants".

2.

"Quality Assurance Guidance for ATWS Equipment That is Not Safety-Related", Generic Letter 85-06; April 16,' 1985.

3.

"AMSAC Generic Design Package", WCAP-10858 Rev. 1.

4.

Rossi, C. E., "Acceptance for Referencing of Licensing Report", NRC Letter to L. D. Butterfield, Chairman of ATWS Subcommittee, Westinghouse Owner's Group, July 7, 1986.

5.

Westinghouse Owners Group Letter OG-87-10, dated February 26, 1987.

4 5-1

~ - -