ML20151X258

Provides Consolidated Description of Final ATWS Mitigation Sys Actuation Circuitry Design. Responses to plant-specific Questions Contained in NRC Safety Evaluation in WCAP-10858 Also Encl
Site: Prairie Island
Issue date: 04/22/1988
From: Musolf D, NORTHERN STATES POWER CO.
To: NRC OFFICE OF ADMINISTRATION & RESOURCES MANAGEMENT (ARM)
References: NUDOCS 8805040096

Northern States Power Company
414 Nicollet Mall
Minneapolis, Minnesota 55401
Telephone (612) 330-5500

April 22, 1988

10 CFR Part 50
Section 50.62

Director of Nuclear Reactor Regulation
U S Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555

PRAIRIE ISLAND NUCLEAR GENERATING PLANT
Docket Nos. 50-282   License Nos. DPR-42
            50-306                DPR-60

Description of Final AMSAC Design

The purpose of this letter is to provide a consolidated description of the design that will be implemented at the Prairie Island Nuclear Generating Plant for the ATWS Mitigation System Actuation Circuitry (AMSAC) required by 10 CFR Part 50, Section 50.62.

This letter and its attachments supersede all of our previous submittals on this subject.

Attachment I provides a description of the AMSAC design that will be implemented on both units at Prairie Island. Attachment II provides a response to the plant-specific questions contained in the NRC Safety Evaluation of WCAP-10858.

The AMSAC design we will implement meets the requirements of WCAP-10858.

The design also incorporates changes and commitments made by Northern States Power Company in response to NRC review of our earlier submittals on this subject.

AMSAC implementation in Unit 1 is scheduled prior to startup for Cycle 14 (about November, 1989). AMSAC implementation in Unit 2 is scheduled prior to startup for Cycle 13 (about March, 1989).

We will make every reasonable effort to meet this schedule and will inform the Commission of the need for any changes in it.


Please contact us if you have any questions related to the information we have provided.

David Musolf
Manager Nuclear Support Services

c: Regional Administrator, Region III, NRC
   NRC Sr Resident Inspector
   NRC Project Manager
   G Charnoff

Attachments

ATTACHMENT I

1.0 INTRODUCTION

This submittal describes the design of AMSAC for Prairie Island Units 1 & 2.

This design is based on the functional requirements of the generic Westinghouse Owners Group (WOG) design described in WCAP-10858P-A Revision 1, Section 4. Included in this submittal are discussions of design basis, hardware design, and testing procedures. Responses to the plant-specific questions contained in the NRC Safety Evaluation Report of WCAP-10858P-A Revision 1 are discussed in Attachment II.

2.0 DESIGN BASIS

The purpose of AMSAC is to mitigate the effects of a failure to trip the reactor in the event of a loss of normal feedwater or a loss of load.

This is required to prevent reactor coolant system pressure from exceeding 3200 psig.

The mitigation is accomplished by tripping the turbine and initiating auxiliary feedwater flow, anticipating a loss of heat sink, after the reactor protection system has been given sufficient time to trip the reactor.

The criteria for AMSAC are based on the ATWS rule (10CFR50.62 and supplementary information, published 6/26/84), previous Westinghouse analyses (WCAP-8330), WOG guidance, and good engineering practice.

The specific design proposed for the Prairie Island units satisfies the design criteria discussed in WCAP-10858P-A, Revision 1.

3.0 DESIGN

General Description

The AMSAC system for Prairie Island is based on the WOG generic Loss of Feedwater Flow logic (see Figure 1), which senses the impending loss of heat sink by monitoring feedwater flow directly.

AMSAC initiates a turbine trip and actuates auxiliary feedwater (AFW), which in turn isolates steam generator blowdown, when a loss of feedwater is anticipated.

AMSAC actuates on low feedwater flow sensed on 3 of 4 flow transmitters (two transmitters per loop).

Short term protection against reactor coolant system overpressure is not required at low loads, thus a load permissive is included in the AMSAC design. However, in order to minimize the amount of reactor coolant system voiding during an ATWS, AMSAC should operate above 40% of nominal power.

This permissive (called C-20) is formed by a 2 of 2 logic based on turbine impulse pressure. Operator manual action is required to protect the reactor coolant system for an ATWS occurring below 40% power, using the controls presently available.

A time delay on the power permissive removal ensures that the permissive is in effect long enough to provide for actuation during decreasing load situations. A variable time delay for AMSAC actuation is intended to provide for both control system and reactor protection system response prior to ATWS mitigation. This time delay was specified by the Westinghouse Owners Group (WOG) and is an inverse function of turbine power level prior to the ATWS conditions.

Setpoints for bistable functions and timers will be in accordance with WOG guidance.

The proposed AMSAC design consists of power sources, system electronics, analog inputs, system status outputs, and actuation outputs interfacing with the auxiliary feedwater system and the turbine control system.

The transmitter and instrument AC bus numbers referenced below apply to each unit (e.g., transmitter PT-485 is 1PT-485 for Unit 1, and 2PT-485 for Unit 2).

Power Sources

The AMSAC electronics will be powered from a nonsafeguards uninterruptible power supply (UPS) in the Service Building (Computer) power distribution system. This UPS is totally diverse from the reactor protection system, with a nonsafeguards DC supply backup, and is powered from an AC bus which can be supplied from a nonsafeguards diesel generator.

This results in a power supply system for AMSAC which is very secure and is diverse from power sources used in the reactor protection system.

AMSAC output relay power will also be Service Building power, with relay actuation via the AMSAC outputs.

The Turbine Impulse pressure transmitters to be used for AMSAC are PT-485 and PT-486. This design requires the use of reactor protection system instrument AC sources for the transmitter and existing isolation amplifier power supplies for the impulse pressure signals (see Figure 5).

Transmitter PT-485 and the isolation amplifier which will provide an impulse pressure signal to the feedwater rack from PT-485 are powered from instrument AC bus II.

Transmitter PT-486 and its isolation amplifier are powered from instrument AC bus III.

The feedwater flow transmitters (PT-466, 467, 476 and 477) are presently used in the reactor protection system.

Prairie Island intends to upgrade the feedwater control system with Westinghouse Distributed Process Family (WDPF) microprocessor-based instrumentation. This will result in the removal of any feedwater instrumentation presently located in the reactor protection racks.

The existing cables from the transmitters to the protection racks will be abandoned and new cable will be pulled from the transmitters directly to the feedwater rack, with transmitter power supplied by the reactor protection system power presently supplied to the feedwater cabinet.

The result will be that feedwater flow signals will no longer have any interface with the reactor protection system functions.

Power to the feedwater flow transmitters is summarized in the table below:

TRANSMITTER   LOOP   AC POWER SUPPLY
FT-466        A      RPS instrument bus I & III (redundant)
FT-467        A      RPS instrument bus I & III (redundant)
FT-476        B      RPS instrument bus I & III (redundant)
FT-477        B      RPS instrument bus I & III (redundant)

System Electronics and Software Configuration.

The Prairie Island AMSAC system is to be built around Westinghouse Automation Division (WAD) microprocessor-based instrumentation. This instrumentation is similar to that used successfully in many diverse industrial applications.

The system electronics for WDPF and Numa-Logic instrumentation are diverse in design from the existing Prairie Island reactor protection system electronics manufactured by the Foxboro Company.

All feedwater control system inputs, including the signals pertinent to AMSAC, undergo D/A conversion in the WDPF instrumentation as shown in Figure 4.

The signals are then available for use, via a redundant data highway, by AMSAC, which is implemented in a Westinghouse Numa-Logic programmable logic controller (PLC). The PLC performs all AMSAC logic functions, including providing output signals for the AMSAC actuation relays.

Prairie Island has chosen to implement the WOG actuation logic in the manner shown in Figure 2.

This results in a system which minimizes actuation due to spurious trips while still maintaining a high reliability for system actuation.

Actuation of AMSAC will not occur unless both of the following conditions are present:

1. Two trains of software actuation logic occur
2. Two output cards supply an actuation signal

This system will be immune to actuation from a single point software failure (due to spurious syntax or logic errors, human error, etc.) or a single point hardware failure.

System reliability has not been compromised due to the following aspects of the design:

1. The integrity of input signals is maintained through the use of the WDPF feedwater system, utilizing redundant microprocessors, redundant power supplies, and self-monitoring to assure the signals are properly input to AMSAC via the redundant data highway.

Failure of input signals or the integrated WAD instrumentation system is immediately flagged and initiates an alarm.

2. The WAD instrumentation has a documented history of highly reliable operation.


3. Output actuation occurs in separate trains of relays, minimizing the effects of a relay failure.
4. The WAD equipment (including data highway integrity) has self-monitoring functions for its hardware and software operations. Malfunctions will be immediately flagged and give an alarm.
5. The design philosophy of AMSAC is based upon its function as a backup to the reactor protection system. The simultaneous failure of both systems is extremely unlikely.

The analog input signals will be monitored for loss of signal, signal deviation, or signal levels beyond normal operating range.

The PLC microprocessor unit software provides signal conditioning for the input signals and the logic and timing functions of the system (including calculation of the actuation timer variable setpoint). The system output energizes actuation relays, which drive the final actuation logic.

The complete system is designed on an energize-to-actuate basis, minimizing inadvertent actuation due to the loss of signal, loss of power, the loss of an output module, or the loss of the microprocessor unit.
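The actuation logic described in this section and under General Description (3 of 4 low feedwater flow, the C-20 permissive with delayed removal, the variable actuation delay, and the requirement for two software trains and two output cards), modelled as an added example that is not part of the original submittal or of the Westinghouse implementation. Only the 40% C-20 value comes from the page; the flow setpoint, all timer values, the valid signal range, the rule that a failed signal does not vote, and every name are assumptions.

```python
from dataclasses import dataclass

# Only the 40% C-20 value is from the page. Every other number is a constructed
# placeholder; the real setpoints follow WOG guidance not reproduced here.
C20_POWER_PCT = 40.0    # permissive: turbine impulse pressure above 40% power
LOW_FLOW_PCT = 25.0     # hypothetical low feedwater flow bistable setpoint
C20_DROPOUT_S = 120.0   # hypothetical time delay on permissive removal
VALID_RANGE = (-2.0, 110.0)  # hypothetical; a dead loop reads far below 0%


def signal_ok(value):
    """Signal-quality check: within the normal operating range."""
    return VALID_RANGE[0] <= value <= VALID_RANGE[1]


def actuation_delay_s(power_pct):
    """Hypothetical inverse function: 25 s at 100% power, 145 s at 40%."""
    power = min(max(power_pct, C20_POWER_PCT), 100.0)
    return 25.0 + 2.0 * (100.0 - power)


@dataclass
class Train:
    """One train of software actuation logic."""
    c20: bool = False
    c20_lost_s: float = 0.0
    low_flow_s: float = 0.0
    delay_s: float = actuation_delay_s(C20_POWER_PCT)
    trouble: bool = False

    def step(self, dt, flows, pressures):
        self.trouble = not all(signal_ok(v) for v in (*flows, *pressures))
        # C-20: 2 of 2 above 40%; 1 of 2 removes it after the dropout delay.
        if all(signal_ok(p) and p > C20_POWER_PCT for p in pressures):
            self.c20, self.c20_lost_s = True, 0.0
        elif self.c20:
            self.c20_lost_s += dt
            self.c20 = self.c20_lost_s < C20_DROPOUT_S
        # 3 of 4 low flow. Assumption: a failed signal does not vote, so a
        # dead transmitter loop cannot look like a loss of feedwater.
        low = sum(signal_ok(f) and f < LOW_FLOW_PCT for f in flows) >= 3
        if not low:
            self.low_flow_s = 0.0
            good = [p for p in pressures if signal_ok(p)]
            if good:  # timer setpoint follows the high-selected pre-event power
                self.delay_s = actuation_delay_s(max(good))
            return False
        self.low_flow_s += dt
        return self.c20 and self.low_flow_s >= self.delay_s


def relays_energized(demand_a, demand_b, card_a_ok, card_b_ok, blocked):
    """Energize-to-actuate: both trains and both output cards must agree."""
    return demand_a and demand_b and card_a_ok and card_b_ok and not blocked


def run(scenario, dt=1.0, spurious_a=False, card_b_ok=True, blocked=False):
    """Return elapsed seconds at actuation, or None if AMSAC never actuates."""
    a, b = Train(), Train()
    for i, (flows, pressures) in enumerate(scenario):
        demand_a = a.step(dt, flows, pressures) or spurious_a
        demand_b = b.step(dt, flows, pressures)
        if relays_energized(demand_a, demand_b, True, card_b_ok, blocked):
            return (i + 1) * dt
    return None


# Constructed scenarios: (four FW flows, two impulse pressures), % of nominal.
NORMAL = ([100, 100, 100, 100], [100, 100])
LOSS_OF_FW = [NORMAL] * 10 + [([5, 5, 5, 100], [100, 100])] * 60
LOAD_DROP = [NORMAL] * 10 + [([5, 5, 5, 5], [30, 30])] * 60
LOW_POWER = [([5, 5, 5, 5], [30, 30])] * 200
DEAD_LOOPS = [NORMAL] * 10 + [([-25, -25, -25, 100], [100, 100])] * 60

if __name__ == "__main__":
    for name in ("LOSS_OF_FW", "LOAD_DROP", "LOW_POWER", "DEAD_LOOPS"):
        print(name, run(globals()[name]))
    print("spurious train A:", run([NORMAL] * 60, spurious_a=True))
```

The LOAD_DROP case shows why the permissive removal is delayed: power falls below 40% at the same moment feedwater is lost, yet the held permissive and the timer setpoint taken from the pre-event power still let the logic actuate.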

Analog Inputs

The signals from the feedwater flow transmitters (FT-466, 467, 476, and 477) and the turbine impulse pressure signals (PT-485 and 486) will be input to separate input cards in the feedwater rack, where analog to digital conversion takes place.

Signal input to AMSAC occurs via the redundant data highway.

The turbine impulse pressure signals are from existing safety related transmitters, which are used for reactor protection and control.

Each transmitter, with its power supply, forms a current loop providing an input signal to bistables and signal isolation amplifiers (see Figure 5).

The signal isolation amplifiers are Foxboro type M/66 BC.

This equipment is used throughout the reactor protection and control system to isolate protection from potential failures in the control systems.

Failure of the instrument AC bus serving either the transmitter power supply or the signal isolation amplifier would result in the signal dropping below the nominal live zero level and would be detectable as a signal failure.

The feedwater flow transmitters will be powered from the feedwater cabinet as described earlier.

System Status Outputs

The AMSAC system will provide outputs for control room information and annunciation.

This will include a control board status alarm and plant process computer-based alarms to indicate system hardware/software trouble or AMSAC actuation.

The requirement to provide continuous indication in the control room when the system is bypassed for surveillance is addressed by installation of a control room status panel alarm to indicate that the AMSAC system is unavailable (see Figure 6).

This status panel alarm will also actuate whenever the C-20 operating permissive is not satisfied (AMSAC not armed).

The plant process computer alarm screen will be used for three alarms (see Figure 7). The first alarm is a general hardware/software system trouble alarm.

The second alarm will occur in anticipation of system testing. The third alarm will actuate upon AMSAC actuation (there will also be an output to the sequence-of-events data logger).

The plant process computer alarm CRT is continuously displayed in the control room.

Since AMSAC actuation should not affect operation of the reactor and turbine until there has been a failure of both normal control and protection systems, this level of control room indication will provide adequate information to the operator while allowing Prairie Island to conserve the scarce annunciator spare positions for future needs.

Actuation Outputs

The AMSAC system is required to trip the turbine and initiate auxiliary feedwater flow. When the actuation logic formed in the microprocessor unit is satisfied, a logic "1" is supplied to both output cards. Actuation of both output cards will energize two separate relay trains, of which either can supply the AMSAC function.

The auxiliary feedwater actuation relay will provide the 1E interface required by this circuit.

All of the AMSAC relays are configured on an energize-to-actuate basis to avoid inadvertent actuation. The specific interface design will insure that when AMSAC actuation occurs the action goes to completion.

Steam generator blowdown secures on any actuation of auxiliary feedwater, therefore no AMSAC output is necessary for this function.

4.0 TESTING CONSIDERATIONS

The ATWS Rule and the NRC SER for WCAP-10858P-A, Revision 1, require the AMSAC system to be testable at power, and to be tested prior to installation and periodically during operations.

The proposed AMSAC system will be tested prior to completion of installation, consistent with the modification process used by Northern States Power.

This testing will verify that the installation has been accomplished as designed, and that the system is operating properly.


Periodic testing of the system hardware will be accomplished at power, at intervals determined using WOG recommendations.

A conceptual outline of test to be done at power follows:

1. Inform operations about testing.
2. Operate Block Switch to preclude relay actuation.
3. Using a personal computer to interface with the system, enter a password to begin testing of the system.
4. Verify FW flow and Turbine impulse pressure signals are being received from the FW rack.
5. Operate Test Switch to enable signal injection.
6. Inject signals into the impulse pressure software database points via an analog input test card.

Varying these database points, verify the proper operation of the C-20 permissive bistable function.

7. Inject signals into the feedwater flow signal database points via an analog input test card.

Varying these database points, verify the proper operation of the individual feedwater flow bistable functions.

8. Verify proper operation of the 3/4 Low feedwater flow logic, the 2/2 Impulse Pressure C-20 logic, the actuation logic, and the proper operation of the two time delay functions.

9. Return test switch to normal operating position to preclude signal injection.
10. Using the AMSAC display on the personal computer, verify that the system is restored to normal operation.
11. Operate block switch to unblocked position.

Calibration and functional testing of the AMSAC system, including output relays, is to be done during refueling outages. This testing will be similar to that described above, except that the Block Switch will be unblocked to allow relay actuation and resulting operations to be verified.

[Figure 1: WOG Generic Actuation Logic. Labels: feedwater flow (Loop A, Loop A, Loop B, Loop B); turbine load (impulse pressure); B/S = bistable function, actuating on decreasing or increasing signal; 3/4 and 2/2 logic; time delay pickup; time delay dropout; outputs: turbine trip, initiate aux. feedwater. Note: time delay for FW flow is dependent upon turbine load. Reference: WCAP-10858P-A Rev. 1.]

[Figure 2: Actuation Logic. Labels: control instrumentation data highway; I/O bus; inputs A: FT-466, B: FT-467, C: FT-476, D: FT-477, E: PT-485, F: PT-486; B/S = bistable function (see Figure 1 for B/S actuation); 3/4 and 2/2 logic in two trains (see Figure 3); two 2/2 output cards; power; block; Train A and Train B turbine trip and AFW start. Notes: digital signal monitor point via personal computer (typical for all inputs); test lamp.]

[Figure 3: Labels: impulse pressure inputs PT-485 and PT-486; pressure signal high selector; timer function calculator (variable time delay varies inversely with turbine power); feedwater low flow logic 3/4; variable setpoint for timer; actuation logic (see Figure 2).]

[Figure 4: Inputs to Feedwater Control. Labels: redundant data highway, to AMSAC and to other loops (future); DPU A and DPU B, each with shared memory, data highway controller and processor; I/O interface; watchdog timer; I/O bus; analog inputs.]

[Figure 5: Typical Analog Signal Development for Turbine Impulse Pressure. Labels: transmitter; transmitter loop power supply; isolation amplifier; feedwater rack; analog to AMSAC; PS = power supply from various RPS inverters.]

[Figure 6: Control Board System Status Panel Window. Labels: C-20 permissive not satisfied; block switch in block position; AMSAC inactive.]

[Figure 7: Process Computer Alarms. Labels: signal failure, rack power supply failure/loss, microprocessor failure: AMSAC system trouble; test switch in test position, block switch in block position: AMSAC system in test; actuation contacts: sequence of events log, AMSAC operation.]

ATTACHMENT II

PRAIRIE ISLAND RESPONSE TO GENERIC NRC SER QUESTIONS

The following items are the plant-specific responses to the fourteen questions unresolved by the generic SER:

1. Diversity---The proposed AMSAC system is diverse from the reactor protection system to the extent practicable.

The AMSAC control electronics are completely different in design and operating principles from both those used presently in the reactor protection system and proposed candidates for system replacement.

The analog signals for the turbine impulse pressure are isolated within the reactor protection instrument racks (existing isolation corresponding to other functions the signals provide).

The feedwater flow signals will be removed from the protection system and have no protection functions. The outputs to plant systems are in the form of relay contacts to be wired into existing system circuitry to provide the system actuation.

2. Logic Power Supplies---The logic power is an AC source which is totally diverse from the power source used in the reactor protection system. The AMSAC power source is a nonsafeguards uninterruptible power supply with battery backup, which can receive power from a diesel generator which is separate from those used for safety functions.

3. Safety-Related Interface---The existing reactor protection system will be unaffected by the AMSAC installation. The turbine impulse pressure analog signals used in the reactor protection system are isolated prior to being routed to the feedwater rack.

The use of these isolators is discussed in WCAP-7685 "Isolation Amplifier" (June 1971), and in the Prairie Island USAR (page 7.4 4).

The system interface for actuation is accomplished by use of energize-to-actuate relay logic.

The actuation relays will be wired into the device actuation circuit to trip the turbine and initiate auxiliary feedwater.

The auxiliary feedwater actuation circuit relays will meet 1E requirements for an isolation device.

4. Quality Assurance---The quality assurance requirements for AMSAC were described in Generic Letter 85-06.

This guidance has been discussed with the Prairie Island Quality Assurance organization. The quality controls imposed in the plant modification process and the testing and calibration programs applied to plant instrumentation and control systems will be sufficient to satisfy the guidance expressed in G.L. 85-06.

5. Maintenance Bypasses---The AMSAC system can be maintained at power with the system in the Bypass mode, in which the logic output Block Switch is placed in the Block position.

With the output blocked, it will be possible to test, calibrate, or repair the software logic and analog portions of the system without affecting plant operations.

When the system is in the Bypass mode, the system status annunciator panel in the control room will continuously indicate that the AMSAC system is inactive.

In addition, there will be a plant process computer alarm to indicate that the system is in test.

6. Operating Bypasses---The operating permissive consists of 2 of 2 logic in which the permissive is satisfied whenever the power measured by Turbine Impulse pressure exceeds 40%. This setpoint is based on generic work by the Westinghouse Owners Group, involving a concern over the potential for bulk boiling in the core.

The operating bypass consists of 1 of 2 logic for the operating permissive removal (i.e., 2 of 2 not present), subject to a time delay specified by the WOG generic design. The analog signals upon which the C-20 permissive is based are created using transmitters used in the reactor protection system, but using a signal which is isolated electronically from that system. The AMSAC system monitors signal quality for these analog inputs, causing a plant process computer alarm upon signal failure.

The operating bypass causes the system status annunciator panel in the control room to continuously indicate that the AMSAC system is inactive (i.e., the permissive conditions are not satisfied).

7. Means for Bypassing---The means for bypassing the AMSAC system is a keylock switch under administrative control.

The bypass means discussed and disallowed in the generic SER are not involved in the proposed design for Prairie Island.

8. Manual Initiation---Manual turbine trip is accomplished by use of a pushbutton on the control board. The auxiliary feedwater actuation is done by use of control switches on the control board. Their use is directed in the plant emergency operating procedure for response to ATWS.

9. Electrical Independence---AMSAC logic is powered from an AC Power source which is totally diverse from the reactor protection AC source. The AMSAC source is very secure, using a nonsafeguards uninterruptible power supply which has nonsafeguards battery and diesel generator backup.

The proposed design does require the use of reactor protection system power supplies to support existing instrumentation; transmitters and signal isolators for turbine impulse pressure, and power to the feedwater control system.

The existing isolators for the turbine impulse pressure were subjected to testing and failure analysis prior to completion of plant construction. The use of these isolators is discussed in WCAP-7685 "Isolation Amplifier" (June 1971).

10. Physical Separation---The implementation of the AMSAC system does not degrade the physical separation of the existing reactor protection system. Any analog inputs entering the AMSAC system which are derived using equipment from any channel of reactor protection will be isolated before proceeding to AMSAC. The wiring of those signals from the reactor protection system to AMSAC will use cable tray or conduit other than that used for reactor protection system wiring. The AMSAC instrument rack will be physically separated from the reactor protection instrument racks.
11. Environmental Qualification---The Westinghouse system is designed to operate in the mild environment which is found in the control room and relay room.
12. Testability at Power---The testing of the AMSAC system during installation, at power operation, and during refueling outages will be as described in this submittal under SECTION 4.0 "TESTING CONSIDERATIONS". The AMSAC actuation signal is sensed as an input for an alarm which will be part of the control room computerized alarm display. Testing frequency will be determined based on WOG guidelines and present Prairie Island Surveillance Program guidelines.

13. Completion of Mitigative Action---The AMSAC design for actuation output interfaces is such that, upon actuation, the completion of mitigating actions shall be consistent with the plant turbine trip and auxiliary feedwater circuitry. Once actuated, there is no mechanism to prevent completion of the mitigative action. Return to normal power operation will be accomplished in accordance with normal operations manual procedures, which require deliberate operator action.
14. Technical Specifications---Northern States Power is a member of the Westinghouse Owners Group Technical Specifications Subcommittee, which has been negotiating with the NRC on the issue of Technical Specifications for the AMSAC system. That question is understood to be unresolved at this time. Northern States Power intends to continue to participate in that forum to resolve the issue of what Technical Specifications, if any, are appropriate for the AMSAC system.
