ML20196B911

Forwards Replacement Pages to Attachments I & II of Original Attachments Re Rev to Plant Specific ATWS Mitigating Sys Actuation Circuitry Were Partially or Completely Missing

Person / Time
Site: Prairie Island
Issue date: 02/08/1988
From: Musolf D, Northern States Power Co.
To: NRC Office of Administration & Resources Management (ARM)
References
NUDOCS 8802120184
Download: ML20196B911 (17)


Text


Northern States Power Company
414 Nicollet Mall
Minneapolis, Minnesota 55401
Telephone (612) 330-5500

February 8, 1988

Director
Office of Nuclear Reactor Regulation
US Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555

PRAIRIE ISLAND NUCLEAR GENERATING PLANT
DOCKET NOS. 50-282   LICENSE NOS. DPR-42
            50-306                DPR-60
Data Related to Piping Erosion / Corrosion

Reference: (a) Letter dated December 1, 1987 from D M Musolf, NSP, to Director of NRR, NRC, "Revision to Plant Specific AMSAC Design"

Reference (a) provided a revised description of the design we propose to use to meet the requirements of 10 CFR Part 50, Section 50.62, for an AMSAC system at the Prairie Island Nuclear Generating Plant.

It has come to our attention that the attachments to this letter, through an error in printing, were partially or completely missing.

The purpose of this letter is to provide replacement copies of Attach-ments I and II to our original December 1, 1987 letter.

The replacement material is attached.

We apologize for any inconvenience this error may have caused.

Please call me if you have any questions related to this information.

David Musolf
Manager Nuclear Support Services

c: Resident Inspector, NRC
   Regional Administrator, Region III, NRC
   G Charnoff

Attachments


Director of NRR
ATTACHMENT I
December 1, 1987

Revised AMSAC Conceptual Design Report for Prairie Island

1.0 INTRODUCTION

This submittal describes the design of the AMSAC system for Prairie Island Units 1 & 2.

This design is based on the functional requirements of the generic Westinghouse Owners Group (WOG) design described in WCAP-10858P-A, Revision 1, Section 4. Included in this submittal are discussions of design basis, hardware design, and testing procedures. Responses to the plant specific questions contained in the NRC Safety Evaluation of WCAP-10858P-A, Revision 1, are discussed in Attachment II.

2.0 DESIGN BASIS

The purpose of installing an AMSAC system is to mitigate the effects of a failure to trip the reactor in the event of a loss of normal feedwater or a loss of load.

This is required to prevent reactor coolant system pressure from exceeding 3200 psig. The mitigation is accomplished by tripping the turbine and initiating auxiliary feedwater flow in the event of an anticipated loss of heat sink, after the reactor protection system has been given sufficient time to trip the reactor.

The criteria for AMSAC are based on the ATWS rule (10 CFR 50.62 and supplementary information, published 6/26/84), previous Westinghouse analyses (WCAP-8330), WOG guidance, and good engineering practice.

The specific design proposed for the Prairie Island units satisfies the design criteria discussed in WCAP-10858P-A, Revision 1.

3.0 DESIGN

General Description

The AMSAC system for Prairie Island is based on the WOG generic Loss of Feedwater Flow logic (see Figure 1), which senses the impending loss of heat sink by monitoring feedwater flow directly. AMSAC initiates a turbine trip and auxiliary feedwater (AFW) actuation, which in turn isolates steam generator blowdown, when complete loss of feedwater is anticipated. AMSAC actuates on low feedwater flow sensed on 3 of 4 flow transmitters (two transmitters per loop). Short term protection against reactor coolant system overpressure is not required at low loads, thus a load permissive is included in the AMSAC design. However, in order to minimize the amount of reactor coolant system voiding during an ATWS, AMSAC should operate above 40% of nominal power.

This permissive (called C-20) is formed by a 2 of 2 logic based on turbine impulse pressure. Operator manual action is required to protect the reactor coolant system for an ATWS occurring below 40% power, using the controls presently available.

A variable time delay on the power permissive removal ensures that the permissive is in effect long enough to provide for actuation during decreasing load situations. A time delay for AMSAC actuation is intended to provide for both control system and reactor protection system response prior to ATWS mitigation.

This time delay was supplied by the Westinghouse Owners Group (WOG) and is an inverse function of turbine power level prior to the ATWS.

Setpoints for bistable functions and timers will be in accordance with WOG guidance.

The proposed AMSAC design consists of power sources, system electronics, analog inputs, system status outputs, and actuation outputs interfacing with the auxiliary feedwater system and the turbine control system.

The transmitter and instrument AC bus numbers referenced below apply to each unit (e.g., transmitter PT-485 is 1PT-485 for Unit 1, and 2PT-485 for Unit 2).

Power Sources

The AMSAC system electronics will be powered from dual power supplies mounted in the feedwater cabinet. Either power supply is capable of providing for all power requirements for the rack mounted equipment.

The two rack mounted power supplies will receive instrument AC from two separate sources, one being a nonsafeguards uninterruptible power supply (UPS) and the other being an existing instrument power supply already in the feedwater cabinet (see Figure 5).

Both AC sources are continuously supplied, with either capable of supplying the power requirements of the cabinet. The UPS source is totally diverse from the reactor protection system, with a dedicated nonsafeguards DC supply, and the instrument power source is the same as the reactor protection system.

The nonsafeguards UPS is powered from an AC bus which can be supplied from a nonsafeguards diesel generator. This results in a power supply system for the AMSAC electronics which is redundant, very secure, and, in conjunction with the nonsafeguards UPS, is diverse from the source used in the reactor protection and control system.

The turbine impulse pressure transmitters to be used for AMSAC are PT-485 and PT-486. This design requires the use of reactor protection system instrument AC sources for the transmitter and existing isolation amplifier power supplies for the impulse pressure signals (see Figure 4).

Transmitter PT-485 is powered from instrument AC bus 2.

The isolation amplifier which will provide an impulse pressure signal to the feedwater rack from PT-485 is powered from instrument AC bus 1.

Transmitter PT-486 and its isolation amplifier providing the signal to the feedwater rack are powered from instrument AC bus 3.

The feedwater flow transmitters (FT-466, 467, 476 and 477) are presently used in the reactor protection system. Prairie Island intends to upgrade the feedwater control system with Westinghouse Distributed Process Family microprocessor based instrumentation (WDPF) and implement AMSAC actuation logic within the same control system. This will result in the removal of any feedwater instrumentation presently located in the reactor protection racks. The existing cables from the transmitters to the protection racks will be abandoned and new cable will be pulled from the transmitters directly to the feedwater rack, with transmitter power supplied by power supplies in the feedwater cabinet. The result will be that feedwater flow signals will no longer have any interface with the reactor protection system.

Power to the feedwater flow transmitters will be from the upgraded feedwater control cabinet:

TRANSMITTER   LOOP   AC POWER SUPPLY
FT-466        A      Protection instrument bus and UPS
FT-467        A      Protection instrument bus and UPS
FT-476        B      Protection instrument bus and UPS
FT-477        B      Protection instrument bus and UPS

System Electronics and Software Configuration

The Prairie Island AMSAC system is to be built around the Westinghouse Distributed Process Family (WDPF) redundant microprocessor control system.

This hardware is similar to that used successfully in over 225 diverse industrial applications. The system electronics are diverse in design from the existing Prairie Island reactor protection system electronics manufactured by the Foxboro company.

Prairie Island has chosen to implement the WOG actuation logic in the manner shown in Figure 2.

This results in a system which minimizes actuation due to spurious trips while still maintaining a high reliability for system actuation. Feedwater cabinet input signals are immediately assigned separate AMSAC and feedwater control addresses following signal analog to digital conversion. Actuation of AMSAC will not occur unless both of the following conditions are present:

1. Two trains of software actuation logic occur
2. Two output cards supply an actuation signal

This system will be immune to actuation from a single point software failure (due to spurious syntax or logic errors, human error, etc.) or a single point hardware failure. System reliability has not been compromised due to the following aspects of the design:

1. A backup microprocessor unit will provide actuation logic and output card actuation in the event of a failure of the primary unit.
2. The WDPF hardware has a documented history of highly reliable operation. The output cards shown in Figure 2 have a mean time between failure of 100,000 hours.
3. Output actuation occurs in separate trains of relays, minimizing the effects of a relay failure.
4. The WDPF has self monitoring functions for its hardware and software. Malfunctions will be immediately flagged and give an alarm.
5. The design philosophy of AMSAC is based upon its function as a backup to the reactor protection system. The simultaneous failure of both systems is extremely unlikely.

The analog input signals will be monitored for loss of signal, signal deviation, or signal levels beyond normal operating range. The WDPF microprocessor unit software provides signal conditioning for the analog input signals and the logic and timing functions of the system (including calculation of the actuation timer variable setpoint). The system output energizes actuation relays, which drive the final actuation logic.

The microprocessor operation includes a self monitoring function which will cause an alarm and switch over to the backup microprocessor unit in the event a malfunction is detected. The complete system is designed on an energize-to-actuate basis, minimizing inadvertent actuation due to the loss of signal, loss of all power, the loss of an output module, or the loss of a microprocessor unit.

Analog Inputs

The signals from the feedwater flow transmitters (FT-466, 467, 476, and 477) and the turbine impulse pressure signals (PT-485 and 486) will be input to separate input cards in the feedwater rack, where analog to digital conversion takes place.

The digital signal will be sent to different addresses in the microprocessor. One set of addresses will be for the feedwater system and the other set of addresses will be for the AMSAC system (see Figure 2).

The turbine impulse pressure signals are from existing safety-related transmitters, which are used for reactor protection and control.

Each transmitter, with its power supply, forms a current loop providing an input signal to bistables and signal isolation amplifiers (see Figure 4).

The signal isolation amplifiers are Foxboro type M/66 BC.

This equipment is used throughout the reactor protection and control system to isolate protection from potential failures in the control systems.

Failure of the instrument AC bus serving either the transmitter power supply or the signal isolation amplifier would result in the signal dropping below the nominal live zero level and would be detectable as a signal failure.

The feedwater flow transmitters will be powered from the feedwater cabinet as described earlier.

System Status Outputs

The AMSAC system will provide outputs for control room information and annunciation.

This will include a control board status alarm and plant process computer based alarms to indicate system hardware/software trouble or AMSAC actuation.

The requirement to provide continuous indication in the control room when the system is bypassed for surveillance is addressed by installation of a control room status panel alarm to indicate that the AMSAC system is unavailable (see Figure 6).

The plant process computer alarm screen will be used for three alarms (see Figure 7).

The first alarm is a general hardware system trouble alarm.

The second alarm will appear if AMSAC actuation occurs (there will also be an output to the sequence-of-events data logger). The third alarm will occur when the actuation output block switch is in the block position, or if any AMSAC database point is removed from scan for any reason.

The plant process computer alarm CRT is continuously displayed in the control room.

Since AMSAC actuation should not affect operation of the reactor and turbine until there has been a failure of both normal control and protection systems, this level of control room indication will provide adequate information to the operator while allowing Prairie Island to conserve the scarce annunciator spare positions for future needs.

Actuation Outputs

The AMSAC system is required to trip the turbine and initiate auxiliary feedwater flow. When the actuation logic formed in the microprocessor unit is satisfied, a logic "1" is supplied to both output cards. Actuation of both output cards will energize two separate relay trains, of which either can supply the AMSAC function. The auxiliary feedwater actuation relay will provide the safety related interface required by this circuit. All of the AMSAC relays are configured on an energize to actuate basis to avoid inadvertent actuation.

The specific interface design will ensure that when AMSAC actuation occurs the action goes to completion.

The actuation interface between AMSAC and auxiliary feedwater will meet 1E requirements.

Steam generator blowdown secures on any actuation of auxiliary feedwater, therefore no AMSAC output is necessary for this function.

4.0 TESTING CONSIDERATIONS

The ATWS Rule and the NRC SER for WCAP-10858P-A, Revision 1, require the AMSAC system to be testable at power, and to be tested prior to installation and periodically during operations. The proposed AMSAC system will be tested prior to completion of installation, consistent with the modification process used by Northern States Power. This testing will verify that the installation has been accomplished as designed, and that the system is operating properly.

Periodic testing of the system hardware will be accomplished at power.

The following is a conceptual outline of tests to be done at power:

1. Inform operations about testing.
2. Operate Block Switch to preclude relay actuation.
3. Using a personal computer to interface with the system, enter a password to begin testing of the system.
4. Remove the database points from scan and enter values into the impulse pressure software database points. Varying these database points, verify the proper operation of the C-20 permissive bistable function.
5. Remove the database points from scan and enter values into the feedwater flow signal database points. Varying these database points, verify the proper operation of the individual feedwater flow bistable functions.
6. Verify proper operation of the 3/4 low feedwater flow logic, the 2/2 impulse pressure C-20 logic, the actuation logic, and the proper operation of the two time delay functions.
7. Return all database points to scan and exit from the test program.
8. Using the AMSAC display on the personal computer, verify that the system is restored to normal operation.
9. Operate Block Switch to unblocked position.

Calibration and functional testing of the AMSAC system, including output relays, is to be done during refueling outages. This testing will be similar to that described above, except that the Block Switch will be unblocked to allow relay actuation and resulting operations to be verified.
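The actuation logic of Section 3.0 (3/4 low feedwater flow, the 2/2 C-20 permissive with delayed removal, the load-dependent actuation timer of Figure 3, two software trains feeding two output cards and two energize-to-actuate relay trains) and the at-power test outline above (Block Switch, database points removed from scan, values entered from the test PC, restoration to scan) can be exercised together in one small simulation. The Python below is an added example written for this page; it is not NSP, Westinghouse or WDPF code. Other than the 40% C-20 permissive, the setpoints, the inverse-power shape of the variable delay, the dropout delay, the scan period and every function and attribute name are assumptions made for the example.

```python
"""Constructed simulation of the AMSAC logic of Section 3.0 and the at-power test outline
of Section 4.0.  Added illustration for this page, not NSP or Westinghouse WDPF code.  Other
than the 40% C-20 permissive, all setpoints, the shape of the variable time delay (supplied
by the WOG in the real design), the dropout delay and the scan period are assumptions."""

SCAN_S = 0.1                 # assumed logic scan period, seconds
LOW_FLOW_SETPOINT = 25.0     # % nominal loop flow; assumed bistable setpoint
C20_SETPOINT = 40.0          # % power via turbine impulse pressure (from the submittal)
C20_DROPOUT_DELAY_S = 30.0   # assumed hold of the permissive after load drops below C-20
FLOW_POINTS = ("FT-466", "FT-467", "FT-476", "FT-477")    # loop A, loop A, loop B, loop B
PRESS_POINTS = ("PT-485", "PT-486")
FULL_POWER = {**dict.fromkeys(FLOW_POINTS, 100.0), **dict.fromkeys(PRESS_POINTS, 100.0)}


def actuation_delay_s(power_pct):
    """Assumed stand-in for the WOG variable timer: inverse in turbine power, clamped so
    the reactor protection system always gets its chance to trip first."""
    return max(25.0, min(300.0, 2500.0 / max(power_pct, 1.0)))


class Train:  # one of the two identical software trains of Figure 2
    def __init__(self):
        self.c20_hold_s = 0.0          # remaining permissive hold after load drops
        self.low_flow_scans = 0        # scans with 3/4 low flow and permissive present
        self.delay_setpoint_s = None   # latched from turbine power at event onset
        self.output = False


class Amsac:
    def __init__(self):
        self.trains = (Train(), Train())
        self.cards_ok = [True, True]   # output card health (Figure 2)
        self.block_switch = False      # keylock Block Switch under administrative control
        self.off_scan = set()          # database points removed from scan by the test PC
        self.inserted = {}             # values entered at the X points of Figure 2
        self.spurious_train = None     # fault injection: one train asserting output wrongly
        self.alarms = set()            # plant process computer alarms (Figure 7)

    def read(self, point, live):
        return self.inserted[point] if point in self.off_scan else live[point]

    def step(self, live):
        """One scan; returns the state of relay trains (A, B), energize-to-actuate."""
        flows = [self.read(p, live) for p in FLOW_POINTS]
        press = [self.read(p, live) for p in PRESS_POINTS]
        failed = [n for n, v in zip(FLOW_POINTS + PRESS_POINTS, flows + press) if v < 0.0]
        self.alarms.update(f"signal failure {n}" for n in failed)   # below live zero
        low_flow = sum(f < LOW_FLOW_SETPOINT for f in flows) >= 3   # 3/4 bistables
        above_c20 = all(p >= C20_SETPOINT for p in press)           # 2/2 bistables
        for i, t in enumerate(self.trains):
            t.c20_hold_s = C20_DROPOUT_DELAY_S if above_c20 else max(0.0, t.c20_hold_s - SCAN_S)
            if low_flow and (above_c20 or t.c20_hold_s > 0.0):      # permissive, delayed dropout
                if t.delay_setpoint_s is None:
                    t.delay_setpoint_s = actuation_delay_s(max(press))   # high selector, Fig. 3
                t.low_flow_scans += 1
                t.output = t.low_flow_scans * SCAN_S >= t.delay_setpoint_s - 1e-9
            else:
                t.low_flow_scans, t.delay_setpoint_s, t.output = 0, None, False
            t.output = t.output or self.spurious_train == i          # fault injection
        # Each output card needs a logic "1" from both software trains (2/2).
        cards = tuple(ok and all(t.output for t in self.trains) for ok in self.cards_ok)
        if self.block_switch:          # test mode: relay actuation precluded, logic still runs
            self.alarms.add("AMSAC in test: block switch in block position")
            return (False, False)
        if any(cards):                 # relay train A follows card A, B follows card B;
            self.alarms.add("AMSAC actuation")   # either train trips the turbine and starts AFW
        return cards


def loss_of_feedwater_at(power_pct):
    """Constructed event: all four flow channels collapse while turbine power holds."""
    return {**dict.fromkeys(FLOW_POINTS, 0.0), **dict.fromkeys(PRESS_POINTS, power_pct)}


def time_to_actuate_s(amsac, live, horizon_s=400.0):
    """Seconds until a relay train energizes, or None if none does within the horizon."""
    for n in range(1, round(horizon_s / SCAN_S) + 1):
        if any(amsac.step(live)):
            return round(n * SCAN_S, 1)
    return None


def single_point_immunity():
    """One spurious software train must not actuate; one dead output card must not prevent it."""
    a = Amsac(); a.spurious_train = 0
    b = Amsac(); b.cards_ok[1] = False
    return time_to_actuate_s(a, FULL_POWER), time_to_actuate_s(b, loss_of_feedwater_at(100.0))


def at_power_test():
    """Steps 2-9 of Section 4.0: block relays, take points off scan, insert values, restore."""
    a = Amsac(); a.block_switch = True; a.off_scan.update(FLOW_POINTS + PRESS_POINTS)
    a.inserted = loss_of_feedwater_at(39.0)                         # step 4: just under C-20
    below = time_to_actuate_s(a, FULL_POWER) is None and not a.trains[0].output
    a.inserted = loss_of_feedwater_at(100.0)                        # steps 5-6: low flow + C-20
    blocked = time_to_actuate_s(a, FULL_POWER) is None and all(t.output for t in a.trains)
    a.off_scan.clear(); a.inserted = {}; a.block_switch = False     # steps 7-9
    restored = a.step(FULL_POWER) == (False, False) and not a.trains[0].output
    return {"c20_holds_below_40pct": below, "relays_blocked": blocked, "restored": restored}
```

Running `time_to_actuate_s(Amsac(), loss_of_feedwater_at(p))` for p of 100, 50 and 30 gives 25 s, 50 s and no actuation: the assumed delay grows as pre-event power falls, and below the C-20 permissive AMSAC does nothing, leaving the sub-40% case to operator action as the submittal states. `single_point_immunity()` shows the two claims of the reliability discussion: a spurious output from one software train never reaches the relays, because each output card requires a logic "1" from both trains, while losing one output card still leaves the other relay train to trip the turbine and start AFW. `at_power_test()` mirrors the outline above: with the Block Switch in the block position the bistables and both timers can be driven to actuation from inserted values and observed on the trains, but the relays stay de-energized until the points are returned to scan and the switch is unblocked.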


Figure 1: WOG Generic AMSAC Actuation Logic (reference WCAP-10858P-A, Rev. 1; figure not reproduced). Inputs: main feedwater flow, Loop A (two channels) and Loop B (two channels), and turbine load. Bistable functions (B/S): the feedwater flow bistables actuate on decreasing signal, the turbine load bistables on increasing signal. Feedwater flow: 3/4 logic with time delay pickup. Turbine load: 2/2 logic with time delay dropout. Note: time delays are dependent upon turbine load. Outputs: turbine trip; initiate aux. feedwater.

Figure 2: P.I. AMSAC Actuation Logic (figure not reproduced). Inputs: Loop A FW flow FT-466 and FT-467; Loop B FW flow FT-476 and FT-477; turbine impulse pressure PT-485 and PT-486 (PT-486 is typical for all inputs). Each input passes through A/D (analog to digital signal conversion) and a digital signal insertion/monitor point (X) accessible via personal computer to a bistable function (B/S; see Figure 1 for B/S actuation). Two software trains each form 3/4 low feedwater flow and 2/2 impulse pressure logic, with the timer of Figure 3 and a test lamp. Each output card receives 2/2 of the two trains and has its own power; output card Train A drives the Train A turbine trip and AFW start relays, and output card Train B the Train B turbine trip and AFW start relays.

Figure 3: Actuation Timing Function (figure not reproduced). Impulse pressure inputs PT-485 and PT-486 feed a pressure signal high selector, whose output goes to the variable timer function calculator (time delay varies inversely with turbine power). The feedwater low flow logic 3/4 (see Figure 2) starts the variable setpoint timer, whose output goes to the actuation logic.

Figure 4: Typical Analog Signal Development for Turbine Impulse Pressure (figure not reproduced). The transmitter, with its transmitter loop power supply (PS), feeds the protection rack, where an isolation amplifier provides the isolated signal to the feedwater rack.

Figure 5: Rack Power Distribution (figure not reproduced). Within the feedwater rack, primary and secondary AC supplies feed the primary and secondary microprocessor units and the primary and secondary I/O cards, with 13 VDC diode auctioneered at the I/O cards. The primary and secondary AC supplies are fed from an AC distribution panel supplied from the protection instrument bus and the UPS.

Figure 6: Control Board System Status Panel Window (figure not reproduced). The window reads "AMSAC INACTIVE" and is driven by either the C-20 permissive not satisfied or the Block Switch in the block position.

Figure 7: Plant Process Computer Alarms (figure not reproduced). AMSAC SYSTEM TROUBLE: rack power supply failure/loss, microprocessor failure, or signal failure. AMSAC SYSTEM IN TEST: software block switch in block position, or database point removed from scan. AMSAC ACTUATION: actuation contacts, also recorded on the sequence of events log.

Director of NRR
ATTACHMENT II
December 1, 1987

Revised Response to Generic AMSAC SER Questions

Plant-Specific Licensing

The following items are the plant-specific responses to the fourteen questions unresolved by the generic SER:

1. Diversity

The proposed AMSAC system is diverse from the reactor protection and control system to the extent practicable. The AMSAC control electronics are completely different in design and operating principles than those used in the reactor protection and control system. The analog signals for the turbine impulse pressure are isolated within the reactor protection and control instrument racks (existing isolation corresponding to another function the signals provide). The feedwater flow signals will be removed from the protection system and have no protection functions.

The outputs to plant systems are in the form of relay contacts to be wired into existing system circuitry to provide the redundant actuation.

2. Logic Power Supplies

The logic power is supplied from two AC power sources, one of which is totally diverse from the power source used in the reactor protection system.

One of the AMSAC power sources is from a nonsafeguards uninterruptible power supply with a dedicated battery.

It can receive power from a diesel generator which is separate from those used for safety functions.

3. Safety-Related Interface

The existing reactor protection system will be unaffected by the AMSAC installation. The turbine impulse pressure analog signals used in the reactor protection system are isolated prior to being routed to the feedwater rack.

The use of those isolators is discussed in WCAP-7685 "Isolation Amplifier" (June 1971), and in the Prairie Island USAR (page 7.4-4).

The system interface for actuation is accomplished by use of energize-to-actuate relay logic. The actuation relays will be wired into the device actuation circuit to trip the turbine and initiate auxiliary feedwater.

The auxiliary feedwater actuation circuit relays will meet 1E requirements.

4. Quality Assurance

The quality assurance requirements for AMSAC were described in Generic Letter 85-06.

This guidance has been discussed with the Prairie Island Quality Assurance organization. The quality controls imposed in the plant modification process and the testing and calibration programs applied to plant instrumentation and control systems will be sufficient to satisfy the guidance expressed in G.L. 85-06.

5. Maintenance Bypasses

The AMSAC system can be maintained at power with the system in the Bypass mode, in which the logic output Block Switch is placed in the Block position.

With the output blocked, it will be possible to test, calibrate, or repair the software logic and analog portions of the system without affecting plant operations.

When the system is in the Bypass mode, the system status annunciator panel in the control room will continuously indicate that the AMSAC system is inactive. In addition, there will be a plant process computer alarm to indicate that the system is in test.

6. Operating Bypasses

The operating bypass consists of the 2 of 2 logic in which the actuation permissive is satisfied whenever the power measured by turbine impulse pressure exceeds 40%.

The setpoint is based on generic work by the Westinghouse Owners Group, involving a concern over the potential for bulk boiling in the core. This permissive is subject to time delay in removal during power decreases. The analog signals upon which the C-20 permissive is based are created using transmitters used in the reactor protection and control system, but using a signal which is isolated electronically from that system. The AMSAC system monitors signal quality for these analog inputs, causing a plant process computer alarm to the operators upon signal failure.

The operating bypass causes the system status annunciator panel in the control room to continuously indicate that the AMSAC system is inactive when the permissive conditions are not satisfied.

7. Means for Bypassing

The means for bypassing the AMSAC system is a keylock switch under administrative control. The bypass means discussed and disallowed in the generic SER are not involved in the proposed design for Prairie Island.

8. Manual Initiation

Manual turbine trip is accomplished by use of a push-button on the control board.

The auxiliary feedwater actuation is done by use of control switches on the control board. Their use is directed in the plant emergency operating procedure for response to ATWS.

9. Electrical Independence

The AMSAC system is powered from two AC power sources, one of which is totally diverse from the reactor protection AC source. The AMSAC power sources are secure, involving the use of one nonsafeguards uninterruptible power supply which has a dedicated battery and nonsafeguards diesel generator backup for battery charging power. The other power supply is one of the existing power sources in the feedwater rack. The proposed design does require the use of reactor protection system power supplies to support existing transmitters and signal isolators for the turbine impulse pressure.

The existing isolators for the turbine impulse pressure, which are powered by reactor protection system sources, were subjected to testing and failure analysis prior to completion of plant construction. The use of these isolators is discussed in WCAP-7685 "Isolation Amplifier" (June 1971).

10. Physical Separation

The implementation of the AMSAC system does not degrade the physical separation of the existing reactor protection system. Any analog inputs entering the AMSAC system which are derived using equipment from any channel of reactor protection are isolated before proceeding to AMSAC. The wiring of those signals from the reactor protection system to AMSAC will use cable tray or conduit other than that used for reactor protection system wiring. The AMSAC instrument rack is physically separated from the reactor protection instrument racks.

11. Environmental Qualification

The Westinghouse system is designed to operate in the mild environment which is found in the control room.

12. Testability at Power

The testing of the AMSAC system during installation, at power operation, and during refueling outages will be as described in this submittal under Section 4.0 "TESTING CONSIDERATIONS". The AMSAC actuation signal is sensed as an input for an alarm which will be part of the control room computerized alarm display.

13. Completion of Mitigative Action

The AMSAC design for actuation output interfaces is such that, upon actuation, the completion of mitigating actions shall be consistent with the plant turbine trip and auxiliary feedwater circuitry. Once actuated, there is no mechanism to prevent completion of the mitigative action.

Return to normal power operation will be accomplished in accordance with normal operations manual procedures, which require deliberate operator action.

14. Technical Specifications

Northern States Power is a member of the Westinghouse Owners Group Technical Specifications Subcommittee, which has been negotiating with the NRC on the issue of Technical Specifications for the AMSAC system. That question is understood to be unresolved at this time.

Northern States Power intends to continue to participate in that forum to resolve the issue of what Technical Specifications, if any, are appropriate for the AMSAC system.