ML20203J953

From kanterella
Jump to navigation Jump to search
Application for Amends to Licenses DPR-42 & DPR-60,modifying AMSAC W/Addition of Diverse Scram Feature as Described in Exhibit A.Nrc Approval Is Requested by 980907
ML20203J953
Person / Time
Site: Prairie Island  Xcel Energy icon.png
Issue date: 02/27/1998
From: Sorensen J
NORTHERN STATES POWER CO.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
NUDOCS 9803040370
Download: ML20203J953 (27)
v  d  e


Text

___- _-__ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ .

Northern States Power Company Prairie Island Nuclear Generating Plant ,

1717 Wakonado Dr. East Welch. Minnesota $5009 February 27,1998 10 CFR 50.59 U S Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555 PRAIRIE ISLAND NUCLEAR GENERATING PLANT Docket Nos. 50 282 License Nos. DPR-42 50 306 DPR-60 License Amendment Request Dated February 27,1998 ATWS Mitigating System Actuating Circuitry / Diverse Scram System NSP commits to modify the ATWS Mitigating System Actuating Circuitry (AMSAC) on Pralrle Island Units 1 and 2 with the addition of a diverse scram feature as described in Exhibit A. Because this modification has been determined to involve an unreviewed safety question, NSP requests prior NRC review and approval of this modification in accordance with 10CFR50.59. This work will be completed during the next refueling outag., for each unit that begins after NRC approval of this modification.

The subn.ittal provides a detailed description of the design basis for the ATWS Mitigating System Actuating Circuitry / Diverse Scram System (AMSAC/ DSS) and a description of physical design. This submittalls provided to start the review process and NSP is aware that more details describing the physical design will be required to complete the NRC review. This submittal will be supplemented with additional details as they becotne available and are necessary.

I

$ d

g3oiga n 3 888 6 lilliIlIllylliEllllllllll

To provide sufficient time to prepare for Installation of the proposed modification prior to the fall 1998 Unit 2 refueling outage, NRC approval is requested by September 7,1998.

If you have questions regarding this submittal, please contact John Stanton at 612-3881121 ext. 4083.

k.

Joel P Sorensen Plant Manager Prairie Island Nuclear Generating Plant c: Regional Administrator - Region Ill, NRC NRR Project Manager, NRC Senior Resident inspector, NRC Kris Sanda, State of Minnesota J E Silberg Affidavit Attachment 4

1 UNITED STATES NUCLEAR REGULATORY COMMISSION i I NORTHERN STATES POWER COMPANY PRAIRIE ISLAND NUCLEAR GENERATING PLANT DOCKET NO. 50 282 l 50 306 l I

License Amendment Request Dated February 27,1998 l ATWS Mitigating System Actuating Circuitry / Diverse Scram System l Northern States Power Company, a Minnesota corporation, with this letter is submitting information to support a requested license amendment.

This letter contains no restricted or other defense information.

NORTHERN STATES POWER COMPANY BY mm~~

[Joel P'Sorensen~

Plant Manager Prairie Island Nuclear Generating Plant On this O ay o6 aJ lldd_ /b~

efore me a notary public in

! and for said County, personally appeared [pel FSorensen, Plant Mcnager, Prairie Island Nuclear Generating Plant; and being'first duly sworn acknowledged that he is authorized to execute this document on behalf of Northern States Power Company, that he knows the contents thereof, and that to the best of his knowledge, Information, and belief he statements made in it te tru}e\ nd that it is not interposed fo hh Y 7 ,h -

l '

3 3 =3 It}TARf MN11C430EMNE '  ;

, HDelEPM CXKMTV ,

l

f. . 8r.c-=pMt.um ,

l

4 Exhibit A License Amendment Request Dated February 27,1998 ATWS Mitigating System Actuating Circuitry / Diverse Scram System i

1.0 Background Following issuance of Code of Federal Regulations 10CFR50.02

  • Reduction of Risk From Anticipated Transients Without Scram (ATWS) Events for Light Water Cooled Nuclear Power Plants" on 7/26/84, an ATWS Mitigating System Actuation Circuitry (AMSAC) system was installed in both Prairie Island units in 1989. The Prairie Island AMSAC system design was based on the Westinghouse generic designs described in WCAP 10858. These generic designs relied upon the generic analysis documented in WCAP 8330 and Westinghouse letter NS TMA 2182, which showed acceptable plant response provided that the turbine is tripped and that auxillary feedwater (AFW)is initiated and continues to run throughout the event.

In early 1996 a review of the design basis for the Prairie Island AFW system runout protection revealed that the existing low discharge pressure setpoints did not adequately protect these pumps from runout conditions', During the review of the AFW system design bases in preparation for this setpoint change, it was identified that the setpoint change impacted the operability of the AFW pumps during an ATWS transient.2.s A modification to the controls for the turbine driven AFW pump along with additional analysis provided a basis for operation in a degraded condition while design work continued on plant modifications to resolve this issue. The basis for a determination of continued operability was the combined impact of the following: (1) the probability of an ATWS occurring is very small, (2) the demonstrated reliability of the reactor trip system is very high, (3) the existence of several conservatisms in the Westinghouse generic ATWS analysis, (4) the best estimate response of the plant, and (5) credit for operator response after ten minutes.

A design for the AN/S Mitigating System Actuation Circuitry / Diverse Scram System (AMSAC/ DSS) was identified that would retain the

  • turbine trip" and *auxilary feedwater start" features of the old AMSAC system and provide three fundemental changes. First, a diverse reactor scram would be added. Second, different plant parameteis from those used in the old AMSAC system would be monitored to detect conditions indicative of an ATWS. Third, the time delays between detection and actuation will be changed.

' LER 19610.

8 LER 107 03.

  • It was identified that this setpoint change impacted the operation of the AFW numps during all transients which resulted in low SG pressure, however a trip and restart of these pumps for all transients except ATWS was already acknowledged in the USAR 1

4 2.0 Dardgn.Banis d

The design basis is that information which identifies the specific functiuns to be performed by a structure, system, or component of a facility and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted " state of the art" practices for e;hieving functional goals or (2) requirements derived from analysis (calculations / experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.

The design basis for the Prairie Island ATWS Mitigating System Actuation Circuitry and Diverse Scram System (AMSAC/ DSS)' has been establithed by analytical calculations based upon NSP's approved Reload Safety Evaluation (RSE) methods and mote conservative acceptance criteria than those applied in the Westinghouse generic ATWS analysis.

2.1 Functional Goals The purpose of AMSAC/ DSS Is to mitigate the effects of an ATWS, which is an anticipated i

operational occurrence followed by the failure of the reactor trip portion of the protection system. An unmitigated ATWS could result in conditions which may directly reduce the safety margin associated with the first two of the three fission product barriers at Prairie Island, fuel cladding and reactor coolant system boundary. An unmitigated ATWS could produce heat flux at the cladding surface sufficient to cause the clad-coolant surface to depart from nucleate boiling conditions. When departure from nucleate boiling occurs the clad surface temperature rises rapidly and in time could reach a magnitude that leads to a breach of the clad wall. An unmitigated ATWS also could produce pressures in the reactor coolant system (RCS) sufficient to cause stresses in the RCS boundary in excess of the ASME Boller and Pressure Vessel Code Level C Service Limit stress criteria. Stresses could reach a magnitude sufficient to produce cracking in the RCS boundary, which might lead to a rupture of this barrier.

To protect the safety margin associated with the fuel cladding fission product barrier and provide a conservative demonstration that a cootable core geometry will be maintained, tne analytical limit for the Minimum Departure from Nucleate Bolling Ratio (MDNBR) will be 1.17 throughout any ATWS event.

- To protect the safety margin associated with the RCS boundary fission product barrier, the analyticallimit for RCS maximum pressure will be 3200 psig throughout any ATWS event. The

  • Pralrie Island already has an AMSAC pursuant to the requirements of 10CFR50.62. Preliminary calculations identified that more detailed calculations should proceed assuming changes to AMSAC input sensors, changes to AMSAC response time delays, and the addition of a dNorse scram system (DSS) -

functional capability.

2

equivalence of 3200 psig to the Service Limit C' stresses was established by Westinghouse in 7

Section 0.0 of the 1979 ATWS Analysis attached to letter NS TMA 2182.

2.2 Analysis Methodology The methods employed to analyze each selected ATWS event are essentially identical to the RSE methods [5.1) and observe all code limitations identified and employed in the RSE methods. These ATWS methods assume that AFW flow is evenly split between the two steam generators (SG), assume that the steam dump system is operable, and assume nominal plant initial conditions. The RSE based ATWS methods are more conservative than the methods used in the Westinghouse genelle analysis; therefore, the ensuing results for identical ATWS events are different.

In the Northern States Power (NSP) Prairie Island specific ATWS analysis, the two principle computer codes used are DYNODE P and VIPRE 01. The DYNODE code [5.1, App. B) was granted an SER [5.2) to model the tnermal hydraulic response of primary and secondary systems under transient conditions. DYNODE supplies time dependent values of core avcrage heat flux, core average pressure, core inlet flow and core inlet temperature to VIPRE. The VIPRE coda [5.1, App. F) was granted an SER [5.8) to calculate the MDNBR during a transient.

2.3 Selection of Transients To De Evaluated An ATWS is an anticipated operational occurrence followed by the failure of the reactor trip portion of the protection system. Anticipated operational occurrences is defined in 10CFR50 Appendix A as meaning those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit and include but are not limited to lov of power to all recirculation pumps, tripping the turbine generator set, isolation of the main condenser, and loss of all offsite power.

All USAR Condition 2 transient events were evaluated with consideration towards explicitly analyzing each under ATWS conditions. For many of these Condition 2 events NSP performs explicit RSE analyses [5.1), as noted below. Events were not explicitly analyzed for ATWS conditions if the transient either (1) does not require reactor trip to mitigate the consequences of the event in an RSE analysis, (2) does not require reactor trip to mitigate the consequences of the event with the less restrictive assumptions applicable to the analysis of "non-design basis" ATWS events, or (3) results in consequences bounded by either an analyzed RSE transient or an ATWS event transient selected for analysis. The disposition of Condition 2 transients is as follows;

  • Service Umit C is defined in ASME Section 111 Division 1 dated Decernber 30,1979 3

I

Translent Addressed Discosition  %

(a) Uncontrolled RCCA Withdrawal RSE- bounded by (e)-

from a Suberitical Condition (b) Uncontrolled RCCA Withdrawal RSE- bounded by (e)-

at Power (c) Control Rod Misalignment RSE- Rx trip not required in RSE-(d) Dropped Rod RSE- -bounded by (e).

(e)- Uncontrolled Boron Diivt.on RSE- selected for ATWS analysis-(f) Startup of an inactive Loop RSE- Rx trip not required in RSE-(g)- Feedwater System Malfunction RSE- Rx trip not required in RSE-(h) Excessive Load increase RSE. Rx trip not required in RSE-(1) Loss of External Load / Turbine Trip RSE. -selected for ATWS analysis.

(j) Loss of Normal Feedwater Flow RSE- selected for ATWS enalysis-(k) Loss of RC Flow - 1/2 Pump Trip RSE- selected for A1WS analysis-(l) Loss of AC to the Station Auxiliaries -- selected for ATWS analysis.

(m) Isolation of Main Condenser -

. selected for ATWS analysis- i 2.4 Initial Conditions and Assumptions (Design Requirements)

The NRC approved Reload Safety Evaluation Methods (5.1) were utilized for the AMSAC/ DSS analyses with only a few deviations to the assumed conditions as stated below. Since ATWS transients are classif'ad as beyond Design Basis events and the objective is to reduce the risk of core damage due to ATWS events, nominal plant conditions were assumed as boundary conditions and instrument uncertainties were not included. The following summarizes the important differences in boundary conditions between the RSE and AMSAC/ DSS analyses,

__ = = = = = = = = = == ==

4

Initial Conditions and Assumptions Parameter h3E applications AMSAC/ DSS app!! cations Core Power 100% + 2% unc. 100 %

RCS Ficw Thermal Design Flow Actual Plant Flow RCS Tm Program + unc. Program RCS Pressure Program i unc. Program SG % tube plugging 15% (actual = 4% 9%) 15% (actual = 4% 9%)

Auxiliary Feedwater Flow 200 gpm/ pump 160 gpm/ pump Moderator Temp. Coeff, as per NSPNAD-8101.A bounds 100% of core life for full power operation Physics Parameters (other) as per NSPNAD 8101.A as per NSPNAD 8101.A

  • Pressurizer & SG PORVs ' Conservatively modeled Nominal Setpoint Pressurizer & SG SRVs
  • Setpoint i unc. Nominal Setpoint Decay Heat 120% ANS 1971 [5. 3) 103% ANS 1971 [5. 3)

Reactor Protectic, System Setpoints + unc. Disabled Time Delay " as per NSPNAD 8101.A 10.5 sec 2,5 Initiation Triggers The existing AMSAC system controllogic uses feedwater flow as the analog input with a var!able time delay and low power bypass that are both controlled by turbine impulse pressure.

The new AMSAC/ DSS will use steam generator wide range level and the Reactor Coolant Pump's (RCP) breaker position as the actuation inputs to its control logic. The existing feedwater flow and turbine impulse pressure are no longer required as system inputs.

Selection of these actuation signals provides for simple controllogic while adequately sensing ATWS conditions and providing mitigating actions. Conservative analytical setpoints have been selected, which are high enough to protect the reactor from the consequences of an ATWS event, but are low enough to give the reactor protection system (RPS) the opportunity to activate prior to AMSAC/ DSS actuation.

AMSAC/ DSS will actuate on SG Wide Range Level s40% in either steam generator or either reactor coolant pump breaker open.

  • Nominal values calculated per RSE methodology without the uncertainty factor (95/95 multiplier) applit d.

' Power Operated Relief Valves are disabled for overpressurization analyses and enabled for CHF analysis.

" Time from monitored parametor reacb!ng trip point until rods at bottom, s

2.6 Calculation Results and Margins to Functional Goals The results of the AMSAC/ DSS analysis demonstrate that (1) the limiting reactor coolant system pressure occurs durir'g the ATWS Loso of Condenser transient, and that (2) the limiting minimum departure from nucleate boiling ratio (MDNBR)" occurs during the ATWS Loss of AC Power to the Station Auxiliaries transient. For all events, the RCS pressure remains below 3200 psig thus not reducing the safety margin associated with the integrity of the Reactor Coolant Pressure Doundary, and the MDNBR remains higher than 1.17 thus not reducing the ,

safety margin associated with the integrity of the fuel clodding and ensuring that a coolable geometry is maintained. The following table demonstrates that ine analytical acceptance criteria for all functional goals were met in each ATWS transient that was explicitly analyzed:

Maximum RCS MDNDR pressure (psig)

Loss of Normal Feedwater 2360 N/A l Loss of External Lond/ Turbine Tnp l 2447 1,64 l 1 of 2 Reactor Coolant Pump Trip l 2405 1.41 l Loss of AC l 2427 1.25 l Loss of Condenser l 2453 1.61 l Uncontrolled Doron Dilution l 2371 1.20 2.6.1 Loss of Normal Feedwater A loss of normal feedwater (FW) results in a loss of the secondary side capability to remove the heat generated in the reactor core, if the reactor were not tripped during this transient, the safety margin associated with the integrity of the RCS boundary could possibly be exceeded due to a rapid increase in RCS pressure produced by the large mismatch between heat production and heat removal resulting from the loss of heat sink. Even after reactor trip if an alternate supply of feedwater were not supplied to the steam generators, residual decay heat from the reactor core would heat and expand the primary system water to the point where water relief from the pressurizer occurs. A significant loss of water from the RCS could uncover the core and lead to fuel damage. For this event, the AMSAC/ DSS is assumed to start the AFW ptimps, actuate a turbine trip, and actuate a diverse reactor trip after receiving a SG Wide Range Level s40% signal.

" The ATWS t.oss of AC Power to the Station Auxiliaries transient has the rnosting limiting MDNBR among transients which require a diverse scram to mitigate the consequences. The ATWS Uncontrolled Boron Dilution transient has tho smallest DNBR, but it is terminated by operator action.

6

In addition to the aforementioned changes to the initial boundary conditions (2.4), the following changes were applied to the USAR description of the Loss of Noimal Feedwater event (5.4) to model this ATWS event:

  • Pressurizer pressure control systems are operable e initial Pressurizer water level at nominal programmed level A Critical Heat Flux analysis to calculate MDNBR was not performed for this transient. Then AMSAC/ DSS system trips the reactor before a loss of heat sink could occur; hence there would be no reduction in the thermal margins from steady state full power conditions.

2.6.2 Losa of External Load / Turbine Trip A turbine trip results in a reduction in the secondary sido capability to remove the heat generated in the reactor core. f feedwater or an alternative feedwatar source were not available, a loss of heat sink could occur. However, this reduction in heat removal capacity is bounded by the ATWS Loss of Normal Feedwater transient because reduced feedwater flow is still available from the powered FW pump." If the reactor were not tripped during this transient, the mismatch between heat production and heat removal would eventually boll the steam generatora dry leading to consequences identical to those in the ATWS Loss of Normal Feedwater transient. For this event, the AMSAC/ DSS is assumed to start the AFW pumps and actuate a diverse reactor trip after receiving a SG Wide Range Level c40% signal, in addition to the aforementioned changes to the initial boundary conditions (2.4), the following changes were applied to the USAR description of the Loss of External Load event (5.5) to model this ATWS event:

The loss of electrical power to one of the two reactor coolant pumps (RCPs) results in a reduction of coolant flow through the core. This decrease in flow rate is retarded by the inertia of the flywheel on the pump motor. If the reactor were not tripped during this transient, the core flo.y would decrease to the point where thermal hydraulic conditions in the core were

" Westinghouse genoric ATWS analysis assumed all FW pumps were turbine driven and that therefore a loss of FW would occur during an ATWS Loss of Extemal Load event. Prairio Island has two motor driven FW pumps. The 11 FW pump will lose power during this transient but the 12 FW pump will switch to an alternate power source.

7

t inadequate to remove heat from the surface of the fuel cladding without producing large incicases in cladding surface temperatures. High fuel cladding temperatures will result in damage to the fuel. For this event, the AMSAC/ DSS is assumed to actuate a diverse teactor trip after recolving a RCP brec'ter open position signal.

In addition to the aforementioned changes to the initial boundary conditions [2.4), the following chango was applied to the USAR description of the Loss of RCP Flow (1/2 RCPs) event (5. 6) to model this ATWS event:

e Pressurizer pressure control systems are operable 2.0.4 Loss of AC A complets loss of normal AC power to the station auxiliaries would result from a loss of off site power combined with a trip of the turbine / generator. If there was a complete loss of normal on-site and off-site power, plant components would lose their normal pwer source. These main components would include the reactor coolant pumps, condensate pumps, and main feedwater pumps. The M/G sets would also lose power causing power to be lost to the rod drive mechonism gripper coils." This will release the rods into the core, and provide sufficient negative reactivity to terminate power operation. For this event, the AMSAC/ DSS is assumed to, start the AFW pumps, actuate a turbine trip, and actuate a diverse reactor trip after receiving a reactor coolant pump breaker open position signal. The steam-driven AFW pump would be fed by the boll-off steam, and the motor-driven AFW pump would draw current froin the emergency diesel generators (DG) after DG startup and bus restoration.

Only tne aforementioned changes to the initial boundary conditions [2.4) were applied b the USAR description of the Loss of All AC Power to the Stat;on Auxiliaries (LOOP) event [5.7) to model this ATWS event.

2.0.5 Isolation of Main Condenser The isolation of the main condenser results in a turbine trip and a loss of the steam dump to the condenser. With condensed steam no longer feeding the hotwell, tne condensate and feedwater pumps soon trip on insufficient net positive suction head (NPSH) once the condensate in the hotwellis depleted. This results in a loss of the secondary side capability to remove from the steam generators the heat generated in the reactor core. If the reactor were not tripped during this trcnsient, the safety margin associated with the integrity of the RCS boundary couid possibly be exceeded due to a ropid increase in RCS pressure produced by the large mismatch between heat production and heat removal resulting from the loss of heat sink.

Even after reactor trip if an alternate supply of feedwater were not supplied to the steam generators, residual decay heat from the reactor core would heat and expand the primary

" This arialysis does not credit any reduction in reactor power that might occur from rods tripping into the core after the M/G set loses power.

8

system water to the point where water relief from the pressurizer occurs. A significant loss of water from the RCS could uncover the core and lead to fuel damage. For this event, the AMSAC/ DSS is assumed to start the AFW pumps and actuate a diverse raactor trip after receiving a SG Wide Range Level 540% signal.

in addition to the aforementioned changes to the Initial boundary conditions [2.4), the following changes were applied to the USAR description of the Loss of External Load / Turbine Trip event (5.5) to generate the Isolation of Main Condenser ATWS case:

  • Dump to Condenser is not available e FW pumps are isolated on loss of suction e Pressurizer pressure control systems are operable 2.6.6 Uncontrolled Boron Dilution (Chemical and Volume Contml System Malfunction)

A dilution rate based on nominal charging / letdown flow rates during normal 100% reactor power conditions was considered for this event. With Rod Control (RC)in automatic, the increase in core average temperature results in the insertion of Rod Control Cluster Assembly (RCCA) groups, which provide adequate negative reactivity to ensure no loss of thermal margins. For the AMSAC/ DSS analysis, Rod Control is assumed to be in manual control; thereby maximizing the power excurrfon and the subsequent reduction of thermal margins, if the reactor were not tripped during this transient, the safety margin associated with the integrity of the fuel cladding could possibly be reduced due to an increase in total reactor power above 102% of rated power. AMSAC/ DSS is not required to mitigate the consequences of this ATWS transient. The safety margin associated with the integrity of the fuel claddinc !? maintained by operator action at 10 minutes into the event. The operator is asumed to eMe initiate a manual reactor scram or isolate the source of unborated water.

In addition to the aforementioned changes to the initial boundary conditions (2.4), the following changes were applied to the USAR description of the Chemical and Volume Control System Malfunction at Power ovent (5.10) to model this event:

. Maximum dilution rate assuming pure water at 60.5 gpm e Pressurlzer pressure control systems are operable 9

3.0 Das]ga The AMSAC/ DSS design consists of power sources, system electronics, analog inputs, digital inputs, system status outputs, actuation outputs, and operator controls interfacing with the control rod drive system, auxillary feedwater system, and the turbine control system.

3.1 AMSAC Changes This design of the AMSAC/ DSS for Prairie Island Units 1 and 2 revises the original AMSAC system which was installed In 198g in response to the ATWS Rule. The new AMSAC/ DSS adds a Diverse Scram System output, changes the actuating inputs to the system, and changes the internallogic, The new system retains from the original system the independence of the power supply, the diversity and independence of actuation outputs, and the environmental qualifications.

The existing AMSAC system uses feedwater flow and tarbine impulse pressure as the inputs for the control logic. The AMSAC/ DSS will use steam generator wide rarige level and RCP breaker position as the inputs for the control logic.

3.2 Power Supplies Four steam generator wide range level transmitters are used for AMSAC/ DSS. Two of the level transmitters receive power from Event Monitoring Racks which are powered from safety related Event Monitoring instrument inverters. These sources of power are separate from the reactor protection system instrument inverters. The remaining two level transmitters are powered from the Feedwater Control System rack, which receives its main AC power from the Service Building power distribution system and an alternate feed from a safety related AC instrument bus.

The teactor coolant pump breaker status is determined from auxiliary contacts on the RCP breakors. The interrogation voltage to determine contact status is supplied from the AMSAC/ DSS cabinet.

The AMSAC/ DSS electronics cabinet is powered from a non safeguards uninterruptible power supply (UPS)in the Service Building (Computer) power distribution system. This UPS is totally independent from the reactor protection system. The UPS has a non safeguards DC supply backup, and is powered from an AC bus which can be supplied from a non safeguards diesel generator.

AMSAC/ DSS output relay power and the operator manual actuation switch power are also supplied from Service Building power.

10 I

_ l

3.3 Electronics and Software The Prairie Island AMSAC/ DSS is built around c digital control system (DCS). The AMSAC/ DSS Interfaces with the digital feedwater control system via a redundant data highway for the transfer of input data. The AMSAC/ DSS digital electronics is diverse in design from tne existing Prairie Island reactor protection system analog electronics.

The wide range steam generator level transmitters are inputs to the feedwater control system.

All feedwater control system inputs, including thce signals pertinent to AMSAC/ DSS, undergo Analog to-Digital conversion in the feedwater electronics. The signals are then available for use, via a redundant data highway, by the AMSAC/ DSS DCS. The DCS performs all AMSAC/ DSS logic functions, including providing output signals for the AMSAC/ DSS output actuation relays.

The revised software for the AMSAC/ DSS will be developed, tested, and implemented in accordance with the Prairie island procedure for software quality assurance requirements. This procedure addresses requirements for the management, development, maintenance and use of software.

The analog input signals are conditioned and monitored for validity. The system output energizes actuation relays, which drive the final actuation devices. The complete system is designed on an energize to-actuate basis, minimizing inadvertent actWon due to loss of signal, losJ of power, loss of an output module, or loss of the DCS unn.

The implementation of the AMSAC/ DSS does not degrade the physical separotion of the

, existing reactor protect'on system. The AMSAC/ DSS rack is physically separated from the reactor protection system instrument racks.

3.4 Input Signals AMSAC/ DSS actuates either on low steam generator level sensed on 2 of 2 channels in either SG, or on loss of one reactor coolant pump sensed from 1 of 2 motor breaker position switches.

The setpoint for the steam generator level trip has been chosen such that operational transients will not cause spurious trips.

The steam generator level signals are taken from existing wide range level transmitters, two safety-related Event Monitoring transmitters and two non safety related feedwater control transmitters. Each safety related SG wide range level signalloop in the Event Monitoring System contains signalisolators to isolate the non-1E section of the loop from the safety-related portion of the loop. The revised AMSAC/ DSS will utilize the same type of signalisolators for isolation of the two steam g' mtor level signals before they are sent to the feedwater control system. The four signals frcn, toe steam generator wide range level transmitters are supplied to 11

l analog input cards in the feedwater rack, where analog-to-digital conversion takes place. Signal input to AMSAC/ DSS occurs via a redundant data highway.

The digital inputs from the Reactor Coolant Pump breakers are input to separate cards in the AMSAC/ DSS DCS. The breaker position inputs will utilize spare auxiliary contacts in the switchgear cubicles for each pump. The contacts will be open when the breaker is closed such that a loose or broken wire in the circuit will not cause spurious AMSAC/ DSS actuation. These contacts will be Interrogated by the 120 vac power from the AMSAC/ DSS cabinet.

All wiring for signals to the AMSAC/ DSS racks use cable tray or conduit separate from those used for reactor protection system wiring.

The existing reactor protection system is unaffected by the AMSAC/ DSS Installation. The steam generator wide range level analog signals do not input to the reactor protection system. The RCP digital signals originate from an auxillary contact in the RCP motor breaker cubicle. The l

system interface for actuation of the AMSAC/ DSS function is accomplished by use of energize. 1 to actuate relay logic. The actuation relays are wired into the device actuation circuit to trip the  !

reactor, trip the turbine, and initiate auxiliary feedwater. The auxillary feedwater actuation circuit relays are unchanged and meet 1E requirements for an isolation device.

3.5 System Status Output Signals The AMSAC/ DSS provides outputs for Control Room information and annunciation. A control board status window, AMSAC/ DSS Inactive, is illuminated whenever the main control board AMSAC/ DSS control switch is in the BLOCK position. The plant Process Computer alarm screen is used for three alarms: (1) a general alarm to indicate hardware / software system trouble, (2) an alarm indicating the AMSAC/ DSS is undergoing testing, and (3) an alarm to indicate AMSAC/ DSS actuation. These alarms are also displayed on the Sequence of Events (SOE) data logger. i The requirement to provide continuous indication in the Control Room when the AMSAC/ DSS is bypassed for surveillance testing is retained in the existing control room status panel alarm to indicate that the system is unavailable.

The plant process computer alarm CRT is continuously displayed in the Control Room. Since AMSAC/ DSS actuation should not affect operation of the reactor and turbine until there has been a failure of both normal control and protection systems, this level of control room indication provides adequate information to the operator while allowing Prairie Island to conserve the scarce annunciator spare positions for future needs.

12

3.0 Actuation Outputs The AMSAC/ DSS is required to trip the turbine, initiate auxiliary feedwater flow, and provide a diverse reactor trip. When the actuation logic is satisfied, an actuation signal is supplied to the output cards. Actuation of the output cards will energize two separate relay trains. The auxillary feedwater actuation relay provides the 1E isolation required by this circuit. The AMSAC/ DSS relays are configured in an energize to actuate format to avoid inadvertent actuation. The specific interface designs ensure that when AMSAC/ DSS actuation occurs, the action goes to completion.

The actuation outputs from the AMSAC/ DSS for turbine trip and auxillary feedwater actuation remain unchanged from the original AMSAC design. A new actuation output for a diverse reactor trip provides control relay contacts to the rod control system. During normal operations the rod control system maintains power to at least one gripper per control rod to keep the centrol rods from dropping into the reactor core. AMSAC/ DSS will input to the rod control system to de-energize all control rod gripper coils. This releases the control rods, allowing them to drop into the reactor core.

A control switch on the control board is provided to manually actuate the AMSAC/ DSS function.

The control switch causes a diverse reactor trip, a turbine trip, and an initiation of auxillary feedwater flow Use of the manual actuation control switch will be directed in the plant emergency operating procedure for response to an ATWS event.

The system interface for actuation of the AMSAC/ DSS function is accomplished by use of energize to-actuate relay logic. The actuation relays are wired into the device actuation circuit to trip the reactor, trip the turbine, and initiate auxillary feedwater. The auxiliary feedwater actuation circuit relays are unchanged and meet 1E requirements for an isolation device.

The outputs to the plant systems are in the form of relay contacts, using existing diverse relays, to be wired into existing circuitry which provide the system actuation.

The method of tripping the reactor with the AMSAC/ DSS is diverse from the existing reactor protection system. The reactor protection system utilizes circuit breakers to trip the reactor by removing power to the rod control system. The AMSAC/ DSS diverse reactor trip function utilizes relay contacts to send a signal to the rod control system to release the control rod grinpers.

3.7 Bypass (Automatic and Manual)

AMSAC/ DSS will have a new four position switch on the control room main control board with the functions: Manual Actuation, Normal Operation, Reset, and Block. The AMSAC/ DSS system can be maintained at power with the system in the bypass mode, by placing the control 13 1 1

switch in the Block posita.n. With the output blocked, it is possible to test, calibrate, or repair the software logic and analog portions of the system without affecting plant operations.

When the system is in the bypass mode, the system status annunciator panelin the Control Room will continuously indicate that the AMSAC/ DSS is inactive, in addition, a plant process computer alarm will Indicate that the system is in test.

There is no automatic bypass of the AMSAC/ DSS function during operation. The AMSAC/ DSS function can be blocked only by an administratively controlled manual operating bypass. Once the manual bypass is engaged, the AMSAC/ DSS functionality is disabled. This bypass is controlled using the same control switch as described for the Maintenance Bypass.

The means for bypassing the AMSAC/ DSS is a control switch on the main control board, under administrative control. Bypass capability is provided without the use of lifted leads, pulled fuses, tripped breakes, or physically blocked relays.

The new control switch for AMSAC/ DSS actuation on the main control board will be diverse from the existing Reactor Trip control switch used in the Control Room. The new switch will be of different manufacture from the Westinghouse W2 switch used in the reactor protection system.

3.8 Roset The AMSAC/ DSS design for actuation output interfaces is such that, upon actuation, the completion of mitigating actions is consistent with diverse reactor trip, turbine trip, and auxiliary feedwater circuitry. Once actuated, there is no mechanism to prevent completion of the mitigating action. Return to normal power operation is accomplished in accordance with normal operations manual procedures which require delit,erate operator action. Part of this deliberate action will be to momentarily pace the three position AMSAC/ DSS switch on the control room main control board in the R'dSET position, which will reset the AMSAC/ DSS logic following an automatic initiation.

3.9 Quality Assurance The quality assurance requirements for AMSAC/ DSS are de eribed in Generic Letter 85 06.

The quality controls imposed in the plant design change process and the testing and calibration programs applied to plant Instrumentation and control systems are sufficient to satisfy the guidance expressed in Generic Letter 85 06.

14

3.10 Environmental Qualifications The AMSAC/ DSS rack and internals are designed to operate in the mild environ. ment of the relay room area in which the rack is located, 15

4.0 Insting 4.1 Preoperational Testing The AMSAC/ DSS will be tested prior to placing it in service, consistent with the Design Change process used by Northern States Power. This testing will verify that the installation has been accomplished as designed, and that the system is operating properly. This preoperational testing will include dropping the control rods into the reactor core as a final verification of operability. The test will also verify that tirne delays from the signal isolation devices to the DSS actuation device are consistent with the design and with the rod insertion times assumed in the transient analysis.

4.2 Periodic At Power Testing Periodic testing of the sistem hardware and software will be accomplished at power using an output Block Switch to prevent the syst0m output from initiating turbine trip, reactor trip, and auxillary feedwater flow, in this mode, test signals can be injected into the system to verify correct blatable operation and actJation logic functions. The test will verify operation of the system up to, but not including, the actuation relays.

Testing is alarmed in the Control Room, and the frequency of testing is in accordance with present Prairie Island Surveillance Program guidelines.

4.3 Refueling Outage Survr!Ilance Calibration and functionalit. sting of the AMSAC/ CSS, including output relays,i,. to be done during each refueling outage. This testing will be performed with the Block Switch in the unblocked position to allow relay ac;uation and resulting operations to be verified. This testing will not drop control rods, but the control rod control system will be monitored to verify proper performance of rod control system electronics by the test.

4 16

5.0 fiefcicaces 5.1 *Pralrie Island Nuclear Power Plant Reload Safety Evaluation Methods for Application to PI Units", NSPNAD 8102 A.

5.2

  • Safety Evaluation by the Office of Nuclear Reactor Regulation of the Reactor Physics and Reload Safety Evaluation Methods Technical Reports NSPNAD 8101P and NSPNAD 8102P", February 17,1983.

5.3 American Nuclear Society Proposed Standard, ANS 5.1

  • Decay Energy Release Rates Following Shutdown of Uranium Fueled Thermal Reactors," October (1971), Revised October (1973).

5.4 Prairie Island Updated Safety Analysis Report, Section 14.4.10 5.5 Psalrie Island Updated Safety Analysis Report, Section 14.4.9 5.6 Prairie Island Updated Safety Analysis Report, Section 14.4.8.1 5.7 Prairie Islano Updated Safety Analysis Report, Section 14.4.11 5.8 'Safaty Evaluation by the Office of Nuclear Reactor Regulation related to the VIPRE-01 Code and WRB 1 Correlation for Facility Operating Ucense Nos. DPR-42 and DPR 60, Northern States Power Company, Prairle Island Units 1 and 2, Docket Nos. 50 282 and 50 306", May 30,1986.

5.9 ANSI Standard N18.2 1973, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants, approved August 6,1973.

5.10 Prairie Island Updated Safety Analysis Report. Section 14.4.4 17 I- _ .

0.0 Slanificant Hazards Considerall0D 0.1 Does operation of the facility with the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

The proposed changes affect two systems which are contributors to initiating events for previously evaluated anticipated operational occurrences. These systems are rod control and turbine generator. The AMSAC also affects the auxilary feedwater system.

The interaction of the AMSAC/ DSS with these systems will not significantly increase the probability or consequences of an accident previously evaluated.

The addition of another means of initiating a signal to cause rods to drop into the core introduces an increased probability for an RCCA Misalignment event (USAR 14,4.3).

Because the AMSAC/ DSS circuitry has been designed to minimize spurious actuations,

, this increased probability is not significant, in addition, because the AMSAC/ DSS circuitry is designed to provide a signal to each rod control power cabinet resulting in the cancellation of gripper coil current for all rods powered from that cabinet, the probability of dropping a single rod of sufficiently small worth not to trigger the negative rate reactor trip is not significant. Previous analysis has indicated that more than one rod dropping into the core at the same time will trigger the negative rate reactor trip.

The adoition of another means of initiating a signal to cause a turbine trip introduces an increased probability for an event nearly identical to a Loss of External Electrical Load event (USAR 14,4.9), Because the AMSAC/ DSS circuitry has been designed to minimize spurious actuations, this increased probability is not significant.

The addition of another means of initiating a signal to start auxiliary feedwater flow to the steam generators introduces an increased probability for an event similar to an Excessive Heat Removal Due to Feedwater System Malfunction event (USAR 14.4,0) though greatly reduced in magnitude, Because the flow capacity of the auxiliary feedwater system is much less than the flow capacity of the main feedwater system, the consequences of any spurious actuation of the auxillary feedwater system are bounded by the Feedwater System Malfunction event. In addition, because the AMSAC/ DSS circuitry has been designed to minimize spurious actuations the increased probability of this " event of negligible consequence'is not significant.

0.2 Does operation of the facility with the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

The AMSAC/ DSS is an instrumentation system that is separated and isolated from the reactor protection system. The AMSAC/ DSS may initiate a spurious signal which results

  • 8

In tripping the turbine generator, dropping some or all control rods into the core, starting auxiliary feedwater flow to the steam generators, or any combination of those events.

Individually and in combination these events ar , *aall sinderstood and have been previously analyzed. Revlew of this modification does not indicate uso!!!"':' create the possibility for a new or different kind of accident from any accident previously evaluated.

6.3 Does operation of the facility with the proposed amendment involve a slgnificant reduction in a margin of safety?

Deterministic analyses have demonstrated that the proposed AMSAC/ DSS will preserve all safety margins inherent in the fuel cladding and the RCS boundary during postulated ATWS events.

19 l

f

  • 7.0 Enykonmental Assessment Northern States Power Company has evaluated the proposed change and determined that:

1 The change does not involve a significant hazards consideration,

2. The change does not involve a significant change in the types N 'gnificant increase in the amounts of any effluents that may be released offsite, and
3. The change does not involve a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth in 10CFR51.22(c)(9). Therefore, pursuant to 10CFR51.22(b), an environmental assessment of the proposed changes is not required.

20

ll'f il)jI)j Iflj l l l S Y Y C A A D a. ._ e M

I G

1 M

f Q

I s.rt

?

r s

e s

N H ne p *D l

A e A r T T T s A A s- is D D .l D e ;2 o

r T T T N

A D

N 4

D

.a T0

.e s

e 3

t T

t 1

8 3 r i o f ,

wFsog$ e r t

t D D (-

E R

F R

o t

tw D ',1 m '

mes a TSTr t

e ne e i.

B= =

. 7 1 H

dr 4FLM a TATD C

G I

6 a r 2 1 F l z

r ol r I

F 1 d 4 r

a a ym ie 2

E u l C

T o

r r

A e

1 2 .

' ms e t s E a

l E

y F

}/

h ' , - ;

,5 Td e F

s

=

e e

T c

r s

e u

r R

U

_ 1 TsnS G 1 (\ . ug AiL w I h.s t r ts w F D = a eh 7STD t

l al 2

r

==

l I A

/

,S A

C ' 4N 1 S

' TATD l wtss e t

s 1 2

B uP o r c

a t

s se n d r

2 = e a 1 r we

,r C k

c r r e ** e s

A = *

  • ** **nn
    • l B  %

l l l l l l l e e c e pp e e e ht m

e 3 sencOO t v t X d hc S n~ I

'F E LI I r e e

g ge e gkk ee e aeea nt w or a, i l

t e

a naNs am r r i pS t n

r a

p R2RI BB t r me e ee eeI dddd 2 pp*

Tor o C s

o i i ii eR r e w W W W W e m *te t

) sl t t D I I 22 PPeus o G

S E r r r e re pt or a w d

t I K o - o et t R n d o ee e RC) J t a

t s

t n n O, C r r e. la la m i

F DEMC I ' r e .. e o o oo rc a e n w UW naCCS Tmi I

n .

. s I e e i BOR C GCGGr oewt r

a s l y* t c

E PE A e )5, t

a TB mmmmt ph e s wg wno t r t CC l A R 4 a a a a c c a a v e

I nt e l

V V/

ED e c e t e e ei n e c SSSSRR D : e e P N r t e t R I E15N 3  : : : : : : :

t o er S1 ( ( D I

ABCDEFG N a

  • a lll! l l

e ,

Non Safegue'os Diesol Generstor Tl Q;'

Non Sa reguards Norv$atepuerds ACBut Battery

.c [i;,,

w_

Soroce building inverter Arw J L-Output s 'f -

3

~ ~' A AMSAC ID$$ RCP Breaker Rara [ 6tatus Turtane / DSS -g Output 4-l Data

  • ] Hghway i

1 2 Steam Gen v 1r Wide Range )

Level Transmeets 1 J

l 2 Steam Gen Wide Range teven ,.nsemer. .

Feed

  • ster Control System *

--v *] I 1

<% Event Monttonng

~*

lsolated Output Memate Power Feed sarety-neiated n

AC instrument  ;) instrument trivener gp I

g-Safety-Rei.ted su rety Related

.' instrument AC instrument Battery Dus Service Building e inverter

  • 1 f 4p Sp satety.nsiaiad Dieset Generator Non Safeguards Non-$afeguards AC Bus Battery Non Safeguards m instrurrent Sgnal D s iGenerator -

-~

Power Feed s _ .a,so...d .

N Reaciar Protection Power Distribution Diagram FIGURE 2 22 i

i

d f

i

l BLOCK SWITCH  !

IN BLOCK POSITION l

\

l I

1 1 P i AMSAC/ DSS 1

INACTIVE Control Board System Status Panel Window FIGURE 3 23

4 3 Rack Power Supply Microprocepsor Signe Failure Failure / Loss Failure 7<,4 u

AMSAC/ DSS TROUBLE

~

R Block Switch in '

BLOCK Position I

t u

AMSAC / DSS BLOCKED Actuation Conta:ts l

E 4 Sequence of AMSAC/ DSS Events Log OPERATION Plant Process Computer Alarms FIGURE 4 24

Retrieved from "https://kanterella.com/w/index.php?title=ML20203J953&oldid=3066852"