ML20206M125
| ML20206M125 | |
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 11/18/1988 |
| From: | Hukill H GENERAL PUBLIC UTILITIES CORP. |
| To: | NRC OFFICE OF ADMINISTRATION & RESOURCES MANAGEMENT (ARM) |
| References | |
| C311-88-2158, GL-83-28, NUDOCS 8811300430 | |
Text
GPU Nuclear Corporation
Post Office Box 480
Route 441 South
Middletown, Pennsylvania 17057-0191
717 944-7621
TELEX 84-2386
Writer's Direct Dial Number:
November 18, 1988
C311-88-2158
U.S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555
Dear Sir:
Three Mile Island Nuclear Station, Unit 1 (TMI-1)
Operating License No. DPR-50
Docket No. 50-289
ATWS Implementation (10 CFR 50.62)
GPU Nuclear Corporation is submitting the attached "Review Summary" (Attachment A) as the plant specific submittal requested in the ATWS Safety Evaluation Report (SER) (Reference 1).
The design of the ATWS system at Three Mile Island Unit 1 will be based upon the design described in B&W document 47-1159091-00, "Design Requirements for Diverse Scram System (DSS) and ATWS Mitigation System Actuation Circuitry (AMSAC)" (Reference 2) as augmented by the discussion in the Review Summary. The Review Summary ties the SER paragraphs, the ATWS conceptual design, and B&W generic submittal together. As discussed in the SER, the B&W generic submittal presents a generic proposal acceptable for the most part to the staff. However, several items were identified as requiring discussion in the plant specific submittals.
Each of these items is included in the Attachment A discussion.
One of these items, the issue of diverse power supplies discussed in SER Section 5.6, was the subject of an August 17, 1988 NRC/BWOG meeting.
In this meeting and in a subsequent NRC letter (Reference 3), the NRC described three options which they considered acceptable for the BWOG licensees to resolve the power supply issue. GPUN endorses the design as presented in the generic BWOG submittal. We conclude that this design meets the letter and intent of the ATWS rule and provides a system as reliable as the options suggested by the NRC.
For this reason, we have taken this opportunity to include in Attachment A a detailed discussion of the generic design compliance with 10CFR50.62.
As documented in Reference 3, GPUN intends to install ATWS modifications during the 9R refueling outage as shown on the Integrated Schedule.
The design as described is conceptual in nature.
Changes which result as the design is finalized will be evaluated, and GPUN will advise the NRC of any changes which invalidate the information in this submittal.
Per Reference 3, we understand that NRC will review the attached conceptual design package within 30 days of receipt.
GPU Nuclear Corporation is a subsidiary of the General Public Utilities Corporation
As discussed by the NRC in the ATWS SER, the ATWS Rule requires specific modifications in design and operation of nuclear power plants to reduce the likelihood of failure to shut down the reactor following anticipated transients and mitigate the consequences of an ATWS event, in the unlikely event that it occurs.
The NRC issued Generic Letter 83-28 following the Salem ATWS event.
Item 4.2 of Generic Letter 83-28 required that licensees have a program to ensure reliable trip breaker operation.
The BWOG elected to address the requirements of Item 4.2 by undertaking a Reactor Trip Breaker Reliability Monitoring Program.
The original purpose of the Reliability Monitoring Program was to trend and analyze key breaker parameters to identify changes that indicate a need for breaker replacement, refurbishment or maintenance.
Over time, the focus of the Reliability Monitoring Program has shifted from the prediction of performance degradation to the confirmation of the effectiveness of corrective actions. The Reliability Monitoring Program provides for the collection and analysis of data to confirm the effectiveness of modifications made to improve the reliability of the breakers.
Data which has been compiled through 1987 supports the hypothesis that the modifications to the trip breakers are effective in achieving consistently high performance and that breaker response times are well below acceptance criteria.
In addition, the BWOG undertook in the Safety Performance and Improvement Program to improve performance of B&W designed reactors.
The goals of the Safety Performance and Improvement Program are to improve safety, reduce the number of trips and complex transients on BWOG plants, and ensure acceptable plant response during those trips and transients which do occur.
Modifications installed to date have prevented at least one unnecessary trip at TMI-1.
In summary, GPUN has determined that the BWOG generic design for ATWS modifications, as applied to TMI-1, satisfies the letter and intent of the ATWS rule.
In addition, the Reliability Monitoring Program and the Safety Performance and Improvement Program will improve proper reactor trip system operation, reduce the number of trips and complex transients, and promote improved plant response to trips and transients which do occur.
Sincerely,
H. D. Hukill
Vice President and Director, TMI-1
cc: W. Russell, USNRC
R. Hernan, USNRC
R. Conte, USNRC
References:
1. NRC Letter C311-88-3148, J. F. Stolz to H. D. Hukill (GPUN), "NRC Evaluation of BWOG Generic Report Design Requirements for DSS and AMSAC (TAC No. 59151)," dated July 7, 1988.
2. B&W Owners Group Letter, J. Ted Enos to Hugh L. Thompson Jr. (NRC), "B&W Owners Group (BWOG) ATWS Design Basis", dated October 9, 1985.
3. NRC Letter C311-88-3245, Ronald W. Hernan to H. D. Hukill (GPUN), "NRC Response to the B&W ATWS Owners Group on DSS and AMSAC (TAC No. 59151)", dated October 6, 1988.
Attachment A
REVIEW SUMMARY
OVERVIEW
In response to 10CFR 50.62 "Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," Babcock and Wilcox, on behalf of the B&W Owners Group (BWOG) ATWS Committee, submitted to NRC B&W Document 47-1159091-00, "Design Requirements for DSS (Diverse Scram System) and AMSAC (ATWS Mitigation System Actuation Circuitry)" (Reference A.1), which discusses the BWOG generic DSS and AMSAC. GPUN endorses the BWOG design, with exceptions as noted herein.
The purpose of the Review Summary is to provide the paragraph to paragraph relationship between Section 5 of the ATWS SER (Reference A.2) which is entitled "Design Requirements", the BWOG generic ATWS design (Reference A.1), and the GPUN conceptual design for TMI-1 (Figure 1).
The Review Summary also provides additional design details as requested in Section 6 of the ATWS SER which is entitled "Conclusions".
For simplicity, the format of the ATWS SER has been followed.
The Review Summary also addresses the adequacy of the BWOG generic ATWS design in terms of satisfying the requirements of 10CFR 50.62 for power supply independence and diversity.
Block diagrams of the GPUN conceptual design are provided as Attachment B.
DSS is initiated on high reactor coolant system pressure. The BWOG generic DSS is designed to trip control rod groups 5, 6 and 7 on a high reactor coolant system pressure signal. GPUN is investigating the need for all of the control rod groups to be dropped on this signal as part of our consideration of extended fuel cycles. GPUN will advise the NRC if and when a change is made in this area.
AMSAC is initiated on low control oil pressure in the turbine driven main feedwater pumps, which provides rapid indication of loss of feedwater flow and results in initiation of the emergency feedwater system via the existing heat sink protection system circuitry and main turbine trip via the main turbine trip system.
The TMI-1 FSAR in Section 7.1 defines the Protection Systems as consisting of the Reactor Protection System and the Engineered Safeguards Actuation Systems. The Reactor Protection System monitors parameters related to safe operation and trips the reactor to protect the reactor core against fuel rod cladding damage.
It also assists in protecting against reactor coolant system damage caused by high system pressure by limiting energy input to the system through reactor trip action.
The ATWS Rule specifies requirements for diversity and independence from the reactor trip system, and the Supplementary Information published with the Rule defines the reactor trip system and identifies it as a part of the reactor protection system.
The ATWS SER, in contrast to the Rule, refers to the reactor protection system when specifying diversity and independence requirements, and appears to intend "reactor protection system" to be comprised of the reactor trip system and engineered safeguards actuation system.
To eliminate further confusion in this area, GPUN refers to "reactor trip system" throughout the following discussion as defined in the Supplementary Information published with the rulemaking:
"The reactor trip system consists of those power sources, sensors, initiation circuits, logic matrices, bypasses, interlocks, racks, panels and control boards, and actuation and activated devices that are required to initiate reactor shutdown; this includes circuit breakers, the control rods and control rod mechanisms..."
DESIGN REQUIREMENTS
5.1 Diversity from Existing RPS
10CFR 50.62 specifies diversity from sensor output to interruption of power to the control rods.
The Supplementary Information (Reference A.3) published with the ATWS Rule specifies requirements for diversity from the existing reactor trip system.
The sensors (pressure transmitters) utilized for the TMI-1 Diverse Scram System (DSS) are associated with Regulatory Guide 1.97 indication.
There are no interconnections between these Foxboro SPEC 200 R.G.1.97 loops and RTS Bailey type 880 equipment.
DSS logic will be of a diverse type from the Bailey type 880 equipment.
Silicon controlled rectifier gate drive interruption will utilize a relay which is diverse from that which is now utilized for the RTS/rod drive control system.
10CFR 50.62 specifies that each pressurized water reactor have equipment from sensor output to final actuation device that is diverse from the reactor trip system to automatically initiate the emergency feedwater system and initiate a turbine trip under conditions indicative of an ATWS. The TMI-1 ATWS Mitigation System Actuation Circuitry (AMSAC) logic will be of a diverse type from the RTS. The TMI-1 AMSAC design utilizes equipment diverse from the RTS. AMSAC uses sensors (pressure transmitters) to monitor feed pump turbine trip, while the RTS uses separate pressure switches.
AMSAC main turbine trip utilizes a General Electric electro hydraulic control system that is diverse from the RTS. AMSAC emergency feedwater initiation utilizes Heat Sink Protection System (HSPS) Foxboro SPEC 200 equipment, which is diverse from the RTS Bailey 880 equipment, as the final actuation device.
The BWOG generic submittal describes this requirement in Paragraph 3.A.3. The NRC SER concludes that the BWOG generic design meets the design criteria for this item and is in compliance with this requirement.
No open issues were identified as requiring discussion in plant specific submittals.
5.2 Electrical Independence from Existing RPS
The Supplementary Information (Reference A.3) associated with the ATWS Rule specifies requirements for electrical independence from the existing RTS, which is a portion of the reactor protection system.
The TMI-1 DSS and AMSAC designs provide electrical independence from the RTS via Class 1E circuit breakers, multiple power sources, and coincidence logic.
(See Figure 2)
The sensors, signal conditioning and isolation modules used to provide RC pressure to the DSS logic are powered from the same vital buses used to provide power to the RTS, but are electrically independent from the RTS circuitry via Class 1E circuit breakers, multiple power sources, and coincidence logic.
The sensors and signal conditioning associated with main feedwater pump turbine trip are powered from the same vital buses used to provide power to the RTS, but are electrically independent from the RTS circuitry via Class 1E circuit breakers, multiple power sources, and coincidence logic.
The DSS and AMSAC logic circuitry is powered from the same vital buses used to provide power to the RTS, but is electrically independent from the RTS circuitry via Class 1E circuit breakers, multiple power sources, and coincidence logic.
The AMSAC final actuation device, HSPS, is powered from the same vital buses used to provide power to the RTS circuitry but is electrically independent from the RTS circuitry via Class 1E circuit breakers, multiple power sources, and coincidence logic.
Non-Class 1E portions of DSS and AMSAC are isolated from Class 1E circuits via existing isolators or isolators identical to those currently in use.
Further discussion is contained below in Paragraph 6.2.
The BWOG generic submittal discusses this requirement in Paragraph 3.A.4. The NRC SER concludes that the BWOG generic design is acceptable in this area.
5.3 Physical Separation from Existing RPS
The Supplementary Information (Reference 3) associated with the ATWS Rule specifies that implementation must be such that separation criteria applied to the existing protection system are not violated.
None of the TMI-1 DSS or AMSAC equipment will be located in the RTS cabinets.
Therefore, separation between RTS channels will not be compromised. The BWOG generic submittal discusses this requirement in Paragraph 3.A.5.
The NRC SER concludes that the BWOG meets the design criteria in this area.
5.4 Environmental Qualification
The Supplementary Information (Reference 3) associated with the ATWS Rule specifies that environmental qualification is required for anticipated operational occurrences, not for accidents.
None of the DSS or AMSAC equipment will appear on the TMI-1 EQ Master List.
All equipment will be designed for its environment.
The BWOG generic submittal discusses this requirement in Paragraph 3.A.6 and 3.A.7.
5.5 Quality Assurance for Test, Maintenance and Surveillance
The TMI-1 DSS and AMSAC systems will be controlled in accordance with the TMI-1 QA program. Testing, maintenance and any specified surveillance will be conducted per approved procedures. QA controls applied to DSS and AMSAC will meet or exceed the "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related" as set forth in Generic Letter 85-06 (Reference A.4).
5.6 Safety Related (1E) Power Supplies
The Supplementary Information (Reference 3) to the ATWS Rule specifies that safety related (Class 1E) power supplies are not required; however DSS and AMSAC must "be capable of performing their safety functions with loss of offsite power. Logic and actuation power must be from an instrument power supply independent from power supplies for existing reactor trip system.
Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented".
The RC pressure signal supplied to the DSS logic from isolation modules in the signal conditioning cabinets is powered from vital buses, which are battery backed.
(See Figure 2)
The DSS logic is powered from vital buses.
Independence from the RTS power supplies is achieved by use of Class 1E circuit breakers, multiple power sources, and coincidence logic.
The DSS trip input to the rod drive control system is from the DSS logic, and therefore the vital bus is the power source.
DSS circuitry within the rod drive control cabinets is supplied from rod drive control power, derived from mechanism power.
Loss of this power is equivalent to de-gating the SCRs.
Feedwater pump turbine trip input signals to the AMSAC are powered from vital buses.
The AMSAC logic is powered from vital buses.
Independence from the RTS power supplies is achieved by the use of Class 1E circuit breakers, multiple power sources, and coincidence logic. The AMSAC turbine trip coils are powered from the vital buses.
The HSPS and HSPS input circuitry associated with the AMSAC logic are powered from vital buses.
Existing RTS sensor and instrument channel supplies (Bailey 880) are not used. Furthermore, the potential for common mode failure is remote as demonstrated by the following:
(1) SER Section 5.6 raises a concern that faults/failures in the non-Class 1E ATWS mitigation system could degrade the RPS buses.
This condition is precluded by the use of Class 1E circuit breakers, multiple power sources, and coincidence logic.
(2) Due to vital bus power supply, both DSS and AMSAC would remain operable during a loss of offsite power event.
(3) Vital power regulation is + 2% voltage and + 1.6% frequency.
For significant voltage variations (+8%, -20% typical) or frequency variations (+ 5%, -2% typical) there would be no effect on instrument power supplies.
Greater frequency or voltage variations could affect instrument power supply outputs and could cause misoperations in the nonconservative direction of instruments supplied from these power supplies.
For such severe variations the demonstrated high reliability of the multiple inverters and protection system coincidence logic make coincident misoperation of the entire system in the nonconservative direction very unlikely.
It should be noted that loss of more than one vital source to the RTS results in reactor trip. Loss of mechanism power, such as caused by loss of offsite power, results in reactor trip.
It must be recognized that the BWOG generic design as endorsed by GPUN is intended to provide a highly reliable system. As demonstrated in the discussion below of the adequacy of the BWOG generic design, the existing configuration, in which input signals and logic power are supplied from the same power source, provides a more reliable design than would a configuration in which logic power to DSS/AMSAC is provided from a source different from that to the input signals.
Section 5.6 of the ATWS SER appears to add a new requirement for diversity, by concluding that since logic and actuation device power for DSS and logic power for AMSAC must be from an instrument power supply independent from the power supplies for the existing RPS, that power should be from a source such as a station battery, other than those used in the existing RPS. SER Section 5.6 states that the power supplies being used for the DSS and AMSAC logic are part of the RPS. The power supplies used for the DSS and AMSAC are independent of those used for the RTS, as demonstrated by Figures 1 and 2.
Section 5.6 of the SER states that "It is clearly stated in the Part 50 Statements of consideration to the ATWS Rule that the power supplies for the DSS and AMSAC logics and the DSS actuation circuitry should be independent (and separate) from the existing RPS power supplies".
The exact quote from the Supplementary Information for DSS is "Logic and actuation supply must be from an instrument power supply independent from the power supplies for the existing reactor trip system." For AMSAC, the exact quote is "Logic power must be from an instrument power supply independent from the power supplies for the existing reactor trip system." Section 6.1 of the SER states that "power supplies used for the ATWS systems must be diverse from the power supplies used in the RPS at B&W plants." As demonstrated by the discussion above, the Supplementary Information refers to independence from the RTS power supplies.
This independence is achieved as shown in Figures 1 and 2.
See Paragraphs 5.2 and 6.2 for discussion of Class 1E isolation.
Refer to Paragraph 6.1 below for discussion of power sources for DSS and AMSAC logic, and to the discussion below of the adequacy of the generic BWOG design, which addresses compliance with the ATWS Rule.
The BWOG discusses this requirement in Paragraph 3.A.8.
5.7 Testability At Power
The DSS and AMSAC will be completely tested, including final actuation, prior to plant operation and at each refueling.
The DSS and AMSAC design will incorporate surveillance testability at power, up to but not including the isolation of gate drives or actuation of turbine trip relays.
This capability is being provided to support maintenance activities rather than for routine surveillance at power.
5.8 Inadvertent Actuation
The Supplementary Information specifies that the design should be such that the frequency of inadvertent reactor trips and challenges to other safety systems is minimized.
The TMI-1 DSS, AMSAC turbine trip, and AMSAC emergency feedwater initiation are not prone to inadvertent initiation as they are energize to actuate and appropriate setpoints are chosen so as to avoid inadvertent actuation.
In addition, the final actuation logic for DSS and AMSAC turbine trip is 2 out of 2, and testing disables outputs.
The final actuation logic for AMSAC emergency feedwater is on an individual train basis, with either train capable of starting a sufficient number of emergency feedwater pumps, and programming the auto control loops to maintain desired water level in the Once Through Steam Generators (OTSGs). This differs from the BWOG generic design (Paragraph 3.A.10) which states that 2 out of 2 logic is utilized for AMSAC. The train basis of AMSAC emergency feedwater was selected to be consistent with existing plant functional design.
Starting emergency feedwater pumps does not affect plant availability and thus challenge plant safety systems.
The only result of an inadvertent initiation is exercising of emergency feedwater pumps and circuitry, which would constitute a reportable condition per agreement with the NRC. This is consistent with the existing plant design criteria.
5.9 Maintenance Bypasses
TMI-1 DSS and AMSAC will utilize surveillance approaches consistent with existing surveillance approaches.
The surveillance testing mode of either channel of DSS or AMSAC logic will disable both DSS and AMSAC turbine trip channels and continuously alarm to the control room.
Bypass of the emergency feedwater actuation on loss of feedwater will also be required. Administrative controls will require that any work performed on the DSS/AMSAC logic, or existing plant instrumentation providing signals to DSS/AMSAC require monitoring via the surveillance testing mode at DSS/AMSAC.
The BWOG generic submittal discusses this item in Paragraph 3.B.6.
5.10 Operating Bypasses
The DSS does not require any operational type bypasses.
The AMSAC turbine trip does not require any operational type bypasses.
When feedwater pumps are secured per normal shutdown, the main turbine is already tripped.
The AMSAC emergency feedwater initiation will utilize the existing bypass provided for the existing plant anticipatory initiation of emergency feedwater on feedwater pump trip.
This bypass is utilized when securing the feedwater pumps and as such does not constitute an operational type bypass. This bypass is, however, alarmed to the operator per the existing plant design.
The BWOG generic submittal discusses this item in Paragraph 3.B.8.
5.11 Indication of Bypasses
As per paragraph 5.9 and 5.10, a single DSS/AMSAC maintenance bypass is provided.
This is indicated in the control room via annunciation.
The AMSAC emergency feedwater initiation manual bypass is alarmed as an existing emergency feedwater bypass.
The BWOG generic submittal discusses this requirement in Paragraph 3.B.7.
5.12 Means for Bypassing
Surveillance testing of DSS and AMSAC logic will require obtaining access to the surveillance mode using built-in test mode hardware. Accessing this test mode actuates the bypass alarm.
As such, the use of DSS or AMSAC system maintenance bypasses does not involve installing jumpers, lifting leads, pulling fuses, tripping breakers or blocking relays.
This item is not specifically addressed in the BWOG generic submittal.
5.13 Completion of Protective Action
Completion of the protective action for DSS occurs via lock-up/seal-in of the DSS.
Reset is accomplished via manual reset.
AMSAC emergency feedwater initiation is locked-up/sealed in via the existing emergency feedwater actuation circuitry.
The BWOG generic submittal discusses this requirement in Paragraph 3.B.5.
5.14 Information Readout
Status indication of DSS and AMSAC includes the above described bypass alarm and an alarm for any (partial or full) DSS/AMSAC turbine trip. AMSAC emergency feedwater initiation alarm is existing.
Refer to Table 1.
Local status light indication on a channel/function basis is provided at the DSS/AMSAC logic and the DSS rod drive portion of DSS.
This item is not specifically addressed in the BWOG generic submittal.
5.15 Safety Related Interfaces
No possibility exists of compromising the existing RTS and ESAS safety criteria via interfaces since there are no interfaces between DSS/AMSAC and the RTS or ESAS systems.
Safety-related interfaces are provided with the R.G.1.97 RC pressure and the emergency feedwater actuation circuitry.
The isolation aspects of these interfaces are described in Paragraph 5.2 and 6.2.
The BWOG generic submittal discusses this item in Paragraph 3.A.1
5.16 Technical Specifications
The DSS and AMSAC will be surveilled as described above in Paragraph 5.5.
GPUN expects that any position on Technical Specifications requirements for DSS and AMSAC will be developed by the Technical Specifications Improvement Program as discussed during the August 17, 1988 meeting between the NRC and the B&W Owners Group.
6. CONCLUSIONS
6.1 Power Supplies
Paragraphs C (1) and C (2) of the ATWS Rule specify that DSS and AMSAC must be independent from the existing reactor trip system, which is a portion of the RPS. The Supplementary Information specifies that "Logic and actuation device power must be from an instrument power supply independent from the power supplies for the existing reactor trip system.
Existing RTS sensor and instrument channel power supplies may be used provided the possibility of common mode failure is prevented".
The power source for the DSS logic/actuation equipment and the AMSAC logic circuitry will be independent from the power source utilized for the reactor trip system, as per the existing licensing basis, relating to independence/isolation.
This power source will be battery backed.
6.2 Isolation Devices
Electrical isolation (Class 1E to non-Class 1E) is required in one application each in TMI-1's DSS and AMSAC.
The DSS application is between existing Class 1E instrument loops for RC pressure and the input to the DSS logic.
This application will utilize additional Foxboro N-2A0-VAI modules as used throughout the Foxboro equipment at TMI.
Use of this device at TMI-1 received NRC review and approval for SPDS application.
The AMSAC application is the AMSAC input to the Emergency Feedwater System (HSPS).
Existing emergency feedwater actuation from feedwater pump trip utilizes isolation relays (Clark PM5U6-l) for existing HSPS isolation requirements. The output from the AMSAC logic will now be routed to these same relays in place of the existing feedwater pump trip signal. Thus, ATWS requirements for isolation are bounded by existing isolation requirements.
The SER suggests that the plant specific submittal should use Appendix A of the SER to provide information that the identical/existing Class 1E to non-Class 1E electrical isolators will function under the maximum worst case fault conditions. TMI-1 will use identical/existing isolation devices now in use with the Foxboro signal conditioning and HSPS. GPU believes that this commitment, fully consistent with the TMI-1 licensing basis, satisfies the requirement of 10CFR 50.62.
6.3 Bypasses and Displays
DSS and AMSAC bypasses are described in Paragraphs 5.9, 5.10, 5.11 and 5.12 above.
The parameter monitored by DSS is RC pressure and this is continuously indicated via control room indication.
The parameter monitored by AMSAC is feedwater pump turbine control oil pressure.
This parameter is not indicated in the control room.
However control oil pressure is directly related to feedwater turbine inlet control valve position which is related to turbine speed. Turbine speed is provided in the control room as are feedwater pump pressure and feedwater flow. Low control oil pressure is alarmed.
6.4 Surveillance and Testing
DSS and AMSAC surveillance is described above in Paragraph 5.7.
Surveillance requirements will be controlled as a part of existing plant administrative controls.
6.5 Input Parameters
DSS monitors RC pressure via existing Class 1E R.G.1.97 RC pressure instrument loops.
The TMI-1 option for DSS input signal is the hot leg pressure.
TMI-1 specific ATWS analyses were performed to establish a high pressure setpoint to meet all the functional requirements for the DSS.
The optimum DSS high pressure setpoint was determined to be approximately 2460 psig.
AMSAC monitors feedwater pump turbine control oil pressure as indicative of loss of feedwater.
This is the fastest parameter for measuring loss of feedwater resulting from a feedwater trip. Any other loss of feedwater condition would require multiple failures. Trip setpoint is approximately the same as the existing plant setpoint (70 psig).
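The actuation, bypass and seal-in behaviour described in Paragraphs 5.8, 5.9, 5.12, 5.13, 5.14 and 6.5 can be modelled as follows. This is an added illustration, not part of the GPUN submittal or the BWOG design documents; the class and function names, the two-channel scan model, the comparison directions at the setpoints, the channel-to-train mapping for emergency feedwater, and the sample readings are assumptions.

```python
from dataclasses import dataclass, field

# Approximate setpoints quoted in Paragraph 6.5 of the submittal.
DSS_HIGH_RC_PRESSURE_PSIG = 2460.0
AMSAC_LOW_OIL_PRESSURE_PSIG = 70.0


@dataclass
class AtwsLogicModel:
    """Hypothetical two-channel model of DSS/AMSAC logic (names are assumptions)."""

    # Surveillance test mode per logic channel (Paragraphs 5.9 and 5.12).
    test_mode: list = field(default_factory=lambda: [False, False])
    # DSS seal-in state, cleared only by manual reset (Paragraph 5.13).
    dss_sealed_in: bool = False

    def scan(self, rc_pressure, fw_oil_pressure):
        """Evaluate one pass; each argument is a (channel A, channel B) pair in psig."""
        # Assumption: a channel trips at or beyond its setpoint.
        dss_ch = [p >= DSS_HIGH_RC_PRESSURE_PSIG for p in rc_pressure]
        amsac_ch = [p <= AMSAC_LOW_OIL_PRESSURE_PSIG for p in fw_oil_pressure]

        # Test mode on either channel disables the outputs and alarms (5.9).
        bypassed = any(self.test_mode)

        # DSS final actuation is 2-out-of-2 and energize-to-actuate (5.8);
        # once actuated it seals in until manually reset (5.13).
        if all(dss_ch) and not bypassed:
            self.dss_sealed_in = True

        return {
            "dss_trip": self.dss_sealed_in and not bypassed,
            # AMSAC turbine trip is also 2-out-of-2 (5.8).
            "amsac_turbine_trip": all(amsac_ch) and not bypassed,
            # Emergency feedwater is started per train (5.8). Assumption:
            # channel A drives train A and channel B drives train B.
            "efw_train_start": [ch and not bypassed for ch in amsac_ch],
            "bypass_alarm": bypassed,
            # Alarm on any partial or full trip condition (5.14).
            "trip_alarm": any(dss_ch) or any(amsac_ch),
        }

    def manual_reset(self):
        """Operator reset of the DSS seal-in (5.13)."""
        self.dss_sealed_in = False


def demo():
    """Run constructed readings (psig, not plant data) through the model."""
    m = AtwsLogicModel()
    out = {}
    out["normal"] = m.scan((2155.0, 2155.0), (150.0, 150.0))
    # One channel high: partial trip alarm only, no actuation (2-out-of-2).
    out["one_channel"] = m.scan((2470.0, 2155.0), (150.0, 150.0))
    out["both_channels"] = m.scan((2470.0, 2465.0), (150.0, 150.0))
    # Pressure recovers, but the trip stays sealed in until reset.
    out["recovered"] = m.scan((2155.0, 2155.0), (150.0, 150.0))
    m.manual_reset()
    out["after_reset"] = m.scan((2155.0, 2155.0), (150.0, 150.0))
    # Channel A in surveillance test mode: outputs disabled, bypass alarmed.
    m.test_mode[0] = True
    out["in_test"] = m.scan((2470.0, 2470.0), (60.0, 60.0))
    m.test_mode[0] = False
    # Low oil pressure on channel A only: train A feedwater, no turbine trip.
    out["one_fw_channel"] = m.scan((2155.0, 2155.0), (60.0, 150.0))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model does not represent the seal-in of AMSAC emergency feedwater initiation, which the submittal assigns to the existing emergency feedwater actuation circuitry.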
ADEQUACY OF GENERIC BWOG DESIGN
The NRC Safety Evaluation Report on the generic ATWS design identifies an area of disagreement with respect to the need for Safety-Related (Class 1E) power supplies. The concerns expressed relate to DSS and AMSAC power supply diversity and independence.
A BWOG/NRC meeting was held on August 17, 1988 to discuss these and other open issues in the SER. At the conclusion of that meeting, the NRC staff identified three options which were considered acceptable for resolving their concern with respect to the power supply issue.
These options were formalized in a letter to the BWOG dated September 7, 1988.
Option 1 is:
"Provide a DSS/AMSAC design... powered via a 480 volt bus with its own independent (i.e. not associated with the RTS) non Class 1E battery, rectifier and charger that provide 120 VAC to the ATWS circuitry".
The letter goes on to specify that "Option 1 will provide the most expeditious resolution and would clearly meet the power supply independence guidance published with the ATWS rule".
Subsequent to the October 17 meeting, GPUN has closely reviewed the generic BWOG submittal, the TMI-1 conceptual design, the requirements of 10CFR50.62, the guidance published with the rule, and historical documentation leading to the rulemaking. We continue to believe that the design as proposed in the BWOG submittal meets the intent and letter of 10CFR50.62. Furthermore, we have concluded that the provision of a new station battery would provide no enhancement to safety or system reliability.
The purpose of this attachment is to provide the bases for these conclusions.
10CFR50.62 COMPLIANCE
10CFR50.62 specifies the following:
(C) Requirements
(1) Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS.
This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.
(2) Each pressurized water reactor manufactured by Combustion Engineering or by Babcock and Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods.
This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the
The BWOG design for AMSAC includes equipment from sensor output to final actuation device, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. The TMI-1 implementation of the generic BWOG design for AMSAC results in initiation of the emergency feedwater system within the existing heat sink protection circuitry and main turbine trip via the main turbine trip system.
AMSAC is initiated on low control oil pressure in the turbine driven feedwater pump.
The equipment is designed to perform its function in a reliable manner and is independent (from sensor output to the final actuation device) from the existing reactor trip system.
Feedwater pump turbine trip input signals to the AMSAC are powered from the vital buses.
The AMSAC turbine trip coils are powered from the vital buses.
The HSPS and HSPS input circuitry associated with the AMSAC logic are powered from vital buses.
Independence from the RTS is achieved by the use of Class 1E circuit breakers, multiple power sources, and coincidence logic.
The BWOG design includes a diverse scram system from sensor output to interruption of power to the control rods.
This scram system is designed to perform its function in a reliable manner, and is independent from the existing reactor trip system (from sensor output to interruption of power to the control rods).
The TMI-1 implementation of the generic BWOG design for DSS results in tripping control rod groups 5, 6 and 7.
Although not explicitly required by 10 CFR 50.62, automatic initiation is provided.
DSS is initiated on high reactor coolant system pressure. Although not required by the ATWS rule, the RCS pressure sensors used for DSS initiation are different from those associated with RTS initiation.
No interconnections exist between the DSS logic and actuation circuitry and the diverse RTS logic and actuation circuitry.
The DSS logic is powered from the vital buses.
Independence from the RTS power supplies is achieved by use of Class 1E circuit breakers, multiple power sources, and coincidence logic.
The DSS trip input to the rod drive control system is from the DSS logic, and therefore, the vital bus is the power source.
The BWOG generic submittal complies with the requirements of the ATWS Rule regarding independence.
Independence is understood to mean "the state in which there is no mechanism by which any single design basis event, such as a flood, can reduce redundant equipment to be inoperable" (IEEE 384-1981).
"The physical separation of circuits and equipment shall be achieved by the use of safety class structures, separation distance, or barriers or any combination thereof.
Electrical isolation shall be achieved by the use of separation distance, isolation devices, shielding and wiring, or combinations thereof".
The ATWS Rule requires systems independent of the RTS to initiate auxiliary feedwater flow and to initiate turbine trip.
The design of the BWOG generic submittal satisfies this requirement using the IEEE 384-1981 concept of independence. Figure 2 demonstrates that the instrument power supply is independent of that for the existing RTS by the use of qualified isolation devices.
Furthermore, the BWOG could have used existing RTS instrument channel power supplies and satisfied the ATWS Rule.
Reliability is described in the following paragraphs.
EFFECTS OF ADDING A DIVERSE/SEPARATE SOURCE OF POWER
The discussion below describes the effect, in probability of success terms, of adding a diverse/separate source of power for certain portions of the DSS/AMSAC, as suggested by the NRC staff.
The diverse/separate source would power DSS/AMSAC logic and actuation, but not signal input.
1. Definition of Success
DSS: Interruption of all SCRs in GP 5, 6, 7 (both channels of DSS logic).
EF Initiation/Control: Either train of EF Actuation and control constitutes success. For ease and consistency of presentation, one channel of EF Actuation and Control is described below.
Turbine Trip: Both channels of AMSAC logic.
2. Successful functioning of each component is defined as Pxxx.
Power availability is defined as Vyyy.
Note from Figure 3 that DSS and AMSAC functions are arranged with components in series with each downstream component dependent upon successful functioning of the upstream component.
Note also that ATWS circuitry is power to actuate, such that if component 1 is de-energized, component 2 will see a non-trip input signal. Loss of power is the most likely failure.
However, any type of failure which causes misoperation of component 1 will prevent component 2 and other downstream components from operating.
3. Success:
DSS
per Figures 3 and 4: Pdss = P1 x P2 x P3 x P7 x P8 x P9 x V13 x V14
per Figures 3 and 5: Pdss = P1 x P2 x P3 x P7 x P8 x P9 x V13 x V14 x V15
EF
per Figures 3 and 4: Pef = P4 x P2 x P5 x P6 x V13
per Figures 3 and 5: Pef = P4 x P2 x P5 x P6 x V13 x V15
Turbine Trip
per Figures 3 and 4: Ptt = P4 x P2 x P10 x P8 x V13 x V14
per Figures 3 and 5: Ptt = P4 x P2 x P10 x P8 x V13 x V14 x V15
Review of the above simplified equations illustrates the effect of adding a new "independent" power source.
For DSS, AMSAC emergency feedwater actuation, or AMSAC turbine trip, the overall probability of success with the new "independent" power source is decreased unless the availability of that power source (V15) is 1.0.
The probability of success cannot be increased with the addition of the new "independent" power source.
The benefit of the NRC recommended design per Figures 3 and 5 is zero. The cost/benefit ratio would be very high.
CONCLUSIONS
The BWOG generic design is in accordance with the letter and intent of the ATWS Rule with respect to requirements for power supply.
No safety benefit would result from the addition of a new power source as recommended by the NRC staff.
References
A.1 B&W Owners Group Letter, J. Ted Enos to Hugh L. Thompson Jr. (NRC), "B&W Owners Group (BWOG) ATWS Design Basis", dated October 9, 1985.
A.2 NRC Letter C311-88-3148, JF Stolz to HD Hukill (GPUN), "NRC Evaluation of BWOG Generic Report Design Requirements for DSS and AMSAC (TAC No. 59151)", dated July 7, 1988.
A.3 Federal Register / Vol. 49 No. 124 / Tuesday, June 26, 1984 / pp. 26036-26044, "Final Rule - 10 CFR Part 50, Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants".
A.4 NRC Letter, Hugh L. Thompson to All Power Reactor Licenses and All Applicants for Power Reactor Licenses, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related (Generic Letter 85-06)", dated April 16, 1985.
A.5 NRC Letter, G. Holahan to LC Stalter (Chairman, BWOG/ATWS Committee), "August 17, 1988 B&W/NRC ATWS Meeting", dated September 7, 1988.
A.6 NRC Letter C311-88-3245, Ronald W. Hernan to H. D. Hukill (GPUN), "NRC Response to the B&W ATWS Owners Group on DSS and AMSAC (TAC No. 59151)", dated October 6, 1988.
TABLE 1 CONTROL ROOM OPERATOR INTERFACE RELATED TO DSS/AMSAC

| Category | Item | Status |
|---|---|---|
| ANNUNCIATOR ALARMS | DSS/AMSAC Turbine Trip Bypassed | NEW |
| | DSS/AMSAC Trouble/Actuate | NEW |
| | EF Train A/B Defeated (includes AMSAC related bypass of FW pump trip) | EXISTING |
| | EF Actuated OTSG A | EXISTING |
| | EF Actuated OTSG B | EXISTING |
| | Reactor Tripped (Includes SCR Degate) | EXISTING |
| | Turbine Generator Tripped | EXISTING |
| | FW P1A Tripped | EXISTING |
| | FW P1B Tripped | EXISTING |
| | FW Pump Turbine Low Control Oil Pressure | EXISTING |
| STATUS LIGHTS | EF Train A Actuated on Loss of FW Pumps | EXISTING |
| | EF Train B Actuated on Loss of FW Pumps | EXISTING |
| PROCESS VARIABLE INDICATION | RC Press (Channel I) | EXISTING |
| | RC Press (Channel II) - Computer | EXISTING |
| | FWP1A Speed | EXISTING |
| | FWP1B Speed | EXISTING |
| | FW Flow OTSG A | EXISTING |
| | FW Flow OTSG B | EXISTING |
| OTHER INDICATIONS | Rod Position | EXISTING |
| BYPASSES | Bypass EF Actuation on Loss of FW Pumps - Train A | EXISTING |
| | Bypass EF Actuation on Loss of FW Pumps - Train B | EXISTING |
Attachment B
FIGURES
1. BWOG ATWS Design Applied to TMI-1
2. Power arrangement
3. ATWS signal/actuation
4. ATWS power sources
5. ATWS power sources, including "independent" source
FIGURE 1 BWOG ATWS DESIGN APPLIED TO TMI-1
[Block diagram not reproduced. Block labels: existing signal conditioning cabinet A1 RC pressure, 0-3000 psig (4-20 madc); FW-P-1A and FW-P-1B control oil pressure, 0-200 psig (20-4 madc); AMSAC/DSS Logic 1 and Logic 2; control room status indication; degate GP 5, 6, 7 primary and secondary SCRs; aux power supply, primary SCRs; existing relay logic/isolation (1E); trip main turbine; existing both MFW pumps tripped; existing EF HSPS Train A and Train B; existing control room bypass/status indication.]
NOTES:
- 1. Control oil press 0-120 psig (4-20 madc) replaces existing pump ΔP and Control oil press. switches.
- 2. FW pump trip defined as Control oil press <70 psig.
- 3. Main turbine now tripped using Control oil press. switches.
- 4. EF now initiated using pump ΔP press. switches.
- 5. Other design approaches to reactor trip are under consideration.
Legend: Analog, On-Off
FIGURE 2 POWER ARRANGEMENT INTENDED FOR TMI-1
[Block diagram not reproduced. Block labels: offsite power; chargers; rectifiers; inverters; vital buses; sensors; reactor trip system; DSS/AMSAC; silicon controlled rectifiers; initiate EFW/AFW; CRDMs. Legend: signal, power.]
FIGURE 3 ATWS SIGNAL/ACTUATION
[Block diagram not reproduced. Component labels: DSS sensor/signal condition (P1, P7); AMSAC sensor/signal condition (P4, P10); AMSAC/DSS logic (P2, P8); isolation (P5, P11); EF actuation and control (P6, P12); de-gate primaries (P3); de-gate secondaries (P9); turbine trip.]
FIGURE 4 ATWS POWER SOURCES
[Block diagram not reproduced. Power sources: Voltage 13 (V13) and Voltage 14 (V14). Component labels: DSS sensor/signal condition (P1, P7); AMSAC sensor/signal condition (P4, P10); AMSAC/DSS logic (P2, P8); isolation (P5, P11); EF actuation and control (P6, P12); de-gate primaries (P3); de-gate secondaries (P9); turbine trip.]
FIGURE 5 ATWS POWER SOURCES INCLUDING "INDEPENDENT" SOURCE
[Block diagram not reproduced. Power sources: Voltage 13 (V13), Voltage 14 (V14) and Voltage 15. Component labels: DSS sensor/signal condition (P1, P7); AMSAC sensor/signal condition (P4, P10); AMSAC/DSS logic (P2, P8); isolation (P5, P11); EF actuation and control (P6, P12); de-gate primaries (P3); de-gate secondaries (P9); turbine trip.]