ML20212E844
| ML20212E844 | |
|---|---|
| Person / Time | |
| Site: | Prairie Island |
| Issue date: | 02/26/1987 |
| From: | Musolf D NORTHERN STATES POWER CO. |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| NUDOCS 8703040543 | |
Text
Northern States Power Company
414 Nicollet Mall
Minneapolis, Minnesota 55401
Telephone (612) 330-5500

February 26, 1987

10 CFR 50.62

U S Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555

PRAIRIE ISLAND NUCLEAR GENERATING PLANT
Docket Nos. 50-282 and 50-306, License Nos. DPR-42 and DPR-60

Plant Specific AMSAC Design

In our letter dated October 24, 1986 we committed to submit the plant specific AMSAC design for NRC review and approval by March 1, 1987. This letter is being provided in response to that commitment.
The following information is attached:

Attachment I - AMSAC Preliminary Conceptual Design Report for Prairie Island
Attachment II - Response to Plant Specific Questions Contained in NRC Safety Evaluation of WCAP-10858

This submittal is based on utilization of the Low Feedwater Flow actuation logic presented in WCAP-10858. An unresolved timing problem regarding AMSAC actuation exists and is being addressed by Westinghouse.
The installation of the design described in Attachment I is contingent upon successful resolution of this timing problem within a reasonable time frame.
If it becomes necessary to select an alternate actuation logic, that decision would not affect the selection of vendor equipment, concept for control room annunciation and display, conceptual handling of analog input interfaces, output actuation relay logic design, or implementation schedule.
Please contact us if you have any questions related to the information we have provided.
David Musolf
Manager - Nuclear Support Services

DMM/EFE/efe

c: Regional Administrator-III, NRC
NRR Project Manager, NRC
Resident Inspector, NRC
G Charnoff

8703040543 870226 PDR ADOCK 05000282 P PDR
ATTACHMENT I

AMSAC Preliminary Conceptual Design Report for Prairie Island

1.0 INTRODUCTION

This submittal describes the design of the AMSAC system for Prairie Island Units 1 & 2. The design is based on the generic Westinghouse AMSAC design, described in WCAP-10858 "AMSAC Generic Design Package", SECTION 4.0 "LOGIC 2 FUNCTIONAL REQUIREMENTS". Included in this submittal are discussions of design basis, hardware design, and testing procedures. Responses to the plant-specific questions contained in the NRC Safety Evaluation of WCAP-10858 are discussed in Attachment II.
2.0 DESIGN BASIS

The purpose of the AMSAC system is to mitigate the effects of a failure to trip the reactor in the event of a loss of normal feedwater or a loss of load. This is required to prevent reactor coolant system pressure from exceeding 3200 psig. The mitigation is accomplished by tripping the turbine and initiating Aux Feedwater flow in the event of an anticipated loss of heat sink after the reactor protection system has been given sufficient time to trip the reactor.

As discussed in detail in WCAP-10858 SECTION 2.0 "DESIGN BASIS", the criteria for AMSAC are based on the ATWS rule (10 CFR 50.62 and supplementary information, published 6/26/84), previous Westinghouse analyses (WCAP-8330), and good engineering practice. The specific design proposed for the Prairie Island units satisfies the design criteria discussed in WCAP-10858.
3.0 HARDWARE DESIGN

General - The AMSAC system for Prairie Island is based on the Loss-of-Feedwater Flow logic, which senses the impending loss of heat sink by monitoring feedwater flow directly. It initiates Auxiliary Feedwater flow, provides a turbine trip, and isolates steam generator blowdown and sampling when a complete loss of feedwater is anticipated. AMSAC actuates on low feedwater flow on 3 of 4 flow transmitters (two transmitters per loop). Short-term protection against reactor coolant system overpressure is not required at low loads, thus a load permissive is included in the AMSAC design. The setpoint for this permissive has been reduced from the value specified in WCAP-10858 because analyses performed by Westinghouse subsequent to the issuance of WCAP-10858 indicated that the original setpoint would not preclude bulk boiling in the core. This permissive (called C-20) is formed by a 2 of 2 logic based on turbine impulse pressure. A time delay on the load permissive removal insures that the permissive is in effect long enough to provide for actuation during decreasing load situations.
A time delay for AMSAC actuation is intended to provide for both control system and reactor protection system response prior to ATWS mitigation.
This time delay is presently being revised by Westinghouse, but is expected to be an inverse function of turbine power level prior to the ATWS. Setpoints for bistable functions and timers will be in accordance with Westinghouse guidance.
The proposed AMSAC design consists of power sources, system electronics, analog inputs, system status outputs, and actuation outputs interfacing with the Auxiliary Feedwater system, the Turbine Control system, the Steam Generator Blowdown system, and the Sampling system.
The transmitter and instrument AC bus numbers referenced below apply individually to each unit (e.g. transmitter PT-485 is 1PT-485 for Unit 1, 2PT-485 for Unit 2).
Power Sources - The AMSAC system electronics will be powered from dual multinest power supplies rack-mounted in the base of each AMSAC cabinet. Both power supplies are capable of providing all power requirements for the rack-mounted equipment. The two rack-mounted power supplies receive instrument AC from independent computer uninterruptible power supplies (UPS's). The same instrument AC sources will be used for the AMSAC systems of both Prairie Island units. These are nonsafeguards sources, totally diverse from the reactor protection and control system.
Each computer UPS is powered from an AC bus which has a nonsafeguard diesel generator as an alternate source. Each UPS has its own battery. This results in a power supply system for the AMSAC electronics which is redundant and diverse from the sources used in the reactor protection and control system.
The Turbine Impulse pressure transmitters to be used for AMSAC are PT-485 and PT-486. This design requires the use of reactor protection system uninterruptible instrument AC sources for the transmitter and existing isolation amplifier power supplies for the impulse pressure signals. Transmitter PT-485 is powered from Instrument AC bus 2.
The isolation amplifier which would provide an impulse pressure signal to AMSAC from PT-485 is powered from Instrument AC bus 1.
PT-486, and its isolation amplifier providing the signal to AMSAC, are powered from Instrument AC bus 3.
Although Feedwater Flow transmitters are presently used in the reactor protection system, Prairie Island intends to upgrade its feedwater control system and reactor protection system in approximately the same time frame in which AMSAC is installed. This is expected to result in the elimination of the need for these transmitters to be powered from the existing reactor protection system power sources. At the time of this upgrade, the transmitter power supply circuits will be changed to the Foxboro SPEC 200 product line described below. The power source for the transmitters will be from the AMSAC sources. This will increase the diversity of the overall installation for AMSAC versus the reactor protection system.
If the feedwater control and reactor protection system upgrade is not accomplished, a schedule for installation of Feedwater Flow sensing diverse from the reactor protection system will be provided to the NRC.
The Feedwater Flow transmitters and associated isolation amplifiers to be used on AMSAC are powered as follows:

| TRANSMITTER | LOOP | POWER SUPPLY |
|---|---|---|
| FT-466 | A | Instrument Bus 1 |
| FT-467 | A | Instrument Bus 2 |
| FT-476 | B | Instrument Bus 3 |
| FT-477 | B | Instrument Bus 4 |

System Electronics - The Prairie Island AMSAC system will be built around the Foxboro SPEC 200 system of control instrumentation, including use of the microprocessor-based SPEC 200-MICRO control cards.
The system is implemented in a single rack of electronics per unit.
The system electronics are diverse in design from the existing Prairie Island reactor protection system electronics manufactured by Foxboro.
Input to and output from the SPEC 200 equipment is by means of I/O modules with extensive field use and established reliability.
The analog input signals are monitored for loss of signal, or signal levels beyond normal operating range. These monitors are an input to the system trouble alarm. The SPEC 200-MICRO control card performs the logic and timing functions for the system (including calculation of the actuation timer variable setpoint).
If an analog input signal fails, Test Switches installed on the Test Panel can be used to set the associated bistable function to a logic "1".
The control card output goes to rack-mounted relay interface cards, which drive the relays for the final actuation logic. The microprocessor design includes a self-monitoring function which will drive the outputs to zero in the event of a fatal hardware or software failure. The complete system is designed on an energize-to-actuate basis. Therefore the possibility of inadvertent actuation because of the loss of signal, loss of all power, or the loss of a control module is minimized.
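The logic described above, as an added example that is not part of the submittal or of the vendor's implementation: a Python model of the 3-of-4 low feedwater flow vote, the 2-of-2 C-20 permissive with delayed removal, input-failure and Test Switch handling, and the energize-to-actuate 2-of-3 relay output. Every setpoint and delay, the linear form of the variable timer, and the percent-of-span signal scaling are constructed placeholders, since the page gives no values.

```python
from dataclasses import dataclass, field

# Every number here is a constructed placeholder, not a Prairie Island setpoint.
LOW_FLOW_PCT = 25.0                     # low feedwater flow bistable trips below this
C20_PCT = 40.0                          # C-20 bistable is satisfied above this
FAIL_LOW_PCT, FAIL_HIGH_PCT = -5.0, 105.0   # outside this band = signal failure
C20_HOLD_S = 120.0                      # delay on removal of the C-20 permissive
T_AT_C20_S, T_AT_FULL_S = 60.0, 25.0    # actuation delay at C-20 load / full load


def signal_ok(pct):
    return FAIL_LOW_PCT <= pct <= FAIL_HIGH_PCT


def actuation_delay(power_pct):
    """Hypothetical inverse relation: higher prior turbine power, shorter delay."""
    p = min(max(power_pct, C20_PCT), 100.0)
    return T_AT_C20_S + (p - C20_PCT) / (100.0 - C20_PCT) * (T_AT_FULL_S - T_AT_C20_S)


@dataclass
class Amsac:
    block_switch: bool = False      # True = Block position (outputs blocked)
    card_failed: bool = False       # self-monitoring found a fatal fault
    test_trip: set = field(default_factory=set)   # tags forced to logic "1"
    relay_ok: list = field(default_factory=lambda: [True, True, True])
    c20_left: float = 0.0           # remaining hold time of the permissive
    timer: float = 0.0              # how long 3/4 low flow has been present
    delay: float = T_AT_C20_S       # delay latched from power before the event

    def step(self, dt, flows, pressures):
        """flows: {tag: % span} for 4 FTs, pressures: {tag: % span} for 2 PTs."""
        signals = [*flows.values(), *pressures.values()]
        # A failed input never trips its bistable by itself; only a Test Switch can.
        low = [t in self.test_trip or (signal_ok(v) and v < LOW_FLOW_PCT)
               for t, v in flows.items()]
        high = [t in self.test_trip or (signal_ok(v) and v > C20_PCT)
                for t, v in pressures.items()]
        if all(high):                               # 2-of-2 permissive
            self.c20_left = C20_HOLD_S
        else:
            self.c20_left = max(0.0, self.c20_left - dt)
        c20 = self.c20_left > 0.0
        low_flow = sum(low) >= 3                    # 3-of-4 low feedwater flow
        if low_flow:
            self.timer += dt
        else:
            self.timer = 0.0
            valid = [v for v in pressures.values() if signal_ok(v)]
            if valid:                               # high-select the power signal
                self.delay = actuation_delay(max(valid))
        # Energize-to-actuate: a failed card drives its output to zero.
        logic = low_flow and c20 and self.timer >= self.delay and not self.card_failed
        relays = [logic and ok for ok in self.relay_ok]
        return {
            "actuate": sum(relays) >= 2 and not self.block_switch,   # 2-of-3 relays
            "trouble": self.card_failed or not all(map(signal_ok, signals)),
            "inactive": self.block_switch or self.card_failed or not c20,
            "in_test": self.block_switch or bool(self.test_trip),
        }


def run(amsac, seconds, flows, pressures):  # 1 s steps with constant inputs
    status = None
    for _ in range(int(seconds)):
        status = amsac.step(1.0, flows, pressures)
    return status


# Constructed sample inputs, in percent of span.
NORMAL_FLOW = {"FT-466": 100.0, "FT-467": 100.0, "FT-476": 100.0, "FT-477": 100.0}
LOST_FLOW = {"FT-466": 2.0, "FT-467": 2.0, "FT-476": 2.0, "FT-477": 100.0}
FULL_LOAD = {"PT-485": 100.0, "PT-486": 100.0}
```

In this model a failed analog input raises the trouble alarm and is excluded from the vote until its Test Switch forces the bistable to logic "1", and a failed control card or the Block Switch yields the inactive status instead of an actuation.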
Analog Inputs - The AMSAC system receives analog inputs for Turbine Impulse Pressure and Feedwater Flow. For the failure of the instrument AC bus serving either the transmitter power supply or the signal isolation amplifier, the signal to AMSAC would drop below the nominal live zero level and would be detectable as a signal failure.
The Turbine Impulse Pressure signals are from existing safety-related/1E transmitters, which are used for reactor protection and control. Each transmitter, with its power supply, forms a current loop providing an input signal to bistables and signal isolation amplifiers. (See attached sketch of typical analog signal system.) The transmitters are PT-485 and PT-486. The signal isolation amplifiers are Foxboro type M/66-BC. This equipment is used throughout the reactor protection and control system to isolate protection functions from potential failures in the control systems.
The present Feedwater Flow transmitter loops, which may be used for an interim period as discussed above, are designed as follows. The Feedwater Flow transmitters (two per feedwater loop) are presently used in the reactor protection and control system as part of the Low Steam Generator Level/(Feedwater Flow < Steam Flow) reactor trip. An isolated signal from these transmitters is used in Feedwater Flow control. In each case an additional isolation amplifier provides an isolated signal to a computer input. It is this isolation signal which will also be used for AMSAC.
System Status Outputs - The AMSAC system will provide outputs for control room information and annunciation. This will include a control board status alarm and computer-based alarms to indicate system hardware trouble or AMSAC actuation.
The requirement to provide continuous indication in the control room when the system is bypassed for surveillance is addressed by installation of a control room status panel alarm to indicate that the AMSAC system is unavailable. (See attached sketch for logic.)
The computer alarm screen will be used for three alarms. (See attached sketch for logics.) The first alarm is a general hardware system trouble alarm. The second computer alarm will appear if AMSAC actuation occurs. (There will also be an output to the sequence-of-events data logger.) The third alarm will occur when the actuation output Block Switch is in the Block position, or if Bistable Trip Test Switches are operated to the Trip position.
The computer alarm CRT is continuously displayed in the control room.
Since AMSAC actuation should not affect operation of the reactor and turbine until there has been a failure of both normal control and protection systems, this level of control room indication will provide adequate information to the operator while allowing Prairie Island to conserve the scarce annunciator spare positions for future needs.
Actuation Outputs - The AMSAC system is required to start the Auxiliary Feedwater system, trip the turbine, isolate Steam Generator Blowdown, and isolate Steam Generator sampling. When the actuation logic formed in the microprocessor control card is satisfied, a logic "1" is sent to the rack-mounted Relay Driver cards. These actuate auxiliary relays mounted in relay cabinets, which form a 2-of-3 relay logic for actuation. The 2-of-3 actuation logic formed by the auxiliary relays drives a pair of actuation relays, whose contacts will be used in parallel for the required AMSAC functions. These contact pairs will provide the 1E interface with the control logic circuits used in each of the required functions.
This array of relay logic is designed to minimize the risk of a single failure causing either failure to function on demand or inadvertent actuation. All of the AMSAC relay logic is configured on an energize-to-actuate basis to avoid inadvertent actuation. The specific interface design will insure that when AMSAC actuation occurs the action goes to completion.
4.0 TESTING CONSIDERATIONS

The ATWS Rule and the NRC SER for WCAP-10858 require the AMSAC system to be testable at power, and to be tested prior to installation and periodically. The proposed AMSAC system will be tested prior to completion of installation, consistent with the modification process used by Northern States Power. This testing will verify that the installation has been accomplished as designed, and that the hardware is operating properly.
Functional testing of the system hardware will be accomplished at power.
A conceptual outline of test to be done at power follows:

1. Inform operations about testing.
2. Operate Block Switch to preclude relay actuation.
3. Insert analog test signals into the Impulse Pressure signal Test Points. Varying these inputs, verify the proper operation of the C-20 permissive bistables.
4. Insert analog test signals into the Feedwater Flow signal Test Points. Varying these inputs, verify the proper operation of the individual Low Feedwater Flow bistables.
5. Using analog inputs and Test Switches as necessary, verify proper operation of the 3/4 Low Feedwater Flow logic, the 2/2 Impulse Pressure C-20 logic, the actuation logic, and the proper function of the two timers.
6. Remove all test gear, and reset Test Switches.
7. Operate Block Switch to unblocked position.
8. Verify on AMSAC rack Display Unit that all analog signal systems are restored to normal operation.

Calibration and functional testing of the AMSAC system, including output relays, is to be done during refueling outages. This testing will be similar to that described above, except that the Block Switch will be unblocked to allow relay actuation and resulting operations to be verified.
[Attached sketches, not recoverable from the scan. Legible titles and labels: AMSAC inactive status panel window alarm (C-20 permissive not satisfied, Block Switch in Block position, control card in fail mode); typical analog signal development (transmitter, loop power supply, isolation amplifier, I/V isolator; PS = power supply); computer-based alarms (AMSAC system in test, AMSAC operation with sequence-of-events log, AMSAC system trouble); AMSAC final actuation logic (relay driver cards, 2-of-3 relay logic, actuation relays, Block Switch, test light; outputs: Aux. Feedwater on, turbine trip, etc.); control card interface (impulse pressure inputs, pressure signal high selector, variable timer function calculator with time delay varying inversely with turbine power, feedwater low flow logic 3/4, variable setpoint for timer, actuation logic).]
ATTACHMENT II

Response to Plant Specific Questions Contained in NRC Safety Evaluation of WCAP-10858

The following is provided in response to the plant specific questions contained in the NRC Safety Evaluation of WCAP-10858 "AMSAC Generic Design Package".
1. Diversity---The proposed AMSAC system is diverse from the reactor protection and control system to the extent practicable. The AMSAC power sources are totally diverse from the protection system Instrument AC power supplies. The AMSAC control electronics are significantly more current in design and operating principles than those used in the reactor protection and control system. The analog signals are isolated within the reactor protection and control instrument racks (existing isolation corresponding to another function the signals provide). They are isolated again with isolation circuits of diverse design within the Foxboro SPEC 200 instrument racks. The outputs to plant systems are in the form of relay contacts to be wired into existing system circuitry to provide the redundant actuation.
2. Logic Power Supplies---The logic power is supplied from dual Instrument AC sources, both of which are totally diverse from power sources used in the reactor protection and control system. The AMSAC sources are from computer uninterruptible power supplies with dedicated batteries. They can receive power from diesel generators which are separate from those used for safety functions.
3. Safety-Related Interface---The existing reactor protection system will be unaffected by the AMSAC installation. The analog signals used in reactor protection are isolated from the signals leaving the existing instrument racks, going to the AMSAC system. The use of these isolators is discussed in WCAP-7685 "Isolation Amplifier" (June 1971), and in the Prairie Island USAR (page 7.4.-4).
The analog signals are re-isolated at the AMSAC racks.
The system interface for actuation is accomplished by use of energize-to-actuate relay logic. The 1E AMSAC actuation relays will be wired into the device actuation circuits for Auxiliary Feedwater initiation, Turbine trip, Steam Generator Blowdown isolation, and Sample isolation.
4. Quality Assurance---The quality assurance requirements for AMSAC were described in Generic Letter 85-06. The quality controls imposed in the procurement process, plant modification process, and the testing and calibration programs applied to plant instrumentation and control systems, are sufficient to satisfy the guidance expressed in Generic Letter 85-06.
5. Maintenance Bypasses---Maintenance will be performed with the AMSAC system in the Bypass mode, in which the logic output Block Switch is put to the Block position. With the output blocked, it will be possible to test, calibrate, or repair the software logic and analog portions of the system without affecting plant operations.
When the system is in the Bypass mode, the System Status annunciator panel in the control room will continuously indicate that the AMSAC system is inactive.
In addition, there will be a computer alarm to indicate that the system is in test.
6. Operating Bypasses---The operating bypass consists of the 2 of 2 logic in which the actuation permissive is satisfied whenever the power measured by Turbine Impulse pressure exceeds the permissive setpoint. The setpoint is based on generic work by the Westinghouse Owners Group. This permissive is subject to a time delay in removal, to maintain protection during power decreases. The analog signals upon which the C-20 permissive is based are created using transmitters used in the reactor protection and control system, but using a signal which is isolated electronically from that system. The AMSAC system monitors signal quality for these analog inputs, causing a computer alarm to the operators upon signal failure.
The operating bypass causes the System Status annunciator panel in the control room to continuously indicate that the AMSAC system is inactive when the permissive conditions are not satisfied.
7. Means for Bypassing---The means for bypassing the AMSAC system is an administratively controlled switch. The bypass means discussed and disallowed in the generic SER are not involved in the proposed design for Prairie Island.
8. Manual Initiation---Manual turbine trip is accomplished by use of a pushbutton on the control board. The auxiliary feedwater actuation is done by use of control switches on the control board. Their use is directed in the plant emergency operating procedure for response to ATWS.
9. Electrical Independence---The AMSAC system is powered from AC sources which are totally diverse from the reactor protection AC sources. The AMSAC power sources are secure, involving the use of computer uninterruptible power supplies which have dedicated batteries and nonsafeguards diesel generator backup for battery charging power.
The proposed design does require the use of reactor protection system power supplies to support existing transmitters and signal isolators.
Final actuation is accomplished by 1E qualified relays powered from AMSAC sources, the contacts of which interface with the turbine trip, auxiliary feedwater system, steam generator blowdown isolation, and sample isolation controls.
The existing isolators, which are powered by reactor protection system sources, were subjected to testing and failure analysis prior to completion of plant construction. The use of these isolators is discussed in WCAP-7685 "Isolation Amplifier" (June 1971). The signal input circuits used in the Foxboro SPEC 200 instrument racks have been subjected to the testing described in Appendix A to the NRC Safety Evaluation for WCAP-10858.
10. Physical Separation---The implementation of the AMSAC system does not degrade the physical separation of the existing reactor protection system. All analog inputs entering the AMSAC system, which are derived using equipment from all channels of reactor protection, are isolated signals before proceeding to AMSAC. The wiring of those signals from the reactor protection system to AMSAC will use cable tray or conduit other than that used for reactor protection system wiring. The use of protection system conduit and cable trays for any function not directly related to protection is prohibited. The AMSAC instrument rack is physically separated from the reactor protection and control instrument racks.
11. Environmental Qualification---The Foxboro SPEC 200 equipment is designed to operate in a mild environment. The proposed location is supported by safeguards HVAC.
12. Testability at Power---The testing of the AMSAC system during installation, at power operation, and during refueling outages will be performed as described in Attachment I of this submittal under Section 4.0 "TESTING CONSIDERATIONS". The AMSAC actuation signal is sensed as an input for an alarm which will be part of the control room computerized alarm display.
13. Completion of Mitigative Action---The AMSAC design for actuation output interfaces is such that, upon actuation, the completion of mitigating actions shall be consistent with the plant turbine trip and auxiliary feedwater circuitry. Once actuated, there is no mechanism to prevent completion of the mitigative action.
Return to normal power operation will be accomplished in accordance with normal operations manual procedures, which require deliberate operator action.
14. Technical Specifications---Northern States Power is a member of the Westinghouse Owners Group Technical Specifications Subcommittee, which has been negotiating with the NRC on the issue of Technical Specifications for the AMSAC system. Northern States Power intends to continue to participate in that forum to resolve the issue of what Technical Specifications, if any, are appropriate for the AMSAC system.