ML20214E058
| ML20214E058 | |
| Person / Time | |
|---|---|
| Site: | Byron, Braidwood, 05000000 |
| Issue date: | 04/16/1987 |
| From: | SARGENT & LUNDY, INC. |
| To: | |
| Shared Package | |
| ML20214E025 | List: |
| References | |
| 7725-52-53, 7775-07-08, 7775-7-8, NUDOCS 8705210623 | |
| Download: ML20214E058 (31) | |
Text
>
CARGENT 0 LUNDY.
- , t.
,+c+*
ENGINEERS CHICAGO e
April 16,1987 :-
Rev. 2 l
W, ATWS MITIGATION SYSTEM SPECIFIC DESIGN
.FOR BYRON /BRAIDWOOD STATIONS
~
COMMONWEALTH EDISON COMPA'iY
/
l,
,('
,w Project Nos. 7725-52/53 7775-07/08 hh5210623870511 p
ADOCK 05000454 PDR
'dARGENT 0 LUNDY.
2
~ ? ' '.g(' :
- = "
E N GIN E E RS
. CHICAGO April 16,1987 -
Rev. 2 e
a:y' TABLE 0F CONTENTS Secti on'-
Title Page
.1.0 '.
' INTRODUCTION 1-1 2.0
. DESIGN-BASIS 2-1
. 3.0 FUNCTIONAL REQUIREMENTS 3-1
.4.0 PLANT SPECIFIC DESIGN DETAILS 4-1
5.0 REFERENCES
5-1 3
f t
,s
=i t
e
[O.
.t
'CARGENT O LUNDY-ENGINEERS CHIC AGO i
April 16,1987 Rev. 2
-~
1.0 INTRODUCTION
- The'purhose-of this document is to provide a description of the
- specific-ATWS Mitigation System design _ proposed for implementation atc
- the Byron and Braidwood Stations. The description is intended for the-
. use of the Nuclear Regulatory Commission in evaluating the specific
. design for. compliance to the. ATWS rule of 10CFR 50.62(c)(1).
~
i t
F
.g
. T I
f 1-1 6
r
- N-EP e
ARGENT Cr LUNDY
.=
- ~
-ENGINEERS CHIC AGO '
April - 16, 1987 Rev. 2-E 12.
~ATWS' MITIGATION SYSTEM DESIGN BASIS The Byron /Braidwood ' Stations ATWS Mitigation. System (AMS) design.is-based on the following requirements:
a.
'The ATWS. Rule (Reference 1) b.
ATWS Quality Assurance Requirements (Reference 2)
Westinghouse AMSAC Generic Design Guidance (Reference 3) c.
The foregoing documents provide the basis for the specific AMS system-des'ign as described in Section 3.0.
In addition to the details provided in Section 3.0, plant specific information, as requested by the NRC in their letter (Reference 4) stating acceptance of the Westinghouse. AMSA Generic Design, is included in Section 5.0.
T
+
4 2-1 i
-m, ;
.?
' OARGENT 'O LUNDY
'8.-
~ * -
E N GIN E E R3 CHICAGO April 16,1987 Rev. 2 3.0 ATWS MITIGATION SYSTEM FUNCTIONAL DESCRIPTION
'This section will functionally describe the proposed ATWS Mitigation
' System-(AMS) design for the Byron and Braidwood Stations. The operation of the proposed AMS is defined in Figure 3-1 and by the-following descriptions.
3.1' System Overview The required initiating actions of the AMS are as follows:
a.
initiate the auxiliary feedwater system, and b.
trip the. main turbine The plant variable that is monitored to determine loss of heat sink and provide for the actions described above is main feedwater flow to each steam generator. Each steam generator feedwater.line is monitored by two existing sets of flow
-instrumentation. Either of the two flow measurements indicating low feedwater flow is an indication of loss of heat sink for that steam generator.
As shown in Figure 3-1, two identical sets of logic trains are provided and are defined as AMS Train A and B respectively. Both the main turbine trip and auxiliary feedwater actuation signals-are initiated by the two logic trains.
3-1
CARGENT Q LUNDY
'D E N GIN E E R S CMICAGO April 16,1987 Rev. 2 t
Each logic train monitors one of the two flow' transmitters from each steam generator feedwater line for a' total of four inputs-per train. A 3 out of 4 coincident logic scheme is employed for each logic train to interrogate these feedwater flow' signals, therefore requiring three of the steam generators to indicate a loss of heat sink.in order to actuate the AMS.
The AMS Train A logic will actuate the auxiliary feedwater system (i.e., motor driven auxiliary feedwater pump and related equipment) and trip the main turbine (through the emergency
- trip). Similarly the AMS Train B logic will actuate the auxiliary feedwater system (i.e., diesel driven auxiliary feedwater pump and related equipment) and trip the main turbine (through the auto stop trip).
In both -logic trains a tin.e delay (approximately 25 seconds) is provided to allow the unfaulted-main feedwater pump to automatically increase flow in the event of a single main feedwater pump failure and avert an AMS initiation.
Arming of the AMS is automatic and is accomplished when the C-20 power level (> 40% of nominal full power) permissive is achieved. Upon a decrease in power below the C-20 power lev <
the AMS will be automatically bypassed. The C-20 power level permissive is developed in the AMS system based on turbine impulse pressure.
3-2
-,a CARGENTOLUNDY ENGINEERS CHICAGO April 16,1987 P.ev. 2
' After 'an AMS initiation of the auxiliary feedwater system and tripping of the main turbine, the AMS will self reset. That is,-
after AMS initiation as power decreases and after a time delay (approximately 120 seconds), the C-20 interlock will ~ inhibit the logic trains thus allowing shutdown of the auxiliary feedwater system and reset of the main turbine trip. The time delay allows l
the ~ AMS to. remain armed long enough to perform its function in the event of a turbine trip.
The logic provides for one inhibiting signal which is manually implemented under administrative control and -prevents the logic from initiating its intended functions (i.e., start the auxiliary feedwater system and trip the main turbine). This inhibiting l
signal results from the requirement that the AMS must have the capability for testing during power operation. Each logic train can be tested independently thus allowing a logic train to remain in service while the other is in the test mode. When the operator selects the AMS test mode for either logic train, the final AMS actuation output devices (relays) for that train are inhibited from operating and inadvertently initiating the auxiliary feedwater system or tripping the main turbine during power operation.
3-3
~ CARGENT O LUNDY ENGINEERS CHICAGO
']
l April 16,1987 Rev. 2 Control of the. auxiliary' feedwater system and main turbine are provided for by existing controls and are not.in the scope of the AMS design.
- 3. 2.
-Main Control' Room' Interface.
'The control room interface between the AMS and the operator includes the following alarms and indications located at the main control. boards:
AMS Initiated a.
. Alarms.
AMS Inoperable Train A*
AMS Inoperable Train B*
-125 VDC/24VOC P/S Failure
-b..
Indications - AMS Initiated Train A - Red Light AMS Initiated Train B - Red Light AMS Armed Train A - Green Light AMS Armed Train B - Green Light AMS In Test Mode Train A - Red Light AMS In Test Mode Train B - Red Light c.
Bypass Permissive Light Box - ATWS Permissive C-20
- Inoperable alarm includes loss of power, AMS in test, and automatic bypass (C-20 < 40%).
3-4
CARGENT Cr LUNDY 3
'~
T' E N GIN E E R S CHIC AGO
~ April 16,1987 Rev. 2 3.3 Termination of Steam' Generator Blowdown Steam generator blowdown will' not be automatically terminated by the AMS; Since the immediate effect of steam generator blowdown, in the event of an ATWS event, is to remove heat from the steam generator, automatic. isolation is not necessary. Once AMS is initiated, steam generator inventory can be adequately satisfied with both trains of auxiliary feedwater operating. Auxili ary feedwater flow per steam generator will be approximately 320 gpm with maximum blowdown flow 'per steam generator of 90 gpm.
Operating procedures could be ' developed, however, if necessary,
~
to address the-manual termination of steam generator blowdown flow if the AMS is initiated.
3-5
SGA SGB SGC SGD SGA SGB SGC SGD FW FW FW FW FW FW FW FW FLOW FLOW FLOW FLOW FLOW FLOW FLOW FLOW
< 25%
(25%
(25*/.
<25%
<25%
<25%
<25%
<25%
1rir1rir ARM SYSTEM ABCNE C-20 iririr1r 3/4 LOGIC 3f4 3/4 20 9
TRAIN A 4
TRAIN B d
1r 3 r LOGIC QN) 25 SEC LOGlC QN/25 SEC y120 SEC
%lf/120 SE(
TRAIN A 1r q r
TRAIN B yp 1r INHIBIT SYSTEM FOR TEST AND INHIBIT SYSTEM FOR TEST AND CONT
~-
CONT SWCH SWCH 1P 1r 1r ilP APO AND 1
1r 1r 1r 1r INITIATE MOTOR DRIVEN TRIP MAIN TURBINE INITIATE DIESEL DRIVEN TRIP MAIN TURBINE AUX FW PUMP 8 ELATED (EMERGENCY TRIP)
AUX FW PUMP & RELATED (AUTO STOP TRIP )
SYSTEM COMPONENTS SYSTEM COMPONENTS FIGURE 3-1 REV.
ATWS MITIGATION SYSTEM SIMPLIFIED LOGIC DIAGRAM APRIL 16,1987-2 i.. '
CARGENT O LUNDY
- i
'~
ENGINEER $
4 CHICAGO Apri l ' 16,- 1987 Rev. 2
- 4.0 PLANT ~ SPECIFIC DESIGN DETAILS The' following section provides-the plant specific design details as
. requested by the NRC. Each topic is addressed in the order 'in which they are listed in Reference 4 4.1' Diversity The ATWS Mitigation System (AMS) design for the Byron and Braidwood Stations uses equipment which is largely diverse from that used in the Reactor Protection System (RPS). AMS inputs are derived from the existing feedwater flow instrumentation which, while they are located in the RPS Westinghouse 7300 protection cabinets, no; longer provide a reactor trip function, (instrumentation provides indication and alarm function only).
The AMS feedwater flow inputs are isolated from the existing feedwater flow instrumentation loop signals by Technology for Energy (TEC) Analog Signal Isolators. These isolators are classified as safety related. After isolation the feedwater flow signals are fed to Rosemount master trip units which generate the feedwater low flow logic inputs to the Rochester Solid State Logic System. The Rochester Solid State Logic System provides implementation of the coincidence logic, permissives, test inhibits, time delays and other AMS functions. Outputs from the logic system are then used to trip the turbine and start 4-1
o CARGENT Q LUNDY,
' ENGINEERS CHICAGO April 16,1987 Rev. 2.
auxiliary feedwater via Ja number of interposing re. lays. The interposing relays interlocking safety related circuits are classified'as safety related. These relays are the same as other safety related relays used in similar circuits elsewhere:in _the Byron and Braidwood Station designs.
Power supplies used within the AMS for DC to DC voltage reduction are supplied by Lambda. Major components of the AMS are therefore provided by manufacturers who are diverse from those used in the Westinghouse 7300 protection cabinets and Westinghouse solid state logic ' cabinets.
4.2.
Logic Power Supplies
.The 125 VDC system at Byron /Braidwood consists of two independent safety related trains. Each train consists of a battery, battery charger and DC distribution center. Each train's DC distribution center is divided into two sections. One section is dedicated to feeding the safety related DC system loads. The other section is dedicated to feeding the non-safety related DC system loads. The non-safety related loads are isolated from the safety related DC bus by two safety related breakers in series (Ref. FSAR, Appendix A, compliance with Reg. Guide 1.75). Figure 4-1 illustrates the Train A DC system configuration. Each train of the AMS shall be powered from one of the independent trains of the 125 VDC system.
I 4-2
e CARGENTQ LUNDY
,y
" " $dE[co" "
~
~
April 16,1987 Rev. 2 The guidelines in 10CFR40.62 (ATWS Rule) state that:
o-The AMS power supply is not required to be safety-related.
o The' AtiS must be capable of performing its' safety-related function following a loss of offsite power.
o The AMS logic power must be independent from the power supply for.the Reactor Trip System.
Selection of the 125 Vdc system, as the AMS power supply, complies with the guidelines in 10CFRSO.62 as discussed below:
a.
Safety Classification of AMS Power Supply As illustrated in Figure 4-1, each train of the AMS shall be powered from an independent division of the 125 VDC system. The AMS cabinet shall be powered from the section-of the DC distribution center dedicated for non-safety related loads. The power feed shall be from a dedicated circuit breaker. The ultimate power supply for each. train of the AMS cabinet is a safety-related 125 VDC battery.
Utilization of a safety-related power source exceeds the requirements of the guidelines provided in 10CFR50.62.
~
4-3
.,z.-
6ARGENTO LUNDY ENGINEER 9 CHICAGO
- April 16,1987 Rev. 2 b.
Operation Following Loss of Offsite Power Since each train of the AMS cabinet is powered from a de source (i.e. the 125 VDC batteries), the system is capable of performing its' function following a loss of offsite power.- The Byron /Braidwood DC system design does not require load shedding of non-safety related loads following a loss of offsite power.
c.
Independence From Reactor Trip System Power Supply As illustrated in Figure 4-1, the Reactor Protection System cabinets are energized from an NSSS Instrument Power (IP) inverter. The normal power supply to the inverter is from the station Auxiliary Power System. The dc supply serves as the reserve power supply. Several levels of circuit breakers (e.g., circuit breakers at IP distribution panels, IP inverters and dc distribution panels) ensure that malfunctions (e.g., short circuits) in the Reactor Protection System do not result in loss of the 12.5 Vdc System.
As illustrated in Figure 4-1, the Reactor Trip Switchgear
~
^
is fed from the safety-related 125 Vdc bus. Fuses and circuit beakers ensure that malfunctions (e.g., short circuits) in the Reactor Trip Switchgear do not result in loss of the 125 Vdc system.
4-4
CARGENT O LUNDY ENGINEERS CHIC AGO April 16,1987 Rev. 2 It is recognized that utilization of the 125 VDC system as the AMS logic power supply does not result in a power supply totally independent of the reactor trip system power supply. However, as discussed above, the DC system design provides sufficient isolation to ensure that malfunctions in the reactor trip system do not disable the ATWS Hitigation System.
4.3 Safety-Related Interface Two safety-related interfaces exist between the AMS and the existing protection system. The first is the interface between the AMS and the main feedwater flow instrumentation ci rcui ts. As previously discussed in Subsection 4.1, isolation is provided by the use of Technology for Energy Corporation analog signal isolators. The existing criteria for physical separation between reactor protection and non-safety system wiring will also be utilized. Specifically RPS Ch.1 main feedwater flow signal inputs will be routed to AMS Train A for isolation and RPS Ch. 2 main feedwater flow signal inputs will be routed to AMS Train B.
Both trains of AMS are located in the same cabinet, however, the cabinet is physically divided into two sections by a metal barrier.
4-5
CARGENTO LUNDY e.
'I-ENGINEERS
'* ~
CHICAGO April 16,1987 Rev. 2
~The second interface,'while it is not a direct interface-between the reactor protection system and the AMS, is
'between the AMS and the safety-related station batteries.
A discussion of this interface is included in Subsection 4.2.
4.4 Quality Assurance Safety-related components which are part of the AMS will be procured with the appropriate quality assurance required for safety-related equipment. All other components in the AMS design will be procured using the quality assurance requirements stated in Generic Letter 85-06,(Reference 2).
4.5 Maintenance Bypasses Maintenance at power can be accomplished by taking the affected AMS train out of service administratively and removing power to that train.
It is recommended that the main test switch for that train, located in the AMS cabinet, be placed in the test mode to ensure that maintenance activities do not result in spurious actuation of the AMS output relays.
It is not however a requirement to do so since power must be available for the AMS to actuate auxiliary feedwater and trip the turbine. Loss of 4-6
n CARGENT O'LUNDY E N GIN E E R S CHICAGO April 16,1987 Rev. 2 power to a ' train of the.' AMS or placing a train in test mode
. will result in an - AMS inoperable main control alarm. This alarm along with other AMS alarms. and indicating lights
.will be grouped and located on the main control board utilizing human factors ' engineering practices.
4.6 OperatinLBypasses The AMS shall be automatically armed coincident with power above C-20 (401, of nominal full power) as a permissive.
Bypass of the AMS shall be automatically initiated if the power is reduced below C-20 The C-20 power level is measured by dedicated transmitters for each AMS train. The transmitters will measure first stage impulse pressure at the high pressure turbine. The basis for the 40% of full power setpoint is provided in 9G-87-10 (Ref 5). The automatic bypass of the AMS is alarmed as AMS inopercble.
Separate annunciator windows are provided for AMS Train A&B. The C-20 power level permissive will be indicated at l
the Bypass Permissive Light Box.
4-7
CARGENT O LUNDY.
ENGINEERS CHICAGO April 16,1987 Rev. 2
~
4.7
'Means for Bypassing The' main test switch for each AMS train as discussed in Sections 3.1 and 4.5 is a ' permanently installed selector switch with two positions: normal and test. The main test
- switch for each train is located in the AMS cabinet and is the-only means provided for bypassing the system. Other means for bypassing as specifically excluded by the'
. guidance are not used. The main test switch will be included in the overall human factors engineering. review of the system.
4.8 Manual Initiatio_n_
tianual actuation of the AMS is not provided. Manual initiation of auxiliary feedwater and manual tripping of the turbine can be accomplished by the operator at existing controls provided on the main control boards.
4.9 Electrical Independence From_ Existing Reactor Protection System And Other Safety Related Circuits The interface between the main feedwater flow instrumentation loops and the AMS is made through Technology for Energy Corporation (TEC) Model 156 Nuclear Qualified Analog Isolators. These isolators, which are 4-8
CARGENT O LUNDY p'
~*
E N GIN E E R O CHIC AGO April 16,1987 Rev. 2 located in a mild environment, have been fully qualified by.
the vendor according to the guidelines set forth in the applicable-IEEE Standards. 'The results of the environmental qualification testing envelope the
. Byron /Braidwood Stations requirements.
In addition, the isolators were functionally tested for input isolation (i.e... signal degradation) during short circuits, open circuits and faults on the output side. The maximum credible voltage transient which the non-saftey-related (output) side of the circuits would be exposed to is approximately 140 ' volts dc (i.e., the isolators are powered with 24VOC, however, the AMS cabinets where the isolators are located, are powered from the 125 volt DC System as described in Section 4.2a). The isolators were tested to a fault voltage of up to 2,000 volts dc between terminals.
e For current transients,' the 125V circuits will be appropriately protected (e.g., fuses and circuit breakers) in order to interrupt a fault on the non-safety-related t
I circuit side before the operability of the isolation function is affected. The isolators were tested at 20 amps, as applied to the non-safety-related side, without degrading the safety-related side below an acceptable level. The design of the isolators is based on an L
inherently fail-safe principle which ensures isolation, 4-9
ICARGENT d LUNDY
- - ~ - "
- E N G I N E E F19 -
CHICAGO -
April 16,1987 Rev. 2 even.if all power.-is removed from the device. The stainless steel case will be grounded which generally eliminates electromagnetic interferences. These isolators
'have been used in many other nuclear. plants and have been evaluated by the NRC. More detailed documentation addressing. qualification and testing is available in the' qualification test reports.
The AMS output interface to the safety related auxiliary feedwater circuits is provided at the output relays via coil to contact separation. The output relays are Westinghouse auxiliary relay model numbers ARD 8800R and ARD 4400R. These relays, which are located in a mild environment, have been qualified by the vendor according to the guidelines set forth in the applicable IEEE Standards.
The results of the environmental qualification testing l
envelope the Byron /Braidwood Stations requirements. In addition, the relays were functionally tested. The maximum credible voltage transient which the non-safety-related side of the circuits would be exposed to is approximately 140 volts dc (i.e., the AMS cabinets where the relays are located, are powered from the 125 volt DC System as described in Section 4.2a). The relays are rated 600V for isolation between contacts and between contacts and coils. The relays were tested to withstand a voltage of up t
i 4-10 i
CARGENT O LUNDY EN GIN EER@
CHIC AGO April 16,1987 Rev. 2 to 1,500 volts ac between terminals. For current transients, the circuits will be appropriately protected (e.g., fuses and circuit breakers) in order that a fault on the non-safety-related circuit side will be interrupted by the protective devices before the operability of the isolation function is affected. The relays are rated 10 amps non-inductive and 6 amps inductive. The relays are inherently f ail-safe because power is not required for the relays to function as isolation devices. Typically electromagnetic interference is not a problem with relays. These relays are used throughout the Byron /Braidwood Stations as isolation devices and have been evaluated by the NRC. More-detailed documentation addressing qualification and testing is available in the qualification test reports.
4.10 Physical _ Separation From Existing Protection System The AMS hardware is located in its own cabinet which is separate from the existing reactor protection system cabinets. Actual isolation of the main feedwater flow signals will be done in the AMS cabinet. The two sets of main feedwater flow signals (RPS Ch.1 - four signals routed to AriS Train A and RPS Ch. 2 - four signals routed to AMS Train B) will be the only direct interface between the reactor protection system and the AMS.
4-11
CARGENT O LUNDY
~
ENGINEEQC C HIC AGO April 16,1987 Rev. 2 4.11 Environmental Quali,fi_ cation The AMS cabinet is located in a mild environment. The environmental parameters for the location, Zone A1, are listed in the Byron /Braidwood FSAR Table 3.11-2.
The existing main feedwater flow transmitters are also located in a mild environment. The environmental parameters for the location, Zone A8, are listed in the Byron /Braidwood FSAR Table 3.11-2.
Both non-safety and safety-related components of the ATWS cabinet and the main feedwater flow transmitters will be designed to meet the environmental conditions existing in the zones they are located.
Seismic qualification will be provided for the AMS cabinet and internal safety-related components which provide the input and output AMS interface to external safety related circuits.
4.12 Testability of Power The AMS is designed to allow testing of the master trip units, solid state and relay logic system, and final AMS output relays during power operation as well as below the 4-12
c; CARGENTQLUNDY' e n gg n m April 16,1987 Rev. 2 C-20 power. level permissive. AMS testing is subdivided into three areas which are described individually below, a.
Testing of master trip units (MTU) - Each logic train requires four MTUs (one per steam generator) which are housed in a single MTU chassis. A calibration unit with a dual readout assembly is provided to insert in the MTU chassis and calibrate each individual MTU. One calibration unit will serve both trains of logic since only one train of logic is to be tested at a time allowing the other train to remain in service.
The calibration unit when placed into the MTU chassis allows testing or calibration of each MTU (only one MTV can be tested at a time). The calibration unit generates a calibrate comand signal, calibration current, and a calibration. status signal. Calibra-tion of any selected MTU in the chassis is initiated by the calibrate command signal directed to that MTU, which causes the MTU under test to accept a calibra-tion current in place of the input signal. The input signal is switched to a fixed resistor (located in the MTU), while the MTV is under test, to prevent opening the input circuit. The calibrate comand 4-13
a.
, = _ _ _
=
0 ARGENT Q LUNDY
_,*~
- E E N GIN E E R S CHICAGO April 16,1987 -
Rev. 2 signal also causes the MTU under test to generate a calibration / gross f ailure output signal which energizes the cal / gross failure relay. While the MTU is under test an AMS inoperable alann for the logic train under test is annunciated in the MCR via the cal / gross f ailure relay.
During testing, the MTV receives a calibration current (continually adjustable) from the calibration unit which is simultaneously displayed on the readout assembly as the calibration status signal. A second display on the readout assembly tracks the calibra-tion status signal until the HTU changes state (non-trip to trip state or vice versa). The calibration current reading at that point is latched on the trip.
current display by the trip status signal from the MTV under test. This allows an accurate determina-tion of the MTU trip setpoint setting.
When the MTU is returned to normal operation, the input signal is switched back to the MTU, and the cal / gross failure relay is de-energized (provided the input signal is within its normal range of 4-20 ma DC). Each MTV is provided with a process indicator which will display the input process signal 4-14 5
CARGENT & LUNDY I
EN NEERC April 16,1987 Rev. 2 (differential pressure) or the calibration current.
Although each MTU can be tested on an individual basis, the AMS actuation signal for the train under test should be blocked from inadvertently actuating the final AMS output relays. This is accomplished by placing the AfiS test mode selector switch in the test position. This action will illuminate an indicating light both at the MCR and AMS cabinet and also will activate the AMS inoperable annunciator alarm for the logic train under test. To return the AMS logic train under test to normal service a two step process is required since otherwise resetting the AMS test mode selector switch to normal during a test would inadvertently actuate the final AMS output relays.
Once testing for a particular logic train is completed the operator would return the AMS test mode selector switch to normal and then press the respective logic AMS train test reset pushbutton, b.
Testing of system logic (solid state and relay) -
Since the MTUs are tested individually, it is not possible to force more than one MTU into a trip status simultaneously from the calibration unit. To artificially initiate the system logic for testing, 4-15
CARGENT a LUNDY.
E N GIN E E R 9 April 16,1987 Rev. 2 external MTU test switches are provided for each MTU. The HTU test switch is a three position switch with each position accomplishing the following respective function:
MTU Test Switch Position Function Norm.
Allows the MTV to directly operate the HTU trip relay LMTU Test Switch Position Function Test-Trip Olsconnects the MTV trip relay from the MTU and energizes the trip relay creating an artificial " trip situation."
Test-florm Disconnects the MTU trip relay from the MTU and de-energizes the trip relay creating an artificial "non-trip or normal situation."
This position allows logic testing during fuel load and maintenance when the input signal would normally maintain the MTU in a tripped state.
Placing the MTU in either test mode from the MTU test switch causes the AMS inoperable alarm for the logic train under test to be annunciated in the MCR. An indicating light for each MTU at the AMS cabinet alerts the operator when the MTV trip relay is artificially energized by the MTV test switch.
4-16
CARGENTQ LUNDY
' ~'
EN GIN EERS C HIC AGO April 16,1987 Rev. 2 To test either train of system logic the AMS test-mode selector switch for that train would be placed in the test mode. As described previously this action would prevent the actuation of the final AMS output relays during test. The AMS test mode indicating light for the train under test would illuminate in the MCR and at the AMS cabinet and the AMS inoperable annunciator alarm would be activated. The operator would proceed to place three l
l or more MTVs in the tripped state until all combinations are tested for the train under test.
Successful generation of the AMS actuation signal by the system logic is verified when the AMS initiated indicating lights are illuminated in the MCR and at the AMSC and also by actuation of the AMS initiated annunciator alarm. Prior to returning the train under test to the normal mode by the AMS test mode selector switch and pushbutton, each MTU test switch should be placed in the normal mode.
I L
c.
Testing of final AMS output relays - 1he testing i
circuits used for the final AMS output relays and final actuated devices will be similar to the testing schemes used in the Byron /Braidwood Safeguards Test 4-17 l
l i
i
CARGENT'O LUNDY ENGINEERS e
C HIC ACQ April 16,1987 Rev. 2
. Cabinets. However, for the purpose of the AMS, testing.of the final AMS output relays and final actuated devices will be limited ~ to a continuity test only of the circuits and not full actuation of the final devices (control relay which operates the auxiliary feedwater pump, for example).
Continuity testing of the circuits will be used
- because, o
the AMS is not safety-related, o
any additional periodic cycling of safety related system components in the auxiliary feedwater system as a result of AMS testing should be limited in order to maximize the qualified life of those components, and a
tripping of the turbine at power is obviously unacceptable.
4.13 Compl_etion of Mitigative Action Once initiated the AMS actuation signal will go to completion except as delayed by the 25 second time delay which allows for main feedwater pump recovery in the event of a single main feedwater pump failure. The C-20 permissive is delayed from de-energizing for 120 seconds to 4-18
CARGENTO LUNDY-
' t, (*
- 8 ENGINEERS C H icAGO
(.
April 16,1987 Rev. 2 ensure that the C-20 permissive is present so that AMS l
operates.
Seal-in of the AMS actuation signal is not necessary at -the logic level, since the final actuated or tripped equipment control circuits (auxiliary feedwater and turbine trip) will remain in that condition until stopped or reset by the main control ' room operator.
4.14 Techni_ca_1_ Sp,e,ci ficat,13 No specific technical specification is proposed at this time.
.6.
k I
l l
4 l
l i
I e
l 4-19 E
t
os J SATTERY CHARGER U) o A
O C
- 0) U
,,,0 U)
U ni n W
O 3ggQ
^
FEED TO AMS m
", TRAIN A 12 5V DC n
n BATTERY OTHER
- 3. Md.c LOADS FEED TO OTHER
+
^
^
LOADS 3ggc U
/
s DISTRIBUTION PANEL FOR NON-SAFETY RELATED LOADS REACTOR TRIP FEED TO SWITCHGEAR OTHER LOADS
^(U... (U IP m
ocf 3 NT.fh DISTRIBUTION PANEL STATION
^
AUXILIARY O@
($* * * (oo POWER SYSTEM NSSS INVERTER y
y FEED TO RPS CABDIETS FIGURE 4-I POWER SUPPLY ARRANGEMENT FOR AMS CABINETS, RPS CABINETS AND REACTOR TRIP SWITCHGEAR TRAIN A.
TYPICAL FOR TRAIN B.
R E V.
APRIL 16,1987 2
CARGENT O LUNDY' L,,,
l' ?
E N GIN EE RS p
1/
CHICAGO -
1 April 16,1987.
(b Rev. 2 8
5.0 References 1.
ATWS Final ~ Rule - Code of Federal Reguia' tions 10CFR50.62 and
[
Supplementary Information Package, " Reduction of Risk from Anticipated Transients Without Scra'm (ATWS) Events. for Light-Water-Cooled Nuclear a
Power Plants".
2.
" Quality Assurance Guidance for ATWS Equipment That is Not -Safety-Related", Generic Letter 85-06; April 16,1985.
3.
"AMSAC Generic Design Package", WCAP-10858.
4 4.
Rossi, C.
E., " Acceptance for Referencing of Licensing Report", NRC J
Letter to L. D. Butterfield, Chairman of ATWS Subcommittee, Westinghouse Owner's Group, July 7, 1986.
'5.
West'inghouse Owners Group Letter 0G-87-10, dated February 26, 1987.
l s
- s Y*f
,s s
5-1
' e,
j ]'
t.
!. y
.c s
.m
..,_r
.-._.-._4._.
-