ML21278A196
Text
7.10 AUXILIARY FEEDWATER ACTUATION SYSTEM The AFAS starts the AFW pumps upon detection of very low level in either SG and it blocks AFW to a ruptured generator. Detection of very low level on any two of the four wide-range SG level signal channels on either SG will produce, after a time delay, signals to open the AFW pump turbine-driven steam supply valves, close the SG blowdown valves, and close the breaker of the motor-driven AFW pump. The AFW system valves are aligned to allow flow on start of the pumps. The time delay of the auto-start actuation signal is required to ensure that valid wide-range SG level signals exist. Spurious AFAS actuations can develop during reactor trip from high power due to the power dependent decalibration phenomena of the wide-range SG level indication system. A SG is identified as ruptured if P exceeds a preset value on any two of the four SG pressure signal channels. Signals are generated to close the redundant AFW block valves in each flow leg which feeds the ruptured generator. The auto-start signals are sealed-in while the ruptured isolation signals are not. The independent (from RPS) initiation of the AFW system satisfies the Diverse AFAS requirement for mitigation of ATWS events, 10 CFR 50.62.
7.10.1 DESIGN BASIS 7.10.1.1 Conformance to Standards The design of the auxiliary feedwater actuation systems and component parts was based on the applicable requirements of IEEE 279, "Criteria for Protection Systems for Nuclear Power Generating Stations." Maximum consideration has been given to the following criteria consistent with the objectives of this document:
- a. Single Failure Any single failure within the protection system will not prevent proper protection system action when required.
- b. Quality of Components and Modules Components and modules used in the manufacture of the actuation systems exhibit a quality consistent with the nuclear power plant 40-year design life objective and with minimum maintenance requirements and low failure rates.
- c. Channel Independence The actuation systems include four redundant sensor subsystems and two redundant actuation subsystems. Independence has been provided between redundant subsystems or channels to accomplish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences, and to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction. Independence has been obtained by:
- 1. Electrical Isolation Electrical isolation has been provided between redundant channels, between sensor and actuation subsystems and between the auxiliary feedwater actuation system and ancillary equipment. Where electrical isolation is provided, an application of short circuit, open wire, ground, or potential does not inhibit a protective action as a result of the failure of the redundant system.
CALVERT CLIFFS UFSAR 7.10-1 Rev. 47
- 2. Physical Separation Physical separation has been maintained between redundant sensor subsystems, between sensor and actuation subsystems, and between redundant actuation subsystems by providing separate and isolated cabinets for each of the four sensor subsystems, and each of the two actuation subsystems. A minimum clearance of 3' is provided for each sensing point and its associated transmitter.
- 3. System Repair The system has been designed such that routine servicing and preventive maintenance can be performed without interface to normal plant operation or without loss of system function availability.
Performance of these operations does not result in a simultaneous unavailability of both actuation subsystems. The system is mechanically and electrically divided into subunits or modules based on the following considerations:
a) Standardization of subunits b) Minimization of interconnections and interwiring c) Interchangeability of subunits The subunits include associated equipment, such as indicating lights, pushbuttons, potentiometers, and selector switches.
7.10.1.2 Security and Annunciation The ESFAS is designed to provide annunciation and indication of module withdrawal or loss of power. Withdrawal or loss of power to, a sensor module results in a trip signal to its associated two-out-of-four logic matrices. Sensor modules are not interlocked to prevent withdrawal of more than one module; however, withdrawal of two sensor modules of a common actuation signal will result in a trip of the associated actuation channels.
The doors of each cabinet are equipped with a lock; one key fits all doors.
Contacts are provided for annunciation of an open door. A withdrawal of an actuation logic module will not result in a trip of that channel.
7.10.1.3 Seismic and Environmental Requirements The auxiliary feedwater actuation systems are classified as Seismic Category I and are designed to withstand all simultaneous horizontal and vertical accelerations resulting from a Safe Shutdown Earthquake without loss of function.
The specifications for AFAS and emergency power system components incorporate the applicable seismic requirements for each component, including spectrum response curves for specific component location generated by the time-history method.
These components are qualified by either of the following methods:
In most cases, the supplier is required to qualify his equipment by calculation or testing, or a combination of both. This qualification is formally documented and submitted for approval.
In other cases, tests or calculations are performed by independent consultants or laboratories who submit a formal report. Acceptance of the equipment from the CALVERT CLIFFS UFSAR 7.10-2 Rev. 47
supplier is contingent upon the proof of suitability as established by the results of those tests or calculations.
The choice of an analytical or experimental qualification procedure is determined by the size, shape, and structural or functional simplicity of the equipment in accordance with the criteria outlined in IEEE 344 "Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations (1975)."
Racks, panels, or other supporting structures are generally qualified by analysis, while bistable trip units and other modules are generally qualified through testing.
Tests and calculations are performed following the guidelines of IEEE 344.
Analysis and/or tests have verified that the safety-related characteristics of components are maintained when those components are subjected to the worst-case environment postulated for the component location.
7.10.2 SYSTEM DESCRIPTION The Auxiliary Feedwater Actuation System is shown on Figures 7-24A, B, C and D. The actuation system is divided into four sensor subsystems (sensor channels ZD, ZE, ZF and ZG), and two actuation subsystems (actuation channels ZA and ZB).
The cabinets of the Auxiliary Feedwater Actuation System are appropriately tagged ZA, ZB, ZD, ZE, ZF and ZG, respectively, to distinguish between channels.
7.10.2.1 Sensor Subsystems The sensor subsystems monitor redundant and independent process variables and trip when the variables reach unsatisfactory levels. Physical locations of the sensors are shown on the instrument location drawings prepared from the plant general arrangement drawings. Each of the sensor subsystems consists of one sensor channel of the following process variables:
- d. SG Pressure (SG 12) 7.10.2.2 Actuation Subsystems The two redundant and independent actuation subsystems monitor isolated sensor subsystem trip outputs and, by means of coincidence logics, determine whether a protective action is required. On detection of very low level in either SG on at least two of the four sensor channels, auto-start of AFW takes place and the SG blowdown valves close. One AFW Pump Turbine Drive steam supply valve is opened by each actuation channel. One actuation channel also initiates closure of the breaker of the motor-driven AFW pump. The auto-start signal is sealed in.
There is a bypass valve to each turbine steam supply valve. To avoid turbine overspeed on startup, initial steam flow is controlled by first opening the small by-pass valve, and then the main supply valve after an appropriate time delay.
It should be noted that at steaming rates corresponding to greater than 10%
power, the velocity head in the vicinity of the wide-range level transmitter variable leg SG tap induces a significant offset in the transmitter output. The indicated level reads lower than actual. The magnitude of this effect is a function of power level. This phenomenon is factored into the safety analyses.
CALVERT CLIFFS UFSAR 7.10-3 Rev. 47
On detection of a d/p between the SGs in excess of the setpoint value on at least two of the four sensor channels, signals are generated to close redundant block valves in the AFW flow paths to the low pressure SG. Each flow path contains an "A" and a "B" channel block valve. This feature ensures that AFW flow to a ruptured SG is terminated in order to prevent return to power which could be caused by excessive cooldown of the primary system. The AFW block signal is not sealed-in, but a maximum hysteresis has been set in such that if the d/p approaches zero after initial AFW isolation the AFW block signal will reset. Seal-in of the block signal is not possible due to the scenario of remote probability described below in which first one and then the other SG is identified as ruptured by d/p.
A d/p first in one direction and then in the other occurs with MSLB just downstream of one of the MSIVs and failure of the other MSIV to close.
Performance of the AFW System is factored into the analyses for MSLB, excess load, feed line break, and loss of main feed water. The minimum auto-initiation setpoint, the minimum AFW flow controller setpoint, and the maximum system response times ensure that sufficient water is delivered to the SGs during the first 10 minutes following a feed line break or loss of main feed water.
The maximum auto-initiated setpoint, the maximum AFW flow controller setpoint, the minimum response times, and the AFW block valves ensure that:
- a. The reactor does not return to power following an MSLB, and
- b. The probability of initiating SIAS or draining the pressurizer in the first 10 minutes after initiation of AFW is very small.
7.10.3 SYSTEM SURVEILLANCE 7.10.3.1 Remote Annunciation
- a. Tripped Sensor Channel
- b. AFAS "A" Actuated
- c. AFAS "B" Actuated
- d. Steam Line 11 Rupture
- e. Steam Line 12 Rupture
- f. Motor System Line-up Improper
- g. Turbine System Line-up Improper
- h. SG 11 Line-up Improper
- i. SG 12 Line-up Improper
- j. AFW 11 Flow to Break
- k. AFW 12 Flow to Break
- l. Turbine System No Flow
- m. Motor System No Flow
- n. Air Accumulator Low Pressure
- o. AFW System Suction Pressure Low
- p. Excess Flow
- q. Door Open/Module Withdrawn
- r. Loss of Power Supply
- s. Sensor Channel Bypassed CALVERT CLIFFS UFSAR 7.10-4 Rev. 47 48
7.10.3.2 Local Sensor Channel Surveillance Each module or subunit is equipped with its associated indicating lights. Typical functions to be indicated are:
- a. Bistable trip
- b. Power supply available All indicating lights are visible with the cabinet doors closed. Features are provided for manually checking bulb function.
7.10.3.3 Local Actuation Channel Surveillance Each module or subunit is equipped with its associated indicating lights. Typical functions indicated are:
- a. Tripped actuation subchannel
- b. Power supply available 7.10.4 ELECTRICAL POWER SUPPLY The four redundant 118 Volt, 60 Hz, vital sources of supply (Section 8.3.5) are utilized by the AFW actuation systems. Two vital sources provide power for a sensor subsystem and an actuation subsystem. The remaining two sensor subsystems receive power from the remaining vital sources. Physical and electrical isolation is maintained between the various redundant power supplies. Short circuit protection is provided at each system cabinet, and a trip of the protective device is indicated locally and annunciated in the Control Room.
7.10.5 SYSTEM EVALUATION The AFW initiation, control, and power supply systems were designed in accordance with the Proposed IEEE Criteria No. 279, so that no single fault in components, units, channels or sensors will prevent ESFs operation.
The wiring is installed so that no single fault or failure, including either an open or shorted circuit, will negate minimum AFAS operation. Wiring for redundant circuits is protected and routed so that damage to any one path will not prevent minimum AFAS action.
Sensors are piped so that blockage or failure of any one connection does not prevent AFAS operation.
The detailed design incorporates the following characteristics in order to counteract faults resulting in loss of power:
- a. All redundant components are powered from separate busses;
- b. The reliability of the 125 Volt DC and 120 Volt AC vital power busses used, as discussed in detail in Chapter 8;
- c. Loss of power to a sensor channel results in bistable trip signals. Loss of power to an actuation channel will not produce actuation signals.
There are no AFAS instrumentation transmitters for which the trip setpoints are within 5%
of the high or low end of the calibrated range, or within 5% of the overall instrument design range.
7.10.6 MANUAL TESTING FEATURES 7.10.6.1 Bistable Trip Test Each bistable has built-in provisions for testing bistable operation. An adjustable voltage source is applied when a local pushbutton is depressed. While initiating CALVERT CLIFFS UFSAR 7.10-5 Rev. 47
the test, the process variable input to the bistable is not interrupted. Local indicating lights and Control Room annunciators verify proper operation.
7.10.6.2 Actuation Channel Trip Test Each coincidence two-out-of-four matrix includes a local independent pushbutton.
The test with simultaneous presence of a sensor channel trip causes an output of the associated coincidence matrix and trips the actuation channel logic.
An unbypassed bistable trip signal will indicate as an input to the logic module.
This provides a means of verifying that the bistable trip signal reaches the two-out-of-four logic module. Testing during refueling outages verifies total system operation.
CALVERT CLIFFS UFSAR 7.10-6 Rev. 47