ML20198G217

From kanterella
Revision as of 22:56, 21 November 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Forwards Rept Re Analyses Performed to Verify That B&W 1E Sys Meet Physical Separation Criteria of Reg Guide 1.75, Rev 1,to Assist in Review of SARs Demonstrating Isolation Device Capability & BAW-10085P
ML20198G217
Person / Time
Site: Washington Public Power Supply System
Issue date: 01/23/1976
From: Suhrke K
BABCOCK & WILCOX CO.
To: Stolz J
Office of Nuclear Reactor Regulation
Shared Package
ML20198G202 List:
References
CON-WNP-1115, RTR-REGGD-01.075, RTR-REGGD-1.075 NUDOCS 8605290297
Download: ML20198G217 (21)
v  d  e


Text

___ - - .

i.*.: -

~.

~

Babcock & Wilcox poe, ceremen c.c.m P.O. E:41260. Lyn: :vs. Va. 2:5C5 Tele nene: (504) 38.:.5111

,, d anuary 23, 1976

/ -

gV; r t 3 Director of Nuclear Reactor Regulation . 7 G ;;:

l' ' I

l. 'I ATIN: Mr. John F. Stol:

Chief, DiR Branch #1  !.d 376 r-Division of Project Management i' A u.s. -

.....u U.S. Nuclear Regulatory Cot:tission , . .. 2 Washington, D. C. 20555  %') s '

~

. . . . . . <- ,/

Dear Mr..Stol.:

B6W has recently conducted an evaluation of the IE electrical systems within its scope in view of the regulatory positions given in Regulatory Guide 1.75, Revisica 1. 'lhe attaci=ent to this 1ctter is a report docttacnting the analyses performed to verify that BG'.. IE systems meet the physical separation criteria of that Regulatory Guide.

We request that this report be used to assist your review of SAR's in which BM or the applicant has agreed to supply ndditional information regarding l'egulatory Guide 1.75, e.g. , to demonstrate capa-bility of isolation devices. We also st6 nit this report to support the review of the RPS-II Tcpical Ecport, BAN-100S5P. Because of the 1cng Icad. time required for manufacture of IE equipment.ke will be appreciative of a timely review of this report.

Further infomation concerning this matter can be arranged by contacting Mr. Steve Panwarth (804/3S4-5131, Ext. 2702) of my staff.

Very truly yours, BABCOCK 6 WILCOX CC.'.: PAW Nuclear Power Generation

/ / -

"'l

/ /

h%

Kenneth E. Suhrke

. Manager, Licensing

\'

KES/db Attach, cc: R. B. Bors mt (B6W) .

k B605290297 760416 PDR ADOCK 05000460 A PDR The Babcock & V.'.! con Company / Established IE57

. . )

l>

I. INTRODUCTION When commencing this evaluation program, B&W recognized that the scope "

of IEEE Std. 384-1974* and NRC Regulatory Guide 1.75 is the physical independence of IE systems. The guide "... sets forth criteria for the separation of circuits and equipment that are redundant." B&W considers then that R.C. 1.75 presents criteria for the physical separation of redundant IE circuits to assure system protection against the physical hazards of missiles, flood, and fire.

B&W protection systems have been designed to the separation and independence criteria of IEEE Std. 279-1971 such that:

1. Separation of redundant IE channels shall assure that a single physical event cannot fault redundant channels and provent system function.
2. Physical separation of IE and non-IE systens shall assure that a credibic fault of non-IE equipment cannot degrade the IE systen below an acceptabic icvel. -

IEEE Std. 279-1971 is limited in scope to protection systems. In 1tght of the more detailed and specific criteria of the Regulatory Guide and its expansion of scope to include all IE equipment, a reassessment of the B&W safety and protection systeas was decmed necessary to discover potential threats to the physical separaticn of redundant IE channels. .

B6W reviewed previous costs and analyzed for evidence of lack of physicci independence. The results of these studies provide assurance that, with some modification, the present system confir,urations utilize design criteria which satisfy the requirements of Regulatory Guide 1.75. Specifically, the codifications consist of relocating field wiring terminal blocks to provide greater separation of cables entering and exiting the system cabinets as described herein and the development of more specific Balance of Plant Criteria Documents.

Sections II, III and IV of this document are devoted to the safety and protection systems normally supplied by B&W and are concerned primarily with the B&W scope.Section V describes the electrical isolation between the B&W supplied IE equipment and non-IE equipment.

Certain portions of the total NSS safety and protection systems are designed and supplied by the customer. These interfaces cust be compatible with the B&W designs to ensure that independence of IE equipment is caintained.

B&W issues Balance of Plant Criteria documents to the custocor for consideration in his designs to ensure compatibility such that no loss of independence results. Sections VI, VII, and VIII of this document describe those criteria that relate to maintaining safety and protection system independence to facilitate review of the overall systems.

  • All references to this standard contained herein are to the criteria as -

modified by NRC Regulatory Guide 1.75, Rev. 1.

4 e

II. ENGINEERED SAFETY FEATURES ACTUATION SYSTEM (ESFAS)

A. General i The ESFAS* is a protection system designed to sense that a design basis accident has occurred and to automatically send actuation signals to Engineered Safety Features equipment to mitigate the consequences of the accident.

The ESFAS has three analog sensing channels. Each analog channel monitors each key plant parameter and outputs a trip signal when any one of the parameters reaches a predetermined setpoint indicating that a design bases accident has occurred.

The ESFAS has two digital actuation channels. Each digital channel receives inputs from all three analog channels. When any two of the three inputs indicate a tripped condition, the digital channel sends actuation signals to one train of ESF equipment. The redundant digital channel sends actuation signals to a redundant train of ESF equipment.

B. Sensor-To-Process Connections The ESFAS conitors reactor coolant pressure, steam generator pressure, and reactor building pressure to determine when safety features actuation is required. Each parameter is sensed by each analog channel with an independent decoctor. Ma>:imum separation of sensor taps is achieved in accordance with scetica 5.8 of IECE Std. 384-1974 as follows:

1. RC Prusaure: No more than two taps are required on each hot leg of the 1;C system. The two taps are located on opposite sides of the 38" I.D. pipe.
2. OTSC Pressure: No more than two taps are required on cach main steam line. The two taps are located on opposite sides oc the 28" 1.D. pipe. .
3. RB Pressure: Three taps through the containment boundary are required. Tap locations are determin,ed by the customer but B&W does recommend compliance with section 5.8 of IEEE Std. 334-1974.
4. Cencral: The routing of sensing lines frem the caps to the detectors is beyond the B&W scopo. Ilowever, B&'.! does recccmend that the customer

. provide suf ficient separation and/or barriers to protect against damage from a credible common cause such as a missile or pipe whip.

C. ESFAS Cabinets In accordance with section C.16 of Regulatory Guide 1.75, Rev.1, the B&W ESFAS design complies with sections 5.6 and 5.7 of IEEE Std. 384-1974. .

  • Reference is to ESFAS-1, supplied by Bailey Meter Company, and provided for WNP-1 and -4 and Pebble Springs 1 and 2.

0 e

.e

Typically, there are two cabinets for each analog channel and three cabinets for each digital channel, providing a total of twelve cabinets.

Each cabinet is Seismic Class I and provides physical protection of the cabinet internals from external hazards as well as providing ,

physical separation between redundant circui.ts located in redund. .t cabinets. .

Al'1 modules mounted within any given cabinet forn a part of one protection channel. Therefore, internal physical separation is not required.

The cabinets form the physical boundaries between redundant channels and between the protection systen and non-IE ecuipment. Electrical isolation devices form the electrical boundaries. These devices will be discussed in note detail in section V.

Outputs of the'ESFAS fall under three basic categories:

1. Interchannel IE communications (e.g. , coincidence logics)
2. IE communications within the same channel (e.g. actuations)
3. Co=munications to non-IE equipment (e.g. , plant computer)

The output terminal connections for these signals are within the protective boundaries of the system cabinets. In addition, physical separation of terminal blocks for the different output types is provided in accordance with paragraph 5.6.2 of IEEE Std. 3S4-1974 All non-1E outputs are located on terminal biochs separated from all IE terminal blocks. IE terminal blocks for interchannel cor unications are further subdivided to separate by channel. For exampic, cach analog channel out-puts to both digital channels. In each analog channel, the outputs to one digital chanact are en terminal bicchs ecparate from the torninal blocka for the outputs to the redundant digital channel. The separation provided will be in accordance with section 5.6.2 of IEEE Std. 334-1974.

The entire ESFAS cabinet array is loented in a roon or rooms within a safety class structure. The rooma protect the ESFAS from and do not

. contain high energy switchgcar, transforcers, rotating equipnant or potential cources of missiles or pipe whip. The rooms do contain low energy switchgcar, transforects and rotating equipment that are integral parts of the instrumentation and control systems (e.g., cabinet fan motors). A list of typical low energy devices is contained in Tabic II-1.

D. Actuated Enuiomont ,

The location of equipment actuated by the ESFAS in dictated by the customer's design. B&W will recon =end that the customer consider section 5.9 of IEEE Std. 384-1974 in hic design.

Similarly, the location of cotor control contors for ESFAS actuated equipment is dictated by the customer's design. B&W will recommend that redundant Class IE ector control conters be physically separated in accordance with paragraph 5.4.2 of IEEE Std. 384-1974 G

G 1

?,

TABLE 11-1 COMPO!;E :T RATING FUNCTION Motor 250VA -

Recorder Drive Motor 120V-2A Cabinet Fan Circuit Breakers 30A Distribution Transformer ,

240/120V:24/12V3.75RVA ESFAS Control Motor 120VAC Printer Drive

~

Motor 120VAC Printer Fan Motor 120VAC Printer-Plotter Drive Motor 120VAC Printer-Plotter Bic.ce 0

+

D G

e G

W 8 m b

I O

e

+

p .

III. REACTOR PROTECTIO.'; SYSTE" (RPS) * -

A. General l .

The RPS is a protecticn systea which performs the sole function of initiating a trip of all full length reactor control rods when the plant conditions require such actions to protect the core.

The RPS initiates a reactor trip when a sensed parameter (or group l of parameters) exceeds a setpoint value indicating the approach to

an unsafe condition.

The RPS consists of four separate, independent and redundant channels with identical functions. All functions of the RPS are implemented by redundant sensors, measuring channels, logic and actuation devices.

l l B. Sensor-To-Process Connections l Each of the four protection channels is served by its own independent i

sensors which are physically separated from the sensors of the other protection channels. Each protection channel monitors reactor coolant pressure, RC pump status, tcaperatures, flow, neutron flux. and pressurizer icyc1 to determine when a reactor trip is required.

Maximum separation of sensors and sensor taps is achieved in accordance with scetion 5.8 of IEEE Std. 384-197!. as folleus:

! 1. RC Pressuror No more than two taps are required on cach hot leg of the RC system. The two taps are located on opposite sides of the 38" 1.D. pipe.

2. RC Te neraturorg No more than two RTD penetrations are required l

" on each hot Icg and cold Ice of the RC system. The penetrations are located on oppisite sides of the 38" 1.D. het icg piping and 28" 1.D. cold Icg piping.

3. RC Flou: Each hot ics contains a gentile flow tube. Each flow tube has a high pressure annulus and a low pressure annulus with t

four process connections for each. Sencing caps for the !!cw detectors are located on opposite sides of the hot leg pipe.

4. Neutron Flu::: The four detector assemblies are arranged around the l periphery of the reactor vessel, thus allowing measurement of i -

each reactor quadrant as well as maximizing physical separation.

! 5. Pressurizer 1.ovel: The high and low pressure caps for the four IcVel detectors are spaced around the 108" I.D. pressurizer vessel.

6. RC Pum9 Status Four pump power monitors per RC pump are required, one for each protection channel. The monitors are nupplied by i the custonor. B!.U will, through Balance of Plant Critoria documents, l require that the configuration comply with Regulatory Guide 1.'5, ,

Rev. 1. .

I

c -

l -

l

7. cenerg1: The routing of sensing lines from the caps t- the j- detectors is beyond the B&W scope. However, B&W does recommend that the customer provide suf ficient separation and, or barriers j to protect against damage from a credible common ca2se such as a

! - missile or pipe whip.

i

! C. RPS Cabinets

, In accordance with section C.16 of Regulatory Guide 1.75, Rev. 1, I the B&W RPS design complies with sections 5.6 and 5.7 of IEEE Std. 384-1974.

Typically, there are two or three cabinets for each protection channel, providing a total of eight or twelve cabinets. Each cabinet is Scisnic Class I and provides physical protection of the cabinet internals from external hazards, as well as providing physical separation between redundant circuits located in redundant cabinets.

All modules mounted within any given cabinet form a part of one protection channel. Therefore, internal physical separation is not required. The cabinets form the physical boundaries between redundant chauncis and between the protection system and external non-IE l equipment. Elcetrical isolation devices form the electrical boundaries.

l These devices will be discussed in more detail in section V.

Outputs of the RPS fall under three basic categories:

1. Interchannel IE communications (e.g., coincidence logics).
2. IE communications within the sane channel (e.g. , actuations) .

l ,

! 3. Communications to non-IE equip =ent (e.g., plant ec=puter).

The output terminal connecticas for these signals are within the l protective boundarios of the systen cabincts. In addition, physical separation of terminal blocks for the different output types is

! provided in accordance with paragraph 5.6.2 of IEEE Std. 384-1974 All non-IE outputs are located on terminal blocks separated f ren all IE terminal blocks. IE terminal blocks for interchannel communications

are further subdivided to separato,by channel. For example, all
channel A to channel B outputs are on terminal blocks separate from all channel A to channel C outputs and all channel A to channel D outputs. The separation provided will be in accordance with section
5.6.2 of IEEE Std. 384-1974.

l The entire RPS cabinet array is located in a room or rooms within i

j a safety class structure. The rooms protect the RPS from and do not contain high oncrgy switch 6 ear, transforects, rotating equipment,

! or potential sources of missiles or pipe whip. The rooms do contain low energy switchccar, transformers and rotating equiptent that are integral parts of the instrumentation and centrol systems (e.g., a cabinet fan motors). A list of typical low energy devices is .

contained in Tabic II-1.

i L_ .

D. Actuated Ecuter.ent Actuation devices for the reactor trip function are normally supplied by B&W. Redundant devices are housed in independent, separate and redundant cabinets.

Each cabinet is Seismic Class I and provides physical protection of the cabinet internals from external hazards os well as providing physical separation betueen redundant devices located in redundant cabinets. Since the actuation devices are used to interrupt holding power to the Control Rod Drive Mechanisms (CRDM), their location is not dictated by any design features other than the fact that their cabinets must be within a safety class structure.

e O

e O

e 4v sees.

- ~ _. - - . - . .- -- - - . -- - .

IV. SAFETY RELATED CONTROLS N;D INSTRt*'IENTATION (SRCI, FORMERLY ECI) [

^

A. General ,

The SRCI* is a two channel system that includes, but is not limited to, control i

! and instrumentation for such safety functions as post-accident monitoring and post-accident control. The SRCI is not a protection system. The SRCI  ;

is safety-related, however, and therefore separation criteria are applicable.

2 Each channel is completely separate and independent of the redundant channel.

] There are no physical or electrical connections between channels.

s t B. Sensor-To-Process Connections &

4 Esch of the two safety channels is served by its own independent i sensors which are physically separated frcm the sensors of the redundant safety channel. Maximum separation of sensors and sensor taps is achieved i in accordance with section 5.8 of IEEE Std. 384-1974 as follows:

1. Pressurizer Pressure:

Pressuri cr Level: There are two pressure detectors and two 1cvel  :

4 detectors. Each pressure detector shares a tap with its associated level detector (i.e., same channel). The two sets of pressure taps are ,

arranged around the circumference of the 108" 1.D. pressuri:cr vessel.

L L

2. RC Cold Lee Tennerature: Each SRCI channel monitors loop A'and loop B l cold leg tenperature. No more than one RID penetration is required on each of the fcur 28" 1D cold legs.  ;
3. RC Hot Lee Temnerature: No more than one RTD penetration is required on each of the two 36" ID hot legs.
4. Steam Cencrater Level: The tuo sets of Icvel taps required for each i steam generator are spaced around the circumference of the 139" 1D steam generator shell.

L

5. Steam Generator Pressure: Each SRCI channel nonitors pressure in both steam generators. No more than one pressure tap is required -

i for each of the four 28" ID cain steam lines.

6. Core Flood Tank Level: -

Core Flood Tank Pressure: Two sets of taps are required for each l i

core flood tank. The taps are arranged around the circumference of  :

, the tanks.  !

i  !

, 7. Decay Heat Flow:  !

l (Low Pressure In_icction): No more than one sensor is required for j each of the two decay heat injection lines. i i

i 8. High Pressure Injection: No more than one sensor is required for each  ;

Flow of the four high pressure injection lines. , [

l *0n Greene County a:td future contracts this system is referenced as the SRCI. On "

WNP-1 and 4 and Pebble Springs 1 and 2 this system is referenced as the Essential Controls and Instrumentation. This section is applicable to both where R.G. 1.75 l 1s a design criteria. -l j

1

?

4 .

t

r.

9. Essential Ccaponent:

Cooline '.?ater Flow All flow sensors in train A of Essential Component Cooling are provided by one SRCI channel. All flow sensors in the redundant train B of Essential Component Cooling are provided by the redundant SRCI channel.

10. Cencral: The routing of sensing lines from the taps to the detectors is beyond the B&*J scope. Ilowever, B&W does recom=end that the customer provide sufficient separation and/or barriers to protect against danage from a credible common cause such as a missile or pipe whip.

C. SRCI Cabinets In accordance uith section C.16 of Regulatory Guide 1.75, Rev. 1, the B&W SRCI design complies with sections 5.6 and 5.7 of IEEE Std. 384-19 74.

Typically, there are three cabinets for each safety channel, providing a total of six cabinets. Each cchinct is Scisnic Class I and provides physical protection of the cabinet internals fron external hazards, as well as providing physical separation betueen redundant circuits located in redundant cabinets.

All modules mounted within any given cabinet form a part of one safety channel. Therefore, internal physical separation is not required. The cabinats form the t hysical boundarics between the redundant channels and between the safety system and non-IE equipment.

Electrical isolation devices forn the cicctrical boundaries. These devices will be discussed in more detail in section V. (Refer to Fig. V-4)

Outputs of the'SRCI fall under two basic categories:

1. IE com=unciations within the same channel (e.g., remote shutdown indicators). >
2. Communications ts non-IE equipment (e .g. , non-nuclear instrumentation) .

The output terminal connections for these signals are within the protective boundaries of the system cabincts. In addition, all non-IE outputs are located on terminal blocks separated from all IE terminal blocks in accordance v.ith section 5.6.2 of IEEE Std. 384-1974.

The entire SRCI cabinet array is located in a room or rooms within a safety class structure. The rooms protect the SRCI from and do not ' contain high energy switchgcar, transformers , rotating equipment, or potential sourecs of missile or pipe whip. The rooms do contain ,

low energy switchgear, transformers, and rotating equipment that are integral parts of the instrumentation and control systems (e.g., cabinet fan motors). A list of typical lew energy devices is contained in e Table 11-1.

4 2

. _ 9-

_D. Actuated Eculotent

  • The SRCl performs no protective function but does automatically control Auxiliary Feedwater flow and Steam Dump flow as well as provide manual control of various safety related equipment. SRCI controls within the B6W scope are designed in accordance with section S.9 of IEEE Std. 384-1974 B&W reconnends to the customer that he consider section S.9 in his design of SRCI controls.

S 6

e O

9 e

6 4

0 mo,emeo - wp . ~ , D L.

,s.

V. ELECTRICAL ISOLITION .

A. Intreduction The B&W safety and protection systc=s are comprised of independent, separate and redundant circuits. These redundant circuits are housed in separate cabinets such that all modules within any given cabinet form a part of one safety or protcetion system channel.

Each cabinet is Seismic Class I and provides physical protection of the cabinet internals from external hazards as well as providing physical separation between redundant circuits located in redundant cabinets.

In addition to separation provided between redundant safety and protection channels, all safety and protection equipment is separate and independ- -

ent 'of all other control and instrumentation equipment. Sonc process analog and digital signals availabic within the boundaries of safety ,

and protection systers are transnitted to non-safety equipment for recording, indication and annunciation purposes.' Electrical

  • isolators are provided in the safety and protection systems for the transmission of IE signals to non-IE equipacnt. The signals at the output of these isolation devices are considered to- be non-IE.

Thus, the system cabincts for= the physical boundaries of the safety and protection systems and isolatien devices form the cicctrical boundaries.

These isolation devices are designed to withstand opens and shorts at their outputs (non-IC side) as well as fault voltages up to a ,

Icyc1 which could credibly be applied from the surrounding equip-ment. TO demonstrate the validity of their design and application, circuit analysis and tests were perfer cd under credibic fault conditions. .

B. Analvris The analog isolation technique used in the B&W safety and protection systems consists of integrated circuit epcrational amplifiers (buffer amplifiers) connected to'the output of a main acplifier. (

Figure.V-1 shows a typical analog isolation circuit used to derive non-IE outputs from IE signals.

The prime requirement of the output isolation circuitry is to prevent I credible fault voltages at the output from causing a loss of the safety or protection function of the main amplifier providing its input. To acct this requirement, the output isolation circuitry must not only prevent damage to the main amplifier but

.must also prevent the fault voltage frca reducing the accuracy of the mala amplifier below acceptabic limits. .

t 4

0 t

j:  ;

t 1

1 Normal full load on the main amplifier is 1 cA but the main -

amplifier is capable of delivering up to 5 =A to the loads connected to its output without loss of accuracy. Therefore,

as long as the eain amplifier output current does not exceed 5 mA, the main amplifier output voltage will be proportienal to its input signal with no loss of accuracy.  ;

I To analyze the worst case condition for loading of the main 1 amplifier, it is assumed that the output buffer amplifier shorts from output to input when subjected to a fault voltage. This  ;

condition minimizes the impedance between the fault voltage and the main amplifier as shown in Figure V-2. The value of the 7 4 output resistor is not considered due to its relatively low impedance.  ;

7 Assuming that the main amplifier is operating under a full load of l j 1 mA the current induced through Rs by the fault voltage can be l

as high as 4 mA without affecting the cafety or protection output of the main amplifier. Since Rs = 100iM, the f ault voltage can be i as high as 400 VDC without in any way affecting the accuracy of '

1 the main amplifier output, l

Digital IE to non-IE isolation in the Et.'t safety and protection [

systems is accorplished by relays. The relays have a minimun  ;

dielectric strength rating of 1000VAC (n".S) coil to contact and 7

. contact to contact.  ;

C. Testin t  ;

The analysis of the analog isolatten circuit assuccd a worce case .f condition where the output isolation amplifier sherted fren cutput  !

to input. To further prove the validity of the isolation circuit ,

i desiEn, a test was performed on a typical analeg isolation circuit i

! where various faults ucre applied to the non-IE output. Ihe circuit l used for testing is shewn in Figuro V-3.

l B1 is a buffer amplifier used for transnittieg an analog signal fron the safety or protection system to non-IE equipcont. 32 is a similar  ;

. amplifier used for signal conditioning in the nor.a1 IE signal path.

The acceptance criterion for the test was that any credible fault i 1 voltage applied to the output of B1(Vg) did not significantly affect the accuracy of the signal at the buffer anplitior input (V1).  !

In addition, since small changes at Vi could be applified by B2, the l output of B2 (Vo) was monitored to ensure that any changes were of  ;

little or no consequence.

\  !

The output of B1 (Vf ) was opened, shorted to ground, sbc-tca to the  !

o +15VDC supply, shorted to the -15VDC supply, and shorted to fault  :

voltages of 265VDC, 475VDC, 200VAC(RIS) and 430VAC(R:!S) . 31 vas , l intentionally shorted from output to input during the fault voitt.ge [

applications to simulate the worst case failure mode.  !

i  ;

l I

t

. - ,- ,-_,._.m_.___._,,____,___.___,....-,_,__,,_,,_o_,.._,_,_-__, - _ , . . _ , _ , . , _ . - , , , m__._,_w,,,,.,--..,,,,,

j The maximum devia' tion observed at the isolation a=plifier input j (VI) was 2 m V, 0.02?. of the 0-10V operating range. The eaximum deviation observed at the output of B2 (Vo) was also 2=V, 0.02%'of the 0-10V operating range. Thus, the application of these fault ,

voltages caused variatiens in the IE signal path of so slight a  !

magnitude as to be considered insignificant. l l

The magnitudes of the fault voltages chosen were based on ready ,

.ayailablity from laboratory test equipe.ont as well as providing l some s.casure of conservatism over the value obtained by analysis j 1

in section II.

(

D. Sun.ary j The analog isolation circuits used in the BW cafety ar.d protection cystems for transnicsion of analog si;;nals te non-1E equipent can  ;

withstand f ault voltages up to 400VDC i ithout af fecting the.  !

accuracy, and thus the function, of the 1E circuitry. Although  ?

costed to 475VDC and 430VAC (CS), 4007 vill be the establishef. limit f for conservatism. j Digital In to non-IE isolation relays have a nininun dielectric l strent,th rating of 10007AC (5C15) between coil to centact. and l contact to contact. l l

Thoso itvols are considerably higher than the voltfa,e luvels present l in the EW safoty and protection syytet.4. The higiast pcuer supplied >

to cysten cabinets is 120V.'.C (P2:S) . Interfaec criteria provided by BW will recorrerd that the custo:cr does not run safety atid protection systen cutputs its cabic trays contair. int, voltages highc;-

than the isolation deviec ratinrs. In the caso of relays, the critoria will specify no hir,her than '.SOVAC (FJtS) as a conservative measure. ,

t The non-IE outputs of the isolaticn deviccs aro routed to terninal strips physica117/ separated frem IE terminal ctrips by a aininun of sfx inchos of free air space or by barriors. The wiring between the isolation devices and the termin31 strips is of the sa.o grade as the internal 15 wirin6 with th'e sar:c flane retardancy characteristics.

Thus, the entire cloctrical interface batueen the B W safety and protection systems and non- E equipment can withstand fault voltagm to a highur level than can credibly be applied.

I 6  %

i o .

FIGURE V-1 .

Input f rom : \ W200 > En-IE main amp. / Output Buffer Amp 4

\ g/\A > IE

[ 200 Output Buffer amp Figure V-2 Rf W100k ns Input fron > AAf _

>nn-[L nain a.p. 100k Output t imA k

>\AA A/\A > IE 100k 200 Output Bu Anp Figuro V-3 s

100k 100k W 200 vi Input from >

main amp W B1 W > Non-IE Output (Vf) 100k W 200 tput (Vo)

FICURE V-4 C

il oi From Signal ,

Conditioning Circuits

--Q - /\q^ +

/,

e ass E

= To !!c 100K 10K Loads Output Buffer Driver To Class

>- lE Loads

, NOTE: The circuit configuration for analog isolation in the SRCI differs fro:.: the configuration used in the protect-fon systems in that the operatienal a..plifier in the SRCI is used in the non-inverted node unile the amplificrs in the protectica systen are used in the inverted code, llowever, the volta;c isolation capabilities of the SRCl configuration is very similar to that of the protectica systems. In fact, analysis perforced on the SRCI cir-cuits in the manner described in scetion V.B resulted in the same voltage iso'latica capability, Due to the similarity in the circuits an'd the analytical re::ults, no specific tests were pceformed on the SRCI configuration.

\

t

m. i ..

. . . . . , -., - .--- ..--- _ . . - . . . . . . . .. -- -- ~. . . _.

1 I

VI.

CABLES M*D PACE *.1AYS The routing of cables and raceways are not within the B&U scope. j

> However, B&W does reconnend that the customer comply with section  !

5.1 of IEEE Std. 384-1974 l i

t B&W facilitates customer compliance by the following: i i

3 1. B&W provides the customer with channel designations for j all B&W supplied electrical equip =ent. l

2. B&W supplied safety and protection system cabincts have subdivided  !

input and output terminal sections to aid separ.1 tion of field  :

4 wiring terminations (ref. II.C, III.C, and IV.C).  !

(

i

3. B&W will stipulate maximum voltage icvels to be present in j raceways containing outputs from safety and protection systems r i to be compatible with section V of this document. e i

i 1

  • 1 i

[

h

}

I e

i i . (

-l 1

l i

(

. l i

I

? .

j.

4 i

- ..__.-.________,__.__-__m_. ...-_...-,_.__.-___-_.._-_~._.m._-,_.___--___- -

~

~ ,s, .

VII. CO . TAI :'!E::T PE!*ETRATIO';S ,

The number and location of containment penetrations are deteroined Ly the customer in his design of the' reactor building. ELW provides the custer.er with a tabulation of cables and pipes supplied by B&W that cust traverse the containment boundary.

B&W will recem=end tigat the custo=cr comply with section 5.5 of IEEE Std. 384-1974. In addition, BLU will take the following recommendations beyond the criteria of section 5.5:

1. Non-class 1E circuits should not be run in cable pencerations containing IE circuits. B&W's design philosophy is to avoid having associated circuits if at all possibic or feasible.
2. IE cable pencerations should be physically separated f rc=

.non-IE cable penetrations in accordance with the requirc=ents of cection 4 of IEEE Std. 384-1974.

4

  • a G

/ .

\

e e

VIII POWER SOURCES The B&W protection systems are arranged so that they will be '

powered from four vital power supplies, each redundant and independent. These supplies should provide reliable power under all operating conditions. Each vital bus should be capable

~

of being powered via charger / inverters frcm one of two Nuclear Servico Busses (diesel generator backed) and a Class IE DC supply (bat tery-backed) . Upon loss of the AC supply _from a Nuclear Service Eus, vital power will be supplied from the battery via the DC bis and charger / inverter.

The power sources are supplied by the customer. B&W will recommend

. compliance.with sections 5.2, 5.3 and 5.4 of IEEE Std. 384-1974 as well as require compatibility with the B&W system designs.

In addition, B&W provides the customer with lists of safety and protection equipnent to be powered by each vital bus and diesel generator loading requirements. BLU stipulates t!at the power supplies must not compremise the physical and electrical separation provided in the B&W safety and protection systcms.

L

\ -

8

. ~

^

IX. CONTROL S*4 ITCH 30ARDS Main control switchboards are located in a control room within a safety class structure. The control room protects the switchboards from and does not contain high energy switchgcar, transformers, rotating equipnent or potential sources of missile or pipe whip. The control room does contain low energy switchgear, transformers, and rotating equipment that are integral parts of the instrumentation and control systems (e.g., cabinet fan motors). A list of typical low energy devices is contained in Table II-1.

Where possible, redundant Class IE equipment and circuits are located in separate control switchboards physically separated in accordance with the requirements of Section 4 of IEEE Std. 384-1974, tihere this is not possibic or feasible, the requirements of paragraphs 5.6.2, 5.6.3, 5.6.4, and 5.6.6 are adhered to.

e 4

s-

. .. s-17 -

X.

SUMMARY

B&W safety and protectica system designs provide physical separation between redundant circuits by the use of separate and independent sensors, cabinets, and actuation devices (in the B&U scope) . Interface criteria supplied to the customer ensures this physical separation is maintained in the inter-connecting cables and raceways, sensing lines, containment penetrations, power sources, and locations of actuated equipment in the customer's scope. Thus, the entire safety and protection system channels, from sensor to actuation device, have sufficient physical separation between redundant channels, and between IE and non-IE equipment, to minimize the likelihood of a single event causing loss of core than one redundant circuit.

Electrical boundaries between IE circuits and non-1E equipment are established by operational amplifier circuits for analog signals and by relays for digital signals. Interface criteria provided to the custeccr will ensure that voltage potentials in raceways containing these isolated outputs will not c::cced the voltage ratings of the isolation devices. The racings established are 400VDC for analog and 480' LAC (R::S) for digital devices.

e w

D &

h a

Retrieved from "https://kanterella.com/w/index.php?title=ML20198G217&oldid=3006862"